Posted: Fri Jul 01, 2016 14:18 Post subject: Can't do outbound ssh on stock linksys 1900ac (v1)
I bought a Linksys 1900ac to replace my linksys 160nl.
I am currently running Firmware: DD-WRT v3.0-r28628 std (12/29/15)
After I flashed it, I set up the WiFi network. I didn't make any other configuration changes. I have both old and new router attached to my cable modem via a hub, so I can switch back and forth by changing the SSID I use.
On the old router, I can connect to some Amazon AWS servers via ssh - no problem. With the new router, I cannot. I'm using the new router right now - no other problems.
So I put tcpdump on it, and watched the packets arriving and leaving, and the ssh packet comes into the 1900ac, but does not leave the router.
The iptables output is very different from my old router, as it has dual bands, IPv6, etc. I'm not 100% confident in making changes in it.
Is this a bug in the version of the firmware I am using? A configuration error?
And what is even more puzzling, I also tried using OPENWRT on it, and it had the same problem.
So you have the routers connect to the ISP cable modem via a hub?
Recommended connection method is direct connect 1 host router to the ISP modem. Then connect an external switch or hub to the main host router and any wired devices to the switch from there...
Does this modem have a built in router by chance?
No - The modem doesn't have a built-in router.
And I don't understand your "recommendation."
First of all, I can't do A/B testing where I have the two WiFi routers side-by-side. If I use your suggestion, I affect everyone else in the house when I switch, as well as physically swapping cables.
Second - a Hub is a Hub. Actually it's a managed Hub/Switch. It works as designed. It's a powered hub.
Are you saying my configuration cannot work? It works fine.
Both WiFi routers work fine as NAT routers. I can switch between them and do everything EXCEPT outbound SSH connections. All I do is select a different SSID.
One more thing - when I run tcpdump monitoring the outgoing connections, I can see the SYN packets leaving the interface, but the SYN/ACK packets do not show up on the external interface in tcpdump.
That's why I think it's an iptables issue.
If iptables is dropping the packet in the kernel, tcpdump won't see it.
And here's another reason to have a Hub/Switch where I have it - I can put a port sniffer on the wire to see if the packet is leaving the modem, and my DDWRT router is dropping it. Or else the server isn't responding to my SYN request. With a hub, I can determine which is happening.
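The capture-point comparison discussed in this thread can be automated. The following is an added example, not part of the original posts: it reads `tcpdump -n` lines captured on the router's LAN and WAN sides and reports how far the SSH handshake got. The addresses, the `lan`/`wan` labels and the function name are constructed for illustration.

```python
import re

# tcpdump -n line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")
# On Linux, tcpdump taps inbound packets before netfilter and outbound packets
# after it: a SYN/ACK dropped by a router rule still shows in the WAN capture,
# while an outbound SYN dropped by a rule does not.
STAGES = ["syn_lan", "syn_wan", "synack_wan", "synack_lan"]
VERDICT = {
    None: "no SYN on the LAN side: client never sent it, or wrong capture filter",
    "syn_lan": "SYN reached the router but never left it: check FORWARD/NAT rules",
    "syn_wan": "SYN left the router, no SYN/ACK on WAN: look upstream or at the server",
    "synack_wan": "SYN/ACK reached WAN but was not forwarded: check FORWARD/conntrack",
    "synack_lan": "handshake crossed the router in both directions",
}

# Constructed sample: client 192.168.1.100, router WAN 198.51.100.7 (after NAT),
# server 203.0.113.10. The SYN is retransmitted and no reply ever appears.
SAMPLE = [
    ("lan", "14:18:01.000101 IP 192.168.1.100.51234 > 203.0.113.10.22: Flags [S], seq 1, win 29200, length 0"),
    ("wan", "14:18:01.000350 IP 198.51.100.7.51234 > 203.0.113.10.22: Flags [S], seq 1, win 29200, length 0"),
    ("wan", "14:18:02.001200 IP 198.51.100.7.51234 > 203.0.113.10.22: Flags [S], seq 1, win 29200, length 0"),
]

def handshake_stage(captures, server_ip, port=22):
    """captures: iterable of (side, tcpdump_line) with side 'lan' or 'wan'.
    Returns the furthest handshake stage observed, or None."""
    seen = set()
    for side, line in captures:
        m = LINE.search(line)
        if not m:
            continue  # not a TCP line in the expected -n format
        src, sport, dst, dport, flags = m.groups()
        if flags == "S" and dst == server_ip and int(dport) == port:
            seen.add("syn_" + side)       # client SYN towards the server
        elif flags == "S." and src == server_ip and int(sport) == port:
            seen.add("synack_" + side)    # server SYN/ACK coming back
    reached = [s for s in STAGES if s in seen]
    return reached[-1] if reached else None

if __name__ == "__main__":
    stage = handshake_stage(SAMPLE, "203.0.113.10")
    print(stage, "->", VERDICT[stage])
```
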