ssh port forward to router

jauling

Just came from shibby-tomato, so apologies if this is a dumb question.

I did a quick search on port forwarding in this forum, but didn't find anything that specifically addresses my issue.

Running the just released 380.69 firmware on my N66U, and I would like to enable ssh on it using standard port 22 inside my LAN, but run it on a non-standard port on the WAN side. The UI doesn't support this but I thought maybe just enabling a port forward would do the trick, but it's not working as I thought it would.

The iptables rule looks proper to me; it's the last DNAT rule in the VSERVER chain. Am I doing something wrong? FWIW, the other port forward rules below do work.

Code:
admin@crappy:/tmp/home/root# iptables -L -t nat -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
VSERVER    all  --  0.0.0.0/0            MY-WAN-IP

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
PUPNP      all  --  0.0.0.0/0            0.0.0.0/0
MASQUERADE  all  -- !MY-WAN-IP        0.0.0.0/0
MASQUERADE  all  --  MY-LAN-NET/24          MY-LAN-NET/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DNSFILTER (0 references)
target     prot opt source               destination

Chain LOCALSRV (0 references)
target     prot opt source               destination

Chain PCREDIRECT (0 references)
target     prot opt source               destination

Chain PUPNP (1 references)
target     prot opt source               destination

Chain VSERVER (1 references)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 to:MY-NAS:443
DNAT       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:1194 to:MY-OPENVPN:1194
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5903 to:PC1:5900
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5902 to:PC2:5900
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2222 to:MY-ROUTER:22
VUPNP      all  --  0.0.0.0/0            0.0.0.0/0

Chain VUPNP (1 references)
target     prot opt source               destination
 
You should be able to do this via the GUI. I do this on my network and it works fine... A non-standard port is used on the WAN side and forwarded to port 22 on a server inside my network.

In the router GUI go to WAN - Virtual Server / Port Forwarding. Have your "Port Range" be the non-standard WAN facing port, the "Local IP" as the system on your LAN, and the "Local Port" as 22. Should work...
 
Hey @Lost Dog, that's exactly what I did.

Can you tell me what values you use for these parameters in the GUI?
Advanced Settings -> Administration:
SSH Daemon -> Enable SSH: LAN + WAN or LAN only?
Allow SSH Port Forwarding: Yes or No?

I can't think of anything else that could screw this up on my end. The major difference is that I'm trying to expose the ssh port on my RT-N66U router, while it looks like you've got it set up for "a server inside my network".

Edit:
The port forwarding works fine if it's NOT the router. It doesn't work if I try to forward port 2222 on the WAN side to port 22 on the LAN side of my router.
 
@jauling,

I actually do both... I have ssh on my router exposed to a non-standard port as well as forward a different non-standard port to a server in my network.

My settings are:

Enable SSH: LAN + WAN
Allow SSH Port Forwarding: Yes
SSH service Port : (the non-standard port I use)
Allow SSH password login: No (I use SSH Authentication key)

Hmm... In "WAN - Virtual Server / Port Forwarding" are you setting up a forward to the router itself? If so, don't do this and just use the settings in the SSH Daemon section.
 
Ahh, @Lost Dog, you're doing it slightly differently than I am. This difference is substantial though.

What I'd like to accomplish:
  • ssh to non-standard port on WAN side to my router
  • ssh to standard port on LAN side to my router
Setting up port forwards to LAN addresses other than my router works perfectly fine with 380.69. It's the ssh port forward rule to my router that doesn't seem to work.

I think by default, the iptables chain that's used by the GUI when doing port forwarding is not correct for rules that are destined for the router itself.

The workaround looks to be documented in this thread from 2014. In that thread, issue #689 was closed already, but 3 years later we still don't see the functionality.
 
It's not iptables (although you need that as well)... The ssh configuration supported by the router GUI only allows for a single listening port. So you need to kill and restart dropbear with the correct options.
(or switch to my LTS fork which has an nvram var you can set to allow for multiple addresses/ports)
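
Added example, not from any poster in the thread: a Python parser for an `iptables -L -t nat -n` listing that marks which DNAT rules end at the router itself. Netfilter delivers those packets locally, so the filter table's INPUT chain (not FORWARD) and a daemon listening on the target port decide whether they work, which is also what makes them worth auditing as WAN exposure of the router's own services. The function names and the `router_addrs` parameter are assumptions for illustration; the sample is the VSERVER chain from the first post with its placeholders kept.

```python
import re

# Constructed sample: the VSERVER chain from the first post's listing,
# with the poster's placeholders (MY-NAS, MY-ROUTER, ...) kept as-is.
SAMPLE = """\
Chain VSERVER (1 references)
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 to:MY-NAS:443
DNAT       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:1194 to:MY-OPENVPN:1194
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5903 to:PC1:5900
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5902 to:PC2:5900
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2222 to:MY-ROUTER:22
VUPNP      all  --  0.0.0.0/0            0.0.0.0/0
"""

# One DNAT line: protocol, WAN-side port (or range), target host, optional port.
DNAT_RE = re.compile(
    r"^DNAT\s+(?P<proto>tcp|udp)\s.*?\bdpts?:(?P<wan>\d+(?::\d+)?)"
    r"\s+to:(?P<host>[^:\s]+)(?::(?P<port>\d+(?:-\d+)?))?\s*$"
)

def classify_forwards(listing, router_addrs, chain="VSERVER"):
    """Parse DNAT rules in `chain` and record which filter chain sees them.
    A packet rewritten to one of the router's own addresses is delivered
    locally and checked by INPUT; anything else is routed through FORWARD.
    """
    rules, in_chain = [], False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
            continue
        m = DNAT_RE.match(line) if in_chain else None
        if m is None:
            continue
        local = m["host"] in router_addrs
        rules.append({
            "proto": m["proto"], "wan_port": m["wan"],
            "to": m["host"], "to_port": m["port"] or m["wan"],
            "filter_chain": "INPUT" if local else "FORWARD",
        })
    return rules

def router_bound(listing, router_addrs):
    """DNAT rules that end at the router itself (need an INPUT accept + listener)."""
    return [r for r in classify_forwards(listing, router_addrs)
            if r["filter_chain"] == "INPUT"]

if __name__ == "__main__":
    for rule in classify_forwards(SAMPLE, {"MY-ROUTER"}):
        print(rule)
```

On a real listing, pass the router's actual LAN and WAN addresses in `router_addrs` instead of the placeholder.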
 
