Can't reach a device on my internal LAN from outside (via SSH)

Hi,

I have my ISP router in bridge mode, and Turris Omnia (v5.2.6) configured as my main router.

I want to reach a device which is on my internal LAN (so behind the Omnia) from the outside via SSH, but ssh -vvv tells me that it's getting stuck at "debug1: Connecting to [external IP address] port 2288." So I'm guessing it's timing out.

I have these settings configured in my port forwards, are these the correct settings?

Thanks in advance.

Check the firewall of your internal device. And assign a static IP to that device so it always gets the same IP.

Also, using OpenVPN is more secure than having an open port with SSHD on it.

Consider running OpenVPN to connect to your LAN network and then from there reaching your LAN side devices.

Is the port really open on firewall? If the port is open, maybe you have issues with zone setup (input/output/forward directives).

That seems fine (from the screenshot it is not clear which protocol; set TCP only). Check if you have the corresponding DNAT rule created in your firewall config (and applied after the firewall service is restarted).

Another way is to set up OpenVPN (with subnet topology), so you can have all LAN services available (so if you add sftp for example you won't need another DNAT rule and another port open on the WAN interface). And this approach is much safer.

ad_sshd: do you have AllowTcpForwarding remote in your sshd config? Also check the sshd config option GatewayPorts (see: SSH port forwarding/tunneling use cases and concrete examples. Client command, server configuration. Firewall considerations).

Thanks for the replies, I finally had some time to spend on this.

It has a static IP and I could connect to it without a problem before.

Do you mean to use OpenVPN in combination with SSH or to replace SSH with OpenVPN? If the former, then I’m not too eager about adding more complexity (and thus failure points) to my setup, but I’ll consider it since it adds more security as you described.
If the latter, I’m not really sure that’s wise since OpenVPN’s codebase is much larger and (according to reputable sources) built with lower quality standards than sshd.
WireGuard is something I’m also considering (especially for the first scenario), but I’ll have to figure out how I’d use WireGuard while I’m also using WireGuard as my “normal browsing” VPN. Is it even possible to do such a thing?

The sshd setup previously worked without any problems, but then I had a crappy ISP router on which I did the port forwarding.

I’ve checked iptables -L and although I have a basic understanding of it, the firewall table generated by the Omnia is a bit much. However, I couldn’t find the relevant port numbers anywhere in that table. It’s as if the firewall is completely oblivious to my port forwarding rules.

In various chains (called zones?) I have either:
ACCEPT all -- anywhere anywhere ctstate DNAT /* !fw3: Accept port forwards */

or

ACCEPT all -- anywhere anywhere ctstate DNAT /* !fw3: Accept port redirections */

But again, no mention of the ports I specified which are accessible from the WAN side or on my LAN side.
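A point worth checking when `iptables -L` shows nothing about the forwarded port: without `-t nat`, iptables lists only the filter table, and fw3 places port forwards as DNAT rules in the nat table (for example in the zone_wan_prerouting chain). The "Accept port forwards" lines in the filter table only accept traffic that a nat-table DNAT rule has already rewritten. The script below is an added example, not code from the thread or from the Turris project; it parses `iptables-save -t nat` output and reports which WAN ports are actually being forwarded, and where. The sample output, LAN addresses, interface name and rule comments are constructed for illustration.

```python
"""Locate fw3-style port-forward (DNAT) rules in `iptables-save -t nat` output.

Run on the router as:  iptables-save -t nat | python3 find_dnat.py
Without stdin input it runs against the constructed sample below.
Assumes IPv4 targets (the common fw3 case); IPv6 DNAT lives in ip6tables.
"""
import shlex
import sys

# Constructed sample of `iptables-save -t nat` output: hypothetical WAN
# interface eth2, hypothetical LAN host 192.168.1.10 and rule comments.
SAMPLE_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i eth2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A zone_wan_prerouting -p tcp -m tcp --dport 2288 -m comment --comment "!fw3: ssh-to-lan" -j DNAT --to-destination 192.168.1.10:22
-A zone_wan_prerouting -p udp -m udp --dport 51820 -m comment --comment "!fw3: wg" -j DNAT --to-destination 192.168.1.10:51820
COMMIT
"""


def parse_dnat_rules(save_text):
    """Return one dict per DNAT rule found in iptables-save formatted text."""
    rules = []
    for line in save_text.splitlines():
        # Only appended rules that jump to the DNAT target are port forwards.
        if not line.startswith("-A") or "-j DNAT" not in line:
            continue
        tokens = shlex.split(line)  # shlex keeps the quoted --comment intact
        rule = {"chain": tokens[1], "proto": None, "dport": None,
                "to_ip": None, "to_port": None, "comment": None}
        for i, tok in enumerate(tokens):
            if tok == "-p":
                rule["proto"] = tokens[i + 1]
            elif tok == "--dport":
                rule["dport"] = int(tokens[i + 1])
            elif tok == "--comment":
                rule["comment"] = tokens[i + 1]
            elif tok == "--to-destination":
                dest = tokens[i + 1]
                ip, sep, port = dest.rpartition(":")
                # A bare IP (no port) means the original port is kept.
                rule["to_ip"] = ip if sep else dest
                rule["to_port"] = int(port) if sep else None
        rules.append(rule)
    return rules


def find_forward(save_text, proto, port):
    """Return the DNAT rule forwarding proto/port from the WAN, or None."""
    for rule in parse_dnat_rules(save_text):
        if rule["proto"] == proto and rule["dport"] == port:
            return rule
    return None


def describe(save_text):
    """Human-readable summary, one line per forward."""
    lines = []
    for r in parse_dnat_rules(save_text):
        target = r["to_ip"] if r["to_port"] is None else f"{r['to_ip']}:{r['to_port']}"
        lines.append(f"{r['chain']}: {r['proto']}/{r['dport']} -> {target} ({r['comment']})")
    return "\n".join(lines) if lines else "no DNAT rules found in nat table"


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NAT
    print(describe(text))
    hit = find_forward(text, "tcp", 2288)
    print("tcp/2288 forward:", "present" if hit else "MISSING")
```

If the forward is listed here but the connection still hangs, the remaining suspects are the forward chain (zone_wan_forward / the "Accept port forwards" rule), the LAN host's own firewall, and whether the WAN-side filter is actually attached to the interface the bridged ISP router delivers traffic on. If it is not listed at all, the redirect was not committed or the firewall was not reloaded.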