Help needed to setup Haas

Hi,

I am trying to set up Haas on a Turris Omnia (Turris OS 5.3.11).

I think the part with the registration on haas.nic.cz is ok and I have used a token to create a device. The thing is I don’t see any session there and I guess that after 3 days I should.

I think (I’m no expert) that it’s more a firewall related issue. Here is a description of my internal network:

Internet ---- ISP router (1) ------ Turris Omnia (2) ------ Internal network (and a ssh server running on my linux server (3)).

On (1), all traffic is forwarded to (2).

On (2), I created a port forward rule so that all incoming ssh traffic goes to (3). I did that before trying to set up Haas. Traffic to port 22 of Turris goes to port 7777 on the linux server. Works from outside as expected.

Now I created another rule on Turris in order to be able to connect to it via ssh from the internal network. I need to do this since Haas listens on port 22 (right?). I tried setting external port of Turris to 22222 from source zone WAN to internal port 22 to destination zone lan. Restarted firewall. Now I can connect from internal network with -P 22 or -P 22222, which is strange.

That’s what I tried and it is clearly not correct. Thinking about this, how can traffic on port 22 go to Haas with the port forward rule to my linux server on port 7777 instead of going to the Haas honeypot? I’m doing something wrong but do not see what (again, no network expert here).

Could someone help me here?

Thanks a lot!

You describe the situation in a way that is, for my head :-), a bit complicated and unintelligible.

HaaS monitors ports 21, 22, 23, 25, 80 and 587. If any of your applications use one of these ports, HaaS will not monitor and forward them. If you want and your application allows it, you can redirect its traffic so that it does not conflict with the ports used for HaaS.

Choosing a new port is arbitrary, but we should still avoid common ports (which are used by common services and applications), i.e. in the range 0-1023. It is recommended to skip these. Other so-called registered ports have a range of 1024-49151. We can use them, but it is possible that problems could occur in some networks - so it is better to avoid them and use free (dynamic) ports in the range 49152-62535. (That’s why we used port 53033 as an example above, but of course you can use another one if it’s available.)

For example, for port 22: Incoming from wan TCP port 53022 - Forward to lan IP 192.168.1.110 (linux server) port 22

I don’t understand your redirection “On (1), all traffic is forwarded to (2)” … do you direct all traffic from the WAN to your router only? Why ??
In your case, it probably depends on the order of the rules whether the forward rule for SSH is higher or lower than the one mentioned (meaningless :slight_smile: forward wan all to lan router 192.168.1.1).
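One way to check for exactly this collision on a Turris/OpenWrt box, as an added example that is not part of the thread or of Turris OS: a POSIX sh/awk script that reads /etc/config/firewall and lists every WAN redirect whose external port is one of the six HaaS ports. The rule names are constructed, and 192.168.1.110 is the server address used in the reply above; the sample config is embedded so the script runs without a router.

```shell
#!/bin/sh
# Added example (not from the thread or the Turris project): flag OpenWrt/Turris firewall
# redirects that claim a WAN port HaaS monitors. On the router: haas_port_conflicts < /etc/config/firewall
HAAS_PORTS="21 22 23 25 80 587"

# Reads a UCI firewall config on stdin and prints one line per 'config redirect'
# whose WAN-side src_dport is a HaaS port:  <name> <src_dport> -> <dest_ip>:<dest_port>
haas_port_conflicts() {
    awk -v ports="$HAAS_PORTS" -v q="'" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) haas[p[i]] = 1 }
    # Strip the UCI single quotes around an option value (values assumed to contain no spaces).
    function val(s) { gsub(q, "", s); return s }
    # Report the redirect collected so far if it collides with a HaaS port, then reset.
    function flush() {
        if (in_redirect && src == "wan" && (dport in haas))
            printf "%s %s -> %s:%s\n", name, dport, dip, dport2
        in_redirect = 0; name = ""; src = ""; dport = ""; dip = ""; dport2 = ""
    }
    /^config[ \t]+redirect/ { flush(); in_redirect = 1; next }
    /^config[ \t]+/         { flush(); next }
    in_redirect && $2 == "name"      { name   = val($3) }
    in_redirect && $2 == "src"       { src    = val($3) }
    in_redirect && $2 == "src_dport" { dport  = val($3) }
    in_redirect && $2 == "dest_ip"   { dip    = val($3) }
    in_redirect && $2 == "dest_port" { dport2 = val($3) }
    END { flush() }'
}

# Constructed sample: the thread's original wan:22 -> server:7777 rule (takes port 22 away
# from the honeypot) next to the advised wan:53022 -> server:22 rule (no conflict).
sample_firewall() {
cat <<'EOF'
config redirect
    option name 'ssh-to-server-old'
    option src 'wan'
    option src_dport '22'
    option dest_ip '192.168.1.110'
    option dest_port '7777'
    option target 'DNAT'

config redirect
    option name 'ssh-to-server'
    option src 'wan'
    option src_dport '53022'
    option dest_ip '192.168.1.110'
    option dest_port '22'
    option target 'DNAT'
EOF
}

sample_firewall | haas_port_conflicts
```

Only the first rule is reported; after moving the real SSH server to 53022, the output is empty and port 22 on the WAN side is free for the HaaS proxy.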

Hi,

Thanks for your answer and sorry if my description was a bit erratic :slight_smile:

All traffic goes through my ISP modem/router to the Turris router. From there, it is dispatched to my internal networks (wifi and rj45 lan). So the ISP modem/router is acting like a kind of bridge between Wan and Lan. I tried several different network configurations and it was the only one which let me access my ssh server from Wan. Maybe there exist other ones, I don’t know.

Am I on a good track?

Why are you writing forward when it is in gateway mode?

The logical assembly is:

  • ISP modem/router as gateway
  • The Turris Omnia router assigns IP addresses and has a port forward set to enable HaaS and other honeypot functions

The internal network is not logically affected by the redirection between WAN and LAN and therefore to access SSH

  • from the LAN you use port 22 and
  • from the WAN “zum Beispiel” (a German phrase occasionally used in Czech, which means … for example :slight_smile:) via port 53022.

If the setup works and serves the intended purpose, you’ve done it right.

I am not sure of the exact terms in English I guess.

Anyway, I have given a fixed address to the Turris Omnia router from the ISP modem/router GUI and changed the port redirection from 22222 to 22222 on the Turris Omnia on which I changed SSH port to 22222 and created a port forward rule to my linux server port 7777.

Restarted ssh server and firewall on Turris Omnia and now I get the same REDIRECT rules shown on your image.

Crossing fingers to see if HaaS catches any traffic.

Thanks for your swift and clear answer!

Hi,

No session recorded today. Is this an expected behaviour after 24h?

Thanks

Try SSH access to your own external IP address to see if you get any results


Tried but nothing.

I cannot access my ssh server anymore. I think I screwed up the different port forwarding…

I also did a scan with nmap and the only result was mentioning kdm, which is rather strange.

Nothing means what? Your information is too general. Please describe your HW setup and settings again.

I suppose, that:

  • your provider modem is in bridge mode
  • do you have your own port forward rules - write what exactly !!!
  • the necessary settings in reForis are enabled
    1 - Package Management (Advanced security & analytics - Turris Sentinel),
    2 - Sentinel Components and HaaS Proxy Settings

Do you check the HaaS function at https://haas.nic.cz/devices/ and after inserting the HaaS token?
Do you know your external IP address?
At GRC | ShieldsUP! — Internet Vulnerability Profiling, check whether ports 21,22,23,25,80,587 are open. Your ext IP is

Sorry. Nothing means that the ssh command doesn’t return anything, the cursor just blinked. I have to Ctrl-C to get back control.

Correct

Entry port: 22222
Target port: 22
Target IP: 192.168.1.5 (that’s Turris)

But I guess entry port is wrong, should be 22, right?

1 is ok. For 2, all components are installed and loaded.

ps aux | grep haas gives:

root 7252 0.0 1.2 29408 25912 ? S Jul25 0:02 python3 -m haas_proxy --pidfile=/var/run/haas-proxy.pid --nodaemon haas_proxy --log-level=warning --device-token=XXXXX-me --port=2525

Yes I checked Haas function and have inserted token. And yes I know my external IP, that’s what I entered from outside to try to connect via ssh. Last point, open ports, is where things go wrong. Only one was open, the kdm thing… So it’s back to setting port forwarding correctly.

In fact, this is not correct. There is no bridge mode on the ISP’s modem/router. What I did is attribute a fixed IP to the Omnia from the ISP’s modem/router. So I have:

Internet ------ ISP modem/router (192.168.1.2) ------ Turris Omnia (192.168.1.5)

There is a “Static route” function on the ISP modem/router. I have defined:

Target network: 192.168.2.0
Network mask: 255.255.255.0
Transmit to device: 192.168.1.5 (Turris Omnia)

I have port forwarding like 192.168.1.2:22 → 192.168.1.5:22 and from there I redirect ssh traffic to my Linux ssh server on port 7777.

I can then reach reForis or LuCI on 2 IPs: 192.168.1.5 and 192.168.2.1. The network 192.168.2.0/24 is my home network.

I think this network setup is not very “kosher” because there is no bridge mode on the ISP modem/router.

After some investigation, I came across a post saying that I might be able to remove the ISP modem/router and plug this SFP module (Turris RTROM01-RTSF-10G, SFP+ Copper module, 10 Gbps, RJ45) into the Omnia.

Is this right? That would probably simplify my setup right?

Thanks

I’m not a fully qualified expert, but I think that the modem-router that is upstream of the Turris Omnia should be in gateway mode … if it is not, problems may result. I feel that “removing” the modem-router of your ISP would simplify the whole setup a lot.
You must not believe my statement 100%.

It would be good if someone more knowledgeable entered the discussion.

Hi,

Just for info, it started working last night, without any other changes. There have been no updates and I haven’t touched the config at all.
I’m seeing a lot of sessions now. Very interesting.

Thanks for your help.