
I would like to access my Ubuntu PC remotely via SSH. The SSH daemon is currently listening on port [x]. My router is a ASUS DSL-N12E.

I have created a rule for the firewall with the following parameters:

  • Protocol: TCP
  • Direction: Downstream
  • Source Port: [x]
  • Dest IP/Mask: 192.168.1.100/255.255.255.255
  • Dest Port: [x]

and a NAT Virtual Server rule with the following parameters:

  • Protocol: TCP
  • Local IP: 192.168.1.100
  • Local Port: [x]
  • WAN IP: pppoe1
  • WAN Port: [x]

I'm able to connect to the SSH server from the local network, using ssh -p [x] myuser@192.168.1.100, but I can't do it using ssh -p [x] myuser@mypublicip. I'm guessing there's something wrong with the router configuration although canyouseeme.org says that port [x] is open.

Any ideas about what I might be doing wrong?

Frank Breitling
Delfad0r
  • Try ssh -v. But that aside, set a key or super strong password and temporarily remove the firewall rules. I wonder if `Dest IP/Mask: 192.168.1.100/255.255.255.255` is wrong. What firewall is it? Though normally if the online port scanner says it can see it then the firewall is fine. Do telnet or nc to it, see if it says openssh or what. – barlop Jan 04 '15 at 23:57


This is a common issue on a lot of routers.

It sounds simply like you need to enable NAT reflection, NAT hairpin or NAT loopback; the name changes on different routers, but be warned that not all routers support it.

... Please check your firmware version; it looks like your router either didn't support it out of the box, or has been buggy... I just found this, although 6 months old, it indicates a firmware fix where loopback wasn't always working. (Don't get it from here; check Asus directly for even newer.)

William Hilsum
  • I will definitely check that out, but please tell me if I have understood correctly: without NAT reflection, I will still be able to remotely connect to my SSH server - just not from home; is that correct? – Delfad0r Jan 04 '15 at 22:51
  • Yep. Every connection that goes through the router has to be processed by different chains: one chain would be WAN in, another would be LAN in... NAT by default is only applied to WAN in, so, when you attempt to access your external IP (which exists on WAN), your router has no idea how to connect it back to you. NAT reflection is basically a little add-on that tells the router to apply the NAT rules to packets that originate from the LAN side... (OK, not exactly, but hopefully this gets the basics across to you!?) – William Hilsum Jan 04 '15 at 22:54
  • Thank you! Sadly, even though I'm running the (almost) most recent firmware version, I can't seem to be able to find anything about "NAT loopback" or similar. No big deal though, my biggest concern was being able to access it remotely - which I am :) – Delfad0r Jan 04 '15 at 23:08
  • I would update to the latest firmware to rule out issues - on most consumer routers, it isn't always an option - most likely it is either off or on by default and it requires ssh/telnet in order to change... hopefully the firmware update will give it the kick it needs – William Hilsum Jan 04 '15 at 23:29
  • @Delfad0r you could try from your phone. make your phone a wireless hotspot. – barlop Jan 05 '15 at 00:02
  • @WilliamHilsum I will try that, but - as I said - no big deal: I can always use myuser@192.168.1.100 to connect from local network and myuser@mypublicip from outside – Delfad0r Jan 05 '15 at 00:12
  • @Delfad0r +1 for him for his suggested solution, but try it before you accept the answer, otherwise you haven't verified that this is the solution to your question. Though it likely is the solution. You can test if that was the issue by going to an Internet cafe, or by connecting a computer to your phone set as a wireless hotspot so your computer isn't behind your LAN. – barlop Jan 05 '15 at 02:18
  • @barlop I have already tried connecting from my phone and it works; I wouldn't have accepted the answer otherwise ;) – Delfad0r Jan 05 '15 at 09:24

You are able to connect to your machine over SSH on the local network but unable to access it remotely.

You can connect through the local network because port [x] is open on your machine and you are using the local IP to access it.

Please check that your port forwarding setting is correct.

Also cross-check the listening port from a remote IP to your public IP with telnet:

telnet [remote_ip] [port_number]

Hope this helps!

BDRSuite
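Both answers (and barlop's comment) come down to the same check: open a TCP connection to the port and see whether sshd answers with its banner, first from the LAN, then to the public IP from inside the LAN, then from outside (a phone hotspot). The probe below is an added example, not code from the asker or either answerer. The function names (tcp_connect, grab_banner, diagnose, start_fake_sshd) are my own, and start_fake_sshd is a constructed stand-in for sshd on 127.0.0.1 so the script runs offline; in real use you would point the probes at 192.168.1.100 and at the public IP instead.

```python
import socket
import threading

PROBE_TIMEOUT = 3.0  # seconds; a router silently dropping the packet shows up as a timeout


def tcp_connect(host, port, timeout=PROBE_TIMEOUT):
    """True if a TCP handshake to host:port completes within the timeout.
    A refused connection (RST) and a timeout (filtered/dropped) both give False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def grab_banner(host, port, timeout=PROBE_TIMEOUT):
    """Connect and return the first line the server volunteers, or None.
    sshd sends its version string first ("SSH-2.0-OpenSSH_..."), so this is
    the same check as 'telnet host port' and reading what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = s.recv(255)
    except OSError:
        return None
    lines = data.decode("ascii", errors="replace").splitlines()
    return lines[0].strip() if lines else None


def is_ssh_banner(banner):
    """The SSH transport protocol identification string always starts with 'SSH-'."""
    return banner is not None and banner.startswith("SSH-")


def diagnose(lan_ok, public_from_lan_ok, public_from_outside_ok=None):
    """Turn the three probe results into the most likely cause.
    public_from_outside_ok is None when that test has not been run yet."""
    if not lan_ok:
        return "sshd is not reachable even on the LAN: check that it is running and listening on that port"
    if public_from_lan_ok and public_from_outside_ok is not False:
        return "reachable on the LAN and via the public IP: port forward and NAT loopback both work"
    if public_from_lan_ok:
        return "public IP works from inside but not from outside: loopback works, so look at the WAN-side rule"
    if public_from_outside_ok is None:
        return "LAN works but the public IP does not from inside: test from a phone hotspot before blaming the router"
    if public_from_outside_ok:
        return "port forward works from outside; the router has no NAT loopback (hairpin), so use the LAN address from home"
    return "public IP unreachable from both sides: the port forward or firewall rule is not passing the port"


def start_fake_sshd(banner=b"SSH-2.0-OpenSSH_example\r\n"):
    """Constructed stand-in for sshd so the probes can run offline: a listener
    on 127.0.0.1 that sends one banner line to each client and closes.
    Returns the port the OS assigned."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port():
    """A port nothing is listening on (bound briefly, then released)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Demo against the stand-in; substitute 192.168.1.100 for the LAN probe,
    # then the public IP from inside, then the public IP from a phone hotspot.
    port = start_fake_sshd()
    lan = tcp_connect("127.0.0.1", port)
    print("reachable:", lan, "banner:", grab_banner("127.0.0.1", port))
    print(diagnose(lan_ok=lan, public_from_lan_ok=False, public_from_outside_ok=True))
```

The banner check matters because an open port alone (as reported by canyouseeme.org) only proves the router accepted the SYN; if the forward points at the wrong host or port you get a connection with no "SSH-" line. The pattern of results that fits the question, LAN reachable and the public IP reachable from the hotspot but not from inside, is exactly the missing NAT loopback case diagnose() reports.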