I've got a Raspberry and configured it to be accessed remotely on a certain domain (e.g. myddnsdomain.com) via SSH (on specific port e.g.
sshd is listening on that port instead of
22), so what I need to do is access my Raspberry remotely by executing
ssh -p 5555 myddnsdomain.com.
I tried to create a new rule via LuCI in
Port Forwards such as:
192.168.1.3 is the internal IP of the Raspberry).
I'm not able to connect via
ssh -p 5555 myddnsdomain.com, it results in a connection timeout, what am I doing wrong?
5555 is already allowed in the Rasbperry firewall.
Do I maybe have to create a
Traffic Rule instead / as well?
Are you sure the domain points to the correct IP-address and are you sure you have a public IP-address on WAN? Many ISPs these days use CGNAT on IPv4 and thus customers aren't getting public addresses.
mmm I'm sure about the correct IP, not about the CGNAT, but that's why I thought the DDNS service would help me in that!
check your WAN IP, and compare it with the IP you get back on any whatsmyip site.
sorry where can I see it in LuCI?
What @frollic said, the IP on the WAN interface must be your true public IP or it is not going to work. Many ISPs will NAT many customers to one public IP (Carrier Grade NAT) and this makes incoming connections impossible. If CGNAT is in place, the IP issued to the customer is a private one usually in the 10.x or 100.x space.
Since it is an internal service in the router, use a Traffic Rule, not a Forward. Accept port 5555 TCP from wan. It doesn't get forwarded to lan because the ssh service is listening directly on wan.
Generally you'll need to test with a separate Internet connection outside the LAN.
clear, thanks, indeed the IP I see in my main ISP router (not OpenWRT of course) is one in the 10.x space. So I'm adding a Traffic Rule now and see...
That won't work, since that will not do anything to the NAT your ISP is running
but I opened the port on the IPS router as well... anyway what's the alternative I have to make it work?
change ISP, ask/pay for a public IP ?
not an option for me unfortunately!
That's not how CGNAT works: CGNAT is NAT on your ISP's premises, it's completely out of your reach. It is not happening on any of the devices in your home, it is happening where your router/modem is connecting to.
There is nothing you can do to open ports on a CGNAT, so you really only have two options: you get a VPN-account that allows opening ports over that connection and set your OpenWrt to always route all traffic through that VPN, or you rent an external server.
True enough; my mobile broadband has CGNAT only on IPv4, but IPv6 gets assigned a direct /64, so it certainly can happen. I just assumed OP doesn't have IPv6, since they didn't mention anything about it. In hindsight, I should've asked first.