OpenWrt Forum Archive

Topic: SSH behind another router

The content of this topic has been archived on 25 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello,
I know this has been discussed before, but I'm stuck.
I have an OpenWRT router behind another router (Asus), and I want to access the OpenWRT router from outside. Port forwarding works fine for HTTP, but not for SSH. On the Asus I have set up port forwarding from internal_ip:22 to external_ip:2222. On the OpenWRT router I even stopped the firewall process (my last desperate effort), but there is still no access from outside. The OpenWRT router is a D-link DR-505, which has one LAN port; it is not in use because I use only WiFi, but I guess my config is messy somewhere there. Even the DMZ option on the Asus didn't work, so I guess the problem is only in the OpenWRT router.

My config:

root@OpenWrt:~# cat /etc/config/network

# Loopback interface, static 127.0.0.1/8.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# IPv6 unique-local prefix for this router.
config globals 'globals'
        option ula_prefix 'fd1c:efe5:911e::/48'

# Static 10.1.1.13/24 with gateway 10.1.1.1.
# NOTE(review): this section has no 'ifname'; only _orig_ifname 'eth1' is
# present, which looks like a leftover written by the web UI -- confirm.
# The ifconfig output in the same post shows 10.1.1.13 on wlan0 and no eth
# device, so which logical interface actually owns that address cannot be
# determined from this file alone.
config interface 'lan'
        option force_link '1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.1.1.13'
        option gateway '10.1.1.1'
        option _orig_ifname 'eth1'
        option _orig_bridge 'false'
        option metric '10'

# DHCP client interface; _orig_ifname points at wlan0.
# NOTE(review): presumably this is the WiFi uplink toward the Asus router,
# attached through /etc/config/wireless (not shown) -- confirm. If so, it
# is the interface that faces the port forward, and its firewall zone
# decides what the upstream network can reach on this router.
config interface 'nautilus2'
        option proto 'dhcp'
        option _orig_ifname 'wlan0'
        option _orig_bridge 'true'

root@OpenWrt:~# ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1418408 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1418408 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:72468953 (69.1 MiB)  TX bytes:72468953 (69.1 MiB)

wlan0     Link encap:Ethernet  HWaddr C8:BE:19:5E:48:40
          inet addr:10.1.1.13  Bcast:10.1.1.255  Mask:255.255.255.0
          inet6 addr: fe80::cabe:19ff:fe5e:4840/64 Scope:Link
          inet6 addr: fd1c:efe5:911e::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3361277 errors:0 dropped:0 overruns:0 frame:0
          TX packets:313374 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:381333311 (363.6 MiB)  TX bytes:39533129 (37.7 MiB)


root@OpenWrt:~# cat  /etc/config/firewall

# Global default policies. input, output and forward are all ACCEPT, so
# nothing is dropped by default; forward 'ACCEPT' in particular means the
# router will forward traffic that no zone policy rejects.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option syn_flood '1'
        option forward 'ACCEPT'

# Zone 'lan' covers the networks 'lan' AND 'nautilus2', fully open.
# NOTE(review): if nautilus2 is the uplink toward the Asus router, then the
# upstream side is treated as trusted LAN: every service listening on this
# router (SSH, web UI, ...) is accepted from that network, and from the
# internet for any port the Asus forwards or exposes via DMZ. In that case
# the firewall is not what blocks SSH, and authentication on each service
# is the only remaining control.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan nautilus2'

# Zone 'wan' with masquerading (NAT) and MSS clamping enabled.
# NOTE(review): input is 'ACCEPT' here, whereas stock OpenWrt ships the wan
# zone with input 'REJECT'. None of the listed networks (wan, wan6, Acision,
# nautilus) is defined in the /etc/config/network shown in the same post, so
# this zone may currently match no interface; if an uplink is ever assigned
# to it, it would accept all inbound connections. Restoring 'REJECT' and
# adding explicit allow rules is the safer arrangement.
config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option input 'ACCEPT'
        option network 'wan wan6 Acision nautilus'

# Allow traffic to be forwarded from zone 'lan' to zone 'wan'.
config forwarding
        option src 'lan'
        option dest 'wan'

# Explicit allow rules, all with src 'wan'.
# NOTE(review): the wan zone in this same file already has input 'ACCEPT',
# so the input rules below do not widen or narrow anything as configured;
# they only become meaningful once wan input is set back to 'REJECT'.
# None of these rules mentions TCP port 22, so with a restrictive wan zone
# a dedicated rule for SSH would be required.

# Accept IPv4 UDP to port 68 (DHCP replies to the router's DHCP client).
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# Accept IPv4 ICMP echo-request (ping) addressed to the router.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

# Accept DHCPv6 between link-local addresses (UDP 547 -> 546).
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Accept the listed ICMPv6 types addressed to the router, rate-limited
# to 1000 packets per second.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Accept the listed ICMPv6 types forwarded from wan to any zone (dest '*'),
# with the same rate limit.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Pull in custom rules from /etc/firewall.user (contents not shown).
config include
        option path '/etc/firewall.user'

# Firewall hook script shipped with miniupnpd, re-run on firewall reload.
# NOTE(review): this indicates the miniupnpd package is installed. A UPnP
# daemon lets hosts on the internal side request port mappings on their
# own; whether the daemon is enabled is not visible here -- confirm, and
# disable it if automatic port mapping is not needed.
config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

root@OpenWrt:~# cat /etc/config/dropbear

# Each 'config dropbear' section describes one SSH server instance.
# NOTE(review): two instances are defined and both ask for port 22. This
# one is limited to the address of interface 'nautilus2'; the one below has
# no 'Interface' option and so is not restricted to a single interface.
# Whether both can bind the same port at once is not shown in the post --
# keeping a single section avoids the ambiguity.
config dropbear
        # Password logins are permitted. Once the Asus forwards external
        # port 2222 to this listener, the account password is the only thing
        # between the internet and a root shell; public-key authentication
        # with PasswordAuth 'off' is the usual hardening for an exposed SSH
        # port.
        option PasswordAuth 'on'
        option Port '22'
        # Lets remote hosts connect to ports forwarded through SSH sessions.
        # Not needed for plain remote login; leave it off unless remote
        # port forwarding is actually used.
        option GatewayPorts 'on'
        option Interface 'nautilus2'

# Second instance: same port, password logins and GatewayPorts enabled,
# no interface restriction.
config dropbear
        option Port '22'
        option PasswordAuth 'on'
        option GatewayPorts 'on'

Thank you in advance!

You have to allow connections on port 22 in firewall.

nitroshift
