Port Forwarding for a local SSH Server (RouterOS)

3 min read 20-10-2024

If you're looking to access your local SSH server from outside your home network, port forwarding is essential. In this article, we will walk you through the process of setting up port forwarding on RouterOS to enable external SSH connections to your local server.

Understanding Port Forwarding

Port forwarding is a networking technique that allows external devices to connect to a specific internal IP address within a private local area network (LAN). When you set up port forwarding, you instruct your router to direct incoming traffic on a specific port (in this case, SSH, which uses port 22 by default) to a particular internal device.

Original Problem Code:

You may have come across configurations that look something like this:

/ip firewall nat add action=dst-nat chain=dstnat comment="SSH Port Forwarding" dst-port=22 protocol=tcp to-addresses=192.168.88.2 to-ports=22
/ip firewall filter add chain=input protocol=tcp dst-port=22 action=accept

Corrected Code for Clarity

To clarify, the above code instructs RouterOS to forward any TCP traffic on port 22 to a specific local IP address (192.168.88.2) within the LAN, which presumably hosts the SSH server. Here's how to interpret it more simply:

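# NAT rule: rewrite the destination of incoming TCP port 22 traffic to the SSH server at 192.168.88.2, port 22
/ip firewall nat add action=dst-nat chain=dstnat comment="SSH Port Forwarding" dst-port=22 protocol=tcp to-addresses=192.168.88.2 to-ports=22
# Filter rule: accept TCP port 22 on the input chain, which handles traffic addressed to the router itself
/ip firewall filter add chain=input protocol=tcp dst-port=22 action=accept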

Setting Up Port Forwarding in RouterOS

  1. Access Your RouterOS:

    • Open your web browser and enter your router's IP address (commonly 192.168.88.1 or similar).
    • Log in with your credentials.
  2. Navigate to IP > Firewall:

    • Click on the "NAT" tab to configure Network Address Translation.
  3. Add a New Rule:

    • Click on the "+" button to create a new NAT rule.
    • Set the action to "dst-nat."
    • For the chain, choose "dstnat."
    • In the dst-port field, enter 22 (the default SSH port).
    • Set the protocol to tcp.
    • Under to-addresses, input the internal IP address of your SSH server (e.g., 192.168.88.2).
    • In the to-ports field, enter 22.
  4. Allow Incoming Connections:

    • Move to the "Filter Rules" tab.
    • Click on the "+" button to create a new filter rule.
    • Set the chain to input.
    • For the protocol, select tcp and specify the dst-port as 22.
    • Set the action to accept.
  5. Save Your Changes:

    • After adding these configurations, make sure to apply and save the settings.

Testing Your Setup

Once the above configurations are saved, it’s crucial to verify whether the port forwarding is working as intended. You can do this by attempting to SSH into your local server from an external network:

ssh user@your-public-ip

Make sure to replace user with your actual SSH username and your-public-ip with your router’s public IP address. If configured correctly, you should be prompted for your password and, once authenticated, given access to your SSH server.

Additional Considerations

  • Dynamic IP Address: If your router’s public IP address changes frequently, consider using a Dynamic DNS (DDNS) service to have a consistent domain name pointing to your home network.

  • Security: Be mindful of security implications when exposing your SSH server to the internet. Consider using key-based authentication instead of password authentication, and keep your software updated.

  • Firewall Settings: Ensure that your local firewall settings on the SSH server allow incoming SSH traffic on port 22.
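
The rules shown earlier, next to a more tightly scoped form, as an added example that is not part of the original article. It assumes an interface list named WAN (present in the MikroTik default configuration); the address-list name ssh-allowed is hypothetical and 203.0.113.10 is a constructed documentation address.

```routeros
# Rules as given in the article, repeated here as comments for comparison:
#   /ip firewall nat add action=dst-nat chain=dstnat dst-port=22 protocol=tcp \
#       to-addresses=192.168.88.2 to-ports=22
#   /ip firewall filter add chain=input protocol=tcp dst-port=22 action=accept
# - The NAT rule has no interface match, so it also rewrites SSH connections
#   that LAN hosts open to servers outside the network.
# - The filter rule sits on the input chain, which covers the router itself;
#   dst-nat'ed traffic to 192.168.88.2 passes through the forward chain.

# Scoped form.
# Assumption: "ssh-allowed" is a hypothetical list name, 203.0.113.10 is constructed.
/ip firewall address-list
add list=ssh-allowed address=203.0.113.10 comment="Admin workstation (constructed example)"

# Translate only connections arriving on WAN from allow-listed sources.
# Assumption: the interface list "WAN" exists on this router.
/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=22 \
    src-address-list=ssh-allowed to-addresses=192.168.88.2 to-ports=22 \
    comment="SSH Port Forwarding (WAN only, allow-listed sources)"

# Accept the translated connection on the forward chain, limited to the SSH server.
/ip firewall filter
add chain=forward action=accept connection-nat-state=dstnat in-interface-list=WAN \
    protocol=tcp dst-address=192.168.88.2 dst-port=22 \
    comment="Allow forwarded SSH to 192.168.88.2"

# Check: packet counters on both rules should increase on an outside connection attempt.
/ip firewall nat print stats where comment~"SSH Port Forwarding"
/ip firewall filter print stats where comment~"Allow forwarded SSH"
```

Filter rules are evaluated in order, so the forward accept rule has to sit above any drop rule in the forward chain that would otherwise match the same traffic.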

By following these steps, you can successfully set up port forwarding for a local SSH server using RouterOS, enabling remote access to your device while keeping security in mind.