This weird behavior has been haunting me for a few years; potentially it has always been the case, I am not sure. Initially, until I enabled the wan_https_turris_rule, I basically lost access to my distant MOX because the enabled wan_ssh_turris_rule doesn’t seem to allow ssh traffic after a fresh boot.
Steps to reproduce:
1. In LuCI → Network → Firewall → Traffic Rules: enable wan_ssh_turris_rule and click Save & Apply
2. Restart the MOX
3. The ssh port is not accessible after boot, even though checking the Traffic Rules again shows the wan_ssh_turris_rule is enabled
Recovery/workaround: In the Traffic Rules uncheck wan_ssh_turris_rule, click Save & Apply, wait till it is applied, check wan_ssh_turris_rule and once again click Save & Apply. Now ssh is finally accessible again. Fortunately the wan_https_turris_rule stays enabled over restarts, otherwise I would be losing access to my remote MOX with every restart.
The linked documentation refers exactly to traffic rules in the firewall section of LuCI - that’s what my issue is about. The existing rule isn’t persisted across reboot, while it should be.
That’s the thing, it is there and it is enabled. After restart, it is still there and still enabled. But I just can’t connect to SSH from outside until I disable and re-enable the rule via LuCI. (I have just checked /etc/config/firewall after connecting to SSH through WireGuard - the rule is there and enabled - but I can’t ssh directly.)
What you do by re-enabling the rule in LuCI triggers the firewall. But, as I think, it is not enabled as a startup service, so it doesn’t start during boot.
Normally that service should be enabled by default all the time, for your own security. Otherwise your system boots without generating firewall rules by iptables.
Yes, it is enabled, I have just checked. The weird thing is that wan_https rule works after reboot and wan_ssh doesn’t even though both are present and enabled in /etc/config/firewall.
I am almost certain I observed the same behavior on a brand new MOX already after the first update reboot after purchasing it in 2019. There has been at least one major TOS upgrade since. I cannot reflash the device remotely and I don’t visit the place often.
In any case thanks for trying to help.
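The mismatch described in the thread (a rule that is present and enabled in /etc/config/firewall but absent from the running ruleset after boot) can be checked mechanically rather than by eye. The script below is an added example, not from the thread or from Turris; it assumes the fw3 convention of tagging each generated iptables rule with a `!fw3: <rule name>` comment, and both inputs are constructed samples.

```shell
#!/bin/sh
# Constructed sample of /etc/config/firewall (not the poster's real file):
# both Turris rules present and enabled, as the thread describes.
SAMPLE_CONFIG='
config rule
    option name wan_ssh_turris_rule
    option src wan
    option proto tcp
    option dest_port 22
    option target ACCEPT
    option enabled 1

config rule
    option name wan_https_turris_rule
    option src wan
    option proto tcp
    option dest_port 443
    option target ACCEPT
    option enabled 1
'

# Constructed excerpt of "iptables-save" output after boot: fw3 tags each
# rule it generates with a "!fw3: <name>" comment; only https made it in.
SAMPLE_LIVE='
-A zone_wan_input -p tcp -m tcp --dport 443 -m comment --comment "!fw3: wan_https_turris_rule" -j ACCEPT
'

# Names of "config rule" sections that are enabled (UCI default is enabled
# unless "option enabled 0" is set). Quotes around values are stripped.
enabled_rules() {
    printf '%s\n' "$1" | tr -d "'\"" | awk '
        function flush() { if (sect == "rule" && name != "" && en != "0") print name }
        $1 == "config"                   { flush(); sect = $2; name = ""; en = "1" }
        $1 == "option" && $2 == "name"    { name = $3 }
        $1 == "option" && $2 == "enabled" { en = $3 }
        END { flush() }'
}

# Names of fw3-generated rules actually loaded in the kernel.
live_rules() {
    printf '%s\n' "$1" | sed -n 's/.*"!fw3: \([^"]*\)".*/\1/p' | sort -u
}

# Enabled rules missing from the live ruleset, one per line; empty output
# means config and kernel agree.
missing_rules() {
    for r in $(enabled_rules "$1"); do
        live_rules "$2" | grep -qx "$r" || echo "$r"
    done
}

# On the router itself: missing_rules "$(cat /etc/config/firewall)" "$(iptables-save)"
missing_rules "$SAMPLE_CONFIG" "$SAMPLE_LIVE"
```

Running it on the samples prints only wan_ssh_turris_rule, which is the condition the thread reports; running it via the WireGuard session right after a reboot, before touching LuCI, would confirm whether the rule is really missing from the kernel or only failing for another reason.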