
I have set up port forwarding for my network to be able to ssh into my server from outside the network (let's say external port 10122 maps to internal port 22 for 192.168.1.101).

Let's say my computer has the IP 192.168.1.102, the server has 192.168.1.101

I can do `ssh root@192.168.1.101` and it will work. I can do `ssh -p 10122 root@<public IP>` and it will work ONLY if I'm not connected to the local network.

Why is it that I can't invoke `ssh -p 10122 root@<public IP>` from within the network?

I googled around and am only getting information on how to do port forwarding or use iptables to open ports (but this is all already working).

EDIT: I don't need to use the external IP to access an internal machine, I've hit this problem more than once and would like to know more and be able to explain why if someone were to ask me.

PGT
  • "Why is it that I can't invoke ssh -p 10122 root@<public IP> from within the network?" limitations of your networking hardware – Ramhound Sep 13 '17 at 21:45
  • @Ramhound: can you explain a bit more on why this would be a limitation? If the port forwarding policy is in place and the router can handle internal ssh as well as external ssh from outside the network, it seems to me that it should already be able to handle ssh using external IP from inside the network, especially if the router is aware of its assigned IP, it can just handle an extra step in the network layer to route locally. – PGT Sep 13 '17 at 21:49
  • Why do you want to use the public IP address instead of the local intranet IP address anyways? As for the reason: https://en.m.wikipedia.org/wiki/Network_address_translation – Ramhound Sep 13 '17 at 22:09
  • You didn't mention the critical piece of information that is needed. What is your router? Software/Model? Your problem is a "Hairpin" NAT issue. You can never do what you are trying to do with a simple port forwarding rule, but many people think you can due to cheap home routers automatically configuring for hairpin NAT. Any higher end, more advanced router requires additional NAT rules to handle hairpin NAT. If you do have a cheap router and it doesn't work, there is likely nothing you can do about it. You can just use the internal IP, as already suggested. Or DNS / HOSTS file combinations. – Appleoddity Sep 14 '17 at 04:08
  • Reference here: https://en.m.wikipedia.org/wiki/Hairpinning – Appleoddity Sep 14 '17 at 04:10
  • @Appleoddity: Thanks. `Hairpinning` was the term I needed to google. @Ramhound: not so much I want to use the external IP to access a local network machine, more that I ran into this and wanted to know more about *why* it happens, and googling for the behaviour only gave me results on how to do port forwarding. – PGT Sep 14 '17 at 13:11
  • Possible duplicate of [Unable to outside access service from inside LAN](https://superuser.com/questions/135366/unable-to-outside-access-service-from-inside-lan) – Kamil Maciorowski Sep 14 '17 at 13:57
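
The hairpinning failure named in the comments, modelled as an added example (not part of the original thread): a router that only rewrites the destination lets the server reply directly across the LAN, so the client sees a reply from 192.168.1.101:22 instead of the public address it dialled. `PUBLIC_IP`, `ROUTER_LAN`, the client port and the `Router`/`connect` names are assumptions; this is one common failure mode, and some routers instead never apply the forward to LAN-side traffic at all.

```python
# Toy model of NAT hairpinning. 192.168.1.101/.102 and ports 10122/22 come from
# the question; PUBLIC_IP, ROUTER_LAN and the client port are constructed.
PUBLIC_IP = "203.0.113.10"   # constructed (RFC 5737 documentation range)
ROUTER_LAN = "192.168.1.1"   # assumed router LAN address
SERVER, CLIENT = "192.168.1.101", "192.168.1.102"
FORWARD = {(PUBLIC_IP, 10122): (SERVER, 22)}  # the port-forwarding rule


class Router:
    def __init__(self, hairpin):
        self.hairpin = hairpin
        self.conntrack = {}  # translated flow -> original flow

    def forward(self, src, dst):
        """DNAT a packet arriving from the LAN; also SNAT it when hairpinning."""
        new_dst = FORWARD[dst]
        new_src = (ROUTER_LAN, src[1]) if self.hairpin else src
        self.conntrack[(new_dst, new_src)] = (dst, src)
        return new_src, new_dst

    def reverse(self, src, dst):
        """Undo the translation on a reply that passes back through the router."""
        return self.conntrack[(src, dst)]


def connect(hairpin, client_port=50000):
    """Model `ssh -p 10122 root@<public IP>` from the LAN.

    Returns (source address of the reply as the client sees it, accepted?).
    """
    router = Router(hairpin)
    expected_peer = (PUBLIC_IP, 10122)  # the only peer the client socket knows
    src, dst = router.forward((CLIENT, client_port), expected_peer)
    # The server answers whatever source address it saw on the incoming SYN.
    reply_src, reply_dst = dst, src
    if reply_dst[0] == ROUTER_LAN:
        # Reply is addressed to the router, which restores the original addresses.
        reply_src, reply_dst = router.reverse(reply_src, reply_dst)
    # Otherwise the reply crosses the LAN straight to the client, untranslated,
    # and matches no socket on the client because the peer address is wrong.
    return reply_src, reply_src == expected_peer


if __name__ == "__main__":
    for mode in (False, True):
        print("hairpin NAT" if mode else "DNAT only", "->", connect(mode))
```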

0 Answers