Hello to all.
I'm a newbie here, with a question that bothers me a lot.
I'm unable to access the SSH interface on OpenWRT 24.10.4.
I'm using a segmented network. One of my segments is enabled to have access to SSH.
(config follows)
URL: cgi-bin/luci/admin/system/admin/dropbear
Enable instance: YES
Interface: (interface I'm using - only local LAN has access)
Port: 22
Password authentication: ON
Allow root with password: YES
Gateway password: unchecked
*****
PuTTY response is: Network error. Connection refused.
I'm using exactly the same username for accessing LuCI and the same for SSH.
I checked the interface config - local IPv4 address (manual setting; 192.168.1.x)
Interface is OK - traffic is passing according to settings; firewall rules are OK
Glad to have some help.
Thank you in advance.
brada4
December 26, 2025, 8:25pm
2
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

```
ubus call system board
cat /etc/config/network
cat /etc/config/dropbear
cat /etc/config/dhcp
cat /etc/config/firewall
```
Are you unable to connect to ssh on just one of the segments or are both of them unable to reach the router? What about the web interface?
Hi. Thank you for the help. But I'm unable to access my router via SSH, only through LuCI.
All of my segments cannot access the router via SSH; all of them can access the Internet.
From all segments I can access the router via the web interface. I also tried to reach for more information here (some DNS stuff), but it seems there is no solution for me.
brada4
December 27, 2025, 1:03pm
6
Do you have any firewall(s) on your clients?
Maybe port 22 is blocked?
Do you have nmap installed and can you do a scan of your router?
Thank you for your help.
I did a check and the connection is dropped on the router side. I also changed the SSH port (from 22 to a random number) - the same outcome. I can't get past this. And I'm a bit confused (maybe due to my lack of knowledge).
Did you provide a copy of the configuration for troubleshooting?
lleachii:
The first command can only be done by ssh or a serial connection. Unless you connect the router via an UART adapter, this information is not available.
Edit:
You could also just copy the first 7 lines from LuCI's Status->Overview->System.
But you could extract the requested files (/etc/config/*) from your config backup. I assume you're using MS Windows, so 7zip should be able to read your *.tar.gz archive and extract the files.
I failed to mention to obtain these files via the web GUI.
Here are the files:
etc\config\network

```
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'redacted'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan3'
	list ports 'lan4'
	option ipv6 '0'
	option promisc '0'
	option acceptlocal '0'
	option sendredirects '1'
	option arp_accept '0'
	option drop_gratuitous_arp '0'
	option multicast '1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.77.99'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'wan'
	option device 'eth1'
	option proto 'static'
	option ipaddr '77.92.206.19'
	option netmask '255.255.255.0'
	option gateway '77.92.206.1'
	option delegate '0'
	list dns '94.140.14.14'

config device
	option type 'bridge'
	option name 'connect'
	option bridge_empty '1'
	option ipv6 '0'
	option promisc '0'
	option acceptlocal '0'
	option sendredirects '1'
	option arp_accept '0'
	option drop_gratuitous_arp '0'

config interface 'connect'
	option proto 'static'
	option device 'connect'
	option ipaddr '192.168.66.99'
	option netmask '255.255.255.0'
	option gateway '192.168.77.99'
	option broadcast '192.168.66.255'
	option delegate '0'
	list dns '192.168.77.99'

config device
	option type 'bridge'
	option name 'Televize'
	list ports 'lan2'
	option mtu '1500'
	option promisc '0'
	option acceptlocal '0'
	option sendredirects '1'
	option arp_accept '0'
	option drop_gratuitous_arp '0'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'domaciwifi'
	option mtu '1500'
	option ipv6 '0'

config interface 'domaciwifi'
	option proto 'static'
	option device 'domaciwifi'
	option ipaddr '192.168.11.1'
	option netmask '255.255.255.0'
	option gateway '192.168.77.99'
	option broadcast '192.168.11.255'
	option delegate '0'
	list dns '192.168.11.1'

config interface 'Televize'
	option proto 'static'
	option device 'Televize'
	option ipaddr '192.168.22.1'
	option netmask '255.255.255.0'
	option gateway '192.168.77.99'
	option delegate '0'
	list dns '192.168.77.99'

config device
	option type 'bridge'
	option name 'Brother-printer'
	option bridge_empty '1'
	option ipv6 '0'

config interface 'Brother'
	option proto 'static'
	option device 'Brother-printer'
	option ipaddr '192.168.60.80'
	option netmask '255.255.255.0'
	option gateway '192.168.77.99'
	list dns '192.168.77.99'
	option delegate '0'
```
etc/config/dropbear

```
config dropbear 'main'
	option PasswordAuth 'on'
	option Port '2008'
	option Interface 'connect'
```
/etc/config/dhcp

```
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '0'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option port '54'
	list server '192.168.77.99'
	option quietdhcp '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '24h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,192.168.77.99'
	list dhcp_option '3,192.168.77.99'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
	option piofolder '/tmp/odhcpd-piofolder'

config dhcp 'domaciwifi'
	option interface 'domaciwifi'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'connect'
	option interface 'connect'
	option start '100'
	option limit '110'
	option leasetime '12h'

config dhcp 'Televize'
	option interface 'Televize'
	option start '100'
	option limit '105'
	option leasetime '12h'

config host
	option name 'ax52u'
	option ip '192.168.66.130'
	option leasetime 'infinite'
	list mac 'redacted'

config host
	option name 'Luki-NTB'
	list mac 'redacted'
	option ip '192.168.11.121'
	option leasetime 'infinite'

config host
	option name 'iPad9gen'
	list mac 'redacted'
	option ip '192.168.11.161'
	option leasetime 'infinite'

config dhcp 'Brother'
	option interface 'Brother'
	option start '100'
	option limit '105'
	option leasetime '12h'

config host
	option name 'Brother'
	option ip '192.168.60.183'
	list mac 'redacted'
	option leasetime 'infinite'
```
/etc/config/firewall

```
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config zone
	option name 'domaciwifi'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'domaciwifi'
	option family 'ipv4'

config zone
	option name 'connect'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'connect'

config zone
	option name 'Televize'
	option input 'REJECT'
	option output 'DROP'
	option forward 'REJECT'
	list network 'Televize'
	option family 'ipv4'

config zone
	option name 'Brother'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Brother'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option src 'domaciwifi'
	option name 'Umožni-DNS-domaciwifi'
	option family 'ipv4'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option src 'domaciwifi'
	option name 'Umožni-DHCP-domaciwifi'
	option family 'ipv4'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option src 'connect'
	option name 'Umožni-DNS-connect'
	option family 'ipv4'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option src 'connect'
	option name 'Umožni-DHCP-connect'
	option family 'ipv4'
	list proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option src 'Televize'
	option name 'Umožni-DNS-Televize'
	option family 'ipv4'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option src 'Televize'
	option name 'Umožni-DHCP-Televize'
	option family 'ipv4'
	option dest_port '67'
	option target 'ACCEPT'
	list proto 'udp'

config forwarding
	option src 'connect'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'domaciwifi'
	option dest 'wan'

config forwarding
	option src 'Televize'
	option dest 'wan'

config forwarding
	option src 'connect'
	option dest 'Brother'

config forwarding
	option src 'connect'
	option dest 'domaciwifi'

config forwarding
	option src 'domaciwifi'
	option dest 'Televize'

config forwarding
	option src 'connect'
	option dest 'lan'
```
I tried to change the port … no matter the port number, the result is the same. SSH access is not possible.
How did you arrive at this config? There are many things that look suspect.
brada4
December 30, 2025, 12:58am
17
What does the gw parameter mean here?

```
config interface 'connect'
	option proto 'static'
	option device 'connect'
	option ipaddr '192.168.66.99'
	option netmask '255.255.255.0'
	option gateway '192.168.77.99'
	option broadcast '192.168.66.255'
	option delegate '0'
	list dns '192.168.77.99'
```

Anyway, no firewall rule permits your ssh in that network.
You'd probably want ssh in the old lan, not in the fresh iot network.
It currently works as configured - you deny connections using a firewall and they don't happen.
The entire config is malformed. That section alone has multiple major issues.
When I was having issues with ssh,
this seemed to work (but I did need to hard reset my router, unfortunately).
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!
I created multiple devices and separated lan.
The main idea is to allow connection only through interface “connect” directly to the main router (192.168.77.99) via SSH and ban the other interfaces.
Maybe I was wrong with the implementation.
Any help will be highly appreciated.
Thank you, guys, and wish you a happy new year.
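
Added example, not part of any post in this thread and not OpenWrt project code: a small Python check that reads trimmed excerpts of the posted network, dropbear and firewall configs and reports, per interface, whether an SSH attempt to the router's address on that interface finds a listener. `parse_uci` and `ssh_reachability` are hypothetical helper names; the check assumes dropbear listens only on the addresses of the interface named by `option Interface`, looks at the first dropbear instance only, and reads zone input policies but not individual rules.

```python
import re
# Constructed sample: lines excerpted from the configs posted in the thread.
NETWORK = """
config interface 'lan'
option ipaddr '192.168.77.99'
config interface 'connect'
option ipaddr '192.168.66.99'
"""
DROPBEAR = """
config dropbear 'main'
option Port '2008'
option Interface 'connect'
"""
FIREWALL = """
config defaults
option input 'REJECT'
config zone
option input 'ACCEPT'
list network 'lan'
config zone
option input 'ACCEPT'
list network 'connect'
"""

def parse_uci(text):
    """Return UCI sections as (type, options); every option value is a list."""
    sections = []
    for line in text.splitlines():
        words = [q or bare for q, bare in re.findall(r"'([^']*)'|(\S+)", line)]
        if words[:1] == ["config"]:
            sections.append((words[1], {"_name": words[2:3]}))
        elif words[:1] in (["option"], ["list"]) and sections:
            sections[-1][1].setdefault(words[1], []).append(words[2])
    return sections

def ssh_reachability(network, dropbear, firewall):
    """Map interface -> (router ip, ssh port or None, verdict) for a client on it."""
    ips = {o["_name"][0]: o["ipaddr"][0]
           for t, o in parse_uci(network) if t == "interface" and "ipaddr" in o}
    fw = parse_uci(firewall)
    default = next(o["input"][0] for t, o in fw if t == "defaults")
    policy = {n: o.get("input", [default])[0]
              for t, o in fw if t == "zone" for n in o.get("network", [])}
    inst = next(o for t, o in parse_uci(dropbear) if t == "dropbear")
    port, bound = inst.get("Port", ["22"])[0], inst.get("Interface")
    report = {}
    for name, ip in ips.items():
        zone = policy.get(name, default)
        ok = "reachable" if zone == "ACCEPT" else "blocked: zone input is " + zone
        report[name] = (ip, port, ok) if not bound or name in bound else (ip, None, "no listener")
    return report
```

For the posted settings it reports a listener only on 192.168.66.99 port 2008, so an SSH attempt against 192.168.77.99 finds nothing listening on that address.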