OpenSSH - SSH forwarding to the world

Hello.

I have problem with OpenSSH, more precisely, SSH redirection to the world.
I have set the connection to authorized_keys, and local network it’s work.
I add rule to firewall:

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '2222'
        option name 'SSH'

And still does not work.

My config:

root@TurrisOmnia:~/.ssh# cat /etc/config/sshd
#Copyright (C) 2013 CZ.NIC z.s.p.o. (http://www.nic.cz/)

package openssh

config openssh
    list Port 22
    list Port 2222
    #option AddressFamily any
    list ListenAddress 0.0.0.0
    #list ListenAddress ::
    #option Protocol 2
    #list HostKey /etc/ssh/ssh_host_rsa_key
    #list HostKey /etc/ssh/ssh_host_dsa_key
    #list HostKey /etc/ssh/ssh_host_ecdsa_key
    #list HostCertificate /etc/ssh/ssh_host_rsa_key.crt
    #list HostCertificate /etc/ssh/ssh_host_dsa_key.crt
    #option HostKeyAgent ""

    # Lifetime and size of ephemeral version 1 server key
    #option KeyRegenerationInterval 1h
    #option ServerKeyBits 1024

    # Logging
    option SyslogFacility AUTH
    option LogLevel DEBUG

    # Authentication
    #option LoginGraceTime 2m
    option PermitRootLogin yes
    #option StrictModes yes
    #option MaxAuthTries 6
    #option MaxSessions 10
    #option AuthenticationMethods ""
    #option RSAAuthentication yes
    #option PubkeyAuthentication yes
    option AuthorizedKeysFile .ssh/authorized_keys
    #option AuthorizedPrincipalsFile none
    #option AuthorizedKeysCommand none
    #option AuthorizedKeysCommandUser nobody

    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #option RhostsRSAAuthentication no
    # similar for protocol version 2
    #option HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #option IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #option IgnoreRhosts yes

    # Cryptology
    #option Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
    #option KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
    #option MACs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512
    #option RekeyLimit default none
    #option RevokedKeys RevokedKeys ""

    # To disable tunneled clear text passwords, change to no here!
    #option PasswordAuthentication yes
    #option PermitEmptyPasswords no


    # Change to no to disable s/key passwords
    #option ChallengeResponseAuthentication yes

    # Kerberos options
    #option KerberosAuthentication no
    #option KerberosOrLocalPasswd yes
    #option KerberosTicketCleanup yes
    #option KerberosGetAFSToken no

    # GSSAPI options
    #option GSSAPIAuthentication no
    #option GSSAPICleanupCredentials yes


    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication.  Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    #option UsePAM no

    #option AllowAgentForwarding yes
    option AllowTcpForwarding yes
    option GatewayPorts yes
    option X11Forwarding yes
    #option X11DisplayOffset 10
    #option X11UseLocalhost yes
    #option PrintMotd yes
    #option PrintLastLog yes
    #option TCPKeepAlive yes
    #option UseLogin no
    option UsePrivilegeSeparation sandbox
    #option PermitUserEnvironment no
    #option Compression delayed
    #option ClientAliveInterval 0
    #option ClientAliveCountMax 3
    #option UseDNS yes
    #option PidFile /var/run/sshd.pid
    #option MaxStartups 10:30:100
    #option PermitTunnel no
    #option PermitTTY yes
    #option ChrootDirectory none
    #option VersionAddendum none


    # no default banner path
    #option Banner none

    #list IPQoS AF21
    #list IPQoS AF11

    # allow user to set certain ENV variables
    #list AcceptEnv LANG
    #list AcceptEnv LC_*

    # allow/deny users/groups
    #list AllowGroups group1
    #list AllowUsers user1
    #list DenyGroups group1
    #list DenyUsers user1

    #option TrustedUserCAKeys ""

    list Subsystem "sftp /usr/lib/sftp-server"

#config match
    #option type User #User Group Host Address
    #option match root

    option AllowAgentForwarding
    #option AllowTcpForwarding
    #option AuthorizedKeysFile
    #option AuthorizedPrincipalsFile
    #option Banner
    #option ChrootDirectory
    #option ForceCommand
    #option GatewayPorts
    #option GSSAPIAuthentication
    #option HostbasedAuthentication
    #option HostbasedUsesNameFromPacketOnly
    #option KbdInteractiveAuthentication
    #option KerberosAuthentication
    #option MaxAuthTries
    #option MaxSessions
    #option PasswordAuthentication
    #option PermitEmptyPasswords
    #option PermitOpen
    #option PermitRootLogin
    #option PermitTunnel
    #option PubkeyAuthentication yes
    #option RhostsRSAAuthentication
    #option RSAAuthentication
    #option X11DisplayOffset
    #option X11Forwarding
    #option X11UseLocalHost
    #option XAuthLocation /usr/bin/xauth

#config match
    #option type User #User Group Host Address
    #option match nobody

    #option AllowAgentForwarding
    #option AllowTcpForwarding
    #option AuthorizedKeysFile
    #option AuthorizedPrincipalsFile
    #option Banner
    #option ChrootDirectory
    #option ForceCommand
    #option GatewayPorts
    #option AuthenticationMethods
    #option GSSAPIAuthentication
    #option HostbasedAuthentication
    #option HostbasedUsesNameFromPacketOnly
    #option KbdInteractiveAuthentication
    #option KerberosAuthentication
    #option MaxAuthTries
    #option MaxSessions
    #option PasswordAuthentication
    #option PermitEmptyPasswords
    #option PermitOpen
    #option PermitRootLogin
    #option PermitTunnel
    #option PubkeyAuthentication yes
    #option RhostsRSAAuthentication
    #option RSAAuthentication
    #option X11DisplayOffset
    #option X11Forwarding
    #option X11UseLocalHost

On other LEDE router my SSH dropbear on WAN connection is woking.

Has anyone set up an SSH connection to the WAN port?
Maybe someone has an idea?

Im not sure it is a good idea to have 2 listening ports in the same config

i am sure it isn’t :wink:
perhaps you can use a dnat for this case…