Firewall rule to allow ssh connections from WAN for remote access

I get confused between port forwarding and a traffic rule to allow ssh access from WAN so I can remotely manage an OW router at my parent's house. I made a 2nd dropbear running on port 33999 that is set up to run on the WAN. Do I just need to make a traffic rule on that port to "device" like this?

name = ssh to router
protocol = TCP
source zone = wan
source address = -- add IP --
source port = 33999
destination zone = device (input)
destination port = any
action = accept

Bold means I typed it and italic means I took the default value

cat /etc/config/dropbear

config dropbear
  option PasswordAuth 'on'
  option Port '22'

config dropbear
  option Port '33999'
  option PasswordAuth 'on'
  option Interface 'wan'

If you want to use port forwarding, you don't need a second dropbear instance.

config redirect
        option target 'DNAT'
        option name 'SSH_to_router'
        list proto 'tcp'
        option src 'wan'
        option src_dport '33999'
        option dest 'lan'
        option dest_ip '' # Router IP
        option dest_port '22'
        option src_ip '' # External IP

If you prefer to use the second dropbear instance, you should swap the source and destination ports in your traffic rule.

config rule
        option name 'SSH_to_router'
        list proto 'tcp'
        option src 'wan'
        list src_ip '' # External IP
        option dest_port '33999'
        option target 'ACCEPT'

If the firewall and the SSH server are on the same machine, you do not need to "forward" any port, but "open" it.


For some reason the OP wants to use port 33999. It will work both ways.
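An added example, not part of any post in this thread: a small Python check for the mistake the reply above corrects (the service port entered as the source port instead of the destination port), which also flags WAN input rules with no source address restriction. The rule name `ssh_as_asked`, the address 203.0.113.10 and the function names are constructed for illustration.

```python
import shlex

# Constructed sample: the rule as described in the question (33999 as source
# port), then the corrected rule. 203.0.113.10 is a placeholder address.
SAMPLE = """
config rule
        option name 'ssh_as_asked'
        list proto 'tcp'
        option src 'wan'
        list src_ip '203.0.113.10'
        option src_port '33999'
        option target 'ACCEPT'

config rule
        option name 'SSH_to_router'
        list proto 'tcp'
        option src 'wan'
        list src_ip '203.0.113.10'
        option dest_port '33999'
        option target 'ACCEPT'
"""

def parse_uci(text):
    """Parse UCI text into a list of (section_type, {option: [values]})."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # drops trailing '# ...' comments
        if tok[:1] == ["config"] and len(tok) >= 2:
            sections.append((tok[1], {}))
        elif len(tok) >= 3 and tok[0] in ("option", "list") and sections:
            sections[-1][1].setdefault(tok[1], []).extend(tok[2].split())
    return sections

def lint_wan_input_rules(text):
    """Return {rule name: [findings]} for ACCEPT rules from wan to the router."""
    report = {}
    for stype, opt in parse_uci(text):
        accept = "".join(opt.get("target", [])).upper() == "ACCEPT"
        # A rule with 'dest' set is a forward rule, not input to the router.
        if stype != "rule" or opt.get("src") != ["wan"] or "dest" in opt or not accept:
            continue
        issues = []
        if "dest_port" not in opt and "src_port" in opt:
            issues.append("src_port set without dest_port: matches the client's port")
        elif "dest_port" not in opt:
            issues.append("no dest_port: every router port is reachable")
        if not opt.get("src_ip"):
            issues.append("no src_ip: open to any WAN address")
        report[" ".join(opt.get("name", [])) or "(unnamed)"] = issues
    return report
```

Calling `lint_wan_input_rules()` on the text of `/etc/config/firewall` returns an empty list for each rule that pins both the destination port and the source address.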