
Can't access with SSH from the WAN my Asus AC68 with FW 380.64_2


Juglar

Occasional Visitor
Hi:

I resort to the forum after hours of trying by myself:

I have configured the Merlin in the WebGUI to accept SSH from the WAN and a JuiceSSH app on my Android mobile. I'm using the real WAN IP address reported by http://myip.es/ and others.

If I try to connect from the mobile by the router's WIFI LAN, it works OK and fast. I can launch shell commands perfectly. However, if I connect by the internet, from my mobile by the 3G data service or by a different WIFI, the SSH stays without reply up to some timeout expiry (more than 2 minutes). However, if I try to connect from the same mobile and APP by https (from the WIFI LAN or from the same 3G data or from the same different WIFI, to the same WAN IP), it connects OK.

Anyone can help, please?
Thanks,
Juglar.
 
Didn't you say you configured specific IPs to be able to connect? That part should work.
When you connect using various providers or other WiFi, then you are using a different NATed IP that is being rejected by the router. This setting applies only to SSH, so your SSL connection is to a different service and port, and therefore accepted.
 
The router WAN IP I don't choose; it is provided by the ISP. I just "learn it" through MyIp.es or other internet services. I explain that I do connect through https to prove that at least access to the IP from the internet is possible.

I don't know if there is a problem with the ports for SSH (I use 2222) . That is why I enquire in the forum, but I also assert that SSH is configured as open for the LAN + WAN (and, just in case, SSH port forwarding enabled, I don't know if it's necessary) .
 
Please try removing port forwarding for SSH if you want to access the router itself. IP of the router WAN is only relevant in allowing you to get there from outside. Did you also set IP restriction for clients that allowed to connect? If yes, that is what I was referring to in my first post. That has to be set to specific IP *from* which you are trying to connect.
 
OK, I disabled port forwarding, which I was unsure about (but I had already tried with it both disabled and enabled).

I have always had "Allow only specific address" off and the "Specified IP address" client list empty.

I have most Network Protection options enabled.

I have DDNS active and have tried with different settings of WAN - NAT Passthrough, but the normal ones are all disabled except for RTSP Passthrough, which my IPTV needs to have set to "Enabled + NAT helper".
 
Then I would say there may be another issue - it is possible that your provider blocks access to port 22. You said that you can access SSH from the internal network, correct? You also said that you can resolve your DDNS name from outside. That being the case, I would try to move the port on the SSH page of the router from 22 to something high - let's say 22222. Please make sure that you specify that port in your SSH client when trying to connect.
 
I already used the 2222 set by default by the WebGUI. Recently, just in case, I tried with 4444. Always setting in the SSH client the same port as set in the router.

Thank you.
 
Try setting the port as I suggested - above 10000. My ISP blocks ports 9999 and below.
 
If that's really the case, then someone at your ISP is an idiot. Ephemeral ports are between 1024 and 65535, so any TCP connection can use any port within that range. It makes zero sense to block ports 1024 through 9999, unless you want to randomly break all kind of things.
 
I don't disagree! My ISP is going to great lengths to cause trouble. DNS leaks, port blocks and arbitrary throttling is just the tip of an iceberg!
 
Time to change ISP? ;) Have you tested it works (with a port outside the blocked range)?

EDIT: Oops, the OP is a different person. @Juglar You can troubleshoot using nmap to your external IP from outside
 
I've tried with port 44445 with the same result: it connects from the WiFi LAN and doesn't from the WAN.

Then, I have tried with 8443, through which I correctly accessed from WAN with https, with the same result (after having changed https to port 8442 and checked that it also goes ok) .

Are there any settings anywhere else that have to be set in any specific way (like snmp, )?

I have:
Enable SSH: LAN+WAN
Allow SSH port forwarding: No
SSH service port 8443 (now)
Allow SSH password login: Yes
Enable SSH Brute Force Protection: No
SSH Authentication key: Empty. (But as I already said, JuiceSSH manages to connect to the router's WAN IP from a PC in the WLAN.)

The nmap test, I don't know how to do. But will it use the SSH protocol? If it just tests ports, I've already used 8443, which is clearly open to the WAN for https. I don't know if my ISP is blocking SSH, but it seems quite improbable to me.

Thanks all for your help.
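The nmap suggestion above and the question of whether a port test "uses SSH protocol" can both be answered with a small probe that goes one step past a plain port scan: it connects to the port and then waits for the SSH identification string, so it can tell a port that is reachable but served by something else (the https case in the thread) from a port where an SSH server actually answers, and a connection that is refused from one whose packets are silently dropped (timeout). This is an added example, not code from the thread or from the router firmware; it uses only the Python 3 standard library, and the test banner and listener it starts are constructed locally so the script can be exercised offline before pointing it at a real WAN address.

```python
import socket
import sys
import threading

SSH_BANNER_PREFIX = b"SSH-"


def probe_tcp_service(host, port, timeout=5.0):
    """Classify what a TCP port does as seen from the probing host.

    Returns a (status, detail) tuple where status is one of:
      "ssh"       - connection accepted and the peer sent an SSH identification line
      "open"      - connection accepted but no SSH banner (some other service, or nothing said)
      "refused"   - a host answered with RST: packets arrive, but nothing listens there
      "filtered"  - no answer within the timeout: a firewall, NAT or ISP filter drops traffic
      "error"     - any other socket failure (e.g. host unreachable), detail carries the message
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                return ("open", b"")
            if data.startswith(SSH_BANNER_PREFIX):
                first_line = data.split(b"\n", 1)[0].rstrip(b"\r")
                return ("ssh", first_line.decode("ascii", "replace"))
            return ("open", data)
    except ConnectionRefusedError:
        return ("refused", None)
    except (socket.timeout, TimeoutError):
        return ("filtered", None)
    except OSError as exc:
        return ("error", str(exc))


def interpret(result):
    """Turn a probe result into the troubleshooting conclusion a reader would draw."""
    status, detail = result
    if status == "ssh":
        return "SSH is reachable on this port and identifies itself as: " + detail
    if status == "open":
        return "port accepts connections but no SSH banner was received; another service may own it"
    if status == "refused":
        return "traffic reaches a host on this path, but nothing listens on the port there"
    if status == "filtered":
        return "no reply at all: traffic is dropped on the way (firewall rule, NAT, or upstream filter)"
    return "probe failed: " + str(detail)


def start_fake_server(banner=b"", host="127.0.0.1"):
    """Start a one-connection local listener that sends `banner` and closes.

    Constructed helper for offline testing; returns the ephemeral port it listens on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if banner:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def find_closed_local_port(host="127.0.0.1"):
    """Reserve and release an ephemeral port so a probe against it is refused."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Usage: python3 probe.py <host-or-wan-ip> <port> [timeout-seconds]
    if len(sys.argv) < 3:
        # Offline self-demonstration against a constructed SSH-like listener.
        demo_port = start_fake_server(b"SSH-2.0-constructed_test_banner\r\n")
        print(interpret(probe_tcp_service("127.0.0.1", demo_port, 2.0)))
    else:
        host, port = sys.argv[1], int(sys.argv[2])
        timeout = float(sys.argv[3]) if len(sys.argv) > 3 else 5.0
        print(interpret(probe_tcp_service(host, port, timeout)))
```

Run it from a network outside the router (mobile data, another WiFi) against the WAN address and the configured SSH port. A "filtered" result matches the symptom in the thread (the client hangs until a timeout) and means the packets never reach the SSH service, whereas "open" with no banner on a port that serves https shows the port itself is reachable; the difference tells you whether to look at the path (ISP, WAN firewall) or at which service is bound to the port.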
 
I've located the problem and I think it must probably be a bug:

The problem is that, if I configure "Static IP" for "WAN Connection Type" (and then fill in all the required IPs), a connection through SSH from the WAN cannot be established. However, if I configure there "Automatic IP" (and leave everything else the same), the connection is established and working well.

I thank Redhat27 very much, who recommended me to do a FW reinstallation. I did it and, quite luckily, this time I didn't begin by configuring all IPTV as I did all previous times, guided by the wizard, and SSH began connecting from the WAN. Then I went on configuring everything, checking the connection every few new settings, and it was when I configured that IPTV setting that it failed. Then I checked a few times that what makes the difference is just that particular setting.

I use Movistar Triple VLAN IPTV configuration, to watch IPTV in Spain. For it to work, I need to configure LAN, IPTV, "IPTV connection", "WAN Connection Type" as "Static IP" (and, then, fill all the required IPs). So, watching IPTV and allowing WAN SSH connections, both of which are requirements for me, seem incompatible, I think probably due to a bug in the firmware.

Could the developer(s) (I understand, Merlin) correct it, please, in a near version (even Beta)? As told in the thread title, the problem appeared to me with FW 380.64_2, but it has been in the currently installed 380.65_4 where I've checked its dependence on the WAN Connection Type setting.

I'm at your disposal if you want me to do any checking or launch shell commands, etc (I connect through telnet and can also transfer files through SFTP), though I suppose it can be reproduced by configuring Movistar Triple VLAN or maybe other IPTV (even if not going to use it) (internet access is through one VLAN in the WAN) .

Or, should I report the probable bug anywhere else?

Thank you very much.
Juglar
 
I resort to the forum after hours of trying by myself:

I have configured the Merlin in the WebGui to accept SSH from the WAN and a JuiceSSH APP in my android mobile. I'm using the real WAN IP address reported by http://myip.es/ and others.

Running SSH access into the router directly is a big security risk these days, and you really should take that seriously with recent attention on various Router OEM's having significant security issues with any services exposed to the WAN side.

port forwarding to an internal SSH host, if one really needs this, is nicely done with a low power singleboard computer like a Pi2 or similar... even then, one needs to take some time to properly configure the SSH server side...

BTW - not a bug, it's a feature in AsusWRT related to how services hairpin in and out, and how they're shared within in the LAN hosts.
 
BTW - not a bug, it's a feature in AsusWRT related to how services hairpin in and out, and how they're shared within in the LAN hosts.

If you have read my previous post, SSH WAN access IS already available with "Automatic IP" IPTV and not with "Static IP" IPTV.

Do you seriously think that it is a deliberate, intended behaviour?

Then, do you think that it is a bug that SSH WAN access IS possible when IPTV "WAN Connection Type" is "Automatic IP"? Or, does this type of IPTV configuration add any security to the SSH WAN access, so that it is secure with "Automatic IP" IPTV and it would be unsecure with "Static IP" IPTV, if it were allowed?

Running SSH access into the router directly is a big security risk these days, ...

I could always disable WAN SSH access, but it's for my HOME LAN, where attackers have little to gain and I little to lose.

But, please, let ME take care about my security and take the balancing decision between functionality and risk.

...is nicely done with a low power singleboard computer like a Pi2 or similar... even then, one needs to take some time to properly configure the SSH server side...

My ASUS router already has more than enough available resources for that and it already offers SSH WAN access, proudly implemented (at least, now, for "Automatic IP" IPTV). I value it a lot and that is the way-in that RMerlin recommended me to launch User Scripts from the WAN, instead of https WebGui configurable buttons.

So, please, don't try to disguise or cover a misbehaviour (if it finally is) pretending that it is an intended security feature.

Ah, and, please, please, don't "solve" the issue by completely taking out WAN SSH ! I (the same as many, I suppose) need it and it is almost there!

Thank you.
 