Asus RT-AC68U - LAN client can't ssh to another LAN client

Michael Berg

Hello,

I recently upgraded my very old Linksys router to an Asus RT-AC68U. Everything has been great until now, where I have run into a strange problem.

Before I go on let me just say that the router is running in "Wireless router mode / AiMesh Router mode (Default)" mode, using the latest available firmware, which at the time of writing is 3.0.0.4.385_20252-ga052d4c.

My network setup is pretty much default all around. I have a bunch of mixed clients which use the router as an access point, primarily on the 5Ghz band. And in this case I have two Linux computers where I would like to SSH from one of them to the other. This does not appear to be possible, but only in one direction.

First computer: 192.168.1.187
Second: 192.168.1.143

First computer$ ping 192.168.1.143 (no problem)
Second computer$ ping 192.168.1.187 (no problem)
First computer$ ssh username@192.168.1.143 (no problem)
Second computer$ ssh username@192.168.1.187 - hangs

And when I say "hangs", here's what happens:

michael@michael-kontor:~$ ssh -vvv -X -C michael@192.168.1.187
OpenSSH_8.0p1 Ubuntu-6build1, OpenSSL 1.1.1c 28 May 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolve_canonicalize: hostname 192.168.1.187 is address
debug2: ssh_connect_direct
debug1: Connecting to 192.168.1.187 [192.168.1.187] port 22.

Then it just sits there. In the other direction the connection works fine. I should mention that yes, the openssh server is of course running. No, there are no firewall issues, this all worked just fine on the old Linksys router. No firewalls are active.

On the computer where the ssh hangs:

michael@michael-kontor:~$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         RT-AC68U-1C68   0.0.0.0         UG    600    0        0 wlp4s0
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 wlp4s0
172.16.59.0     0.0.0.0         255.255.255.0   U     0      0        0 vmnet8
192.168.1.0     0.0.0.0         255.255.255.0   U     600    0        0 wlp4s0
192.168.112.0   0.0.0.0         255.255.255.0   U     0      0        0 vmnet1
michael@michael-kontor:~$ traceroute 192.168.1.187
traceroute to 192.168.1.187 (192.168.1.187), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *

The traceroute should stop immediately and show just one hop over to the other PC, but for some reason it doesn't.

I'm no network expert here. Anyone got some tips for me? Things to try?

-Michael
 
Is one of your computers connecting to a guest WiFi network on the router by mistake?
 
Is one of your computers connecting to a guest WiFi network on the router by mistake?

No. In fact I have my guest network disabled entirely.

Also it should be noted that both machines can ping each other successfully. But one of them cannot ssh to the other.

I fear this may not be a router problem but a Linux network issue of some sort. Yet, the only thing that was changed in my setup is precisely the router. Everything else is the same.
 
I fear this may not be a router problem but a Linux network issue of some sort. Yet, the only thing that was changed in my setup is precisely the router. Everything else is the same.
I suspect this is the case. Are the IP addresses of the PCs the same as before? You might need to look at the SSH known_hosts, authorized_keys, hosts.allow, etc.
 
I suspect this is the case. Are the IP addresses of the PCs the same as before? You might need to look at the SSH known_hosts, authorized_keys, hosts.allow, etc.
No, they are not the same as before. The 192.168.1.x part is the same but they vary on the last number. Which I suppose is expected; how can the new router know what numbers were assigned by the old router?

I don't actually think there is an authentication problem. I can tell that the ssh command is trying to connect to port 22, and fails so it never gets to try any sort of authentication.

One little tidbit of information. Remember that traceroute from the 143 machine to the 187 machine fails? Well, if I use the -I parameter, it works:

$ sudo traceroute -I 192.168.1.187

traceroute to 192.168.1.187 (192.168.1.187), 30 hops max, 60 byte packets
1 michael-laptop (192.168.1.187) 300.406 ms 301.195 ms 301.235 ms

So UDP is for some reason being blocked by the 187 machine, or by the router. Tempted to think it's the latter, since this did actually work before I switched routers.

I can't seem to find anything in the router configuration that would somehow block UDP for LAN clients. Also that would not explain why the "other direction" works fine (i.e. ssh'ing from the 187 machine to the 143 machine).

-Michael
 
Which I suppose is expected; how can the new router know what numbers were assigned by the old router?
It can't.

I can't seem to find anything in the router configuration that would somehow block UDP for LAN clients. Also that would not explain why the "other direction" works fine (i.e. ssh'ing from the 187 machine to the 143 machine).
Can you connect these PCs to the router by Ethernet instead of WiFi? That would eliminate any WiFi related issues. Ethernet connections go via the switch so the router has no effect on the traffic between the hosts.
 
Can you connect these PCs to the router by Ethernet instead of WiFi? That would eliminate any WiFi related issues. Ethernet connections go via the switch so the router has no effect on the traffic between the hosts.

I guess so, but the router is situated in our attic while the computers are down on the main level of our house. It would be extremely inconvenient to run wires to establish that setup.

Edit: Also it occurs to me that the laptop (the 143 machine) doesn't actually have a physical LAN port. I would need a USB<->Ethernet adapter to make it work, and even then I wonder if perhaps I would not just get a lot of other problems.

- Michael
 
I guess so, but the router is situated in our attic while the computers are down on the main level of our house. It would be extremely inconvenient to run wires to establish that setup.

Edit: Also it occurs to me that the laptop (the 143 machine) doesn't actually have a physical LAN port. I would need a USB<->Ethernet adapter to make it work, and even then I wonder if perhaps I would not just get a lot of other problems.

- Michael
I can't think of any reason why/how the router would block UDP traffic, let alone in just one direction. Are you absolutely sure there isn't a firewall active on 192.168.1.187?

What about connecting to 192.168.1.187 using some other service? Does it have a web server, DLNA, ftp, telnet?
 
Figured it out. Oh boy I feel stupid now.

Your suggestion to try other servers was actually very helpful, because it showed that in fact nothing whatsoever was available on my 187 machine. Not even a simple web server.

So I went in and investigated the firewall setup again and, this is the embarrassing part, ufw was indeed active. As soon as I killed it, everything started working again.

Thanks a lot for helping out and sorry again for wasting everyone's time. Beer's on me next time we meet :oops:

- Michael
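
The resolution above is worth turning into a check a practitioner can run before posting. What follows is an added example, not something posted in the thread. It assumes an Ubuntu-style host with bash, ss and ufw, and it takes the LAN subnet 192.168.1.0/24 from the addresses in the thread as an assumption. The symptoms fit ufw's defaults exactly: its before.rules accept ICMP echo-request, so ping and traceroute -I succeed, while the default incoming policy silently drops new inbound TCP and UDP. A drop (as opposed to a reject) means ssh never gets a RST, which is why the verbose output stalls at "Connecting to ... port 22" instead of failing with "Connection refused", and why plain UDP traceroute shows only asterisks at hop 1. The parser function reads `ufw status` output and says whether any rule admits the SSH port; the live section (off unless RUN_LIVE=1, since it needs root) checks that sshd is listening, reports the verdict, and applies the narrow fix of allowing SSH from the LAN subnet rather than disabling the firewall.

```bash
#!/usr/bin/env bash
# Added diagnostic for "ping works, ssh hangs" between two LAN hosts.
# Not from the thread. Assumes an Ubuntu-style host with bash, ss and ufw.
# LAN_SUBNET is an assumption taken from the addresses in the thread.

SSH_PORT="${SSH_PORT:-22}"
LAN_SUBNET="${LAN_SUBNET:-192.168.1.0/24}"   # assumption

# Parse `ufw status` (or `ufw status verbose`) text from stdin.
# Prints one of: inactive, allowed, blocked.
# Return code: 0 allowed, 1 blocked, 2 inactive (ufw is not the culprit).
# Heuristic only: it looks for an ALLOW rule naming the port or the OpenSSH
# app profile and ignores rule order and the From column, so a rule such as
# "22/tcp ALLOW 10.0.0.0/8" still reads as "allowed" even though a client on
# 192.168.1.x would be dropped by it.
ufw_ssh_verdict() {
    local port="${1:-$SSH_PORT}"
    local status
    status="$(cat)"
    if printf '%s\n' "$status" | grep -q '^Status: inactive'; then
        echo inactive
        return 2
    fi
    # Rule lines look like "22/tcp   ALLOW   192.168.1.0/24",
    # "22/tcp (v6)   ALLOW   Anywhere (v6)" or "OpenSSH   ALLOW   Anywhere".
    if printf '%s\n' "$status" \
        | grep -Eq "^(${port}(/tcp)?|OpenSSH)( \(v6\))?[[:space:]]+ALLOW"; then
        echo allowed
        return 0
    fi
    echo blocked
    return 1
}

# TCP connect probe with a timeout, using bash's /dev/tcp so no nc is needed.
# Returns 0 if the port accepted the connection, non-zero if it was refused
# (RST) or dropped (timeout, exit 124), which is the "hangs" case in the thread.
tcp_probe() {
    local host="$1" port="$2" timeout_s="${3:-3}"
    timeout "$timeout_s" bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
}

# Live section: run on the machine that refuses connections (the 187 host in
# the thread). Needs root for ufw; set PEER to probe the other host as well.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    echo "== Is sshd listening on :${SSH_PORT}?"
    ss -ltn "sport = :${SSH_PORT}"

    echo "== What does ufw say about ${SSH_PORT}/tcp?"
    verdict="$(sudo ufw status | ufw_ssh_verdict "$SSH_PORT" || true)"
    echo "ufw verdict: ${verdict}"

    if [ "$verdict" = blocked ]; then
        # Targeted fix: admit SSH from the LAN only, instead of `ufw disable`.
        echo "== Allowing ${SSH_PORT}/tcp from ${LAN_SUBNET} (firewall stays on)"
        sudo ufw allow from "$LAN_SUBNET" to any port "$SSH_PORT" proto tcp
        sudo ufw status numbered
    fi

    if [ -n "${PEER:-}" ]; then
        echo "== Can this host reach ${PEER}:${SSH_PORT}?"
        if tcp_probe "$PEER" "$SSH_PORT"; then
            echo "open"
        else
            echo "no connection (refused or dropped)"
        fi
    fi
fi
```

Usage: `sudo ufw status verbose | ufw_ssh_verdict 22` on the host that will not accept connections tells you whether a rule admits SSH at all; `RUN_LIVE=1 PEER=192.168.1.143 bash diag.sh` runs the whole sequence. Keeping ufw enabled and adding the subnet-scoped allow rule preserves the protection for everything else on the laptop, which matters more on a shared WiFi network than on the wired segment the thread's other participant suggested.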
 
