How to access OpenWrt dumbap from upper / outside IP

Hello (again) @ll!

Searched (mildly, I must admit) the forum using the following expression:

ssh access to openwrt dumb ap from the internet

(…) on the search field above on the right.

Currently, I am using a dumbap behind a virtualized OpenWrt Router on Proxmox.

(Almost) everything is working as expected/desired. Yet I would like to be able to access the dumbap either from the wan or from another lan where the proxmox openwrt router puts its wan interface. This seems complicated, perhaps, but for simplicity, I would say that the dumbap is connected to the Proxmox OpenWrt router and the latter is in turn connected to an ISP gateway on the ISP gateway’s LAN.

I have tried to redirect the ‘awaiting’ ssh port from the dumbap inside the proxmox openwrt router’s interface. Both luci and cli. And despite being able to redirect the latter router’s own ssh port to itself, I cannot do the (similar) redirection to the dumbap ssh instance.

Can anyone give hints on this?

Thank you beforehand!

A few things...

This is not advisable. You'd be much better off using a VPN (road warrior type config) to gain access to your network(s) from outside.

The router is responsible for the access in general, assuming you have setup the bridged AP correctly.

Let's look at the config of the AP.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Most articulate way would be to add wireguard (or ipsec roadwarrior) on openwrt VM, then you can dial in any time and your phone / computer is like in home network (with small extra latency)

Does it ring the bell?

Need help with it?

What is in ubus call system board in your OpenWrt VM?


Hello to you @psherman and @brada4

Thank you for your interest and your advice.

If it is not too much for you, I would like to answer all your requests in the coming day.

Hope you understand.

Went to dinner and now, bedtime.

See you soon and, again, thank you for all your assistance and understanding.

Cheers! :sun:

Hello, (again), @psherman , and @brada4 . Thank you for your patience!

I am sorry, for not making myself clearer.

Before posting the information you've required, I am also going to post the following PNG file:

Here goes the rest of the information.

ubus call system board
Main Router

{
        "kernel": "6.6.104",
        "hostname": "RouterWRT",
        "system": "Common KVM processor",
        "model": "QEMU Standard PC (i440FX + PIIX, 1996)",
        "board_name": "qemu-standard-pc-i440fx-piix-1996",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.3",
                "revision": "r28872-daca7c049b",
                "target": "x86/64",
                "description": "OpenWrt 24.10.3 r28872-daca7c049b",
                "builddate": "1758316778"
        }
}

dumbAP

{
        "kernel": "6.6.104",
        "hostname": "AsusWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "ASUS TUF-AX4200",
        "board_name": "asus,tuf-ax4200",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.3",
                "revision": "r28872-daca7c049b",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.3 r28872-daca7c049b",
                "builddate": "1758316778"
        }
}

cat /etc/config/network

Main Router

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdee:6d21:1ca4::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        option bridge_empty '1'
        option macaddr 'redacted'
        list ports 'eth0'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan.10'
        option proto 'static'
        option ipaddr 'redacted'
        option netmask '255.255.255.0'
        option ip6assign '64'
        list dns 'redacted' # my pihole
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config interface 'wan'
        option device 'br-lan.115'
        option proto 'static'
        option ipaddr 'redacted'
        option netmask '255.255.255.0'
        option gateway 'redacted'
        list dns 'redacted' # my pihole
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config interface 'wan6'
        option device 'br-lan.115'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option norelease '1'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'eth1'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'eth1:t'

config interface 'guest'
        option proto 'static'
        option device 'br-lan.20'
        option ipaddr 'redacted'
        option netmask '255.255.255.0'
        list dns 'redacted' # my pihole
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option ip6assign '64'

config bridge-vlan
        option device 'br-lan'
        option vlan '115'
        list ports 'eth0'
        list ports 'eth1:t'

dumbAP

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd30:4549:8fa::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan.10'
        option proto 'static'
        option ipaddr 'redacted'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option gateway 'redacted'
        list dns 'redacted' # my pihole
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'eth1'
        list ports 'lan1'
        list ports 'lan2'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'eth1:t'
        list ports 'lan3'
        list ports 'lan4'

config interface 'guest'
        option proto 'static'
        option device 'br-lan.20'
        option ipaddr 'redacted'
        option netmask '255.255.255.0'
        list dns 'redacted' # my pihole
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option ip6assign '64'
        option gateway 'redacted'

config bridge-vlan
        option device 'br-lan'
        option vlan '115'
        list ports 'eth1:t'

config interface 'teo'
        option proto 'static'
        option device 'br-lan.115'
        option ipaddr 'redacted'
        option netmask '255.255.255.0'
        option gateway 'redacted'
        list dns 'redacted' # my pihole
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option ip6assign '64'

cat /etc/config/wireless

Main Router

Not applicable (this is a routing device only, and has no wireless functionality active within it)

dumbAP

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option band '2g'
        option channel '1'
        option htmode 'HE20'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option band '5g'
        option channel 'auto'
        option htmode 'HE80'
        option country 'PT'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'redacted'
        option encryption 'psk2+tkip+ccmp'
        option key 'redacted'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'redacted'
        option encryption 'psk2+tkip+ccmp'
        option key 'redacted'
        option network 'guest'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'redacted'
        option encryption 'psk2+tkip+ccmp'
        option key 'redacted'
        option network 'teo'

cat /etc/config/dhcp

Main Router

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '30'
        option limit '100'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '30'
        option limit '100'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'server'
        list mac 'redacted'
        option ip 'redacted'
        option leasetime 'infinite'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ra 'server'
        option dhcpv6 'server'

dumbAP

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ignore '1'

config dhcp 'teo'
        option interface 'teo'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ignore '1'

cat /etc/config/firewall

Main Router

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'DROP'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'meo'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'meo'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'meo'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'meo'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'meo'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'meo'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'meo'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'meo'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'meo'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'meo'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'meo'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option src 'guest'
        option name 'guest dhcp dns'
        option dest_port '53 67 68'
        option target 'ACCEPT'

config zone
        option name 'guest'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'meo'

config forwarding
        option src 'lan'
        option dest 'guest'

config redirect  ### this rule here is to access the ssh service running on the main router from the outside lan or merely the upper lan
        option target 'DNAT'
        option src 'meo'
        option src_dport 'redacted'
        option proto 'tcp'
        option family 'ipv4'
        option dest 'lan'
        option dest_ip 'redacted'
        option dest_port 'redacted'
        option name 'SSH-2-WRT'



####### Note: I wish to have a similar rule, but for the dumbAP LAN ipv4 address.

dumbAP

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

... And finally... the init.d services enabled and running on each device:

Main Router

/etc/init.d/boot                   enabled         stopped
/etc/init.d/cron                   enabled         stopped
/etc/init.d/dnsmasq                enabled         running
/etc/init.d/done                   enabled         stopped
/etc/init.d/dropbear               enabled         running
/etc/init.d/etherwake              enabled         stopped
/etc/init.d/firewall               enabled         stopped
/etc/init.d/gpio_switch            enabled         stopped
/etc/init.d/led                    enabled         stopped
/etc/init.d/log                    enabled         running
/etc/init.d/network                enabled         running
/etc/init.d/odhcpd                 enabled         running
/etc/init.d/packet_steering        enabled         stopped
/etc/init.d/rpcd                   enabled         running
/etc/init.d/sysctl                 enabled         stopped
/etc/init.d/sysfixtime             enabled         stopped
/etc/init.d/sysntpd                enabled         running
/etc/init.d/system                 enabled         stopped
/etc/init.d/ucitrack               enabled         stopped
/etc/init.d/udp-broadcast-relay-redux      enabled         stopped
/etc/init.d/uhttpd                 enabled         running
/etc/init.d/umount                 enabled         stopped
/etc/init.d/urandom_seed           enabled         stopped
/etc/init.d/urngd                  enabled         running

dumbAP

/etc/init.d/boot                   enabled         stopped
/etc/init.d/bootcount              enabled         stopped
/etc/init.d/cron                   enabled         stopped
/etc/init.d/dnsmasq               disabled         stopped
/etc/init.d/done                   enabled         stopped
/etc/init.d/dropbear               enabled         running
/etc/init.d/firewall              disabled         stopped
/etc/init.d/gpio_switch            enabled         stopped
/etc/init.d/led                    enabled         stopped
/etc/init.d/log                    enabled         running
/etc/init.d/network                enabled         running
/etc/init.d/odhcpd                 enabled         running
/etc/init.d/packet_steering        enabled         stopped
/etc/init.d/rpcd                   enabled         running
/etc/init.d/sysctl                 enabled         stopped
/etc/init.d/sysfixtime             enabled         stopped
/etc/init.d/sysntpd                enabled         running
/etc/init.d/system                 enabled         stopped
/etc/init.d/ubihealthd             enabled         running
/etc/init.d/ucitrack               enabled         stopped
/etc/init.d/uhttpd                 enabled         running
/etc/init.d/umount                 enabled         stopped
/etc/init.d/urandom_seed           enabled         stopped
/etc/init.d/urngd                  enabled         running
/etc/init.d/wpad                   enabled         running

Again, thank you very much for your time.

:sun:

What CPUID flags are in cat /proc/cpuinfo inside VM? As minimum aesni and avx are needed for good encryption.

Outline here:


These redactions are not necessary and make it a bit harder to understand your network topology.


Hi, so no LAN IP's redacted then:

cat /etc/config/network

Main Router

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdee:6d21:1ca4::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        option bridge_empty '1'
        option macaddr 'redacted'
        list ports 'eth0'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan.10'
        option proto 'static'
        option ipaddr '10.0.1.16'
        option netmask '255.255.255.0'
        option ip6assign '64'
        list dns '192.168.115.2'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config interface 'wan'
        option device 'br-lan.115'
        option proto 'static'
        option ipaddr '192.168.115.230'
        option netmask '255.255.255.0'
        option gateway '192.168.115.254'
        list dns '192.168.115.2'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config interface 'wan6'
        option device 'br-lan.115'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option norelease '1'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'eth1'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'eth1:t'

config interface 'guest'
        option proto 'static'
        option device 'br-lan.20'
        option ipaddr '10.0.20.16'
        option netmask '255.255.255.0'
        list dns '192.168.115.2'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option ip6assign '64'

config bridge-vlan
        option device 'br-lan'
        option vlan '115'
        list ports 'eth0'
        list ports 'eth1:t'

dumbAP

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd30:4549:8fa::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan.10'
        option proto 'static'
        option ipaddr '10.0.1.40'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option gateway '10.0.1.16'
        list dns '192.168.115.2'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'eth1'
        list ports 'lan1'
        list ports 'lan2'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'eth1:t'
        list ports 'lan3'
        list ports 'lan4'

config interface 'guest'
        option proto 'static'
        option device 'br-lan.20'
        option ipaddr '10.0.20.40'
        option netmask '255.255.255.0'
        list dns '192.168.115.2'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option ip6assign '64'
        option gateway '10.0.20.16'

config bridge-vlan
        option device 'br-lan'
        option vlan '115'
        list ports 'eth1:t'

config interface 'teo'
        option proto 'static'
        option device 'br-lan.115'
        option ipaddr '192.168.115.40'
        option netmask '255.255.255.0'
        option gateway '192.168.115.254'
        list dns '192.168.115.2'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option ip6assign '64'

cat /proc/cpuinfo for the VM OpenWrt router:

processor       : 0
vendor_id       : GenuineIntel
cpu family      : 15
model           : 6
model name      : Common KVM processor
stepping        : 1
microcode       : 0x1
cpu MHz         : 1804.800
cache size      : 16384 KB
physical id     : 0
siblings        : 1
core id         : 0
cpu cores       : 1
apicid          : 0
initial apicid  : 0
fpu             : yes
fpu_exception   : yes
cpuid level     : 13
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx lm constant_tsc nopl xtopology cpuid tsc_known_freq pni cx16 x2apic hypervisor lahf_lm cpuid_fault pti
bugs            : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs itlb_multihit mmio_unknown bhi its
bogomips        : 3609.60
clflush size    : 64
cache_alignment : 128
address sizes   : 40 bits physical, 48 bits virtual
power management:

None of those you've mentioned are present.

Hope this answers a bit further your questions.

Again, and always, thank you!

:sun:

You have to change cpu mask to host-model or to real host cpu generation until AVX and AESNI appear in the flags line.


Currently:


Is this what you were talking about?

This to be more exact?

I am aware that encryption does need processing power, but fail to see the direct connection between those hardware capabilities/flags and the impossibility to forward ssh traffic... But not entirely unrelated maybe. Could you @brada4 give more information about your point, please?

P.s.: The real host itself lacks AESNI flag, although it has AES flag support.

Cheers.

:sun:

I believe so...

www resource where it refers the same cpu-type topic

Going to change it and report back.

:sun:

No idea, it is a commercially supported product.

Thank you.

Hello, again!

Have any of you @psherman or @brada4 already figured it out?

I did.

This post is a tease.

I am going to post the solution in a while because it all boils down to the network topology, really.

So I am going to try and do another flow chart of the network so that this thread can be closed properly.

As a side note, I am also going to try to disable the flags that @brada4 has hinted, (since he/she failed to explain why it should be relevant to the OP question), and see if the (now) working way, still holds.

And yes, about the commercial support, of course, there are no freebies. Not in this world is there? (So thank you for your kind hint as well)...

Be back in a while, with the needed solution + flowchart.

Cheers!

:sun:

Hello, again!

Here it is:

Final note:

What was going wrong, (I suppose), was the logic (my logic, that is), behind all this approach.

I was supposing that I had to forward traffic from the 192.168.115.X network to the main lan 10.0.1.40 IP address.

For the ssh service, that is.

I found out (duh, for myself) that it was not needed after all / from the beginning, that is.

I should have directed the ssh command to target 192.168.115.40 which is the address of the dumbAP on that network.

My mistake was to suppose that the dumbAP would not be reachable at all from the "upper lan" which, obviously, was not the case.

So this whole thread, for myself, was another “genius”, clumsiness and distraction.

I take this chance to apologize for this stupidity of mine.

Mostly for @psherman and @brada4.

Otherwise, thank you for your cooperation.

Hope that this serves anyone, although I doubt it will.

Thank you!

Cheers!

:sun:

P.s.: Before closing this thread, one final note for @brada4 :

I've reset the VM flags along with its cpu-type, and apparently, it still works as expected.

I guess that the processing power does matter in some conditions, mostly whenever the speed of the connection is of utmost importance, but maybe not in this household context.

Care to comment?

Thank you!

Cheers!

:sun:
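
The resolution above can be read straight off the posted configuration: the dumbAP holds its own static address on VLAN 115, so a host on the upper LAN reaches it on-link and the main router does not route or NAT that traffic. The following is an added example, not code from the thread; it parses trimmed copies of the posted dumbAP config and init.d listing, and the client address 192.168.115.50 and all function names are assumptions.

```python
import ipaddress
import shlex

# Constructed sample: the dumbAP's /etc/config/network from the thread, trimmed.
DUMBAP_NETWORK = """
config interface 'lan'
        option proto 'static'
        option ipaddr '10.0.1.40'
        option netmask '255.255.255.0'
        list dns '192.168.115.2' # my pihole

config interface 'guest'
        option proto 'static'
        option ipaddr '10.0.20.40'
        option netmask '255.255.255.0'

config interface 'teo'
        option proto 'static'
        option ipaddr '192.168.115.40'
        option netmask '255.255.255.0'
"""

# Constructed sample: three lines of the dumbAP's init.d listing. The firewall
# init script starts no daemon, so it lists as "stopped" even when rules are
# loaded; the enabled/disabled column is what matters for it.
DUMBAP_SERVICES = """
/etc/init.d/dropbear               enabled         running
/etc/init.d/firewall              disabled         stopped
/etc/init.d/uhttpd                 enabled         running
"""

def parse_uci(text):
    """Parse UCI text into a list of {'type', 'name', 'options'} sections."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # strips quotes and '#' comments
        if not tok:
            continue
        if tok[0] == "config" and len(tok) >= 2:
            name = tok[2] if len(tok) > 2 else None
            sections.append({"type": tok[1], "name": name, "options": {}})
        elif tok[0] in ("option", "list") and len(tok) >= 3 and sections:
            sections[-1]["options"][tok[1]] = tok[2]  # last value wins
    return sections

def static_ipv4(sections):
    """Map interface name -> IPv4Interface for static, non-loopback interfaces."""
    found = {}
    for sec in sections:
        opt = sec["options"]
        if sec["type"] != "interface" or opt.get("proto") != "static":
            continue
        addr = opt.get("ipaddr")
        if not addr:
            continue
        if "/" not in addr:  # UCI allows CIDR in ipaddr or a separate netmask
            addr += "/" + opt.get("netmask", "255.255.255.255")
        iface = ipaddress.IPv4Interface(addr)
        if not iface.ip.is_loopback:
            found[sec["name"]] = iface
    return found

def service_states(text):
    """Map service name -> (enabled, running) from the init.d status listing."""
    states = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].startswith("/etc/init.d/"):
            name = parts[0].rsplit("/", 1)[1]
            states[name] = (parts[1] == "enabled", parts[2] == "running")
    return states

def audit(network_text, services_text, client):
    """Return (iface, address, path, note) rows as seen from host `client`.

    Assumes dropbear listens on every interface (no Interface option set).
    """
    host = ipaddress.IPv4Address(client)
    svc = service_states(services_text)
    ssh_up = svc.get("dropbear", (False, False))[1]
    fw_on = svc.get("firewall", (False, False))[0]
    rows = []
    for name, iface in static_ipv4(parse_uci(network_text)).items():
        path = "on-link" if host in iface.network else "routed"
        note = "ssh reachable, no local firewall" if ssh_up and not fw_on else ""
        rows.append((name, str(iface.ip), path, note))
    return rows

if __name__ == "__main__":
    for row in audit(DUMBAP_NETWORK, DUMBAP_SERVICES, "192.168.115.50"):
        print("%-6s %-16s %-8s %s" % row)
```

For the assumed upper-LAN client only the `teo` address comes back as on-link, which is the address the SSH command had to target. Where management access should stay on one network, dropbear's `Interface` option in /etc/config/dropbear limits the listener to that interface.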
