I'm trying to forward ssh connections from anywhere on the internet to my server behind an OpenWrt router. It sits behind another router/antenna controlled by my ISP. The port on that seems open:
Also changed default dropbear port to something else.
I can ssh from local network to my server no problem, /etc/hosts.allow allows any IP.
What is curious (I'm a noob when it comes to networking) is that
nmap -Pn 192.168.1.100
...
22/tcp closed ssh
...
even though I'm connected to it through ssh from local network.
And I cannot ssh to it from outside.
What am I doing wrong? Are my interfaces in order in that iptables rule?
Gosh, sorry but not sure what you mean. WAN is on eth0.1 and LAN on br-lan if that's what you're asking about.
I've added a rule through the LuCI interface now:
Protocol -TCP
Source - wan:0.0.0.0/0:*
Via - device:0.0.0.0/:22
Destination - lan:192.168.1.100:22
Action - DNAT
Still no joy. If all is ok with those rules, perhaps it is my server setup that is faulty? But I can log in from lan and hosts.allow allows any IP, so what gives?
Also, should I tick that box in System->Administration 'Allow remote hosts to connect to local SSH forwarded ports'?
Eduperez,
Unfortunately ain't got tcpdump on the router - I'm afraid this is an antique with severely limited space and installing any extra packages is iffy. Any other way to test that?
It's a small ISP, a one-man kinda operation, I can give him a bell but he swore he turned the ports on so I'd like to be sure it is not my setup's fault before I do.
Ok, supposedly there is not enough space to install tcpdump permanently but I can install it to RAM...
I'm just doing that, could you tell me what I'm looking for, how to run it to test whether packets arrive at the OpenWrt router?
It's not that complicated.
Type tcpdump -i eth0.1 -vn tcp port 22 and try to connect from outside. Tcpdump can catch packets before they hit the firewall, which is open by the way.
trendy,
when I try your command there's silence.
Just wanted to double check - I'm a noob - I'm trying to log in with hostname@public_ip_here,
hostname is present in LuCI->Network->Hostnames
that hostname appears in LuCI->Network->DHCP and DNS -> active leases
does that seem right?
Assign your OpenWrt router WAN port a static IP, from the same subnet you see now on that port. Note the address.
Configure port forwarding or DMZ on your ISP router, put the address from above step as a destination.
Forget about hostnames for a while and test ports from outside by using telnet xxx yyy where xxx is your ISP router's WAN IP (that should be public) and yyy is the TCP port you want to check. As mentioned earlier, check with tcpdump on the OpenWrt WAN.
Please change the topic name to something like "port forwarding for ssh" to avoid confusion with the forwarding function of ssh.
This is getting interesting. I ran a remote debugging session with my ISP and well, it looks like an issue with their antenna/router settings. Beyond my control. The antenna/router is a MikroTik LHG5. Does it make sense to post its settings here?
The only thing we learned is that when he was logged in to the said antenna and tried to ssh to the router, I could see incoming packets. When it's an ssh attempt from further away than the antenna, no incoming packets.
The odd thing is, if I connect laptop to a WAN port of the OpenWrt, get rid of the routing rule, set the ssh port to 22, change permitted ssh to WAN, laptop IP to the WAN IP subnet, I can ping it but can't ssh to it. I could ssh through WAN to the server though.
Also, thanks for that rapid debugging session - really great community.
You need to use pre routing to forward the packet to the right machine and port. Then set up the forward or input/input rule to accept the incoming and outgoing packets.
Right. As I have no knowledge of MikroTik and its ways I do not know how to do that.
Here are the settings for the antenna/router behind which OpenWrt sits. If you guys have any ideas, that would be awesome. I'll have to run it through my ISP to test them so it may be rather slow to test.
trendy,
actually that's what I meant, thanks for correcting my wording.
Just to double check I'm doing everything possible:
Now when I connect to the WAN port of the router with a laptop I can ssh to the Pi behind it, it gets forwarded without problems. That does mean when my ISP figures out how to forward traffic on port 22 to the router I am ready to go, right?