
I wish to set up a configuration on my home network on one of my machines. Namely, I wish to make it feasible to access it via ssh (the machine runs dropbear for ssh) but externally. Here's an "image" of the scenario I wish to achieve:

```
+---+  +---+  #1: has the static local IP of 1.2.3.4 and listens to port 22 for incoming ssh connections
|#1 |  |#2 |  #2: has a non-static local IP (DHCP given)
+---+  +---+  #3: 3 wishes to connect to #1
  |      |    GATE: the home modem. Its WAN IP is 5.6.7.8
-----  -----
  \      \                  +------+
   \______\_________________| GATE |
                            +------+
                               |
  +---+                        |
  |#3 |                     __ | _
  +---+                   _(  )_( )__
    |                    (_ internet_)
  -----                    (_) (__)
    \_________________________/
```

I have followed up and read a similar question here but I am having some trouble setting up my port-forwarding rules on my router's admin web interface and I would like to have some assistance if possible.

In the following image, you can see the options available in order to formulate a port forwarding rule on my modem.

(image: Port Forwarding Menu)

I have specified the imaginary IP address of #1 (for the sake of simplicity) as 1.2.3.4. But now, I am not completely sure about the following options. Okay, let's say that the WAN Host Start/End is the valid range of incoming connections. But then, I am not sure how to proceed with the

  1. WAN START/END ports
  2. LAN START/END ports

The ssh client running on #1 listens to port 22 and thus I have added that value there. But once again, I am not sure which of START/END it should fall into.

The manual for the displayed fields on the port forwarding menu says the following about those fields:

(image: Port Forwarding Manual)

Thank you in advance.

Update:

After specifying a WAN port range of (START,END):=(1,22) I tried to connect to the machine via:

```
ssh root@5.6.7.8 -p 22
```

But I got a timeout:

```
ssh: connect to host 5.6.7.8 port 22: Connection timed out
```

ex1led
  • Add '22' to the WAN Start Port and WAN End Port fields also – user535733 Apr 11 '21 at 17:22
  • @user535733 after adding ```22``` to both start/end wan fields and trying to connect to the machine via ```ssh root@5.6.7.8 -p 22``` I got a timeout. As far as I know I must bind the WAN port to the LAN port but are we sure that end/start should be the same? – ex1led Apr 11 '21 at 17:24
  • See the little 'enable' box at the top of your Port Forwarding window? Remember to turn it on. – user535733 Apr 11 '21 at 17:27
  • @user535733 Yes, the button (on the actual rule) is turned on obviously. My bad though..on the example here I forgot to tick it. I will update the image. – ex1led Apr 11 '21 at 17:30
  • try WAN start ip 0.0.0.0 and WAN end ip 255.255.255.255. actually, is the text confusing and really means WAN source port and destination port? If yes then WAN source port should be 1-65535. – Doug Smythies Apr 11 '21 at 17:35
  • @DougSmythies I tried this as well, setting the range ```0.0.0.0``` and ```255.255.255.254```, but in any case the router explicitly says that if you do not define a range of IPs then any WAN-side computer is allowed to make a request. I am still getting a timeout. I will update the post to include (as a new image) what the manual says about those entries. – ex1led Apr 11 '21 at 17:38
  • assuming "WAN Start Port" really means source port, then it can be anything, only the destination port has to be 22. – Doug Smythies Apr 11 '21 at 17:44
  • @DougSmythies that was my feeling as well, but I cannot leave the ```WAN Start Port``` field empty. I mean the interface prohibits me from leaving the field empty. – ex1led Apr 11 '21 at 17:46
  • Can you ssh from System #2 to System #1? – Terrance Apr 11 '21 at 18:27
  • @Terrance I can yes. I can ssh to it via ```ssh root@1.2.3.4 -p 22``` that prompts me the root password query. – ex1led Apr 11 '21 at 18:36
  • As long as you can ssh internally to the system, then that part is working correctly. So, without knowing what type of internet connection setup you have it can be super tough for us to know how you are supposed to configure it. From here it looks like you have it setup correctly for your router, but do you have a modem between your router and the internet? If you do, is your modem setup in Transparency mode so all internet traffic is going straight to your router? There can be other factors blocking why it isn't working. Does your ISP allow port 22 to your connection? – Terrance Apr 11 '21 at 18:42
  • @Terrance There is no router, please do excuse me, by router I meant my modem. All the devices are connected to the modem. I will look up about what you said on the menus available at the web interface. But...as far as I looked, the port-forwarding on my modem is just this setting and it ''should'' work. Do you think that monitoring traffic with ```wireshark``` while attempting connections externally would help to debug this? I mean, If I see packages on the local network then this means that the forwarding worked. Correct? – ex1led Apr 11 '21 at 18:45
  • @Terrance yep...It's definitely the port forwarding rule that gets blundered. After monitoring the network via ```wireshark``` under the ```ssh``` filter, I can see the activity when the machine ```#2``` attempts to connect to ```#1``` but not when I try to connect via WAN from ```#3``` – ex1led Apr 11 '21 at 19:07
  • Yep, there isn't a lot of configuration when it comes to forwarding a port to an internal IP address. Looks like you have done it correctly by setting a Reserved or Static IP to the system so that it doesn't change. The issue has to be with the modem or the ISP themselves maybe not allowing port 22. You can always try non-standard ports like 65534 or anything else. SSH can work on any port you want it to work on. Just make sure that you change your `/etc/sshd_config` file to match whatever port you want it to listen on. – Terrance Apr 11 '21 at 20:11
  • @Terrance I tried binding ```dropbear``` to another port, e.g. ```1821```, and also changed the respective forwarding rule via the admin web interface on the modem in order to match the port range value. Still I got a timeout. It's so weird... – ex1led Apr 11 '21 at 20:20
  • @Terrance my ISP had my network firewall settings on ```strict```, which prohibits me from enabling any kind of port forwarding rule, even though I enable the rule from my web-admin interface. I asked them to explicitly open the specific ports and they told me that it's their policy to not allow ad-hoc forwarding rules from the users unless told otherwise. So you were kinda right when you spoke about Transparency mode. If you like, create an answer to this post for other users to also be aware and I will accept it since you found the issue. :) Once again, thanks! – ex1led Apr 13 '21 at 16:29
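The question's confusion over the WAN/LAN START/END fields and Doug Smythies' point that the client's source port never matters can be checked against a small model of how a consumer modem evaluates such a rule. This is an added example, not code from the post or from any modem firmware; the field semantics (WAN Host range = allowed source IPs, WAN port range = destination port on the public IP, LAN port range = port on the LAN host, ranges of equal length) and the `isp_strict` flag standing in for the ISP's upstream firewall are assumptions, while 5.6.7.8 and 1.2.3.4 are the question's own imaginary addresses.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class ForwardRule:
    """One port-forwarding rule, mirroring the fields in the modem's menu."""
    enabled: bool
    wan_host_start: str   # allowed source IP range (inclusive)
    wan_host_end: str
    wan_port_start: int   # destination port range on the public (WAN) IP
    wan_port_end: int
    lan_ip: str           # static LAN address of host #1
    lan_port_start: int   # port range on the LAN host
    lan_port_end: int


def evaluate(rule: ForwardRule, src_ip: str, dst_port: int, isp_strict: bool = False) -> str:
    """Describe what happens to an inbound packet for the WAN IP aimed at dst_port.

    The client's ephemeral *source* port is deliberately not an argument: a
    destination-NAT rule never matches on it (Doug Smythies' point above).
    """
    if isp_strict:
        # Assumed behaviour: a 'strict' ISP profile discards the packet before
        # it reaches the modem, so the client only ever sees a timeout.
        return "timed out: filtered upstream of the modem (ISP policy)"
    if not rule.enabled:
        return "dropped: rule not enabled"
    if rule.wan_port_end - rule.wan_port_start != rule.lan_port_end - rule.lan_port_start:
        return "invalid rule: WAN and LAN port ranges differ in length"
    if not (IPv4Address(rule.wan_host_start) <= IPv4Address(src_ip) <= IPv4Address(rule.wan_host_end)):
        return f"dropped: source {src_ip} outside WAN host range"
    if not (rule.wan_port_start <= dst_port <= rule.wan_port_end):
        return f"dropped: destination port {dst_port} outside WAN port range"
    # Map the hit to the same offset inside the LAN range (22->22 here).
    lan_port = rule.lan_port_start + (dst_port - rule.wan_port_start)
    return f"forwarded to {rule.lan_ip}:{lan_port}"


# Rule with 22 in every port field, as user535733 suggested; any source allowed.
SSH_RULE = ForwardRule(True, "0.0.0.0", "255.255.255.255", 22, 22, "1.2.3.4", 22, 22)
# The poster's (START,END) := (1,22) attempt, still pointing at a single LAN port.
RANGE_MISMATCH_RULE = ForwardRule(True, "0.0.0.0", "255.255.255.255", 1, 22, "1.2.3.4", 22, 22)

if __name__ == "__main__":
    for port in (22, 1821):                      # 203.0.113.9 is a constructed client address
        print(port, "->", evaluate(SSH_RULE, "203.0.113.9", port))
    print(evaluate(SSH_RULE, "203.0.113.9", 22, isp_strict=True))
```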

1 Answer


All settings in the modem / router are correct, and you can ssh from internally to your host meaning that your ssh / dropbear is working. The issue is not your internal network or modem. Unfortunately, your ISP has a hardened firewall not allowing forwarding traffic into your network making it so you cannot access your host externally.

Terrance