SSH Connection Refused when 4G Enabled (Dual-Wan setup)

OpenWrt 21.02.5 running on a GL-x750v2.

  1. Primary wWAN is 2g Wifi (connects to a local SSID)
  2. Backup wWAN via 4g/LTE Modem.

I have no problem SSH'ing to the router on the primary WAN.

If I disable the primary wireless WAN so that the 4gWAN is the only connection to the internet, I can Ping and SSH to it no problem (I can do this because my SIM card provider allows an OpenVPN connection to their network which then allows me to ping/ssh the device within that network, even though it does not have a static public IP).

However, the moment I bring my wWAN back up, I get ssh: connect to host 10.xxx.xxx.210 port 22: Connection refused. But I can PING 10.xxx.xxx.210 with no problem.

When I use tcpdump -i wwan0 I can see the incoming packets, but obviously no response on my end:
21:10:12.150851 IP 10.yy.yy.133.39150 > 10.xx.xx.210.22: Flags [S], seq 2148067423, win 64240, options [mss 1358,sackOK,TS val 3967433170 ecr 0,nop,wscale 7], length 0

Why can I not ssh but I can ping in this scenario?

What I am expecting
My router should always maintain a 4g/LTE wWAN. I can use this to SSH into the router anytime. If the primary wWAN is online and connected, the 4g wWAN should just sit idle and not be used for WAN data, but it should not deny incoming requests to allowed ports on that interface.

What am I missing? Would this issue have something to do with an improperly configured Gateway?

My Configuration

Regarding the files below, I configured a local "management" wlan to the router itself for my development access at the moment.
I currently have eth0 configured as part of that "management" lan because I am troubleshooting why my wlan doesn't always come online at boot and I need to make sure I have router access.
(I have no problem SSH'ing via either of these.)

/etc/config/dropbear
config dropbear
    option Port '22'
    option PasswordAuth 'off'
    option GatewayPorts 'on'

/etc/config/wireless
config wifi-device 'radio0'
    option type 'mac80211'
    option path 'pci0000:00/0000:00:00.0'
    option channel '36'
    option band '5g'
    option htmode 'VHT80'
    option disabled '1'

config wifi-device 'radio1'
    option type 'mac80211'
    option path 'platform/ahb/18100000.wmac'
    option channel '1'
    option band '2g'
    option htmode 'HT20'
    option cell_density '0'

config wifi-iface 'default_radio1'
    option device 'radio1'
    option mode 'ap'
    option encryption 'none'
    option ssid 'trWnepO'
    option network 'Management'

config wifi-iface 'wifinet2'
    option device 'radio1'
    option mode 'sta'
    option ssid 'SSID1'
    option encryption 'psk2'
    option key 'xxxxxxxxxxx'
    option network 'wifi_wan'

config wifi-iface 'wifinet3'
    option device 'radio1'
    option mode 'sta'
    option network 'wwan'
    option ssid 'SSID2'
    option encryption 'psk2'
    option key 'xxxxxxxxxxx'

/etc/config/network
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd28:9916:8e51::/48'

config device
    option name 'br-lan'
    option type 'bridge'

config interface 'Management'
    option proto 'static'
    option ipaddr '192.168.126.1'
    option netmask '255.255.255.0'
    option device 'radio1.network2'

config interface '4g_modem'
    option ifname 'wwan0'
    option proto 'qmi'
    option device '/dev/cdc-wdm0'
    option apn 'em'
    option auth 'none'
    option pdptype 'ipv4'
    option node '1-1.2:1.4'
    option service 'fdd_lte'
    option metric '10'

config interface 'wifi_wan'
    option proto 'dhcp'
    option device 'wlan1'
    option metric '1'

config interface 'passthrough'
    option proto 'static'
    option device 'eth0'
    option ipaddr '192.168.127.1'
    option netmask '255.255.255.0'
    option defaultroute '0'

config interface 'wwan'
    option proto 'dhcp'
    option metric '2'
    option device 'radio1.network3'

/etc/config/firewall
config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option synflood_protect '1'

config include
    option path '/etc/firewall.user'

config zone
    option name 'management'
    option input 'ACCEPT'
    option forward 'REJECT'
    option output 'REJECT'
    list network 'Management'
    list network 'passthrough'

config zone
    option output 'ACCEPT'
    option forward 'REJECT'
    option input 'REJECT'
    option name 'wifi_wan'
    list network 'wifi_wan'
    list network 'wwan'

config zone
    option name '4g_wan'
    option output 'ACCEPT'
    option forward 'REJECT'
    list network '4g_modem'
    option input 'REJECT'

config rule
    option name 'Allow-SSH'
    option dest_port '22'
    option target 'ACCEPT'
    list proto 'tcp'
    option src '4g_wan'

config rule
    option name 'Allow-DHCP-Renew'
    option family 'ipv4'
    list proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option src 'management'

config rule
    option name 'Allow-Ping'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'
    option src 'wifi_wan'

config rule
    option name 'Allow-Ping'
    option proto 'icmp'
    option family 'ipv4'
    option target 'ACCEPT'
    option src '4g_wan'
    list icmp_type 'echo-request'

config rule
    option name 'Allow-IGMP'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'
    option src 'wifi_wan'

config rule
    option name 'Allow-IPSec-ESP'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'
    option src 'wifi_wan'

config rule
    option name 'Allow-DHCP-Renew'
    list proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option src 'wifi_wan'

config rule
    option name 'Allow-DHCP-Renew'
    list proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option src '4g_wan'

config rule
    option name 'Allow-SSH'
    list proto 'tcp'
    option src 'wifi_wan'
    option dest_port '22'
    option target 'ACCEPT'

/etc/config/mwan3
config globals 'globals'
    option mmx_mask '0x3F00'

config policy 'wan_only'
    option last_resort 'unreachable'
    list use_member 'wifi_wan_1_1'
    list use_member 'wifi_backup_wan_1_1'

config interface 'wifi_wan'
    option enabled '1'
    option family 'ipv4'
    option track_method 'ping'
    option reliability '1'
    option count '1'
    option size '56'
    option max_ttl '60'
    option check_quality '0'
    option timeout '4'
    option interval '10'
    option failure_interval '5'
    option recovery_interval '5'
    option down '5'
    option up '5'
    list track_ip '209.244.0.3'
    list track_ip '8.8.4.4'
    list track_ip '1.1.1.1'
    option initial_state 'offline'
    list flush_conntrack 'ifup'
    list flush_conntrack 'connected'

config member 'wifi_wan_1_1'
    option interface 'wifi_wan'
    option metric '1'
    option weight '1'

config interface '4g_modem'
    option family 'ipv4'
    option track_method 'ping'
    option reliability '1'
    option max_ttl '60'
    option check_quality '0'
    option size '8'
    option timeout '10'
    option interval '30'
    option failure_interval '10'
    option recovery_interval '10'
    option down '4'
    option up '2'
    list track_ip '9.9.9.9'
    list track_ip '208.67.220.220'
    option count '5'
    option initial_state 'offline'
    option enabled '0'
    list flush_conntrack 'ifup'
    list flush_conntrack 'connected'

config member '4g_modem_5_1'
    option interface '4g_modem'
    option metric '5'
    option weight '1'

config policy '4g_modem_only'
    list use_member '4g_modem_5_1'
    option last_resort 'unreachable'

config interface 'wwan'
    option enabled '1'
    option family 'ipv4'
    option track_method 'ping'
    option reliability '1'
    option count '1'
    option size '56'
    option max_ttl '60'
    option check_quality '0'
    option timeout '4'
    option interval '10'
    option failure_interval '5'
    option recovery_interval '5'
    option down '5'
    option up '5'
    list track_ip '209.244.0.4'
    list track_ip '8.8.8.8'
    list track_ip '1.0.0.1'
    option initial_state 'offline'
    list flush_conntrack 'ifup'
    list flush_conntrack 'connected'

config member 'wifi_backup_wan_1_1'
    option interface 'wwan'
    option metric '1'
    option weight '1'

Details

Output of `ip a show`
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
   valid_lft forever preferred_lft forever
inet6 ::1/128 scope host 
   valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 94:83:c4:13:8c:83 brd ff:ff:ff:ff:ff:ff
inet 192.168.127.1/24 brd 192.168.127.255 scope global eth0
   valid_lft forever preferred_lft forever
inet6 fe80::9683:c4ff:fe13:8c83/64 scope link 
   valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 94:83:c4:13:8c:82 brd ff:ff:ff:ff:ff:ff
4: wwan0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
link/none 
inet 10.188.228.210/30 brd 10.188.228.211 scope global wwan0
   valid_lft forever preferred_lft forever
inet6 fe80::6d53:5596:17:cc6e/64 scope link stable-privacy 
   valid_lft forever preferred_lft forever
5: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 94:83:c4:13:8c:84 brd ff:ff:ff:ff:ff:ff
7: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 94:83:c4:13:8c:84 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.38/24 brd 192.168.1.255 scope global wlan1
   valid_lft forever preferred_lft forever
inet6 fe80::9683:c4ff:fe13:8c84/64 scope link 
   valid_lft forever preferred_lft forever
8: wlan1-1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 96:83:c4:13:8c:84 brd ff:ff:ff:ff:ff:ff
9: wlan1-2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 92:83:c4:13:8c:84 brd ff:ff:ff:ff:ff:ff
inet 192.168.126.1/24 brd 192.168.126.255 scope global wlan1-2
   valid_lft forever preferred_lft forever
inet6 fe80::9083:c4ff:fe13:8c84/64 scope link 
   valid_lft forever preferred_lft forever
Output of `ip route show`
default via 192.168.1.1 dev wlan1 proto static src 192.168.1.38 metric 1 
default via 10.xxx.xxx.209 dev wwan0 proto static src 10.xxx.xxx.210 metric 10 
10.xxx.xxx.208/30 dev wwan0 proto static scope link metric 10 
192.168.1.0/24 dev wlan1 proto static scope link metric 1 
192.168.126.0/24 dev wlan1-2 proto kernel scope link src 192.168.126.1 
192.168.127.0/24 dev eth0 proto kernel scope link src 192.168.127.1
Output of `ip rule show`
0:	from all lookup local
1001:	from all iif wlan1 lookup 1
2001:	from all fwmark 0x100/0x3f00 lookup 1
2061:	from all fwmark 0x3d00/0x3f00 blackhole
2062:	from all fwmark 0x3e00/0x3f00 unreachable
3001:	from all fwmark 0x100/0x3f00 unreachable
32766:	from all lookup main
32767:	from all lookup default
Output of `ip route list table 1-250`
Table 1:
default via 192.168.1.1 dev wlan1 proto static src 192.168.1.38 metric 1 
10.188.228.208/30 dev wwan0 proto static scope link metric 10 
192.168.1.0/24 dev wlan1 proto static scope link metric 1 
192.168.126.0/24 dev wlan1-2 proto kernel scope link src 192.168.126.1 
192.168.127.0/24 dev eth0 proto kernel scope link src 192.168.127.1

Any other info I can provide? I'm a little concerned that, after providing all this information, the fix is some checkbox I simply didn't see...

Because:

You are using a SSH Key (since you disabled the password login), correct?

  • Do you allow SSH via WAN???
  • Do you restart dropbear?

Because:

No. option PasswordAuth 'off' does not cause a ssh: connect to host 10.xxx.xxx.210 port 22: Connection refused. response.

You are using a SSH Key (since you disabled the password login), correct?

Yes. This works perfectly fine on all other interfaces that I SSH from.

Do you allow SSH via WAN???

I have a dual WAN setup (a Wifi connection and a 4g modem connection). My /etc/config/firewall has 2 rules that should cover both of these:

config rule
    option name 'Allow-SSH'
    option dest_port '22'
    option target 'ACCEPT'
    list proto 'tcp'
    option src '4g_wan'

config rule
    option name 'Allow-SSH'
    list proto 'tcp'
    option src 'wifi_wan'
    option dest_port '22'
    option target 'ACCEPT'

I should note that in the scenario I outlined above, taking down my firewall (fw3) has no effect on whether the connection is allowed. Only disabling the WiFi wWAN actually allows me to successfully connect to dropbear through the 4g interface.

Put another way, I can always SSH into the router via the wWAN interface (if it's up). If the wWAN is not up, I can always SSH into the router via the 4g WAN interface. The moment I bring both up together, I can no longer SSH into the router via the 4g router (but SSH'ing into the router via wWAN remains fine).

Do you restart dropbear?

I had not tried this yet as I thought dropbear listens on all interfaces and the 4gWAN is always up, so I'm not clear why restarting dropbear would be necessary. I tested this just now and restarting dropbear while both WAN interfaces are up does not change the outcome.

My feeling is that this is not a firewall issue, else I'd be able to get a different response while 'fw3' was stopped. I am not very clear about routing tables, but the fact that bringing up a 2nd WAN interface while the 4g interface is active (and at that moment I lose the ability to SSH into the router via the 4g interface) makes me think it's something with routing(?). Or maybe dropbear is getting confused on what interface to listen on in that moment? But I don't know how to test that properly.

Okay, I also just tested scenarios with Dropbear listening on different interfaces specifically (as opposed to "All") to see if it affected the behavior above. No impact at all. So it doesn't seem like a listener issue.

What would change in how traffic is handled as it arrives at the router over the 4g interface when the WiFi wWAN is enabled, vs when it's not, when the firewall and listener service are not a factor?

The "4g modem" interface is not enabled, so the necessary iptables and ip rules that mark the incoming traffic and direct the marked packets to the correct routing table are missing.
That routing table (2) is also missing.

Therefore, when both interfaces are running and you send an SSH request to the 4g_modem interface, the response is returned through the wifi_wan interface because it has a lower metric.
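An added example of the mechanism that explanation describes, written by the editor and not taken from the thread or from mwan3: plain source-based policy routing with `ip`, so that a connection arriving on wwan0 is answered out of wwan0 regardless of which WAN holds the lower-metric default route in the main table. The addresses are the ones in the poster's `ip a`/`ip route` output; table 100 and rule preference 500 are assumptions, and mwan3's own conntrack-fwmark rules are not replicated here.

```shell
#!/bin/sh
# Added example, not from the thread: source-based policy routing so that replies to
# connections arriving on the 4G interface leave via that interface, even while the
# Wi-Fi WAN owns the lower-metric default route in the main table.
# Addresses come from the poster's `ip a`/`ip route` output; TABLE and PREF are assumed.
WAN_IF=${WAN_IF:-wwan0}
WAN_IP=${WAN_IP:-10.188.228.210}
WAN_GW=${WAN_GW:-10.188.228.209}
WAN_NET=${WAN_NET:-10.188.228.208/30}
TABLE=${TABLE:-100}     # dedicated routing table for the 4G return path
PREF=${PREF:-500}       # sorts before mwan3's 1001+ rules and before main (32766)
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands; DRY_RUN=0 executes them (root on the router)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Populate the table with the link route and a default via the 4G gateway, then add a
# rule so any packet sourced from the 4G address consults that table first. dropbear's
# reply to a SYN received on wwan0 is sourced from WAN_IP, so it matches this rule
# instead of falling through to the main table's Wi-Fi default route.
install_return_path() {
    run ip route replace "$WAN_NET" dev "$WAN_IF" table "$TABLE"
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$TABLE"
    run ip rule add pref "$PREF" from "$WAN_IP" lookup "$TABLE"
}

remove_return_path() {
    run ip rule del pref "$PREF" from "$WAN_IP" lookup "$TABLE"
    run ip route flush table "$TABLE"
}

# Ask the kernel which way a reply to CLIENT would go; with the rule installed the
# answer names dev wwan0, without it the Wi-Fi WAN device (the asymmetric path).
verify_return_path() {
    run ip route get "$1" from "$WAN_IP" iif "$WAN_IF"
}

case "${1:-install}" in
    install) install_return_path ;;
    remove)  remove_return_path ;;
    verify)  verify_return_path "${2:?usage: $0 verify CLIENT_IP}" ;;
esac
```

Run it with no arguments to see the commands it would issue; `DRY_RUN=0 ./return_path.sh install` applies them, and `verify CLIENT_IP` before and after shows the chosen egress device change from wlan1 to wwan0.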

Ok that makes sense, but this behavior did exist prior to me setting option enabled '0'. That makes me think this is all routing table related.

In theory, is my goal possible with routing tables? Am I able to maintain the 4g connection to always handle incoming connections that arrive on its interface yet act as a back-up to a primary WAN interface should it go down?

I made some tests and it really doesn't work as expected. I'll look into the issue when I have time.

It will only work if the system detects that the interface is down and modifies the routing table (like when running ifdown).
If the interface is up but there is no internet connection, the back-up will fail.

Outstanding. Thank you so much for clarifying that. I am going to head in a different direction then.
