[multiwan][multihome] SSH server on multiple wan interfaces

Setup: openwrt router with at least 2 public interfaces (both ipv4 or ipv6)
Goal: Connect to ssh/dropbear on any of the interfaces.
Problem: You can connect to sshd/dropbear only on the default's route interface.

Reason: dropbear will send reply to requests received on second wan by default route…

Any idea how to deal with the situation?


This problem is far broader, but only rears its head when you have multiple routing paths between the server and client. The easiest situation to think about is multiple external/public wan interfaces - you have 2 ways of reaching the client. If the path matches the server's default route everything works; if not, it will probably break. You can notice similar problems with multiple lans/wifis in an internal network.

Basic reason - dropbear binds to an interface only for listening; it answers using the kernel's default routing table. In many situations this is not a problem: for local networks your router/server has them in its routing table, and unknown addresses are external/wan -> use the default route. This breaks when you have more than one wan, or a network with more than one working route from the client.

I recommend you to use multiple ports for dropbear, and route packets by ports like Local OpenVPN Server + OpenVPN Client (Scenario 1): https://docs.openwrt.melmac.net/vpn-policy-routing/

Thanks for the suggestion - tried, was not able to make it work (but it might)…
Found a cleaner solution, but haven't found a good way to put it dynamically (different ip/gateway):

ip route add table 10000 81.12.1.0/21  dev eth1.99
# ip route add table 10000 *ip range of wan* dev wan_dev
ip route add table 10000 default via 81.12.1.1 dev eth1.99
# ip route add table 10000 *wan gateway* dev wan_dev
ip rule add from 81.12.1.10 lookup 10000
# ip rule add from *wan interface ip* lookup 10000

The routing table id can be different (as long as it does not conflict with existing tables).

For public ip you need:

ip route add table 10000 wan_ip dev wan_dev
ip route add table 10000 default dev wan_dev
ip rule add from wan_ip lookup 10000
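The two posts above give the same three commands, first with concrete values and then as a template. The script below is an added example, not code from this thread: it derives the interface address, prefix and gateway from the kernel's own `ip -4 -o addr show` and `ip -4 route show default` output, masks the address to its network, and prints the `ip route`/`ip rule` lines for a chosen table id. The function names, the table id 10000, the interface name eth1.99 and the sample command output embedded below are constructed for illustration; on a router you would feed it the real output instead of the samples.

```shell
#!/bin/sh
# Added example (not from the thread): generate per-wan source-routing commands
# from live interface data instead of hard-coding ip/gateway values.
# Function names, table id and sample data below are assumptions.

# Dotted-quad IPv4 address -> integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Integer -> dotted-quad IPv4 address.
int2ip() {
    n=$1
    echo "$(( n / 16777216 % 256 )).$(( n / 65536 % 256 )).$(( n / 256 % 256 )).$(( n % 256 ))"
}

# Network address of addr/plen, e.g. "81.12.1.10 21" -> "81.12.0.0".
network_of() {
    plen=$2
    if [ "$plen" -eq 0 ]; then
        mask=0
    else
        mask=$(( 4294967295 - ((1 << (32 - plen)) - 1) ))
    fi
    int2ip $(( $(ip2int "$1") & mask ))
}

# First IPv4 addr/prefix of interface $1 from captured "ip -4 -o addr show" output $2.
addr_of() {
    printf '%s\n' "$2" | awk -v dev="$1" '$2 == dev && $3 == "inet" { print $4; exit }'
}

# Gateway of interface $1 from captured "ip -4 route show default" output $2.
gateway_of() {
    printf '%s\n' "$2" | awk -v dev="$1" '
        $1 == "default" && $2 == "via" {
            for (i = 4; i <= NF; i++)
                if ($i == "dev" && $(i + 1) == dev) { print $3; exit }
        }'
}

# Emit the three commands from the thread for one wan.
# $1 iface, $2 addr/plen, $3 gateway, $4 routing table id
src_routing_cmds() {
    addr=${2%/*}
    plen=${2#*/}
    net=$(network_of "$addr" "$plen")
    printf 'ip route add table %s %s/%s dev %s\n' "$4" "$net" "$plen" "$1"
    printf 'ip route add table %s default via %s dev %s\n' "$4" "$3" "$1"
    printf 'ip rule add from %s lookup %s\n' "$addr" "$4"
}

# Constructed sample output for a secondary wan "eth1.99" (addresses taken
# from the thread; the first default route belongs to the primary wan).
SAMPLE_ADDR='5: eth1.99    inet 81.12.1.10/21 brd 81.12.7.255 scope global eth1.99\       valid_lft forever preferred_lft forever'
SAMPLE_ROUTES='default via 203.0.113.1 dev eth0.2 metric 10
default via 81.12.1.1 dev eth1.99 metric 20'

# Build the commands for the sample wan. On the router, replace the samples
# with "$(ip -4 -o addr show dev eth1.99)" and "$(ip -4 route show default)"
# and pipe the output to sh.
demo() {
    iface=eth1.99
    cidr=$(addr_of "$iface" "$SAMPLE_ADDR")
    gw=$(gateway_of "$iface" "$SAMPLE_ROUTES")
    src_routing_cmds "$iface" "$cidr" "$gw" 10000
}

demo
```

The network is computed by masking the interface address with its prefix length, so the first route line always carries a canonical network (81.12.0.0/21 for 81.12.1.10/21) rather than a hand-typed one. The gateway lookup only matches a `default via ... dev <iface>` line, so a wan whose gateway is not present in the main table (for example when only the primary wan has a default route there) yields an empty value and the generated default route must be supplied by hand.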

OK, what is the trouble with my suggestion?

The common approach is to mark packets and route them by different tables. But the simplest way is to mark them by port number. Manually you can try to mark them on the incoming interface.

Got it working, example below:

config policy
	option interface 'wan'
	option proto 'tcp'
	option name 'ssh'
	option chain 'OUTPUT'
	option src_port 'ssh_port'

By default it filters the PREROUTING chain; it works after changing the chain to OUTPUT. With the source address set to the wan's IP it's mostly equivalent to ip table/ip rule.