I get confused between port forwarding and traffic rules to allow SSH access from WAN so I can remotely manage an OW router at my parent's house. I made a 2nd dropbear running on port 33999 that is set up to run on the WAN. Do I just need to make a traffic rule on that port to "device" like this?
name = ssh to router
protocol = TCP
source zone = wan
source address = -- add IP --
source port = 33999
destination zone = device (input)
destination port = any
action = accept
Bold means I typed it and italic means I took the default value
cat /etc/config/dropbear
config dropbear
    option PasswordAuth 'on'
    option Port '22'

config dropbear
    option Port '33999'
    option PasswordAuth 'on'
    option Interface 'wan'
If you want to use port forwarding, you don't need a second dropbear instance.
config redirect
    option target 'DNAT'
    option name 'SSH_to_router'
    list proto 'tcp'
    option src 'wan'
    option src_dport '33999'
    option dest 'lan'
    option dest_ip '192.168.1.1' # Router IP
    option dest_port '22'
    option src_ip '123.123.123.123' # External IP
If you prefer to use the second dropbear instance, you should swap the source and destination ports in your traffic rule.
config rule
    option name 'SSH_to_router'
    list proto 'tcp'
    option src 'wan'
    list src_ip '123.123.123.123' # External IP
    option dest_port '33999'
    option target 'ACCEPT'
If the firewall and the SSH server are on the same machine, you do not need to "forward" any port, but "open" it.
For some reason the OP wants to use port 33999. It will work both ways.
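An added example, not written by any poster in this thread: a small Python check over UCI firewall text that flags the source/destination port mix-up discussed above in WAN input rules, and goes slightly further by also flagging a rule with no `src_ip` restriction. The rule `ssh_as_asked` is a constructed UCI rendering of the rule in the question, and the function names are hypothetical.

```python
import shlex

# Constructed sample: the question's rule rendered as UCI, then the corrected rule.
SAMPLE = """
config rule
    option name 'ssh_as_asked'
    list proto 'tcp'
    option src 'wan'
    list src_ip '123.123.123.123'
    option src_port '33999'
    option target 'ACCEPT'

config rule
    option name 'SSH_to_router'
    list proto 'tcp'
    option src 'wan'
    list src_ip '123.123.123.123'
    option dest_port '33999'
    option target 'ACCEPT'
"""

def parse_uci(text):
    """Parse UCI text into a list of (section_type, {option: [values]})."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # handles quotes and trailing '#'
        if len(tok) >= 2 and tok[0] == "config":
            sections.append((tok[1], {}))
        elif len(tok) >= 3 and tok[0] in ("option", "list") and sections:
            sections[-1][1].setdefault(tok[1], []).append(tok[2])
    return sections

def audit_wan_input_rules(text):
    """Return {rule name: [findings]} for ACCEPT rules from wan to the router itself."""
    report = {}
    for stype, opts in parse_uci(text):
        if (stype != "rule" or opts.get("src") != ["wan"]
                or opts.get("target") != ["ACCEPT"] or "dest" in opts):
            continue  # a rule with a dest zone is a forward rule, not input
        checks = [
            ("dest_port" not in opts, "no dest_port: rule matches every port on the router"),
            ("src_port" in opts, "src_port set: clients use ephemeral source ports, match dest_port"),
            ("src_ip" not in opts, "no src_ip: rule accepts any WAN address"),
        ]
        report[opts.get("name", ["(unnamed)"])[0]] = [m for bad, m in checks if bad]
    return report

if __name__ == "__main__":
    print(audit_wan_input_rules(SAMPLE))
```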