
4g Carrier-Grade NAT port forwarding, reverse ssh?

Discussion in 'Asuswrt-Merlin' started by itpp20, May 30, 2020.

  1. itpp20 (Occasional Visitor, joined May 30, 2020, 16 messages)
    Hello, been reading for a long time, got 6x RT-AC68U with 384.17.
    No problems, but an annoying issue, so let's jump in at the deep end.

    4G providers are more and more going for Carrier-Grade NAT.
    Currently I have 4G internet via Orange and their Flybox modem, which still has its own IPv4 address and where port forwarding works (SSH).
    However, this will not be the case forever, and I am switching provider soon to one which I know has already switched to Carrier-Grade NAT.

    The issue: I use SSH with SSH port forwarding on the Asus. Once I SSH into the Asus I can map ports to devices at the other end (PuTTY), which works perfectly; I even have an SMB loopback adapter allowing 445 to be forwarded to 445 on the Asus, where I can map a USB3 disk as a drive (and robocopy data back and forth).
    This one is a remote setup 2500 km away from homebase.

    The question: can I set up from the Asus a reverse SSH connection which automatically starts and remains persistent? If so, how? And how do I use this remotely?
    E.g. A (homebase), B (remote):
    SSH to B from A: when the connection is established, port forwarding is also done.
    SSH to A from B: this should be a persistent connection, but how do I assign local ports later on from A?

    Somewhere else I use this to access a router web interface:
    plink -ssh -2 -v -C -N -batch -L 127.0.0.1:80:127.0.0.1:5580 -hostkey xx:xx:xx [email protected] -P 443 -pw password

    Then I connect to the SSH server and add a listen port for 5580; locally this reverse SSH port then connects. This works, but needs someone on the other end to initiate the connection. If this could work on Asus (Merlin), how would I do this (persistently)?

    Any other ideas for Carrier-Grade NAT issues? (IPv6 is not an option)
  2. itpp20
    I haven't sat still and have made some progress.

    On the Asus box, via an SSH shell, run:
    ssh <Url> -l <user> -p 443 -g -K 450 -N -R 48443:localhost:8443
    (asks for passphrase)

    On the SSH server:
    For the <user> (s2c), allow listening on 0.0.0.0:48443 -> 127.0.0.1:8443

    On the other SSH client (PuTTY) add the port forward: 4L58443=127.0.0.1:48443

    On the other SSH client run PuTTY and access the URL: https://127.0.0.1:58443/

    And be amazed by the login box! (The Asus WAN web interface runs on HTTPS and port 8443.)
    This is an actual reverse SSH session, which I got working about an hour ago.

    SSH has -f (run in background after auth).
    -R can be repeated on the box's ssh command line to add more forwarders; don't forget to mirror these ports/addresses on your SSH server.

    On to the next challenges.

    1. How to run ssh on the Asus box at startup
    2. How to automatically test if the ssh link is active and restart it if not
    3. The old fashioned password issue with ssh (see 1)
     
  3. itpp20
    1. /jffs/configs/cron: 0 * * * * /jffs/scripts/checkrssh.sh

    Copy it on boot: cp /jffs/configs/cron /var/spool/cron/crontabs/admin
    (in /jffs/scripts/init-start)

    2. chmod a+rx /jffs/scripts/*
    /jffs/scripts/checkrssh.sh:
    #!/bin/sh
    # busybox sh: stock Merlin firmware has no /bin/bash
    # url = hostname of the SSH server; is a session to it still established?
    if netstat | grep -i 'url.*estab'
    then
    exit 0
    else
    echo restart rssh
    # note: this kills every ssh client on the box, not only the tunnel
    killall ssh
    ssh -f url -l user -p 443 -g -K 450 -N -R 48443:localhost:8443
    fi

    3. I'll have to use an SSH key or hack ssh :D
    (-i /jffs/scripts/id_dropbear)

    Place files in Unix mode (Notepad++) via WinSCP (SCP mode).
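A hardened take on steps 1-3 above, added here as an example and not itpp20's script: the same netstat check and Dropbear restart, but matching the exact server address and state, killing only its own client, and using a key instead of a password. The server name rssh.example.invalid, the IP 203.0.113.10, the s2c user and the key path are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not itpp20's script: cron watchdog for the Dropbear reverse tunnel.
# Schedule it from /jffs/scripts/services-start, e.g.:
#   cru a checkrssh "*/5 * * * * /jffs/scripts/checkrssh.sh run"
# All values below are placeholder assumptions; replace them with your own.
REMOTE_HOST="${REMOTE_HOST:-rssh.example.invalid}"  # SSH server reachable from the 4G side
REMOTE_ADDR="${REMOTE_ADDR:-203.0.113.10}"          # its IP exactly as netstat -tn prints it
REMOTE_PORT="${REMOTE_PORT:-443}"
REMOTE_USER="${REMOTE_USER:-s2c}"
REMOTE_LISTEN="${REMOTE_LISTEN:-48443}"             # port the server opens for the tunnel
LOCAL_PORT="${LOCAL_PORT:-8443}"                    # Asus HTTPS web UI
KEY="${KEY:-/jffs/scripts/id_dropbear}"             # passphrase-less key, restricted server-side
PIDFILE=/tmp/checkrssh.pid
# Return 0 when the netstat -tn text in $1 shows an ESTABLISHED TCP session to the
# "ip:port" peer in $2.  Exact field matches, so an unrelated connection to port 443
# or a half-open SYN_SENT to the server does not count as "tunnel up".
tunnel_up() {
    printf '%s\n' "$1" | awk -v peer="$2" '
        $1 == "tcp" && $5 == peer && $6 == "ESTABLISHED" { found = 1 }
        END { exit !found }'
}

# Restart the client only when the session is gone.  Server side: restrict the key
# (OpenSSH authorized_keys: restrict,port-forwarding,permitlisten="48443"), keep the
# listener on 127.0.0.1 (the PuTTY hop connects to 127.0.0.1:48443, so 0.0.0.0 would
# only expose the router UI to anyone reaching the server), and set ClientAliveInterval
# so a dead session frees the port before the next retry.
ensure_tunnel() {
    if tunnel_up "$(netstat -tn 2>/dev/null)" "$REMOTE_ADDR:$REMOTE_PORT"; then
        return 0
    fi
    logger -t checkrssh "reverse tunnel down, restarting"
    # Kill only the client we started, not every ssh/dropbear process on the box.
    [ -f "$PIDFILE" ] && kill "$(cat "$PIDFILE")" 2>/dev/null
    # Key auth instead of a password; the host key must already be in known_hosts.
    # Never add -y (accept unknown host keys) to an unattended script.
    ssh -i "$KEY" -K 30 -N -R "$REMOTE_LISTEN:localhost:$LOCAL_PORT" \
        -l "$REMOTE_USER" -p "$REMOTE_PORT" "$REMOTE_HOST" &
    echo $! > "$PIDFILE"
}

# Constructed netstat -tn sample for checking tunnel_up offline.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address      Foreign Address     State
tcp        0      0 192.168.1.1:42844  203.0.113.10:443    ESTABLISHED
tcp        0      0 192.168.1.1:51112  198.51.100.7:443    ESTABLISHED
tcp        0      0 192.168.1.1:42900  203.0.113.10:443    SYN_SENT'
case "${1:-}" in
    run) ensure_tunnel ;;
esac
```

Without the `run` argument the script only defines its functions, so `tunnel_up` can be exercised against the constructed sample before the watchdog is put in cron.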