Port forwarding for ssh

Yes, that's right.

trendy,
cheers for that.
I see there are no comments about the Mikrotik config dump ... any clues?

Seems that rule #6 should be forwarding SSH packets from the 92.X.Y.Z public IP to 192.168.88.254, which I hope is the WAN IP of your OpenWrt. You can verify that with ip -4 addr

trendy,

that is correct, it is the WAN IP. Still, I can't ssh from the internet, and there's no traffic I could see on the router's port 22 with tcpdump.

All evidence points to your ISP's configuration. Do other port forwards work fine? I can see they are also forwarding 80 and 443.

Take OpenWrt completely out of equation.
Connect your PC to the ISP router, assign your PC 192.168.88.254, install Wireshark, tcpdump, etc., and work with your ISP.

AndrewZ,
That won't work, I don't think: the thing consists of a long-distance antenna and a WAN port. I have no ssh access. Or should I just look for packets arriving from the WAN, is that what you're suggesting?

trendy,
nmap from the LAN side shows port 443 as filtered, from the internet as closed.
Port 80 shows as closed from both the LAN side and the WAN side. tcpdump shows packets arriving on both ports.

Almost correct. Just look for packets arriving from your ISP router to your PC.
OpenWrt is out of the discussion for now.

AndrewZ,
are you suggesting those tcpdump scans on OpenWrt are not reliable? To be clear, I'm running tcpdump on OpenWrt now, not on a laptop, so it should catch packets arriving at it just like it would if I connected a laptop, is my understanding.

Please forget about OpenWrt for a while; there are no signs yet that your problem has any relation to OpenWrt. Make the simplest configuration, PC directly connected to the ISP router, and work with your ISP.

AndrewZ,
OK, will try; got to wait for that, he ain't gonna do that for me today.
Also wanted to check: if my ISP's router has, as per his configs, a forwarding rule set for port 22 (assuming that the rule is OK syntax-wise and all), can there be some superseding setting not allowing port 22 to open?

You don't need anybody else to run the test. It looks like your ISP router has port forwards configured for TCP ports 22, 80, 333, 443. Just go to any port testing site like this and run the test. Watch for results in your Wireshark, tcpdump, etc., not on the web site.
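The test described above boils down to: trigger connections from outside to each forwarded port, capture on the WAN side, and note which destination ports actually receive a SYN. The following is an added example, not code from the thread or from OpenWrt, that performs that bookkeeping on saved tcpdump output. The capture text is constructed for the example (the documentation address 203.0.113.5 stands in for the external tester, 192.168.88.254 for the OpenWrt WAN address from the thread), and the expected port set {22, 80, 333, 443} is taken from the post above. A reply of SYN-ACK versus RST from the WAN address is also recorded, which is what separates "the ISP is not forwarding it" from "it arrives but nothing answers".

```python
import re

# Constructed sample of `tcpdump -n -i <wan-if> tcp` one-line output.
# Not captured from the poster's router; addresses are illustrative.
SAMPLE_CAPTURE = """\
14:02:11.101001 IP 203.0.113.5.50101 > 192.168.88.254.80: Flags [S], seq 1, win 64240, length 0
14:02:11.101220 IP 192.168.88.254.80 > 203.0.113.5.50101: Flags [S.], seq 2, ack 2, win 65160, length 0
14:02:11.204004 IP 203.0.113.5.50102 > 192.168.88.254.443: Flags [S], seq 1, win 64240, length 0
14:02:11.305310 IP 203.0.113.5.50103 > 192.168.88.254.333: Flags [S], seq 1, win 64240, length 0
14:02:11.305550 IP 192.168.88.254.333 > 203.0.113.5.50103: Flags [R.], seq 0, ack 2, win 0, length 0
14:02:12.004120 IP 192.168.88.1.53 > 192.168.88.254.41000: Flags [P.], seq 1:20, ack 1, win 500, length 19
"""

# Matches the start of a tcpdump TCP line: timestamp, IPs with trailing port, and the flag set.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Yield one dict per TCP line that matches tcpdump's one-line format; others are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkt = m.groupdict()
            pkt["sport"] = int(pkt["sport"])
            pkt["dport"] = int(pkt["dport"])
            yield pkt


def inbound_syn_ports(text, wan_ip):
    """Destination ports on wan_ip that received a bare SYN (flags exactly 'S')."""
    return {p["dport"] for p in parse_capture(text)
            if p["dst"] == wan_ip and p["flags"] == "S"}


def wan_responses(text, wan_ip):
    """Map local port -> 'syn-ack' or 'rst' for replies sent from wan_ip.

    SYN-ACK means something (the router or a DNAT target) accepted the connection;
    RST means the SYN arrived but nothing was listening or forwarding for that port.
    """
    out = {}
    for p in parse_capture(text):
        if p["src"] != wan_ip:
            continue
        if p["flags"].startswith("S"):
            out[p["sport"]] = "syn-ack"
        elif p["flags"].startswith("R"):
            out[p["sport"]] = "rst"
    return out


def forwarding_report(text, wan_ip, expected_ports):
    """For each port the upstream router is supposed to forward, say whether a SYN
    reached the WAN address ('arrived') or never showed up ('missing', so the hop in
    front of OpenWrt is the place to look)."""
    seen = inbound_syn_ports(text, wan_ip)
    return {port: ("arrived" if port in seen else "missing")
            for port in sorted(expected_ports)}


if __name__ == "__main__":
    wan = "192.168.88.254"
    replies = wan_responses(SAMPLE_CAPTURE, wan)
    for port, status in forwarding_report(SAMPLE_CAPTURE, wan, {22, 80, 333, 443}).items():
        print(f"tcp/{port}: {status}, reply: {replies.get(port, 'none')}")
```

To use it on a real run, capture with something like `tcpdump -n -i <wan-if> tcp > capture.txt` while the external test runs, then feed the file's contents to `forwarding_report` in place of the constructed sample. In the sample, 22 is "missing" while 333 arrives and is answered with RST, which is exactly the pattern that tells you the ISP-side forward for 22 is absent but 333 is usable once OpenWrt has a DNAT for it.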

AndrewZ,
I've tried that: changed my ethernet to the address of the router's WAN, plugged the antenna into it, but can't get a connection for some reason (I'm running Gentoo on the laptop, not that it should matter...). Do I need some additional steps here? Here's my routing table when the IP is set to 192.168.88.254 (the router's WAN IP):

route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.88.0    0.0.0.0         255.255.255.0   U     0      0        0

I understand what you're saying: simplify the setup as much as possible. We're relying on tcpdump on OpenWrt working correctly if I ssh to the router and run those scans from there. But, in theory, it should, and it shouldn't matter whether I'm testing this on the router or on a laptop plugged straight into the antenna, should it?

Your issues are unrelated to OpenWrt so far. Please keep in mind that this is the OpenWrt forum.
Your routing table is wrong: the destination should be 0.0.0.0 and the gateway 192.168.88.1.
The desired result would be something like this:

$ ip -4 r
default via 192.168.88.1 dev ens1 proto static

AndrewZ,

Your issues are unrelated to OpenWrt so far.

I understand that, and I appreciate the help in understanding that this is the issue.

I've corrected my routing, it works, scanned those ports and results are the same: no packets arrive at port 22. Traffic arrives at ports 80, 333, 443.

As a workaround, should I simply redirect traffic arriving on port 333 on OpenWrt to my server and use that port for ssh?

Now we're back to the subject. Add the following to your /etc/config/firewall:

# DNAT: TCP arriving on the WAN side at port 333 goes to the server's port 22
config redirect
        option enabled '1'
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '333'
        option dest_ip '192.168.1.100'   # LAN address of the ssh server (adjust)
        option dest_port '22'
        option name 'myserver'

then reload the firewall and test with ssh username@{ISP router IP} -p 333

AndrewZ,
just a minute, I changed the firewall rules on OpenWrt and the Pi configs, now just quickly compiling tcpdump on the Pi (I want to see that happen :-))

OK. We're getting somewhere. Packets arrive at the router but do not get forwarded to the Pi yet.

[edit, as the forum does not allow me to post more posts (just in time)]

Jessusss. Got there. Amazing. I can't express my relief and gratitude, I have to leave this setup in a few hours and now I know it works and I can get to it from the outside.

What I did: something was wrong with adding that rule through /etc/firewall.user, so I simply added it through LuCI and it works. Tested from outside and it politely asks for a password.

Thank you all for helping me with it. Don't know if I should mark it as solved, as that bloody port 22 still does not forward the traffic, but the workaround works.

[second edit]
The edit button on the old posts is gone, so I can't seem to mark the topic as solved. Perhaps in 8 hours?

Please mark it as solved, as the fact that port 22 does not work is completely unrelated to OpenWrt.

