Help with SSH Into Nanopi (openwrt)

Hello All,

I have a nanopi with FriendlyWrt (OpenWrt).

I connected the wan port of the nanopi to my home router's lan port using an eth cable, and my laptop to the router's lan using an eth cable as well.

So both the devices are connected to lan ports of my home router.

ip assigned to my pi is 192.168.0.102
ip assigned to my lap is 192.168.0.103

in pi's luci interface, i set the ssh interface to unspecified.

When i try to ssh using ssh root@192.168.0.102 from my lap i get connection refused error.

I made sure that dropbear is running and listening to port 22 from all ip/sources.

Please help me out!

I also added a firewall rule to forward request from any source to 22 port of all interfaces/zones(any)

i also tried using 2222 port in dropbear

that didn't work either!

This is the WAN address of your pi.

You can't connect to your pi using the wan port.
Connect your laptop only to the lan port of the pi and configure the LAN and WAN to your needs.

What do you want to do with your pi?

Sure you can. Just add a firewall rule.

Hey @elder_tinkerer Thanks for the info,

I want to set up my pi for a personal use case with captive portal and stuff

I just want to use the pi wan port alone to ssh.

Is this possible

Hey @_bernd ,

Thanks for the info.

i did add a firewall rule to forward everything to 22 port of everything.

is this incorrect?

That won't work... at least if it's what I think this means.

Let's see your config so we can fix it.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

This is totally fine in the context you are operating, assuming that the upstream (wan) network is fully trusted. Do you want to open only ssh, or do you want all services to be available? (Keep in mind that opening the router to the wan is never a good idea if the upstream is untrusted, such as the internet).

Well, i think i should have written:
You can't connect to your pi using the wan port in the default configuration.

Of course you can if you adjust the firewall.

Hey @psherman

root@FriendlyWrt:~# ubus call system board
{
	"kernel": "6.1.57",
	"hostname": "FriendlyWrt",
	"system": "ARMv8 Processor rev 0",
	"model": "FriendlyElec, nanopi-r5c",
	"board_name": "friendlyelec, nanopi-r5c",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "rockchip/armv8",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
	}
}

cat /etc/config/network
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd00:ab:cd::/48'

config device
    option name 'eth0'
    option macaddr '42:ca:3a:0a:ac:7d'

config interface 'wan'
    option device 'eth0'
    option proto 'dhcp'

config interface 'wan6'
    option device 'eth0'
    option proto 'dhcpv6'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth1'

config device
    option name 'eth1'
    option macaddr '42:ca:3a:0a:ac:7e'

config interface 'lan'
    option device 'br-lan'
    option ipaddr '192.168.2.1'
    option netmask '255.255.255.0'
    option proto 'static'
    option ip6assign '60'

cat /etc/config/firewall
config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1
	option fullcone		1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option fullcone4	1
	option fullcone6	1
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

config rule
	option name		Allow-ssh
	list proto		tcp
	option src		*
	option dest		*
	option dest_port	22
	option target		ACCEPT

@psherman

Thanks for the info.

I have to open this ssh only for a very short time and will close it after testing a few things!

The rule i added was Allow-ssh, all other firewall rules were there already!

It appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.

@psherman

thanks for the info,

nanopi r5c is not supported by openwrt officially yet

that is why i went with friendlywrt

which is also based off openwrt right?

I also assumed that, changes with respect to openwrt will also work on friendlywrt as well, i am sorry for that

Support is nearly official... 24.10.0 does support this model, currently in release candidate.
https://firmware-selector.openwrt.org/?version=24.10.0-rc6&target=rockchip%2Farmv8&id=friendlyarm_nanopi-r5c

"Based on" when you apply that loosely. I like to say that many of the OpenWrt forks are to the official version the way that corn-syrup based "maple flavored" syrups are to genuine/pure maple syrup.

Sometimes these things are true, and other times it can actually break things badly. That's why we recommend either using official OpenWrt (and getting help here) or reaching out to the support resources that are dedicated to the fork you are using.

@psherman

Thanks for the clarification.

I have been using open wrt for months now on my pi.

But since i moved to this r5c, i am experimenting on this with their software.

But i too badly want to go back to open wrt.

So can i download and flash r5c with the firmware you suggested?

Yes, you should be able to run the official openwrt. The release candidate should be pretty solid, though there is the possibility of a few rough edges.

No worries, i will right away start the flashing.

I will try setting up the same setup there as well.

I will get back to the same thread if i don't succeed and look for your guidance in case of a problem.

but thanks a lot for your time and knowledge!

@gamerkid004 I can confirm OpenWrt 24.10rc6 runs solid on the R5C. My R5C is running my home network gateway on 24.10rc6 now.

The rule is wrong, it is allowing 22 to be forwarded, but you want it for input. Remove the option dest *
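
The difference described in the last reply, as an added example that is not part of the original thread: in an OpenWrt firewall config a rule with only `src` matches traffic addressed to the router itself (input), while a rule with both `src` and `dest` matches forwarded traffic. The script below classifies every `config rule` section that way. The sample input is constructed: it holds the `Allow-ssh` rule as posted, followed by a corrected variant whose name `Allow-ssh-input` and whose narrowing of `src` to `wan` are assumptions.

```shell
#!/bin/sh
# Added example: classify each `config rule` section of an OpenWrt firewall
# config by the chain it lands in:
#   src only -> INPUT (to the router), src + dest -> FORWARD, dest only -> OUTPUT
# Output: one line per rule, "<name> <chain> <dest_port>".
classify_rules() {
    awk '
    function emit() {
        if (in_rule) {
            chain = "UNKNOWN"
            if (src != "" && dest != "") chain = "FORWARD"
            else if (src != "")          chain = "INPUT"
            else if (dest != "")         chain = "OUTPUT"
            printf "%s %s %s\n", (name == "" ? "(unnamed)" : name), chain, (port == "" ? "-" : port)
        }
        in_rule = 0; name = ""; src = ""; dest = ""; port = ""
    }
    /^[ \t]*#/ { next }                      # skip comment lines
    { gsub("[\"\047]", "") }                 # drop UCI quoting
    $1 == "config" { emit(); in_rule = ($2 == "rule"); next }
    in_rule && ($1 == "option" || $1 == "list") {
        if ($2 == "name")      name = $3
        if ($2 == "src")       src  = $3
        if ($2 == "dest")      dest = $3
        if ($2 == "dest_port") port = $3
    }
    END { emit() }
    ' "$@"
}

# Constructed sample: the Allow-ssh rule as posted in the thread, then a
# corrected variant (rule name and src 'wan' are assumptions, not from the page).
sample_config() {
    cat <<'EOF'
config rule
    option name      Allow-ssh
    list proto       tcp
    option src       *
    option dest      *
    option dest_port 22
    option target    ACCEPT

config rule
    option name      'Allow-ssh-input'
    list proto       'tcp'
    option src       'wan'
    option dest_port '22'
    option target    'ACCEPT'
EOF
}

sample_config | classify_rules
```

On the device, `classify_rules /etc/config/firewall` lists every rule the same way, which makes a rule that was meant for input but landed in forward easy to spot.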