Wan_ssh_turris_rule not working after restart

This weird behavior has been haunting me since a few years, potentially it has always been the case, I am not sure. Initially, until I enabled the wan_https_turris_rule I basically lost access to my distant MOX because the enabled wan_ssh_turris_rule doesn’t seem to allow ssh traffic after a fresh boot.

Steps to reproduce:

  1. in Luci → Network → Firewall → Traffic Rules: enable wan_ssh_turris_rule and click Save & Apply
  2. restart MOX
  3. ssh port is not accessible after boot even though checking the Traffic Rules again the wan_ssh_turris_rule is enabled

Recovery/workaround: In the Traffic Rules uncheck wan_ssh_turris_rule, click Save & Apply, wait till applied, check wan_ssh_turris_rule and once again click Save & Apply. Now ssh is finally accessible again. Fortunately the wan_https_turris_rule stays enabled over restarts, otherwise I would be losing access to my remote MOX with every restart.

Has anybody experienced the same behaviour?

I’d like to understand: a) what you expect this rule will do / enable / facilitate. and b) legacy-IP or IPv6 is your use case?

a) allow SSH from WAN (which I would prefer persisted across restarts)
b) IPv4



is old and not the answer to your question; my be inspires some other solution?

The linked documentation is exactly referencing traffic rules in the firewall section of Luci - that’s what my issue is about. The existing rule isn’t persisted across reboot, while it should be.

You can verify if persisted in /etc/config/firewall

It is by default should be there as disabled and once you enable from Luci it should be enabled.

That’s the thing, it is there and it is enabled. After restart, it is still there and still enabled. But I just can’t connect to SSH from outside until I disable and re-enable the rule via Luci. (I have just checked /etc/config/firewall after connecting to SSH through wireguard - the rule is there and enabled - but I can’t ssh directly.)

Is your firewall service enabled?
Check it from Luci → System → Startup

What you do by re-enabling rule in Luci, triggers firewall. But since as I think it is not enabled as Startup service, so doesn’t start during boots.
Normally that service should be enabled by default all the time, for your own security. Otherwise your system boots without generating firewall rules by iptables.

Yes, it is enabled, I have just checked. The weird thing is that wan_https rule works after reboot and wan_ssh doesn’t even though both are present and enabled in /etc/config/firewall.

Then it sounds really weird, something might be wrong with the system.
You can try to re-flash your system.

I am almost certain I observed the same behavior on brand new MOX already after the first update reboot after purchasing it in 2019. There was at least one major TOS upgrade since. I cannot reflash the device remotely and I don’t visit the place often. :slightly_frowning_face:
In any case thanks for trying to help.