extradudeguy @verizon.net
[northwest] SSH port forwarding with FiOS Actiontec Router
A bit confused by something, perhaps you can help me.
I have successfully set up SSH on a server (desktop) and a client (notebook) computer. Within the LAN itself, I am able to SSH right into the server (desktop) with zero issues. Works great, no problems at all.
And I do so in a Linux shell as:
ssh name@LAN-IP
Works perfectly....
However, doing the same outside of the LAN does not work.
ssh name@WAN-IP
I have also gone into the FiOS Actiontec router's config and set up port forwarding as follows.
SSH - Secured Remote Login TCP Any -> 22
This was done as SSH was one of the options given under "specify protocol" already.
Being as this setup clearly works on the LAN, but fails outside of the LAN both from Comcast to FiOS and FiOS to FiOS, my only conclusion is that I am not opening up ports right somehow on this crazy router? Even weirder, other ports forward just fine. It's just SSH via the WAN giving me grief.
Have done plenty of searching here, not finding any posts that deal with SSH working on the LAN but not on the WAN. Help is appreciated.
extradudeguy @verizon.net
Even putting the server, which is using a static LAN IP btw, out in a DMZ fails...
extradudeguy @verizon.net
reply to extradudeguy
Checking in here for a solution. Surely I am missing something obvious? Really need to get this port forwarding issue resolved; never had this problem before and have already tried anything obvious.
Please, any suggestions appreciated.
extradudeguy @verizon.net
reply to extradudeguy
Tested things out with CanYouSeeMe.com; port 22 is not accessible whatsoever despite me opening up the port on the Actiontec router?? It states the connection is refused.
Is the router really this poor at forwarding ports? Anyone, seriously, I need remote access here. Anyone?
extradudeguy @verizon.net
reply to extradudeguy
Confirmed. Either the router or some ISP is blocking the port. Just scanned: port 23 is open while 22 is invisible and not even listed on the WAN for my box.
Really interested in an explanation for this, being no one has said "boo" yet. This cannot really be "that" convoluted, can it?
extradudeguy @verizon.net
Okay, apparently no one here is going to help with the port forwarding issue. That has been made pretty clear. Forget it, moving on then....sigh.
-------
Next question: I have established that it is the router creating problems. Port 22 just times out when trying to connect to it over the WAN, and this has been tested on three different ISPs now. It's either Verizon or the router.
I think it is the router Verizon gave me and frankly, I am sick of it. Interested in trading up, losing the coax and going CAT5 instead. How expensive is this for Verizon to come out to do in most cases? Ball park figure?
batsona Maryland
join:2004-04-17 Ellicott City, MD
·Verizon FIOS
·Vonage
reply to extradudeguy
Same problem here. I need TCP/22 open from the internet but ONLY when sourced from my static IP at work ("single-source-to-single-destination"). I received instruction on how to do it, but it didn't work & everyone's lost interest. I'm still experimenting though.
The Actiontec has all these crazy zones that [I think] represent the 'local network', like "Home Office/Network" and "Ethernet". I took my rule and put a copy under each zone that wasn't obviously related to the Internet.
Gee, this was so much more straightforward on my Cisco PIX; I had it working in 5 mins..
darcilicious Cyber Librarian Premium join:2001-01-02 Forest Grove, OR
·Verizon FIOS
·Comcast
said by batsona: "Gee, this was so much more straightforward on my Cisco PIX; I had it working in 5 mins.."
Is it an option for you then to switch to ethernet and use the Cisco PIX?
darcilicious
reply to batsona
Can you get it working without specifying a single-source IP?
Can you limit the connection (by IP address) via software on the ssh server instead of via the router (e.g. via /etc/hosts.allow)?
In the time since I last posted, I installed and configured sshd on my XP box via cygwin and set up the forward in the Actiontec router. It's working fine. (I also checked my work email, watched some TV, fed the dog, and chit-chatted with the hubby when he got home. I think I have ADD or something.)
VirtualSlew
join:2008-01-18 Ambler, PA
·ooma
·Verizon FIOS
reply to extradudeguy
I have a bunch of ports forwarded to various servers/PCs on my LAN. It's pretty easy to set up. Hopefully your Actiontec has the same options as mine. Here's what you need to do:
1. Log on to your router web interface.
2. On the left side of the page under Quick Links, click "Enable Applications (Games, IM and Others)".
3. At the bottom of the page, click "Add".
4. On the Port Forwarding page, specify the address from the dropdown, or enter the LAN IP of the device you want to forward to.
5. Select SSH from the Specify Protocol dropdown menu.
6. WAN Connection Type: All
7. Forward to Ports: Same as incoming
8. When should this rule occur: Always
9. Click the Apply button.
You should then see the port forwarding rule listed. I have a host name registered with dyndns.org, so I can always get to my servers and PCs. If my FiOS IP address changes, the DynDNS function on the router will update my host record. Just click Advanced => Dynamic DNS on your Actiontec and fill in your hostname and your dyndns account information to get it to auto-update your host record. You'll then be able to get to your LAN devices using the host name, even if your IP address changes. I hope this helps. Best of luck.
darcilicious
reply to extradudeguy
See also: »portforward.com/english/routers/···/SSH.htm for the pretty pictures version (though I didn't find it necessary to set up the UDP bit).
More Fiber Premium,MVM join:2005-09-26 West Chester, PA
·Bay Area Internet ..
reply to batsona
From the last post in your other thread, you were going to capture the traffic on the outside of the Actiontec. »Re: Lck Actiontek down to single SRC / DST traffic flow... I read that post and was waiting for you to post back.
Since you're already on cat5, why not put the PIX in front of the Actiontec per the instructions here? »Verizon Online FiOS FAQ »Replacing the Actiontec (part 4): LAN-to-LAN keeps MediaShare DVR
batsona
reply to darcilicious
The PIX suddenly & unexpectedly stopped working in late May. I suspect VZ changed some settings. I had three other routers that wouldn't work on PPPoE to get an IP. This is the reason for being forced into the Actiontec. I called VZ, and they immediately said I needed one.
Cisco PIX, 3COM, DLink and Linksys router - none would pick up an IP. Now I have to live with an Actiontec.
To answer the other question, yes, I can do a port-forward, and I can get into SSH from work, but Internet-based port scanners indicate that I'm open to the world on TCP/22 (not what I want).
batsona
reply to VirtualSlew
It's apparent that I need some sort of a) port-forward in conjunction with a b) firewall rule. I just don't have all the pieces properly set up yet.
In the Cisco, you need two things: first, a statement that allows TCP/22 inbound thru the Outside interface. Secondly, you need a statement that essentially says, "every time you see a packet enter the Outside interface on TCP/22, forward it to 10.10.10.10 on the internal LAN."
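As an added illustration of the two PIX statements batsona describes above (this is not his configuration and was not posted in the thread), here is what the pair looks like in PIX 6.x syntax. The outside address 198.51.100.2, the work source address 203.0.113.10 and the access-list name outside_in are placeholders; 10.10.10.10 is the inside host from his post. Restricting the source in the access-list is what turns a world-open forward into the single-source rule he wants.

```cisco
! Constructed PIX 6.x example; all addresses are placeholders.
! (1) Port-forward: packets arriving on the outside interface for
!     TCP/22 are redirected to the inside host 10.10.10.10.
static (inside,outside) tcp 198.51.100.2 22 10.10.10.10 22 netmask 255.255.255.255
! (2) Firewall rule: permit TCP/22 inbound on the outside interface only
!     from the single work address; the access-list's implicit deny
!     drops every other source, so Internet-wide scanners see nothing.
access-list outside_in permit tcp host 203.0.113.10 host 198.51.100.2 eq 22
access-group outside_in in interface outside
```

On PIX 6.x the access-list applied to the outside interface matches the pre-NAT (outside) address, which is why the destination in the permit line is the outside IP rather than 10.10.10.10. Without (2), the static alone behaves like the Actiontec port-forward and is reachable from anywhere.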
darcilicious
reply to batsona
said by batsona: "...question, yes, I can do a port-forward, and I can get into SSH from work, but Internet-based port scanners indicate that I'm open to the world on TCP/22 (not what I want)."
So using a hosts.allow file isn't an option?
batsona
I guess I could get that to work (even though this is OpenSSH running on a WinXP system). Plus, I come from a security background, so I'm paranoid about allowing foreign packets into my inner sanctum. I'd feel better if the foreign packets were on the Outside side of the firewall, and never allowed in.
When I had my 3com router running, it only had an option to port-forward (which opens me to the world). In my event viewer, I'd see messages like:
Attempting authentication for user "Adam"
Attempting authentication for user "Barry"
Attempting authentication for user "Chris"
Attempting authentication for user "David"
Attempting authentication for user "Edward"
etc etc etc..
Then my SSH daemon would die... I know hosts.allow would prevent SSHD from even answering the foreign hosts...
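The alphabetical run of usernames batsona saw in his event viewer is the classic signature of an SSH dictionary attack against a world-reachable port-forward. As an added example (not batsona's code and not from the thread), the Python below detects that pattern from sshd logs: it counts failed logins per source address inside a sliding time window and flags sources that exceed a threshold. It assumes OpenSSH's standard syslog "Failed password" format rather than the cygwin event-viewer wording shown above; the log lines, addresses and usernames are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of OpenSSH auth.log lines (not real traffic).
# 203.0.113.5 walks a username list; 198.51.100.7 is one legitimate user
# who mistypes a password once after a successful key login.
SAMPLE_LOG = """\
Jun  3 22:14:01 host sshd[812]: Failed password for invalid user Adam from 203.0.113.5 port 40211 ssh2
Jun  3 22:14:03 host sshd[812]: Failed password for invalid user Barry from 203.0.113.5 port 40212 ssh2
Jun  3 22:14:05 host sshd[812]: Failed password for invalid user Chris from 203.0.113.5 port 40213 ssh2
Jun  3 22:14:07 host sshd[812]: Failed password for invalid user David from 203.0.113.5 port 40214 ssh2
Jun  3 22:14:09 host sshd[812]: Failed password for invalid user Edward from 203.0.113.5 port 40215 ssh2
Jun  3 22:30:44 host sshd[901]: Accepted publickey for batsona from 198.51.100.7 port 51000 ssh2
Jun  3 22:31:10 host sshd[902]: Failed password for batsona from 198.51.100.7 port 51001 ssh2
"""

# Matches the syslog timestamp, the (optionally "invalid") user and the source IP
# of a failed password authentication; other sshd messages are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(text, year=2008):
    """Return a list of (timestamp, source_ip, username) for each failed login.

    Syslog lines carry no year, so one is supplied by the caller (assumption).
    """
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag sources with at least `threshold` failures inside any `window`.

    Returns {source_ip: sorted list of distinct usernames tried in that window}.
    A sliding window keeps a single slow-but-steady source from escaping a
    per-minute count, while one or two typos from a real user stay below it.
    """
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until it fits within `window` of `end`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({u for _, u in attempts[start:end + 1]})
                break
    return flagged


if __name__ == "__main__":
    for ip, users in find_bruteforce(parse_failures(SAMPLE_LOG)).items():
        print(f"brute-force source {ip}: tried {len(users)} usernames {users}")
```

The output of `find_bruteforce` is what you would feed into a block rule (host firewall, hosts.deny, or a tool like fail2ban); the sample flags 203.0.113.5 and leaves the single mistyped password from 198.51.100.7 alone. Source-restricting the port in the first place, as the thread discusses, removes the noise entirely, but the detection is still worth running for whatever addresses are allowed through.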
darcilicious
That's exactly what I have set up: OpenSSH running on WinXP (from the cygwin package). You should be able to add the IP address to the hosts.allow just before the PARANOID line and be good to go.
Also, if you like, PM me an IP address you want to test from and I'll see if I can't get my Actiontec to limit to a single src IP...
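What darcilicious's hosts.allow suggestion looks like in practice, as an added example that is not from the thread or from the cygwin package: the work address 203.0.113.10, the LAN range 192.168.1.0/24 and the account name are placeholders. tcp_wrappers consults hosts.allow first, then hosts.deny, and permits anything matched by neither, so the hosts.deny entry is what makes this a single-source restriction rather than an allow-list with an open default. One caveat for anyone reading this today: OpenSSH removed tcp_wrappers (libwrap) support in version 6.7, so on a current build sshd never reads these files and the equivalent restriction belongs in sshd_config (the last block) or in the host firewall.

```conf
# /etc/hosts.deny  (constructed example): refuse sshd to everyone by default.
# Unmatched connections are closed before any authentication exchange,
# which is what stops the "Attempting authentication for user ..." flood.
sshd: ALL

# /etc/hosts.allow (constructed example): only the work static IP and the LAN.
# hosts.allow is evaluated before hosts.deny, so these two lines win.
sshd: 203.0.113.10
sshd: 192.168.1.0/255.255.255.0

# sshd_config equivalent for OpenSSH 6.7 and later, where hosts.allow is
# ignored: each USER@HOST pattern restricts that account to those sources,
# and any user/source pair not listed is refused.  "batsona" stands in for
# the real account name.
AllowUsers batsona@203.0.113.10 batsona@192.168.1.0/24
```

Whichever file is used, verify it from the outside the same way the thread did: a scanner or a manual `ssh` from a non-allowed address should get a closed or reset connection, while the allowed work address still reaches the login prompt. Keep the router-level rule as well where the router supports it, since batsona's preference for dropping foreign packets before they reach the host is the stronger position; the host-side rule is the fallback when, as here, the Actiontec cannot filter by source.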