SSH Access form WAN side

I have a BTHH5A as modem and main router, and a C7 as a secondary router connected via WDS. I set up DDNS and made two rules to forward high-numbered ports (one for each router) to port 22 of the LAN address of each router.

Now if I SSH to my DDNS URL (using the port number) from my phone via my home network, it works. But if I try to connect using mobile data, it gets stuck before authentication. It doesn't fail outright the way it does straight away if, for example, I put in a wrong port number.

So what explains that? I would think that maybe the router gets the IP of my DDNS URL from the ARP table and figures out that it's actually its own address, so it doesn't send the traffic to the WAN side; but the high port number works, which suggests that the connection actually comes from the WAN side. So how is that different from accessing from a mobile network?

Do you have a public IP on your router's WAN?

NAT Loopback explains that.
You know the drill...

# Diagnostic dump requested by the responder: board info, the uci network/dhcp/
# firewall packages, the custom firewall.user script, the full iptables ruleset
# with packet counters, IPv4 addresses/routes/policy rules, and every resolv.conf
# on the box. Run as root on the router; its output is what the reply quotes.
ubus call system board
uci export network
uci export dhcp
uci export firewall
# 'head -n -0' prints a whole file (all but the last 0 lines); with several
# files head also prints a '==> name <==' header before each one.
head -n -0 /etc/firewall.user
iptables-save -c
ip -4 addr
ip -4 ro li tab all
ip -4 ru
ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

Yes, not static though, hence the DDNS.

Indeed!

root@BT:~# ubus call system board
{
        "kernel": "4.14.195",
        "hostname": "BT",
        "system": "xRX200 rev 1.2",
        "model": "BT Home Hub 5A",
        "board_name": "bt,homehub-v5a",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.4",
                "revision": "r11208-ce6496d796",
                "target": "lantiq/xrx200",
                "description": "OpenWrt 19.07.4 r11208-ce6496d796"
        }
}
root@BT:~# uci export network
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd31:73ec:1c86::/48'

config atm-bridge 'atm'
        option vpi '1'
        option vci '32'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'

config dsl 'dsl'
        option ds_snr_offset '0'
        option line_mode 'vdsl'
        option annex 'b'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.1'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr 'redacted'

config interface 'wan'
        option ifname 'dsl0'
        option proto 'pppoe'
        option username 'redacted'
        option password 'redacted'
        option ipv6 'auto'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '8.8.8.8'
        option mtu '1492'

config device 'wan_dev'
        option name 'dsl0'
        option macaddr 'redacted'

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 4 6t'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6t'
        option vid '2'
root@BT:~# uci export dhcp
package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option leasetime '12h'
        option limit '150'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
root@BT:~# uci export firewall
package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'REJECT'
        option input 'DROP'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config redirect
        option dest_port '22'
        option src 'wan'
        option target 'DNAT'
        option dest_ip '192.168.0.1'
        option dest 'lan'
        list proto 'tcp'
        option name 'ddns-bt'
        option src_dport 'redacted'

config redirect
        option dest_port '22'
        option src 'wan'
        option name 'ddns-c7'
        option src_dport 'redacted'
        option target 'DNAT'
        option dest_ip '192.168.0.2'
        option dest 'lan'
        list proto 'tcp'
root@BT:~# head -n -0 /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
root@BT:~# iptables-save -c
# Generated by iptables-save v1.8.3 on Fri Dec 25 22:32:21 2020
*nat
:PREROUTING ACCEPT [506:88874]
:INPUT ACCEPT [163:11217]
:OUTPUT ACCEPT [62:4349]
:POSTROUTING ACCEPT [3:188]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[506:88874] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[487:88046] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[19:828] -A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[108:24178] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[105:23990] -A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.0.0/24 -d 192.168.0.1/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: ddns-bt (reflection)" -j SNAT --to-source 192.168.0.1
[0:0] -A zone_lan_postrouting -s 192.168.0.0/24 -d 192.168.0.2/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: ddns-c7 (reflection)" -j SNAT --to-source 192.168.0.1
[0:0] -A zone_lan_postrouting -s 192.168.0.0/24 -d 192.168.0.100/32 -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: RDT (reflection)" -j SNAT --to-source 192.168.0.1
[487:88046] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.0.0/24 -d 156.204.79.84/32 -p tcp -m tcp --dport 27211 -m comment --comment "!fw3: ddns-bt (reflection)" -j DNAT --to-destination 192.168.0.1:22
[0:0] -A zone_lan_prerouting -s 192.168.0.0/24 -d 156.204.79.84/32 -p tcp -m tcp --dport 27212 -m comment --comment "!fw3: ddns-c7 (reflection)" -j DNAT --to-destination 192.168.0.2:22
[0:0] -A zone_lan_prerouting -s 192.168.0.0/24 -d 156.204.79.84/32 -p tcp -m tcp --dport 33890 -m comment --comment "!fw3: RDT (reflection)" -j DNAT --to-destination 192.168.0.100:3389
[105:23990] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[105:23990] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[19:828] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 27211 -m comment --comment "!fw3: ddns-bt" -j DNAT --to-destination 192.168.0.1:22
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 27212 -m comment --comment "!fw3: ddns-c7" -j DNAT --to-destination 192.168.0.2:22
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 33890 -m comment --comment "!fw3: RDT" -j DNAT --to-destination 192.168.0.100:3389
COMMIT
# Completed on Fri Dec 25 22:32:21 2020
# Generated by iptables-save v1.8.3 on Fri Dec 25 22:32:21 2020
*raw
:PREROUTING ACCEPT [6147:2129540]
:OUTPUT ACCEPT [623:102283]
:zone_lan_helper - [0:0]
[3181:704481] -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
COMMIT
# Completed on Fri Dec 25 22:32:21 2020
# Generated by iptables-save v1.8.3 on Fri Dec 25 22:32:21 2020
*mangle
:PREROUTING ACCEPT [6149:2129620]
:INPUT ACCEPT [853:71591]
:FORWARD ACCEPT [5018:2001029]
:OUTPUT ACCEPT [625:102939]
:POSTROUTING ACCEPT [5641:2103864]
:RRDIPT_FORWARD - [0:0]
:RRDIPT_INPUT - [0:0]
:RRDIPT_OUTPUT - [0:0]
[26320:2372500] -A INPUT -j RRDIPT_INPUT
[689492:449267752] -A FORWARD -j RRDIPT_FORWARD
[24:1356] -A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[25:1372] -A FORWARD -i pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[20603:2259246] -A OUTPUT -j RRDIPT_OUTPUT
[0:0] -A RRDIPT_INPUT -i eth0 -j RETURN
[0:0] -A RRDIPT_OUTPUT -o eth0 -j RETURN
COMMIT
# Completed on Fri Dec 25 22:32:21 2020
# Generated by iptables-save v1.8.3 on Fri Dec 25 22:32:21 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_DROP - [0:0]
[40:3554] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[814:68077] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[630:55898] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[18:748] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[165:11351] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[19:828] -A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
[5018:2001029] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[4969:1979836] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[49:21193] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[40:3554] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[587:100009] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[528:95848] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[59:4161] -A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[18:748] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[49:21193] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[49:21193] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[165:11351] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[165:11351] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[165:11351] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[2:104] -A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[106:25250] -A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[19:828] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[19:828] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_DROP
[59:4161] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[59:4161] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[19:828] -A zone_wan_src_DROP -i pppoe-wan -m comment --comment "!fw3" -j DROP
COMMIT
# Completed on Fri Dec 25 22:32:21 2020
root@BT:~# ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.0.1/24 brd 192.168.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
29: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc cake state UNKNOWN qlen 3
    inet redacted peer redacted/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
root@BT:~# ip -4 ro li tab all
default via 41.236.117.129 dev pppoe-wan
redacted dev pppoe-wan scope link  src redacted
192.168.0.0/24 dev br-lan scope link  src 192.168.0.1
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
local redacted dev pppoe-wan table local scope host  src redacted
broadcast 192.168.0.0 dev br-lan table local scope link  src 192.168.0.1
local 192.168.0.1 dev br-lan table local scope host  src 192.168.0.1
broadcast 192.168.0.255 dev br-lan table local scope link  src 192.168.0.1
root@BT:~# ip -4 ru
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
root@BT:~# ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
ls: /tmp/resolv.*/*: No such file or directory
lrwxrwxrwx    1 root     root            16 Sep  6 18:19 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Dec 25 18:03 /tmp/resolv.conf
-rw-r--r--    1 root     root            54 Dec 25 18:05 /tmp/resolv.conf.auto
-rw-r--r--    1 root     root            54 Dec 25 18:05 /tmp/resolv.conf.ppp
root@BT:~# head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 1.1.1.1
nameserver 8.8.8.8

==> /tmp/resolv.conf.ppp <==
nameserver 163.121.128.134
nameserver 163.121.128.135
head: /tmp/resolv.*/*: No such file or directory

FYI this is not needed; I can see it works fine for you, but I had problems with it in past versions. I haven't filled it in since, and it still gets the correct MTU.

This redirect should be a rule. Create a new instance of dropbear on the src_dport and allow that.

Both your DNATs have zero hits in iptables though, so nothing actually reached the device from the internet. There are also no hits in the reflection rules, so I am not sure you restarted the firewall and reset the counters after you tested from the lan. Either way everything looks correct.

Thanks!

I sometimes find it hard to distinguish between redirecting and accepting traffic. Isn't redirecting traffic from WAN to LAN essentially accepting it?

Why a new instance on the external port? If I change the destination port in the rule, shouldn't I be able to keep dropbear on 22 while exposing the src_dport on the WAN? (It didn't work though, so I must be missing something.)

I guess it doesn't help that I had a power loss a few hours ago and hadn't tried to SSH into the router before I sent the files.

Here it is

root@BT:~# iptables-save -c
# Generated by iptables-save v1.8.3 on Sat Dec 26 01:27:15 2020
*nat
:PREROUTING ACCEPT [14301:2524670]
:INPUT ACCEPT [5678:400310]
:OUTPUT ACCEPT [2874:197653]
:POSTROUTING ACCEPT [57:5080]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[14305:2524910] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[13491:2473581] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[814:51329] -A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[6616:1336170] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[8:2095] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[6558:1331030] -A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
[8:2095] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.0.0/24 -d 192.168.0.1/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: ddns-bt (reflection)" -j SNAT --to-source 192.168.0.1
[1:60] -A zone_lan_postrouting -s 192.168.0.0/24 -d 192.168.0.2/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: ddns-c7 (reflection)" -j SNAT --to-source 192.168.0.1
[0:0] -A zone_lan_postrouting -s 192.168.0.0/24 -d 192.168.0.100/32 -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: RDT (reflection)" -j SNAT --to-source 192.168.0.1
[13491:2473581] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[1:60] -A zone_lan_prerouting -s 192.168.0.0/24 -d 156.204.79.84/32 -p tcp -m tcp --dport 27211 -m comment --comment "!fw3: ddns-bt (reflection)" -j DNAT --to-destination 192.168.0.1:22
[1:60] -A zone_lan_prerouting -s 192.168.0.0/24 -d 156.204.79.84/32 -p tcp -m tcp --dport 27212 -m comment --comment "!fw3: ddns-c7 (reflection)" -j DNAT --to-destination 192.168.0.2:22
[0:0] -A zone_lan_prerouting -s 192.168.0.0/24 -d 156.204.79.84/32 -p tcp -m tcp --dport 33890 -m comment --comment "!fw3: RDT (reflection)" -j DNAT --to-destination 192.168.0.100:3389
[6558:1331030] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[6558:1331030] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[814:51329] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[1:60] -A zone_wan_prerouting -p tcp -m tcp --dport 27211 -m comment --comment "!fw3: ddns-bt" -j DNAT --to-destination 192.168.0.1:22
[1:60] -A zone_wan_prerouting -p tcp -m tcp --dport 27212 -m comment --comment "!fw3: ddns-c7" -j DNAT --to-destination 192.168.0.2:22
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 33890 -m comment --comment "!fw3: RDT" -j DNAT --to-destination 192.168.0.100:3389
COMMIT
# Completed on Sat Dec 26 01:27:15 2020
# Generated by iptables-save v1.8.3 on Sat Dec 26 01:27:15 2020
*raw
:PREROUTING ACCEPT [359646:215734987]
:OUTPUT ACCEPT [10730:1323971]
:zone_lan_helper - [0:0]
[145919:29428036] -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
COMMIT
# Completed on Sat Dec 26 01:27:15 2020
# Generated by iptables-save v1.8.3 on Sat Dec 26 01:27:15 2020
*mangle
:PREROUTING ACCEPT [359646:215734987]
:INPUT ACCEPT [11806:1078783]
:FORWARD ACCEPT [343764:213721228]
:OUTPUT ACCEPT [10730:1323971]
:POSTROUTING ACCEPT [354361:215037013]
:RRDIPT_FORWARD - [0:0]
:RRDIPT_INPUT - [0:0]
:RRDIPT_OUTPUT - [0:0]
[37273:3379692] -A INPUT -j RRDIPT_INPUT
[1028238:660987951] -A FORWARD -j RRDIPT_FORWARD
[2951:171292] -A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[2916:163252] -A FORWARD -i pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[30708:3480278] -A OUTPUT -j RRDIPT_OUTPUT
[0:0] -A RRDIPT_INPUT -i eth0 -j RETURN
[0:0] -A RRDIPT_OUTPUT -o eth0 -j RETURN
COMMIT
# Completed on Sat Dec 26 01:27:15 2020
# Generated by iptables-save v1.8.3 on Sat Dec 26 01:27:15 2020
*filter
:INPUT ACCEPT [1:98]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_DROP - [0:0]
[480:40722] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[11330:1038221] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[4185:530337] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[752:34320] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[6072:445904] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[1073:61980] -A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
[343764:213721228] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[339534:212502814] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[4229:1218354] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[1:60] -A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[480:40722] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[10254:1284833] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[7429:1089897] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[7:2303] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[2818:192633] -A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[752:34320] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[7:2303] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[4229:1218354] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[4229:1218354] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[1:60] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[6072:445904] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[1:60] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[6071:445844] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[7:2303] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[7:2303] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[6070:445746] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[131:8010] -A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[6915:1402917] -A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
[1:60] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[1:60] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[1073:61980] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[3:102] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[1:60] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[1069:61818] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_DROP
[2818:192633] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[2818:192633] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[1069:61818] -A zone_wan_src_DROP -i pppoe-wan -m comment --comment "!fw3" -j DROP
COMMIT
# Completed on Sat Dec 26 01:27:15 2020

Yes, but if the LAN address is the router's own IP, then you are doing the same thing with extra CPU load for the translations.

# Two dropbear instances: one bound to the wan interface on a non-default port
# with password logins (and root password logins) switched off, and one bound
# to the lan interface on port 22 that still accepts passwords.
config dropbear
	option Port '2222'
	option GatewayPorts 'on'
	option RootPasswordAuth 'off'
	option PasswordAuth 'off'
	option Interface 'wan'

# LAN-side instance: default port, password authentication kept on.
config dropbear
	option GatewayPorts 'on'
	option Port '22'
	option PasswordAuth 'on'
	option Interface 'lan'

Looks better; however, you should be accessing the router by its LAN IP or an internal name rather than doing NAT reflection to go from the LAN to the WAN IP and then back to the LAN IP. Generally NAT reflection is a hack and costs CPU cycles for something that should be intra-LAN traffic.

OK, so for the "main router" I have set the following (let's work with password authentication for now):

# WAN-facing dropbear instance on a custom port ('xxxxx' is a placeholder for
# the real port); password authentication deliberately left on for now.
config dropbear
	option Port 'xxxxx'
	option PasswordAuth 'on'
	option Interface 'wan'
	option GatewayPorts 'on'

And the following firewall rule

config rule
	option src_port 'xxxxx'
	option src 'wan'
	option name 'ddns-bt'
	option target 'ACCEPT'
	list proto 'tcp'

Though, no success yet. What am I doing wrong?

As for the secondary router (connected to main router via WDS) I have the following rule

config rule
	option src_port 'yyyyy'
	option src 'wan'
	option name 'ddns-c7'
	option target 'ACCEPT'
	option dest 'lan'
	list dest_ip '192.168.0.2'
	option dest_port '22'
	list proto 'tcp'

But that doesn't seem to work either.

The other thing I'm still confused about for the secondary router: what's the difference between

  • making a rule on the main router to accept traffic from WAN and pass it to the secondary router's LAN IP, and
  • just creating a port forward on the main router from WAN to the secondary router's LAN IP

Focus on a single (main) router for now.
With a single dropbear instance running on LAN, create the following rule and delete all the earlier added rules.

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '8022 or any port you want to use externally'
	option dest_ip 'your LAN IP here'
	option dest_port '22'
	option name 'wan_ssh'

That's what I tried initially. Anyway, I disabled the firewall rule for the secondary router and recreated a forward for it. Still no good. It gets stuck and doesn't try the authentication.

Go to any port testing site like this and run port scan/test there. Watch for incoming requests on your WAN using tcpdump.

You want to do this in /etc/config/firewall (have been using this for years):

config 'redirect'
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '6723'
option dest_ip '192.168.0.1'
option dest_port '22'
option name 'ssh'

where you should adjust src_dport to whatever port you want to expose, and option dest_ip '192.168.0.1' should be the internal LAN IP address of your router.

The site shows the port as open. tcpdump shows the following:

13:25:35.181564 IP 5.79.75.134.44560 > WANIP.port: Flags [S], seq 2558501152, win 29200, options [mss 1460,nop,nop,sackOK], length 0
13:25:35.197429 IP WANIP.port > 5.79.75.134.44560: Flags [S.], seq 813931338, ack 2558501153, win 29200, options [mss 1452,nop,nop,sackOK], length 0
13:25:35.269407 IP 5.79.75.134.44560 > WANIP.port: Flags [.], ack 1, win 29200, length 0
13:25:35.269422 IP 5.79.75.134.44560 > WANIP.port: Flags [R.], seq 1, ack 1, win 29200, length 0

I have that already!

config redirect
	option dest_port '22'
	option src 'wan'
	option name 'sshc7'
	option src_dport 'xxxxx'
	option target 'DNAT'
	option dest_ip '192.168.0.2'
	option dest 'lan'
	list proto 'tcp'

Then run tcpdump on LAN instead of WAN to see if your rule is working.

The following is an extract from running tcpdump on the main router's LAN, showing traffic on port 22 of the secondary router's IP.

13:53:54.369578 IP 192.168.0.2.22 > 5.79.75.134.32816: Flags [S.], seq 558180833, ack 1583292425, win 29200, options [mss 1460,nop,nop,sackOK], length 0
...
13:53:54.443314 IP 5.79.75.134.32816 > 192.168.0.2.22: Flags [.], ack 1, win 29200, length 0
13:53:54.443674 IP 5.79.75.134.32816 > 192.168.0.2.22: Flags [R.], seq 1, ack 1, win 29200, length 0
...
13:53:54.449620 IP 192.168.0.2.22 > 5.79.75.134.32816: Flags [P.], seq 1:323, ack 1, win 29200, length 322
...
13:53:54.523411 IP 5.79.75.134.32816 > 192.168.0.2.22: Flags [R], seq 1583292425, win 0, length 0

And the following is an extract from tcpdump on secondary router's LAN

14:06:03.086120 IP 5.79.75.134.39802 > 192.168.0.2.22: Flags [S], seq 2203029943, win 29200, options [mss 1452,nop,nop,sackOK], length 0
14:06:03.086298 IP 192.168.0.2.22 > 5.79.75.134.39802: Flags [S.], seq 3632075827, ack 2203029944, win 29200, options [mss 1460,nop,nop,sackOK], length 0
...
14:06:03.162493 IP 5.79.75.134.39802 > 192.168.0.2.22: Flags [.], ack 1, win 29200, length 0
14:06:03.163122 IP 5.79.75.134.39802 > 192.168.0.2.22: Flags [R.], seq 1, ack 1, win 29200, length 0

Wrong, it should be dest_port.

Same mistake: you are using src_port (the client's source port) instead of src_dport.

I am keeping the dropbear port as 22 and changing the exposed WAN port, so the router should forward from xxxxx at WAN to 22 at LAN.

No, src_port is the port the client is using, which is a random ephemeral port somewhere between 1024 and 65535.

OK, sorry, I was thinking port forwarding at the time.

OK, so for accessing the main router, I have the following:

config dropbear
	option Port 'xxxxx'
	option PasswordAuth 'on'
	option Interface 'wan'
	option GatewayPorts 'on'

config rule
	option src_port 'xxxxx'
	option src 'wan'
	option name 'ddns-bt'
	option target 'ACCEPT'
	list proto 'tcp'
	option dest_port 'xxxxx'

The client is using the same xxxxx port. Still, I get connection refused!

Remove the src_port from the rule; as I said already, this is a random client-side port, not the 22 or 2222 or whatever port the server is listening on.