4g Carrier-Grade NAT port forwarding, reverse ssh?


itpp20

Senior Member
Hello, I've been reading for a long time; I've got 6x RT-AC68U with 384.17.
No problems, but an annoying issue, so let's jump in at the deep end.

4g providers are more and more going for Carrier-Grade NAT.
Currently I have 4g internet via Orange and their flybox modem, which still has its own IPv4 address and where port forwarding works (ssh).
However, this will not be the case forever, and I am switching provider soon to one which I know has already switched to Carrier-Grade NAT.

The issue: I use SSH with SSH port forwarding on the Asus; once I ssh into the Asus I can map ports to devices at the other end (putty), which works perfectly. I even have an SMB loopback adapter allowing 445 to be forwarded to 445 on the Asus, where I can map a USB3 disk as a drive (and robocopy data back and forth).
This one is a remote setup 2500km away from homebase.

The question: can I set up from the Asus a reverse SSH connection which automatically starts and remains persistent? If so, how? And how do I use this remotely?
Ea. A (homebase), B (remote)
SSH to B from A: when the connection is established, port forwarding is also done.
SSH to A from B: this should be a persistent connection, but how do I assign local ports later on from A?

Somewhere else I use this to access a router web interface:
plink -ssh -2 -v -C -N -batch -L 127.0.0.1:80:127.0.0.1:5580 -hostkey xx:xx:xx user@url.eu -P 443 -pw password

Then I connect to the ssh server and add a listen port for 5580; locally this reverse SSH port then connects. This works, but it needs someone on the other end to initiate the connection. If this could work on Asus (Merlin), how would I do this (persistently)?

Any other ideas for Carrier-Grade NAT issues? (IPv6 is not an option)
 
I haven’t sat still and made some progress.

On the Asus box, via an SSH shell, run:
ssh <Url> -l <user> -p 443 -g -K 450 -N -R 48443:localhost:8443
(asks for passphrase)

On the SSH server:
For the <user>: s2c, allow listening 0.0.0.0: 48443 -> 127.0.0.1:8443

On the other SSH client (putty) add a port forward: 4L58443=127.0.0.1:48443

On the other SSH client run putty and access the URL: https://127.0.0.1:58443/

And be amazed by the login box! (The Asus WAN web interface runs on HTTPS, port 8443.)
This is an actual reverse SSH session which I got working about an hour ago.

Ssh has -f (Run in background after auth).
-R can be repeated on the box's ssh command line to add more forwarders; don't forget to mirror these ports/addresses on your SSH server.

On to the next challenges.

1. How to run ssh on the Asus box at startup
2. How to automatically test if the ssh link is active and restart it if not
3. The old fashioned password issue with ssh (see 1)
 
1. /jffs/configs/cron, 0 * * * * /jffs/scripts/checkrssh.sh

cp on boot: cp /jffs/configs/cron /var/spool/cron/crontabs/admin
(in /jffs/scripts/init-start)

2. chmod a+rx /jffs/scripts/*
/jffs/scripts/checkrssh.sh:
#!/bin/sh
# the router firmware ships BusyBox sh only, not bash
if netstat | grep -i 'url.*estab' >/dev/null
then
exit
else
echo restart rssh
killall ssh
# -f puts the dropbear client in the background once it has authenticated
ssh -f url -l user -p 443 -g -K 450 -N -R 48443:localhost:8443
fi

3. I'll have to use an SSH key or hack ssh :D
(-i /jffs/scripts/id_dropbear)

Place files in Unix mode (Notepad++) via WinSCP (SCP mode).
 
Let's wrap this up in a howto.

/jffs/scripts/services-start
#!/bin/sh
# /jffs/scripts/services-start
# This script get called after all other system services
# have been started at boot on router
# ---------------------------------------------------------
# Sample cron job to install after reboot
cru a rssh "0 * * * * sh /jffs/scripts/checkrssh.sh"

/jffs/scripts/checkrssh.sh
#!/bin/sh
# /jffs/scripts/checkrssh.sh
chkmip=<YOUR-DNS-SSH-REVERSE-GATEWAY-ADDRESS>
chklog=/jffs/scripts/rssh.log

# resolve the gateway name through ping and pick the address out of the PING line
chkip=$(ping -c 1 -w 1 "$chkmip" | awk -F'[()]' '/PING/{print $2}')
# if the name did not resolve, an empty $chkip would make the grep below match
# any established :443 connection, so log it and leave the retry to runrssh.sh
if [ -z "$chkip" ]
then
echo "$(date) : cannot resolve $chkmip" >>$chklog
exit
fi
barchkip=${chkip//./-}
# if netstat|grep -i $barchkip.*https.*estab
# pattern quoted so the shell does not glob it; an ESTABLISHED line to <gw>:443 means the tunnel is up
if netstat -n | grep -i "$chkip:443.*estab" >/dev/null
then
exit
else

echo "$(date) : restart runrssh" >>$chklog
logger "rSsh : restart runrssh"
# stop the supervising loop first so it does not respawn ssh before killall runs
kill $(ps | grep '[r]unrssh.sh' | awk '{print $1}')
# killall runrssh.sh
killall ssh
sleep 3
sh /jffs/scripts/runrssh.sh &
exit

fi

/jffs/scripts/runrssh.sh
#!/bin/sh
# /jffs/scripts/runrssh.sh
chkmip=<YOUR-DNS-SSH-REVERSE-GATEWAY-ADDRESS>
chklog=/jffs/scripts/rssh.log

chkusr=<YOUR-SSH-REMOTE-USERNAME>
# private key file passed to -i (see the id_dropbear note above)
chkkpf=/jffs/scripts/<YOUR-SSH-PASSPHRASEFILE>
# YOUR PORT FORWARDERS (left unquoted below on purpose so "-R" and its argument stay separate words)
chkpfp='-R 48422:localhost:443'
chkdely=300

while :
do

# dropbear client: -y accepts an unknown server host key without asking, -K 450 sends a
# keepalive every 450 s, -g lets other hosts use the forwarded port, -N opens no shell
ssh -y "$chkmip" -l "$chkusr" -p 443 -g -K 450 -N $chkpfp -i "$chkkpf"
killall ssh
sleep "$chkdely"
echo "$(date) : restart rssh" >>$chklog
logger "rSsh : restart rssh"

done

# Note: we don't use the back-ground option, when ssh fails it will exit and the while loop restarts it all.
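Added here as an editor's example, not code from the thread or from the Asuswrt-Merlin project: the decision part of the cron watchdog, written as shell functions that take ping and netstat text on stdin so the logic can be run offline over constructed sample lines. It generalises the check used in both checkrssh.sh versions above: the gateway address is matched literally (dots escaped) and anchored to the foreign-address column, so a stale TIME_WAIT entry or an unrelated connection to some other host's port 443 no longer counts as "up", and an unresolved gateway name is reported as its own case instead of turning into an empty grep pattern. The gateway name gw.example.invalid, the address 203.0.113.10, the port 443 and every sample output line are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): reverse-tunnel state check for a cron watchdog.
# Assumptions (constructed, not from the thread): gateway resolves to 203.0.113.10,
# the SSH server listens on TCP 443, netstat/ping output is in BusyBox layout.

SSH_PORT=443

# Constructed sample of BusyBox `ping -c 1 -w 1 gw.example.invalid` when the name resolves.
PING_OK='PING gw.example.invalid (203.0.113.10): 56 data bytes
64 bytes from 203.0.113.10: seq=0 ttl=52 time=31.2 ms'
# Constructed sample of the same command when the name does not resolve.
PING_NXDOMAIN="ping: bad address 'gw.example.invalid'"

# Constructed sample of `netstat -n` with the tunnel up.
NETSTAT_UP='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.1:8443        192.168.1.50:51234      ESTABLISHED
tcp        0      0 192.168.1.1:47112       203.0.113.10:443        ESTABLISHED'
# Constructed sample after the link dropped: a stale TIME_WAIT to the gateway plus an
# unrelated ESTABLISHED connection to another host's :443 (would fool ":443.*estab").
NETSTAT_DOWN='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.1:47110       203.0.113.10:443        TIME_WAIT
tcp        0      0 192.168.1.1:50020       198.51.100.7:443        ESTABLISHED'

# Print the resolved address from ping's first line (same awk split as the thread's
# script); prints nothing when there is no PING line, i.e. the name did not resolve.
ip_from_ping() {
    awk -F'[()]' '/^PING/ { print $2; exit }'
}

# Escape the dots so grep -E matches the address literally, not "any character".
escape_dots() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Exit 0 when the netstat text on stdin shows an ESTABLISHED connection to $1:$2
# in the foreign-address column; TIME_WAIT and other hosts' :443 do not match.
tunnel_established() {
    grep -E "[[:space:]]$(escape_dots "$1"):$2[[:space:]]+ESTABLISHED" >/dev/null
}

# Decide what the watchdog should do. $1 = ping output, $2 = netstat -n output.
# Prints exactly one word: keep, restart, or unresolved.
watchdog_action() {
    gw_ip=$(printf '%s\n' "$1" | ip_from_ping)
    if [ -z "$gw_ip" ]; then
        echo unresolved   # DNS/WAN problem: cannot judge the tunnel, so do not guess
    elif printf '%s\n' "$2" | tunnel_established "$gw_ip" "$SSH_PORT"; then
        echo keep
    else
        echo restart
    fi
}

# Stand-alone run over the constructed samples: prints keep, restart, unresolved.
watchdog_action "$PING_OK" "$NETSTAT_UP"
watchdog_action "$PING_OK" "$NETSTAT_DOWN"
watchdog_action "$PING_NXDOMAIN" "$NETSTAT_DOWN"
```

To wire this into a checkrssh.sh-style cron job, feed it live output instead of the samples, for example `watchdog_action "$(ping -c 1 -w 1 "$chkmip" 2>&1)" "$(netstat -n)"`, and act only on `restart`; `unresolved` is worth a log line rather than a kill, since the runrssh.sh loop already retries when ssh exits. One further point on the listening side: the thread's gateway forward binds 0.0.0.0:48443, which makes the router's admin interface reachable by anyone who can reach that port on the gateway unless its firewall blocks it; binding the reverse port to 127.0.0.1 on the gateway and reaching it through a second local forward, as the plink example in the first post already does, keeps it off the gateway's public side.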
 

Thanks VERY much for posting those. As an Asus scripting newcomer, real scripts are great for learning the commands available and how to use the options. The original "aim" I had is now not only achieved, but far more learnt as well :cool:

I assume the 3-script approach was learned by hard experience, and how things fail in practice?

Best wishes
AN
 
When you have many such devices across the planet you don't have the option to drive by when something falls over :) It needs to be resilient, as no one's there to reboot/fix it. I also use keepalive and DNS scripts to make sure the ISP is behaving, as most don't like unmanned access.
 