[Security] SSH port opened to WAN even though "Enable SSH" is set to "LAN only"

[ppfoong]

Today I run a port scan to my Asus RT-AX86U router running firmware 3004.388.9_2.

To my surprise, I discovered that my SSH port is opened to WAN even though I have set it to "LAN only". Meaning, the "LAN only" setting is not in action at all!

When I try SSH to my external IP address, the connection established, and I am able to login using my login and password.

Please try SSH to your external IP address and check if this issue also happen to you as well.

 

[ColinTaylor]

When I try SSH to my external IP address, the connection established, and I am able to login using my login and password.

How are you testing this? You need to do the test from the internet, not from inside your LAN.

If you try to connect to your WAN IP from inside your LAN it will work. This is to be expected. However, you will not be able to connect to that IP from the internet because the router's firewall will block it. This is all by design.

Go to the following site to perform the test from the internet.

Open Port Check Tool - Test Port Forwarding on Your Router

Port checker is a utility used to identify your external IP address and detect open ports on your connection. This tool is useful for finding out if your port forwarding is setup correctly or if your server applications are being blocked by a firewall.

www.yougetsignal.com

 

[ppfoong]

Ah... OK, got it.

Thanks for the explanation.

No port is found open when accessed from mobile network.

 

[Viktor Jaep]

I see a similar issue. This is using nmap from inside the lan. Even though the setting is turned off per @ppfoong, it still shows up, but not reachable from the outside. It's just an annoyance, but it makes my heart skip a beat every time I see it, and wonder if something is tunneling through the firewall. This happened somewhere along the way, because a few firmware versions back, it was reporting 0 open ports on WAN0.