Can't reach a device on my internal LAN from outside (via SSH)

Hi,

I have my ISP router in bridge mode, and Turris Omnia (v5.2.6) configured as my main router.

I want to reach a device which is on my internal LAN (so behind the Omnia) from the outside via SSH, but ssh -vvv tells me that it’s getting stuck at debug1: Connecting to [external IP address] port 2288, so I’m guessing it’s timing out.

I have these settings configured in my port forwards, are these the correct settings?

Thanks in advance.

Check firewall of your internal device. And assign static IP to that device so it always gets the same IP.

Also, using OpenVPN is more secure than having an open port with SSHD on it.

Consider running OpenVPN to connect to your LAN network and then from there reaching your LAN side devices.

Is the port really open on firewall? If the port is open, maybe you have issues with zone setup (input/output/forward directives).

That seems fine (from the screenshot it is not clear which protocol; set TCP only). Check if you have the corresponding DNAT rule created in your firewall config (and applied after the firewall service is restarted).

Another way is to set up OpenVPN (with subnet topology), so you can have all LAN services available (so if you add SFTP, for example, you won’t need another DNAT rule and another open port on the WAN interface). And this approach is much safer.

ad_sshd: do you have AllowTcpForwarding remote in your sshd config? Also check the sshd config option GatewayPorts (see: SSH port forwarding/tunneling use cases and concrete examples. Client command, server configuration. Firewall considerations).

Thanks for the replies, I finally had some time to spend on this.

It has a static IP and I could connect to it without a problem before.

Do you mean to use OpenVPN in combination with SSH or to replace SSH with OpenVPN? If the former, then I’m not too eager about adding more complexity (and thus failure points) to my setup, but I’ll consider it since it adds more security as you described.
If the latter, I’m not really sure that’s wise since OpenVPN’s codebase is much larger and (according to reputable sources) built with lower quality standards than sshd.
WireGuard is something I’m also considering (especially for the first scenario), but I’ll have to figure out how I’d use WireGuard while I’m also using WireGuard as my “normal browsing” VPN. Is it even possible to do such a thing?

The sshd setup previously worked without any problems, but then I had a crappy ISP router on which I did the port forwarding.

I’ve checked iptables -L and although I have a basic understanding of it, the firewall table generated by the Omnia is a bit much. However, I couldn’t find the relevant port numbers anywhere in that table. It’s as if the firewall is completely oblivious to my port forwarding rules.

In various chains (called zones?) I have either:
ACCEPT all -- anywhere anywhere ctstate DNAT /* !fw3: Accept port forwards */

or

ACCEPT all -- anywhere anywhere ctstate DNAT /* !fw3: Accept port redirections */

But again, no mention of the ports I specified which are accessible from the WAN side or on my LAN side.

Hello,
have you tried to look at it with tcpdump?
Try this:

  • Log in to the Omnia via ssh.
  • run tcpdump -i eth2 tcp port 2288, try to connect from outside to this port and see if any packets are dumped on the screen
  • run tcpdump -i br-lan host 192.168.1.23 and see if any packets are leaving Omnia towards the 192.168.1.23

Thanks a lot for your reply. Finally had the time to do this, and here are the results. It seems that my Omnia is seeing something when I try to connect via SSH, but not sure what.

Assume 93.184.216.34 is where I’m connecting from.

root@rawter:~# tcpdump -i eth2 tcp port 2288
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes

19:57:57.760168 IP 93.184.216.34.55098 > redacted-ip-example.org.2288: Flags [S], seq 1459565480, win 64860, options [mss 1380,sackOK,TS val 1879415677 ecr 0,nop,wscale 7], length 0
19:57:58.781224 IP 93.184.216.34.55098 > redacted-ip-example.org.2288: Flags [S], seq 1459565480, win 64860, options [mss 1380,sackOK,TS val 1879416700 ecr 0,nop,wscale 7], length 0
19:58:00.838735 IP 93.184.216.34.55098 > redacted-ip-example.org.2288: Flags [S], seq 1459565480, win 64860, options [mss 1380,sackOK,TS val 1879418748 ecr 0,nop,wscale 7], length 0
19:58:04.863293 IP 93.184.216.34.55098 > redacted-ip-example.org.2288: Flags [S], seq 1459565480, win 64860, options [mss 1380,sackOK,TS val 1879422780 ecr 0,nop,wscale 7], length 0
19:58:13.371790 IP 93.184.216.34.55098 > redacted-ip-example.org.2288: Flags [S], seq 1459565480, win 64860, options [mss 1380,sackOK,TS val 1879431292 ecr 0,nop,wscale 7], length 0
19:58:29.760700 IP 93.184.216.34.55098 > redacted-ip-example.org.2288: Flags [S], seq 1459565480, win 64860, options [mss 1380,sackOK,TS val 1879447676 ecr 0,nop,wscale 7], length 0
19:59:02.012349 IP 93.184.216.34.55098 > redacted-ip-example.org.2288: Flags [S], seq 1459565480, win 64860, options [mss 1380,sackOK,TS val 1879479932 ecr 0,nop,wscale 7], length 0
^C
7 packets captured
7 packets received by filter
0 packets dropped by kernel

###

root@rawter:~# tcpdump -i br-lan host 192.168.1.23
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
20:04:58.795296 IP 192.168.1.5.60394 > 192.168.1.23.22: Flags [P.], seq 2461020285:2461020361, ack 3741546364, win 501, options [nop,nop,TS val 384295157 ecr 81564835], length 76
20:04:58.795782 IP 192.168.1.23.22 > 192.168.1.5.60394: Flags [P.], seq 1:133, ack 76, win 1026, options [nop,nop,TS val 81566845 ecr 384295157], length 132
20:04:58.796662 IP 192.168.1.5.60394 > 192.168.1.23.22: Flags [.], ack 133, win 500, options [nop,nop,TS val 384295158 ecr 81566845], length 0
# ... Lots of similar seq/ack log entries omitted.
20:05:11.006489 IP 93.184.216.34.55304 > 192.168.1.23.22: Flags [S], seq 3705302969, win 64860, options [mss 1380,sackOK,TS val 1879848919 ecr 0,nop,wscale 7], length 0
20:05:11.006758 ARP, Request who-has 192.168.1.254 tell 192.168.1.23, length 46
20:05:12.062612 IP 93.184.216.34.55304 > 192.168.1.23.22: Flags [S], seq 3705302969, win 64860, options [mss 1380,sackOK,TS val 1879849980 ecr 0,nop,wscale 7], length 0
20:05:12.062775 ARP, Request who-has 192.168.1.254 tell 192.168.1.23, length 46
# ... Lots of similar seq/ack log entries omitted.
20:05:14.108864 IP 93.184.216.34.55304 > 192.168.1.23.22: Flags [S], seq 3705302969, win 64860, options [mss 1380,sackOK,TS val 1879852028 ecr 0,nop,wscale 7], length 0
20:05:14.109027 ARP, Request who-has 192.168.1.254 tell 192.168.1.23, length 46
20:05:14.896919 IP 192.168.1.5.60394 > 192.168.1.23.22: Flags [P.], seq 660:736, ack 1133, win 501, options [nop,nop,TS val 384311258 ecr 81580933], length 76
20:05:14.897467 IP 192.168.1.23.22 > 192.168.1.5.60394: Flags [P.], seq 1133:1265, ack 736, win 1026, options [nop,nop,TS val 81582946 ecr 384311258], length 132
20:05:14.898761 IP 192.168.1.5.60394 > 192.168.1.23.22: Flags [.], ack 1265, win 500, options [nop,nop,TS val 384311260 ecr 81582946], length 0
20:05:16.049207 ARP, Request who-has 192.168.1.23 tell 192.168.1.1, length 28
20:05:16.049471 ARP, Reply 192.168.1.23 is-at [redacted-mac-address] (oui Unknown), length 46
20:05:16.909122 IP 192.168.1.5.60394 > 192.168.1.23.22: Flags [P.], seq 736:812, ack 1265, win 501, options [nop,nop,TS val 384313271 ecr 81582946], length 76
20:05:16.909633 IP 192.168.1.23.22 > 192.168.1.5.60394: Flags [P.], seq 1265:1397, ack 812, win 1026, options [nop,nop,TS val 81584958 ecr 384313271], length 132
20:05:16.910341 IP 192.168.1.5.60394 > 192.168.1.23.22: Flags [.], ack 1397, win 500, options [nop,nop,TS val 384313272 ecr 81584958], length 0
20:05:16.931795 ARP, Request who-has 192.168.1.254 tell 192.168.1.23, length 46
20:05:18.139573 IP 93.184.216.34.55304 > 192.168.1.23.22: Flags [S], seq 3705302969, win 64860, options [mss 1380,sackOK,TS val 1879856060 ecr 0,nop,wscale 7], length 0
20:05:18.139861 ARP, Request who-has 192.168.1.254 tell 192.168.1.23, length 46
# ... Lots of similar seq/ack log entries omitted.
20:05:21.148834 ARP, Request who-has 192.168.1.254 tell 192.168.1.23, length 46
20:05:21.995809 ARP, Request who-has 192.168.1.254 tell 192.168.1.23, length 46
20:05:22.952229 IP 192.168.1.5.60394 > 192.168.1.23.22: Flags [P.], seq 964:1040, ack 1661, win 501, options [nop,nop,TS val 384319314 ecr 81588985], length 76
20:05:22.952767 IP 192.168.1.23.22 > 192.168.1.5.60394: Flags [P.], seq 1661:1793, ack 1040, win 1026, options [nop,nop,TS val 81591001 ecr 384319314], length 132
20:05:22.954104 IP 192.168.1.5.60394 > 192.168.1.23.22: Flags [.], ack 1793, win 500, options [nop,nop,TS val 384319315 ecr 81591001], length 0
20:05:24.412143 ARP, Request who-has 192.168.1.254 tell 192.168.1.23, length 46
20:05:24.966038 IP 192.168.1.5.60394 > 192.168.1.23.22: Flags [P.], seq 1040:1116, ack 1793, win 501, options [nop,nop,TS val 384321328 ecr 81591001], length 76
20:05:24.966590 IP 192.168.1.23.22 > 192.168.1.5.60394: Flags [P.], seq 1793:1925, ack 1116, win 1026, options [nop,nop,TS val 81593015 ecr 384321328], length 132
20:05:24.967650 IP 192.168.1.5.60394 > 192.168.1.23.22: Flags [.], ack 1925, win 500, options [nop,nop,TS val 384321329 ecr 81593015], length 0
20:05:26.527025 IP 93.184.216.34.55304 > 192.168.1.23.22: Flags [S], seq 3705302969, win 64860, options [mss 1380,sackOK,TS val 1879864444 ecr 0,nop,wscale 7], length 0
20:05:26.527303 ARP, Request who-has 192.168.1.254 tell 192.168.1.23, length 46
20:05:26.859673 IP 192.168.1.23.5353 > 224.0.0.251.5353: 0*- [0q] 1/0/1 (Cache flush) A 192.168.1.23 (55)
20:05:26.975487 IP 192.168.1.5.60394 > 192.168.1.23.22: Flags [P.], seq 1116:1192, ack 1925, win 501, options [nop,nop,TS val 384323337 ecr 81593015], length 76
20:05:26.976042 IP 192.168.1.23.22 > 192.168.1.5.60394: Flags [P.], seq 1925:2057, ack 1192, win 1026, options [nop,nop,TS val 81595024 ecr 384323337], length 132
20:05:26.976878 IP 192.168.1.5.60394 > 192.168.1.23.22: Flags [.], ack 2057, win 500, options [nop,nop,TS val 384323338 ecr 81595024], length 0
20:05:27.698264 ARP, Request who-has 192.168.1.254 tell 192.168.1.23, length 46
# ... Lots of similar seq/ack log entries omitted.
20:05:42.909274 ARP, Request who-has 192.168.1.254 tell 192.168.1.23, length 46
# ... Lots of similar seq/ack log entries omitted.
20:05:47.959207 ARP, Request who-has 192.168.1.23 tell 192.168.1.1, length 28
20:05:47.959433 ARP, Reply 192.168.1.23 is-at [redacted-mac-address] (oui Unknown), length 46
# ... Lots of similar seq/ack log entries omitted.
^C
112 packets captured
113 packets received by filter
0 packets dropped by kernel

Do you run a firewall on host 192.168.1.23? Can you run the tcpdump on it and try to connect to it from the Internet?