SSH remote access RT-AX86U

nukememobile

New Around Here
Hi, I'm a recent convert from FreshTomato (just got an AX router and FreshTomato doesn't support it, unfortunately) and use remote SSH access to be able to tunnel to my LAN (and vice versa) with PuTTY, but for security reasons I only allow specific IPs to have access. Trying to accomplish this in Merlin has met two issues. 1: I can't seem to allow more than 4 specific IPs. 2: I can't seem to make that list work at all, since trying to save keeps popping up a message: "please select at least one access type. enable access restriction list". Is there a way to accomplish this!? I have not had time (family lol) to go through all the menus and will probably have other things that I'll have questions on (like if there's a way to configure dynamic DNS with afraid.org, for instance). Any help will be greatly appreciated. Thanks!
 

nukememobile

New Around Here
1. That's a limit imposed by Asus' design of the GUI.
2. You have to select which access types you're restricting, ssh, https, or both.

You can find other useful information in the Wiki: https://github.com/RMerl/asuswrt-merlin.ng/wiki
The thing is, I selected SSH, so I don't get what it wants. Is there another way to achieve what I'm trying to do? Here's a pic of a sample of what I had tried to apply. I looked through the wiki, but what I'm trying to do is not really covered there. I'd really like to add my 10-ish IPs to the list of allowed remote SSH clients, as they are the locations I proxy from....
 

ColinTaylor

Part of the Furniture
I think I see the problem. I think there's a mistake in the language translation to English.

Instead of saying "Please select at least one Access Type. Enable access restriction list." it should say something like "Please select at least one host with an Access Type of Web UI to enable access restriction list". It's a warning that if you don't do that you'll lock yourself out of the Web UI.

Depending on what kind of access you need it might be better to either use the router's VPN server, or you can use WAN>Port Forwarding to access the SSH server on the router's LAN IP address.
 

nukememobile

New Around Here
Wow. I thought that access restriction only applied to WAN access like in FreshTomato... As I mentioned in the OP, I'll clarify: I basically want the web UI to be completely accessible from the LAN and inaccessible from the WAN, and want SSH accessible only from specific WAN IPs so I can set up a tunnel that allows me to also have access to the remote machine for RDP etc., like I currently do with FreshTomato. So: 1: SSH access only for specific WAN IPs that have a cert (already working in Fresh). 2: Set up dynamic DNS with my afraid.org account so I don't have to manage my current IP everywhere (I'll dig a bit for this since I haven't tried yet). 3: Eventually recreate my isolated VLAN that allowed web access for IoT devices without access to my main LAN or the web GUI, yet allowed traffic from my LAN to the VLAN, since IoT really can't be trusted. I'm obviously a little paranoid, but that's my current Fresh setup that I'm seeking to recreate with Merlin. Thanks for the assistance; I'll get the hang of this eventually, I'm just used to FreshTomato and the way options were laid out in that FW.
 

ColinTaylor

Part of the Furniture
1. I don't use SSH tunnelling myself but I'd still suggest you try the port forwarding method I suggested as a simple workaround for the limitations of the GUI. Or are you saying that you only want SSH access from the WAN and not from the LAN?

2. There's already an option for afraid.org in the GUI. I suggest you try that first. If it doesn't suit your needs there's a chapter in the Wiki about customising DDNS.

3. Asuswrt and Asuswrt-Merlin don't support VLANs. When people ask on here about VLANs we usually tell them to use FreshTomato. Asus does provide "guest" WiFi networks which are similar, but only work for WiFi devices.
 

nukememobile

New Around Here
1. I don't use SSH tunnelling myself but I'd still suggest you try the port forwarding method I suggested as a simple workaround for the limitations of the GUI. Or are you saying that you only want SSH access from the WAN and not from the LAN?

2. There's already an option for afraid.org in the GUI. I suggest you try that first. If it doesn't suit your needs there's a chapter in the Wiki about customising DDNS.

3. Asuswrt and Asuswrt-Merlin don't support VLANs. When people ask on here about VLANs we usually tell them to use FreshTomato. Asus does provide "guest" WiFi networks which are similar, but only work for WiFi devices.
1: I'll see how I can get it to work via port forward. I basically only want specific WAN IPs and any LAN IPs to be able to tunnel. My fear is that enabling SSH automatically makes it visible to the WAN at large, which is really not what I want, hence my access restriction config attempts.
2: Sweet, I'll try that out!
3: Yeah, Tomato does not support AX routers. I would have gone with Tomato since that's my jam, but it's not an option on this router, unfortunately... Guess I'll have to live without VLANs until something better comes along. Thanks again for the hints. I might be back if this port forward idea doesn't pan out.
 

Martinski

Senior Member
... I basically only want specific wan IPs and any lan ips to be able to tunnel. My fear is that enabling ssh automatically makes it visible to wan at large which is really not what I want hence my access restriction config attempts.
...
Because of the greater security & configuration options, especially when allowing SSH access over the WAN, I highly recommend installing/using the OpenSSH Server over Dropbear. The OpenSSH Server configuration file /opt/etc/ssh/sshd_config has "DenyUsers" & "AllowUsers" optional parameters that allow you to set up specific access restrictions based on username & IP addresses.

DenyUsers !AdminUserNameForRouter
AllowUsers *@LAN_IP_Address/24 *@WAN_IP_Address1/32 *@WAN_IP_Address2/32

Yes, installing & setting up the OpenSSH Server is a bit more work, but it's worth the effort, IMO.

Just my 2 cents.
 

nukememobile

New Around Here
An update: so far port forwarding does not seem to work. If I set SSH to be open to WAN and LAN, I can connect no problem (which is not what I want, since I'm basically open to anyone who's got too much time on their hands). Adding port forward rules such as the one below (note: the source IP is just for example purposes here, and the SSH service is in fact listening on an equivalent port, so this is pretty much how my rule is set up). Any idea why this does not work? Martinski: yeah, I saw that in the wiki, but oof, I'm not sure I have enough chops to set that up in any functional way...
Service Name  External Port / Internal Port  Internal IP Address  Protocol  Source IP
tunnel        82222222222                    192.168.0.1          TCP       111.111.111.111
 

ColinTaylor

Part of the Furniture
Did you set SSH back to LAN only before testing the tunnel (via the port forwarding rule)? What about a normal (not tunnelled) SSH connection, does that work? I tried the latter yesterday and it worked OK for me.


What tunnelling command are you using on the client? I'll try to recreate it here.
 

nukememobile

New Around Here
Did you set SSH back to LAN only before testing the tunnel (via the port forwarding rule)? What about a normal (not tunnelled) SSH connection, does that work? I tried the latter yesterday and it worked OK for me.


What tunnelling command are you using on the client? I'll try to recreate it here.
Yes, I set SSH back to LAN only to test after having confirmed that I could SSH when WAN+LAN was selected. It essentially times out (I don't even have a chance to log in).
Using PuTTY and a cert for connection (not password access), I have the following tunnels set up:
Dynamic port 12345 (for proxy support on the client to my LAN)
Local port 6666, destination 192.168.0.xxx:3389 (RDP from the client to a machine on my LAN)
Remote port 5555, destination localhost:3389 (remote desktop access from my LAN to the client)

Again, thanks for the help.

FWIW, I tried a non-tunnelling connection and the result is the same.

Update: did some more testing; the firewall seems to be the issue. If I turn it off, then it works. And if the firewall is off and I remove the port forward, my connection is refused, so the port forward works fine; the issue is with the firewall. Is there a way to make this work with the firewall on? (I'm kind of paranoid, but I really would like to keep it on with the DoS protection etc.)
 

ColinTaylor

Part of the Furniture
fwiw, I tried a non-tunneling connection and the result is the same.
Yes you are correct. Sorry, I made an error when I was doing my test. Even with the port forwarding rule I need to create an exception in the firewall rules for the SSH traffic.

Let me think about what would be the best/simplest approach.
 

ColinTaylor

Part of the Furniture
The simplest solution I can think of is as follows:

1) Set SSH access to "LAN only". This makes dropbear only listen on the LAN interface.
2) Because of 1) it should be safe to create a firewall-start script that makes the router accept incoming traffic to port 22 (this is also what the GUI does when enabling WAN access):
Code:
#!/bin/sh
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
3) Create the port forwarding rules in the GUI with restrictions on the source address.
 

nukememobile

New Around Here
The simplest solution I can think of is as follows:

1) Set SSH access to "LAN only". This makes dropbear only listen on the LAN interface.
2) Because of 1) it should be safe to create a firewall-start script that makes the router accept incoming traffic to port 22 (this is also what the GUI does when enabling WAN access):
Code:
#!/bin/sh
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
3) Create the port forwarding rules in the GUI with restrictions on the source address.
OK, I'll try that as soon as I have some time. Too bad there's no way of doing this directly in the interface (firewall scripts); Tomato allowed this as well... it was, frankly, much simpler :p Now I'll have to get WinSCP or something to do this, from what I've read, so I'll have to do this a little later... I'll report back when I've tried. I'll use the rule, however I will keep my non-standard port. Thanks again btw! Very helpful.
 

nukememobile

New Around Here
So:
- I installed WinSCP,
- connected to the router via SCP and added the script, which did not exist,
- changed the port in your suggestion to the one I was using and set the properties to 777,
- had to enable the custom JFFS scripts in the admin options (which I had not done the first time, leading to no success),
- finally connected via SSH from my LAN to restart the firewall service without having to reboot (for anyone interested, that can be done via "service restart_firewall"),
- tested from the remote WAN WITH the firewall on, including DDoS protection etc., and IT WORKS!!!!! Thanks so much! :)
Now to see if there are any other things that were working that I took for granted that now don't :p
Again, thanks for the help.
 
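Building on ColinTaylor's firewall-start script and the install steps above, here is an added example script (not code from the thread or from Asuswrt-Merlin) that goes one step further: it restricts the ACCEPT rule to specific source addresses, as defence in depth alongside the port forward's source restriction, and checks each address before generating a rule. The port and the source addresses are constructed placeholders; the script applies rules only when installed under the name firewall-start and otherwise just prints them.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start (added example; not from the thread or Asuswrt-Merlin).
# Assumes dropbear is set to "LAN only" and the GUI port forward delivers WAN traffic
# to SSH_PORT, as in the thread. Addresses below are constructed TEST-NET samples.

SSH_PORT="${SSH_PORT:-22}"                                  # placeholder, use your own port
ALLOWED_SRC="${ALLOWED_SRC:-203.0.113.10 198.51.100.0/24}"  # placeholder WAN sources

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix length.
valid_ipv4_cidr() {
    addr="${1%%/*}"
    case "$1" in */*) pfx="${1#*/}" ;; *) pfx=32 ;; esac
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    n=0
    old_ifs="$IFS"; IFS=.
    for oct in $addr; do
        case "$oct" in ''|*[!0-9]*) IFS="$old_ifs"; return 1 ;; esac
        [ "$oct" -le 255 ] || { IFS="$old_ifs"; return 1; }
        n=$((n + 1))
    done
    IFS="$old_ifs"
    [ "$n" -eq 4 ]
}

# Print one idempotent iptables command per valid source (-C checks before -I inserts,
# since firewall-start can run more than once). Bad entries are skipped, not applied.
build_rules() {
    port="$1"; shift
    for src in "$@"; do
        if valid_ipv4_cidr "$src"; then
            rule="INPUT -p tcp -s $src --dport $port -j ACCEPT"
            printf 'iptables -C %s 2>/dev/null || iptables -I %s\n' "$rule" "$rule"
        else
            printf 'firewall-start: skipping invalid source "%s"\n' "$src" >&2
        fi
    done
}

# Apply only when running under its installed name on the router; under any other
# name (e.g. when reviewing on a PC) just print the generated rules.
case "${0##*/}" in
    firewall-start) build_rules "$SSH_PORT" $ALLOWED_SRC | sh ;;   # unquoted: split on spaces
    *)              build_rules "$SSH_PORT" $ALLOWED_SRC ;;
esac
```

As in the thread, the script needs JFFS custom scripts enabled, execute permission, and a "service restart_firewall" (or reboot) to take effect.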
