Unable to get past firewall

Hi, I'm quite new to openwrt. I'm trying to setup SSH for WAN. My WAN is on eth1.

I ssh'd into the router using the private IP and tried monitoring traffic from WAN to port 22 using tcpdump -i eth1 tcp port 22. Then I ssh'd from my machine using the public IP of the router. I can see a lot of SYN packets arriving at the router but that's it. No ssh connection. Tried pinging from portscan and it says the packet was "filtered", meaning it did reach port 22 but was filtered by the firewall, which matches my previous observation.

I checked my firewall rule and it doesn't seem to be wrong.

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '22'
        option name 'SSH'

What else can go wrong here? I'm out of ideas.

It should be stated that it is generally not recommended to expose ssh to the internet. A vpn is the preferred method.

But that said, let’s see your complete firewall file.

2 Likes

here is the whole config

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'LAN3 lan lan2'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option network 'wan wan6'
	option masq '1'
	option mtu_fix '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config include 'zerotier'
	option type 'script'
	option path '/etc/zerotier.start'
	option reload '1'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config include 'adbyby'
	option type 'script'
	option path '/var/etc/adbyby.include'
	option reload '1'

config rule 'adblock'
	option name 'adblock'
	option target 'DROP'
	option src 'wan'
	option proto 'tcp'
	option dest_port '8118'

config include 'ipsecvpn'
	option type 'script'
	option path '/var/etc/ipsecvpn.include'
	option reload '1'

config include 'passwall'
	option type 'script'
	option path '/var/etc/passwall.include'
	option reload '1'

config include 'passwall_server'
	option type 'script'
	option path '/var/etc/passwall_server.include'
	option reload '1'

config include 'pptpd'
	option type 'script'
	option path '/var/etc/pptpd.include'
	option reload '1'

config include 'softethervpn'
	option type 'script'
	option path '/var/etc/softethervpn.include'
	option reload '1'

config include 'ssr_mudb_server'
	option type 'script'
	option path '/var/etc/ssr_mudb_server.include'
	option reload '1'

config include 'timecontrol'
	option type 'script'
	option path '/var/etc/timecontrol.include'
	option reload '1'

config rule 'kms'
	option name 'kms'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '1688'

config include 'unblockmusic'
	option type 'script'
	option path '/var/etc/unblockmusic.include'
	option reload '1'

config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'wan'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	option name 'SSH'

Your wan zone is already completely open. This is a very dangerous configuration. Input should always be set to reject unless the wan is actually connected to a trusted network.

2 Likes

This is also a dangerous forward.

What version of OpenWrt are you using?

ubus call system board

yeah I set it like that out of desperation, I was running out of ideas...

here is the version info

{
	"kernel": "5.4.52",
	"hostname": "OpenWrt",
	"system": "Intel(R) Core(TM) i3-7100U CPU @ 2.40GHz",
	"model": "Intel(R) Core(TM) i3-7100U CPU @ 2.40GHz : 2 Core 4 Thread",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"target": "x86/64",
		"revision": "SNAPSHOT",
		"description": "OpenWrt SNAPSHOT "
	}
}

Also, I was planning on doing some port forwarding for ssh access from wan to a server in lan. I think this wan -> lan forwarding is necessary for this need?

You should install a stable release. 22.03.2 is the latest as of this writing.

Thanks, I'll check that out. But normally that shouldn't matter right? I thought opening up firewall for traffic from wan to port 22 should be a very simple config...

Snapshots can have various bugs. Opening a port should be easy, but there can be issues unique to a specific snapshot that make it hard or impossible.

Also, have you verified that you have a public ip on your openwrt wan?

Sorry I'm very noob on this, what do you mean by having a public ip on the wan? I ran curl checkip.amazonaws.com to get my public IP, then I ran tcpdump on eth1 which is my wan, then I ran ssh on another machine using that public IP. tcpdump showed packets for that ssh, does that mean I have a public ip on my wan?

What does eth1 say for its ip address if you run ifconfig? Just post the first 2 octets.

1 Like

Is it this one you're talking about?
inet addr:192.168.2.2

That is not a public ip address. Is there another router in front of your openwrt system? If so, you need to port forward port 22 to your openwrt wan ip. And that also assumes that the wan ip of your main router is publicly routable.

2 Likes
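A small shell audit, added here and not from the thread, that checks a firewall config for the two issues raised above (wan zone input not REJECT, wan -> lan forwarding) and tests whether the WAN address is private or CGNAT, which is the double-NAT situation diagnosed in this post. The sample config and the address 192.168.2.2 are constructed from what was posted; only sh and awk are assumed.

```shell
# Added example, not from the thread: audit an OpenWrt /etc/config/firewall for the
# risky settings called out above and check whether the WAN address is private/CGNAT.
write_sample_fw() {  # constructed sample mirroring the thread's zones and forwarding
  cat > "$1" <<'EOF'
config zone
	option name 'lan'
	option input 'ACCEPT'
config zone
	option name 'wan'
	option input 'ACCEPT'
	option forward 'ACCEPT'
config forwarding
	option dest 'lan'
	option src 'wan'
EOF
}
wan_zone_option() {  # $1=file $2=option -> prints that option's value in the 'wan' zone
  awk -F"'" -v opt="$2" '
    function flush() { if (name == "wan" && val != "") print val; name = ""; val = "" }
    /^config zone/ { flush(); inzone = 1; next }
    /^config /     { flush(); inzone = 0; next }
    inzone && $1 ~ "option name "    { name = $2 }
    inzone && $1 ~ "option " opt " " { val = $2 }
    END { flush() }' "$1"
}
has_forwarding() {  # $1=file $2=src $3=dest -> exit 0 if that zone forwarding exists
  awk -F"'" -v s="$2" -v d="$3" '
    function check() { if (infw && src == s && dst == d) found = 1 }
    /^config forwarding/ { check(); infw = 1; src = ""; dst = ""; next }
    /^config /           { check(); infw = 0; next }
    infw && $1 ~ "option src "  { src = $2 }
    infw && $1 ~ "option dest " { dst = $2 }
    END { check(); exit (found ? 0 : 1) }' "$1"
}
is_private_ip() {  # exit 0 for RFC1918 or CGNAT (100.64.0.0/10) IPv4 addresses
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) return 0 ;;
    *) return 1 ;;
  esac
}
audit_firewall() {  # $1=firewall file $2=WAN IPv4; prints one line per finding
  [ "$(wan_zone_option "$1" input)" = "REJECT" ] || echo "FINDING: wan zone input is not REJECT"
  has_forwarding "$1" wan lan && echo "FINDING: wan -> lan forwarding exposes the whole LAN"
  is_private_ip "$2" && echo "FINDING: WAN address $2 is private/CGNAT (double NAT)"
  return 0
}
f=$(mktemp); write_sample_fw "$f"; audit_firewall "$f" 192.168.2.2; rm -f "$f"
```

On a real router, run audit_firewall against /etc/config/firewall with the address shown by ifconfig for the WAN interface; three findings are expected for the config posted in this thread.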

OK, thank you so much sir, at least now I know what part is wrong. Also, noob question: changing the ip of eth1 from what it is now to the public IP I got is not going to work, right?

I don’t understand what you are asking or trying to do.

nvm, if it doesn't make sense then it's probably wrong lol. but thank you sir for the answers. my router setup is a bit messy now, I need to figure out which router is the one that has the public IP first...

Was the test SRC machine connected to LAN or WAN?