Port Forwarding and Firewall - not working as I expect

chrisisbd

Occasional Visitor
I have just changed my VDSL connection from my old Draytek 2860n to an Asus DSL-AC68U, it was remarkably painless getting the connection up and running.

Currently I have DHCP and DNS turned off in the DSL-AC68U because I have a computer on my LAN providing these services. Ultimately I want the
DSL-AC68U to provide DHCP/DNS but 'one step at a time'.

I have incoming ssh and SMTP connections so I have set up port forwarding on the DSL-AC68U but it's not working as I would expect. I have three port forwarding entries for ssh, as follows:

Code:
Service  Port  Local IP      Protocol  Source IP
ssh      22    192.168.1.3   TCP       93.93.131.118
ssh      22    192.168.1.3   TCP       46.226.106.243
ssh      22    192.168.1.3   TCP       46.235.227.111

I can successfully ssh from those addresses but I can also connect from other addresses. I have tried turning port forwarding off and I am **still** able to make ssh connections.

So, what on earth am I doing wrong?
 
Ah, I think I see the problem. I have ssh connection to the DSL-AC68U enabled, so when the port forwarding from specific IP addresses fails I get an ssh connection to the DSL-AC68U itself. (I do have a different password; the logins were failing when I put in the ssh password for 192.168.1.3.)

OK, I can turn off 'ssh from WAN' for the DSL-AC68U and that should sort this particular issue! Or I can change some of the ssh ports from the default 22.

Sorry for the noise.
 
You should turn off ssh from WAN entirely. Use OpenVPN to connect to your home network instead. You're leaving a huge entry point into your network with WAN access enabled.
 
OK, I can turn off 'ssh from WAN' for the DSL-AC68U and that should sort this particular issue!
Why would you enable SSH from WAN? That is opening up a potentially huge security vulnerability. Use VPN instead if you need to gain access to the router's GUI administration screen from outside the local network. Set up a VPN server within the router, then use a VPN client to connect remotely to the router and the local network. Many will recommend setting SSH to LAN only and may also recommend changing the SSH port value.
 
You should turn off ssh from WAN entirely. Use OpenVPN to connect to your home network instead. You're leaving a huge entry point into your network with WAN access enabled.
Yes, yes, of course. However, being a command line junkie I prefer to be 'all ssh'. The ssh pinhole is set up to allow connections from only three specific IP addresses. One of those is a virtual server that is mine, so that's unlikely to get unwanted attacks. The second is from a login I have at Mythic Beasts, who are my ISP; only a few users have access there. The third is with another Mythic Beasts customer.

So, when it's configured as intended, it's pretty secure. An attacker needs to break into another system before even being able to attempt to break into mine.

The ssh login open to outside was just left over from when the router wasn't being used as my VDSL router. ... and as I replied to the thread myself I realised what had happened pretty quickly.
 
