Can't open SSH to router via wan

Good day to everyone!
A few days ago I installed OpenWRT 18.06.01 on my TP-Link TL-WR841N v8. I used the official image and everything came up (now I've switched to a custom-built image without IPv6, PPPoE, etc., but the problem is still there). I want to access my router from work from a specific IP via SSH, so I added a firewall rule and it didn't work :frowning: I tweaked the rule several ways and still nothing. I even tried to open SSH to the whole world and it's still not working! (not secure, I know, just for testing) The funny thing is that I did manage to open and redirect the port for PostgreSQL to my home server. To check the port I use several web services like this. Also I can't open the port for FTP or redirect the port for the home server's SSH. Dropbear is configured to accept connections on any interface. For now I don't know what to try or where my mistake is. Here is what my rules look like for now:

cat /etc/config/firewall

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option target 'ACCEPT'
        option name 'SSH to router'
        option src 'wan'
        option proto 'tcp'
        option dest_port '22'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option name 'SSH to server'
        option family 'ipv4'
        option dest '*'
        option dest_port '10022'

config rule
        option target 'ACCEPT'
        option proto 'tcp'
        option dest_port '5432'
        option name 'PostgeSQL'
        option family 'ipv4'
        option src 'wan'
        option dest '*'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '20-21 20021-20121'
        option name 'FTP'
        option family 'ipv4'
        option dest '*'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp udp'
        option dest_port '28360-28370'
        option name 'Torrent'
        option family 'ipv4'

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'
        option family 'ipv4'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'ACCEPT'
        option input 'ACCEPT'
        option family 'ipv4'
        option network 'wan wan6'

config include
        option path '/etc/firewall.user'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option dest_ip '192.168.1.2'
        option dest_port '5432'
        option name 'PostgeSQL'
        option src_dport '5432'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option dest_ip '192.168.1.2'
        option dest_port '20-21'
        option name 'FTP'
        option src_dip '@my router's WAN IP'
        option src_dport '20-21'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option dest_ip '192.168.1.2'
        option dest_port '20021-20121'
        option name 'FTP Passive'
        option src_dport '20021-20121'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option dest_ip '192.168.1.2'
        option dest_port '28360-28370'
        option name 'Torrent'

config redirect
        option enabled '1'
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '1022'
        option dest_ip '192.168.1.2'
        option dest_port '22'
        option name 'SSH to server'
        option src_ip '!!!my work ip!!!'

config forwarding
        option dest 'wan'
        option src 'lan'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

If you want remote access, you should use a VPN.

Is it a recommendation or the only way that OpenWrt works?

2 Likes

If you understand how to use ssh port forwarding, most any "modern" protocol can be handled.

FTP is not a "modern protocol" due to its two-channel, bi-directionally established approach to control and data transfer. FTP passive mode extended FTP's useful lifespan, but even that has problems without either explicit proxies, or implicit ones. Use of scp, sftp, rsync, WebDAV, other HTTP-based protocols, or the like is often considered a "better" way to deal with file transfer.

Thanks for the advice on FTP, I'm thinking about changing FTP to something more modern.
But the main case is SSH access. I've read tons of manuals about opening SSH on the WAN port, but still nothing works. It's like I'm missing something or don't understand.

I think you need a redirect from wan to 192.168.1.1 port 22. It would be safer to ssh to the server and then back to the router, though.

1 Like
uci show dropbear
netstat -lnp | grep :22

It looks like you have both a redirect and a simple open port configured on port 22. In other words, there's a lot of extra stuff going on in your firewall config that may have broken something.

Try with the stock firewall rules, and add only this one that opens port 22 to the router itself:

config rule
    option name 'Allow-SSH'
    option target ACCEPT
    option src 'wan'
    option dest_port '22'
    option proto 'tcp'
    option family 'ipv4'

Dropbear is still considered safe to expose to the Internet, but it is recommended to use a non-standard port instead of 22, and to disable password logins (use an RSA public key instead).

Once SSH is working you can use it to open secure tunnels to other ports either in the router or in machines on your LAN.

1 Like
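The post above makes three checkable points: an open-port rule on 22 should not coexist with a redirect of the same port, the rule should open the port to the router itself (no dest), and dropbear should not keep password logins on port 22. The script below is an added example, not from this thread or from the OpenWrt project. It audits a saved /etc/config/firewall in the fw3 syntax shown in this thread and the output of `uci show dropbear` for exactly those points. The function names, the awk parsing and the constructed sample inputs (including the documentation address 203.0.113.10) are my own assumptions.

```shell
#!/bin/sh
# Added example (not from this thread or the OpenWrt project): audit how SSH to the
# router is exposed in an fw3-style /etc/config/firewall and check saved
# `uci show dropbear` output. POSIX sh + awk only; all names here are assumptions.

# awk program: walks "config <type>" sections and their "option key 'value'" lines,
# evaluating each section at the next section boundary (and once more at EOF).
FIREWALL_AUDIT_AWK=$(cat <<'EOF'
function has_port22(p) { return p ~ /(^|[ ,])22($|[ ,])/ }   # exact 22 only; ranges like 20-30 are not expanded
function flush(   k) {
    # Zone policy: input=ACCEPT on wan lets every router service in, whatever the rules say.
    if (type == "zone" && o["name"] == "wan" && o["input"] == "ACCEPT") {
        print "ZONE wan input=ACCEPT: every router service is reachable from WAN regardless of rules"
        risky = 1
    }
    # A rule without "dest" is an INPUT rule, i.e. traffic addressed to the router itself;
    # rules with dest (e.g. '*' or 'lan') are forward rules and are ignored here.
    if (type == "rule" && o["src"] == "wan" && o["target"] == "ACCEPT" && o["dest"] == "" &&
        (o["proto"] == "" || o["proto"] ~ /tcp/) && has_port22(o["dest_port"])) {
        if (o["src_ip"] == "") {
            print "WORLD-OPEN rule \"" o["name"] "\": tcp/22 to the router from any source"
            risky = 1
        } else {
            print "RESTRICTED rule \"" o["name"] "\": tcp/22 to the router from " o["src_ip"] " only"
        }
    }
    # DNAT runs before INPUT, so a redirect of WAN port 22 shadows the router's own sshd.
    if (type == "redirect" && o["src"] == "wan" && o["src_dport"] == "22")
        print "REDIRECT \"" o["name"] "\": WAN port 22 is forwarded to " o["dest_ip"] ", not the router"
    for (k in o) delete o[k]
    type = ""
}
/^config[ \t]/ { flush(); type = $2 }
/^[ \t]*option[ \t]/ {
    key = $2; val = $0
    sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", val)   # drop "option <key> "
    gsub(/^'|'$/, "", val)                            # strip surrounding quotes
    o[key] = val
}
END { flush(); exit (risky ? 1 : 0) }   # non-zero status when a risky exposure was found
EOF
)

# Print findings for a firewall config file; returns 1 if a risky exposure was found.
audit_firewall() { awk "$FIREWALL_AUDIT_AWK" "$1"; }

# Check saved `uci show dropbear` output (lines like dropbear.@dropbear[0].Port='22');
# returns 1 if any setting contradicts the hardening advice (keys only, non-default port).
audit_dropbear_show() {
    awk -F"[=']" '
        $1 ~ /\.PasswordAuth$/ && $3 == "on" { print "PasswordAuth=on: password logins enabled, use keys instead"; weak = 1 }
        $1 ~ /\.Port$/         && $3 == "22" { print "Port=22: default SSH port exposed, move to a non-standard one"; weak = 1 }
        END { exit (weak ? 1 : 0) }
    ' "$1"
}

# Constructed sample inputs (not the thread's real files). 203.0.113.10 is a documentation address.
write_sample_firewall() {
    cat > "$1" <<'EOF'
config zone
    option name 'wan'
    option input 'ACCEPT'

config rule
    option name 'SSH to router'
    option src 'wan'
    option proto 'tcp'
    option dest_port '22'
    option target 'ACCEPT'

config rule
    option name 'SSH from work'
    option src 'wan'
    option src_ip '203.0.113.10'
    option proto 'tcp'
    option dest_port '22'
    option target 'ACCEPT'

config redirect
    option target 'DNAT'
    option src 'wan'
    option src_dport '22'
    option dest_ip '192.168.1.2'
    option dest_port '22'
    option name 'Shadows router SSH'
EOF
}
write_sample_dropbear() {
    cat > "$1" <<'EOF'
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth='on'
dropbear.@dropbear[0].Port='22'
EOF
}

run_demo() {
    fw=$(mktemp); db=$(mktemp)
    write_sample_firewall "$fw"; write_sample_dropbear "$db"
    echo "== firewall"; audit_firewall "$fw" || echo "(risky exposure found)"
    echo "== dropbear"; audit_dropbear_show "$db" || echo "(weak dropbear settings found)"
    rm -f "$fw" "$db"
}
# Usage: sh ssh_exposure_audit.sh --demo    or    sh ssh_exposure_audit.sh /etc/config/firewall
if [ "${1:-}" = "--demo" ]; then run_demo; elif [ -n "${1:-}" ]; then audit_firewall "$1"; fi
```

Run it on the router with `sh ssh_exposure_audit.sh /etc/config/firewall` and with `uci show dropbear > /tmp/db.txt; audit_dropbear_show /tmp/db.txt` after sourcing it. The exit status is meant for scripting: a non-zero result from audit_firewall means port 22 on the router is reachable from any WAN source, or the wan zone's input policy is ACCEPT, which makes individual allow rules irrelevant.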

Open port 22, do not redirect it.
Configure dropbear to listen on WAN too.

3 Likes

Thanks for all the replies. I don't have time to answer everyone, but in the near future I will try to make all the firewall rules from zero.

uci show dropbear
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth='on'
dropbear.@dropbear[0].Port='22'

netstat -lnp | grep :22
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1009/dropbear
tcp        0      0 :::22                   :::*                    LISTEN      1009/dropbear

Well, it looks like I have nailed this problem. As I said, I started from scratch and deleted all the rules.
What I did:

fw3 stop
fw3 flush
iptables -F

Next I opened /etc/config/firewall and deleted everything except the basic rules and NAT:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'
        option family 'ipv4'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'ACCEPT'
        option input 'ACCEPT'
        option family 'ipv4'
        option network 'wan wan6'

config forwarding
        option dest 'wan'
        option src 'lan'

I executed fw3 start and found that my internet (NAT) was working.
Next was to add the lines to open SSH to the world, just copy-pasting what mk24 wrote. And it worked! Every rule that I add (FTP, PostgreSQL, port forward to the home server's SSH...) works! No matter what I use, LuCI or SSH. Tomorrow I'll check my connection from work.
Thanks for the help!

Update: Yep, it works! Don't know what it was, but the idea of starting from the beginning is always good :slight_smile:

Same problem. I set "Interface" for the dropbear instance to "unspecified" under System-Administration-SSH Access and made a new traffic rule to open the SSH port. I can't access SSH from the WAN side, while it's working from the LAN side. I tried to configure dropbear separately for WAN and LAN. It's not working from WAN either.

Have you tried deleting all the rules and starting from the beginning? (like in my previous post)

Does the wan interface have a public IP? Does your ISP allow incoming connections?

You have to test from outside. Trying to connect to your public IP or dynamic DNS name from within the LAN usually does not work. Use a different internet connection such as a smartphone hotspot. Or use a third party port scan site.
