Wan_ssh_turris_rule not working after restart

This weird behavior has been haunting me for a few years; potentially it has always been the case, I am not sure. Initially, until I enabled the wan_https_turris_rule, I basically lost access to my distant MOX because the enabled wan_ssh_turris_rule doesn’t seem to allow ssh traffic after a fresh boot.

Steps to reproduce:

  1. in Luci → Network → Firewall → Traffic Rules: enable wan_ssh_turris_rule and click Save & Apply
  2. restart MOX
  3. ssh port is not accessible after boot, even though, checking the Traffic Rules again, the wan_ssh_turris_rule is enabled

Recovery/workaround: In the Traffic Rules uncheck wan_ssh_turris_rule, click Save & Apply, wait till applied, check wan_ssh_turris_rule and once again click Save & Apply. Now ssh is finally accessible again. Fortunately the wan_https_turris_rule stays enabled over restarts, otherwise I would be losing access to my remote MOX with every restart.

Has anybody experienced the same behaviour?

I’d like to understand: a) what you expect this rule to do / enable / facilitate, and b) is legacy IP or IPv6 your use case?

a) allow SSH from WAN (which I would prefer persisted across restarts)
b) IPv4

This

https://wiki.turris.cz/en/howto/accessing_turris_from_wan

is old and not the answer to your question; maybe it inspires some other solution?

The linked documentation is exactly referencing traffic rules in the firewall section of Luci - that’s what my issue is about. The existing rule isn’t persisted across reboot, while it should be.

You can verify whether it is persisted in /etc/config/firewall.

By default it should be there as disabled, and once you enable it from Luci it should be enabled.

That’s the thing, it is there and it is enabled. After restart, it is still there and still enabled. But I just can’t connect to SSH from outside until I disable and re-enable the rule via Luci. (I have just checked /etc/config/firewall after connecting to SSH through wireguard - the rule is there and enabled - but I can’t ssh directly.)

Is your firewall service enabled?
Check it from Luci → System → Startup

What you do by re-enabling the rule in Luci triggers the firewall. But since, as I think, it is not enabled as a startup service, it doesn’t start during boots.
Normally that service should be enabled by default all the time, for your own security. Otherwise your system boots without generating firewall rules via iptables.
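The two checks discussed above (is the rule present and enabled in /etc/config/firewall, and did the firewall service actually load it into the packet filter) as an added shell example; this is not code from the thread or from the Turris project. The config and iptables-save excerpts are constructed samples, and the fw3-style rule comments and zone_wan_input chain name are assumptions about the runtime ruleset.

```shell
#!/bin/sh
# Added example, not from the thread: report rules that /etc/config/firewall
# declares as enabled but that are absent from the loaded packet filter.
# Both inputs below are constructed samples so the script runs offline.

sample_config() {
cat <<'EOF'
config rule 'wan_ssh_turris_rule'
    option name 'wan_ssh_turris_rule'
    option proto 'tcp'
    option dest_port '22'
    option enabled '1'

config rule 'wan_https_turris_rule'
    option name 'wan_https_turris_rule'
    option proto 'tcp'
    option dest_port '443'
    option enabled '1'
EOF
}

# Constructed iptables-save excerpt: only the HTTPS rule made it into the kernel.
sample_live() {
cat <<'EOF'
-A zone_wan_input -p tcp -m tcp --dport 443 -m comment --comment "!fw3: wan_https_turris_rule" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
EOF
}

# Read UCI text on stdin; print "name port" for each rule section unless it
# carries option enabled '0' (a missing enabled option means enabled).
enabled_rules() {
    tr -d "'" | awk '
        function flush() { if (name != "" && port != "" && enabled != "0") print name, port }
        /^config rule/            { flush(); name = ""; port = ""; enabled = "1" }
        /^[ \t]*option name /     { name = $3 }
        /^[ \t]*option dest_port/ { port = $3 }
        /^[ \t]*option enabled/   { enabled = $3 }
        END { flush() }'
}

# Print every enabled config rule with no live rule matching its port and name.
missing_rules() {
    printf '%s\n' "$1" | enabled_rules | while read -r name port; do
        printf '%s\n' "$2" | grep -q -- "--dport $port .*$name" || echo "$name"
    done
}

missing_rules "$(sample_config)" "$(sample_live)"
```

On a router the same function would be fed "$(cat /etc/config/firewall)" and "$(iptables-save)" instead of the samples; a rule it lists after boot is exactly the "enabled in config but not loaded" state described in this thread.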

Yes, it is enabled, I have just checked. The weird thing is that wan_https rule works after reboot and wan_ssh doesn’t even though both are present and enabled in /etc/config/firewall.

Then it sounds really weird, something might be wrong with the system.
You can try to re-flash your system.

I am almost certain I observed the same behavior on a brand new MOX already after the first update reboot after purchasing it in 2019. There has been at least one major TOS upgrade since. I cannot reflash the device remotely and I don’t visit the place often.
In any case thanks for trying to help.