Posted: Sun Aug 14, 2022 16:01 Post subject: [SOLVED] SSH from laptop to LAN device on secondary router
I'm going to go ahead and admit my amateur status in working with dd-wrt. Okay, the setup so far:
1. Main router provided by ATT ISP.
2. Old Cisco Valet running DD-WRT (build v3.0-r44715 mini) in client mode in a separate room on a different subnet 192.168.2.X but with a static IP 192.168.1.X as WAN IP from the main router.
3. One machine connected to Valet router LAN port to eventually become a prototype game server (on a static IP)
4. One laptop for administration currently using DHCP being issued by main router.
What I am wanting to do is to be able to use the laptop to SSH into the prototype game server. I've tried to set up port forwarding on the dd-wrt machine, which seems pretty straightforward. The issue is more on setting up the port forwarding on the main router, which I believe I need to do in order for this all to work. According to the documentation, I need to essentially forward a port from the main router to the client mode dd-wrt router and then port forward the port I want for SSH from the dd-wrt router to the prototype game server.
I initially did a simple port forward on the DD-WRT with my laptop plugged into one of the LAN ports. However this never showed as being opened. I checked back with the following link https://wiki.dd-wrt.com/wiki/index.php/Port_Forwarding_Troubleshooting and sure enough it said I needed to set both routers to use port forwarding.
Then I tried setting the port forwarding on the main router to use the same port that I had set for the port forwarding on the DD-WRT router.
So to clarify: ISP router port forwarding set with DD-WRT WAN IP on port 1234, and the DD-WRT router set with port forwarding to the box I want to ssh in with port 1234. The box I want to ssh into has had the port it is listening for SSH on set to 1234 too.
What I am unsure about is if I need to initialize IP Passthrough on my main router in addition to the NAT/Gaming option, but also which IP address am I looking to use on the main router to open the port? That is, am I looking for the shown WAN IP on the DD-WRT router? Additionally, should I use the same port number for the main router to dd-wrt router port forward as I will between the dd-wrt and the prototype game server?
I'm guessing I've overstepped somewhere or should have stated 22 for somewhere to be mapped to 1234.
Can attach screenshots as needed but will need to edit photos to remove any identifying information.
Joined: 18 Mar 2014 Posts: 12877 Location: Netherlands
Posted: Mon Aug 15, 2022 12:23 Post subject:
Welcome to the forum.
The Cisco Valet can be an M10 or M20, which one do you have?
Furthermore, the build you are running is outdated; current is 49741.
See the forum guidelines with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
You might consider upgrading although in your specific use case it probably does not matter.
To recap:
Your laptop is connected to the ISP router
Your Cisco Valet is connected to the ISP router in Client mode on its own subnet
Your Game server is connected to the Cisco.
You wanted to SSH from your laptop to your game server
If so a simple port forward on your Cisco should suffice.
From your laptop you should be able to reach your game server with <wan-ip-address-cisco>:<ssh-port>
Note your game server might have its own firewall which blocks access.
The scenario where you want to reach clients on a downstream router on your own network is fairly common. It is possible to reach all your clients on the downstream router if you disable the firewall of said router (the Cisco in your case) and set a static route on the primary router (your ISP router) to the Cisco.
If you can set static routes on your ISP router and are interested in how to set it up, I can send you some more detailed instructions.
I have the Cisco M10. It was just collecting dust and thought I could put it to good use.
As things stand right now.
The ISP router has been set to give the Cisco router a static IP on its WAN IP address that was being shown on the DD-WRT GUI. I have also given the laptop a static IP address.
The game machine has a static IP address given by the cisco router on that subnet and is connected via wire.
The laptop unless connected via wire to Cisco router is using the wifi from ISP router.
I used the given firmware based on searching the forum for Cisco M10 and finding the latest thread dated in 2020 as having tested that firmware and having it known to be good. As you have stated, I don't think the firmware will make a difference for this task.
Both my laptop and the gaming machine are running Ubuntu Focal Fossa (20.04 LTS) and to my knowledge there is no running UFW (?) or apparmor or IPTables.
Cisco router with DD-WRT has SPI turned off now.
Ex. Let's assume I changed the port on the game server that ssh was listening on to 1234, then the entry in the Cisco server should be something like
GameServer Both Port from 1234 <IP Address of game machine> Port To 1234 and enable. Is that wrong?
But again, according to the link in my original post, it is indicating that I need to set up port forwarding on both routers.
Well, having gone back and tried the example I mentioned with a different number than 1234, I cannot ssh between the subnets to get to the game box. If I try to use ssh -p <port number> username@gameserverhostname, it says "ssh: Could not resolve hostname <hostname> Temporary failure in name resolution"
(maybe I need DDNS?) If I try to use the IP address of the box I want to ssh into then it hangs.
Okay in Cisco Router QoS/NAT I now have the following
SSH BOTH No Source Port From 1234 <Cisco Router WAN IP> Port To 1234 and the Enable box checked.
Still, nothing when on the ISP router subnet. It just hangs at the terminal (using PuTTY or otherwise) using the IP address of the game machine when trying to SSH in. If I try to use the hostname, it can't resolve.
The ISP router has been reset to what it was before I started all this with the exception of Fixed IP address allocations. I can double check the game server box for firewall settings but I don't think that happens on a basic Ubuntu install and I should have mentioned that SSH Server is running on the game server. Don't think I need anything running on the laptop as I can ssh into other machines on the same subnet just fine.
What else might I be overlooking? Thank you again for your time in trying to help me solve this oddity.
Joined: 18 Mar 2014 Posts: 12877 Location: Netherlands
Posted: Tue Aug 16, 2022 15:53 Post subject:
No, you cannot use the IP address of the gameserver (or its hostname); you must use the IP address of the Cisco, and then the Cisco forwards that to your game server. That is what port forward is all about.
Okay, so I try to connect to the WAN IP of the Cisco router with the port that I have opened (1234), which will forward me to the game server. I try that but it says connection refused.
ssh <username>@<ciscoWAPIP>:1234 or ssh -p 1234 <username>@<ciscoWAPIP>
Do I have the QoS/NAT form set correctly or is one supposed to be 22 and the other supposed to be the port on the GameServer(1234) that is listening for SSH?
Joined: 18 Mar 2014 Posts: 12877 Location: Netherlands
Posted: Tue Aug 16, 2022 16:13 Post subject:
If the gameserver also listens on port 1234 then that is fine, otherwise you can port forward from 1234 to 22.
I would really check if the firewall of the gameserver allows connections from other subnets, I have a NAS to which I can SSH (with a port forward from my main router) and I have to specifically tell the NAS to allow these connections.
I would check if you can SSH in from the Cisco's subnet. If you can, then instead of tweaking the firewall you can add this rule to the Cisco's iptables:
Joined: 18 Mar 2014 Posts: 12877 Location: Netherlands
Posted: Wed Aug 17, 2022 12:47 Post subject:
As your laptop is already behind the ISP router and on the same subnet as the Cisco, your ISP router has nothing to do with that.
But the Cisco has a firewall which will stop incoming connections. Enter the port forward: this opens up the firewall for that port and directs traffic for that port further down your Cisco's network.
As we speak I am doing this, my PC (192.168.0.59) is on my main subnet.
That subnet has a secondary router which has its WAN IP 192.168.0.5
The subnet of that secondary router is 192.168.5.0 and on that secondary routers subnet is an appliance with IP address 192.168.5.7
I wanted to SSH into my appliance (192.168.5.7) from my PC
So on the secondary router I set up a port forward see attachment
I use PuTTY to SSH to my router on port 2222 (because that is what I am using for the Port Forward), see attachment, and then I am greeted by the login.
Okay. I will do one last check to see what is going on and align it with your photos. Thank you for taking the time to try and get this working with me. If I can get this working, then the next step further down the line is opening up the server for specific users to access and lock everything else down. Guess I have my work cut out for me.
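The three symptoms reported in this thread (a name that does not resolve, a connection that hangs, and "connection refused") each point at a different fault in the forwarding chain. The Python sketch below is an added example, not part of the original posts: it classifies a single TCP attempt and checks for the SSH version banner that a server sends first. The function names, hint texts and the local stand-in listener are constructed for illustration.

```python
import socket
import threading

HINTS = {  # constructed hint texts: what each outcome suggests for the forward
    "dns": "name does not resolve; use the secondary router's WAN IP instead",
    "timeout": "no reply; packets dropped by a firewall or sent to an unrouted LAN IP",
    "unreachable": "no route to that address from this subnet",
    "refused": "reset received; no forward for that port or nothing listening behind it",
    "open-not-ssh": "port is open but sent no SSH banner; forward targets another service",
    "ssh": "forward reaches an SSH server",
}

def probe_forward(host, port, timeout=3.0):
    """Make one TCP attempt to host:port and return (status, detail)."""
    try:
        info = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror as exc:
        return "dns", str(exc)
    with socket.socket(info[0], info[1], info[2]) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect(info[4])
        except ConnectionRefusedError as exc:
            return "refused", str(exc)
        except socket.timeout:
            return "timeout", "no reply within %.1fs" % timeout
        except OSError as exc:
            return "unreachable", str(exc)
        try:
            banner = sock.recv(255)  # an SSH server sends its version string first
        except OSError:
            banner = b""
    if banner.startswith(b"SSH-"):
        return "ssh", banner.split(b"\n")[0].strip().decode("ascii", "replace")
    return "open-not-ssh", repr(banner[:40])

def demo():
    """Probe constructed local targets only; no real hosts are contacted."""
    srv = socket.create_server(("127.0.0.1", 0))  # constructed stand-in for sshd
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"SSH-2.0-ConstructedExample\r\n")
        conn.close()
    threading.Thread(target=serve, daemon=True).start()
    ok = probe_forward("127.0.0.1", port)
    srv.close()
    closed = probe_forward("127.0.0.1", port)  # listener gone, so the port resets
    return ok, closed, probe_forward("gameserver.invalid", 1234)
```

On a real network, call `probe_forward` with the secondary router's WAN IP and the forwarded port from a machine on the main subnet, then look the returned status up in `HINTS`.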