I try to remote ssh over WAN, and the connection fails. No message is shown; it seems to always be trying to connect.
I use port mapping in the router, and my command is: $ ssh -p 5000 root@10.xx.xx.xx
I am sure the port mapping is working because the other board can be connected normally.
Maybe, I guess the firewall is the problem, so I modified /etc/config/firewall :
config rule
	option name 'Allow-SSH'
	option src 'wan'
	option proto 'tcpudp'
	option dest_port '22'
	option target 'ACCEPT'
Oh, sorry, my statement is wrong.
Before $ /etc/init.d/firewall enable, I had run the command /etc/init.d/firewall restart.
I just have a private IP, and my computer and the remote board are on this local network. But the board is connected to the router.
The router WAN is 10.xx.xx.xx and LAN is 192.168.50.xx
Thank you!
I have remote access opened up on one of my family member's routers via ssh. The rule on the remote router looks like this:
config redirect
	option name 'DANGER-allow-SSH-from-WAN'
	option target 'DNAT'
	option src 'wan'
	option src_ip '11.22.33.44'   # This is my external IP address from 'ip -4 a show dev eth0' on my local router.
	option src_dport '909'        # This is the port I access, remote ISP blocks 22.
	option dest 'lan'
	option dest_ip '10.1.1.1'     # This is the remote router's LAN address.
	option dest_port '22'
From my local workstation (anything on the local LAN), I can then get in by specifying the remote external IP address.
This is an RFC1918 address, not a public IP as you have noted. Unless your ISP provides a public IP or can give you special port forwarding, it is not possible to get any inbound connections on your WAN.
Actually, my connection is 10.xx.xx.01 -> 10.xx.xx.02:5000
10.xx.xx.02 is the router; it maps 5000 to the LAN (e.g. 192.168.50.100:22)
This method works on other boards. So I suspect the board's firewall is wrong.
Thank you!
Ok, so you have two routers? And the '10.xx.xx.xx' one is a subnet router that you are trying to access from the "WAN" side? If that is correct, then I do that, too.
The rule on the subnet router looks substantially the same as above for "real" external WAN access, but I don't remap the port.
config redirect
	option name 'DANGER-allow-SSH-from-WAN'
	option target 'DNAT'
	option src 'wan'
	option src_dport '22'        # Probably 5000 in your example.
	option dest 'lan'
	option dest_ip '10.1.3.1'    # LAN address of the subnet router, in your case probably 192.168.50.100.
	option dest_port '22'
	option src_ip '10.1.1.186'   # LAN address of the workstation from which I start 'ssh'.
Then I can do this from my workstation to get into the subnet router.
$ ssh root@10.1.1.20 # That's the "WAN" address of the subnet router.
If you show us ip -4 address on the router you want to access, that would help a lot.
I should add that I use the remote/subnet router's LAN address for dest_ip because I have dropbear listening only on LAN interfaces (which should also work for all reasonable dropbear configurations).
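An added audit example, not code from this thread or from OpenWrt: it parses firewall sections written in the UCI format quoted above (the earlier 'config rule' and the 'config redirect' entries) and reports which ones admit port 22 from the wan zone, what they reach, and whether 'option src_ip' pins them to one source address. The config it scans is constructed for the example.

```python
"""Audit an OpenWrt /etc/config/firewall fragment for SSH reachable from wan.
Added example, not code from the thread; addresses and ports are constructed."""
import shlex

# Constructed sample: a permissive 'rule' plus a DANGER-style 'redirect'.
SAMPLE_CONFIG = """config rule
\toption name 'Allow-SSH'
\toption src 'wan'
\toption proto 'tcpudp'
\toption dest_port '22'
\toption target 'ACCEPT'
config redirect
\toption name 'DANGER-allow-SSH-from-WAN'
\toption target 'DNAT'
\toption src 'wan'
\toption src_dport '5000'
\toption dest 'lan'
\toption dest_ip '192.168.50.100'
\toption dest_port '22'
\toption src_ip '10.1.1.186'
"""

def parse_uci(text):
    """Return [(section_type, {option: value}), ...] from UCI text."""
    sections = []
    for raw in text.splitlines():
        words = shlex.split(raw.split('#', 1)[0])   # drop '# ...' comments
        if words[:1] == ['config'] and len(words) > 1:
            sections.append((words[1], {}))
        elif words[:1] in (['option'], ['list']) and sections and len(words) > 2:
            sections[-1][1][words[1]] = words[2]
    return sections

def ssh_exposure(text):
    """List every section that lets SSH (port 22) in from the wan zone."""
    findings = []
    for kind, o in parse_uci(text):
        if o.get('src') != 'wan' or o.get('dest_port') != '22':
            continue
        if kind == 'redirect' and o.get('target') == 'DNAT':
            reaches, wan_port = o.get('dest_ip', '?') + ':22', o.get('src_dport', '22')
        elif kind == 'rule' and o.get('target') == 'ACCEPT':
            # A rule with no 'dest' matches traffic addressed to the router itself.
            reaches, wan_port = 'zone ' + o['dest'] if 'dest' in o else 'router itself', '22'
        else:
            continue
        findings.append({'name': o.get('name', '(unnamed)'), 'wan_port': wan_port,
                         'reaches': reaches, 'src_ip': o.get('src_ip')})
    return findings
```

A finding whose src_ip is None is reachable from any wan address; the redirect entry shows the outside port (5000) being mapped onto port 22 of the LAN host.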
If I would like to set this, which path can I set? Should this not be openwrt's /etc/config/firewall, but a path in the router? Can you give me an absolute path?
Thanks!
Are you trying to create an incoming connection from the internet? Or is the connection coming from the network immediately upstream of the one in question? Could you draw a diagram of your network topology and indicate where your connection attempt is originating?
Oh, I seem to understand your meaning! Your config is openwrt's config, and your router means openwrt.
But I am just learning how to use openwrt, so I call the openwrt router a board.
Actually, I don't use it as a router.
Thank you for helping me study!!
                      main-router
              10.1.1.0/24 (lan network)
               /                   \
        10.1.1.186              10.1.1.20 (router wan IP)
        workstation             subnet-router
                                192.168.1.1 (router lan IP)
                              192.168.1.0/24 (lan network)
                                 /    |    \
                             other subnet devices
Now we want to ssh from workstation to subnet-router. The wan firewall on subnet-router, by default, blocks all ingress on 10.1.1.20, so we need to add a rule to allow access. Additionally, we map outside port 5000 to 22 on subnet-router.
workstation$ ssh -p 5000 root@10.1.1.20
BusyBox v1.36.1 (2023-12-05 23:12:56 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__| |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt SNAPSHOT, r24586-f3cdc9f988
 -----------------------------------------------------
subnet-router$ echo $SSH_CONNECTION
10.1.1.186 56687 192.168.1.1 22
subnet-router$ ip -4 a
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc cake state UP qlen 1000
    inet 10.1.1.20/24 brd 10.1.1.255 scope global eth0
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
@efahl Thank you very much for your patience in answering my questions!
And I found my bug already. I used tcpdump and found my openwrt board has an incorrect gateway. So, the real error is not the firewall but the network!!