Port Forwarding question

Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware
Skunkee
DD-WRT Novice


Joined: 04 Mar 2016
Posts: 5

PostPosted: Fri Mar 04, 2016 3:11    Post subject: Port Forwarding question
I am currently running DD-WRT v24-sp2 micro on a WRT54GS. According to the feature set for this build, it does not support SSH natively. I'm OK with this because I have a Raspberry Pi that I use as an SSH server when I'm on the road for web proxying. It sits behind my router, so theoretically I should be able to port forward the SSH traffic to it and have the router act as a pass-through device. I'm trying to set up port forwarding, but my connections consistently time out when I try to SSH to the WAN IP of my router on the port I've designated for this purpose.

I have the following configurations in the Port Forwarding tab of the GUI:
Application: SSH
Port from: <high port>
Protocol: Both
IP Address: <LAN IP of my SSH box>
Port To: <listening port for SSHD on my SSH box>
Enable: Y

I also verified that the rule looks good in iptables from the Command tab:
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT gre -- <LAN IP RANGE>/24 anywhere
ACCEPT tcp -- <LAN IP RANGE>/24 anywhere tcp dpt:1723
ACCEPT 0 -- anywhere anywhere
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
lan2wan 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere <LAN IP OF SSH> tcp dpt:<high port>
ACCEPT udp -- anywhere <LAN IP OF SSH> udp dpt:<high port>
TRIGGER 0 -- anywhere anywhere TRIGGER type:in match:0 relate:0
trigger_out 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state NEW
DROP 0 -- anywhere anywhere

I can verify with 100% certainty that my ISP is *NOT* blocking SSH tunneling, as I was able to do this previously on my Tomato router. I switched to DD-WRT recently because I like the way that DD-WRT does QoS better than the way Tomato handles it.

I've also tried forwarding a port range of 1-65535 to the destination IP of my SSH box, but that doesn't seem to work either. All connections to my WAN IP on the SSH port time out.

So, this is where I'm at in my troubleshooting. This leads me to believe one of two things is happening:

1. I'm failing to understand how port forwarding works in DD-WRT and am misconfiguring it.

2. Since the Micro build does not support SSH, it is unable to process or recognize SSH traffic at all; even in a "forward these packets to this destination" sense.

Anyone got any ideas?
Skunkee
DD-WRT Novice


Joined: 04 Mar 2016
Posts: 5

PostPosted: Sat Mar 05, 2016 3:09
For what it's worth, and I don't know if this will matter or not; the WRT54GS is a v5. Not my first choice for hardware but beggars can't be choosers.
LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7647

PostPosted: Sat Mar 05, 2016 5:32
iptables -vnL FORWARD

will show you if any packets matching the port have arrived for getting forwarded.

Skunkee
DD-WRT Novice


Joined: 04 Mar 2016
Posts: 5

PostPosted: Sat Mar 05, 2016 18:41
eibgrad wrote:
There's no reason port forwarding shouldn't work.

Are you actually testing this from the internet side of the WAN, or only referencing the WAN ip while still inside the LAN on which the ssh server is running?

Also, what's your dd-wrt build? I know the dd-wrt database tends to recommend very old builds, but imo you should be using the latest BrainSlayer builds.

ftp://ftp.dd-wrt.com/betas/


I am testing this from a WAN connection. I have Connectbot on my android phone, and was able to SSH to my Pi while connected on cellular data without issue when my router was running Tomato.

The DD-WRT build is 12548M NEWD Eko. Probably pretty old, but then again so is this router.

I see lots of cautionary messages about installing the proper version of DD-WRT for your device whenever I read the wiki. Will those Brainslayer builds work on the WRT54GS v5?
Skunkee
DD-WRT Novice


Joined: 04 Mar 2016
Posts: 5

PostPosted: Sat Mar 05, 2016 18:48
LOM wrote:
iptables -vnL FORWARD

will show you if any packets matching the port have arrived for getting forwarded.


Interesting. The output of that command is showing bursts of 3 packets every time I try to connect. The output below is from when I ran the command and had 2 rounds of timeouts. Notice the pkts column on the ACCEPT rule has a count of 6.

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 47 -- * vlan1 <LAN IP RANGE>/24 0.0.0.0/0
0 0 ACCEPT tcp -- * vlan1 <LAN IP RANGE>/24 0.0.0.0/0 tcp dpt:1723
0 0 ACCEPT 0 -- br0 br0 0.0.0.0/0 0.0.0.0/0
94 4800 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
3905 2776K lan2wan 0 -- * * 0.0.0.0/0 0.0.0.0/0
3856 2773K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
6 360 ACCEPT tcp -- * * 0.0.0.0/0 <SSH IP> tcp dpt:<desired port>
0 0 ACCEPT udp -- * * 0.0.0.0/0 <SSH IP> udp dpt:<desired port>
0 0 TRIGGER 0 -- vlan1 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
43 2260 trigger_out 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
43 2260 ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Skunkee
DD-WRT Novice


Joined: 04 Mar 2016
Posts: 5

PostPosted: Sat Mar 05, 2016 20:14
eibgrad wrote:
At least it's getting through. Try dumping connection tracking and looking for either the client's public IP or the ssh server's local IP to see if the server replied.

cat /proc/net/ip_conntrack | grep <public-ip|local-ip>

If not, it will report UNREPLIED. If it did, it will report ASSURED.


I found the problem. Traffic was getting through the router; the issue was that the SSH box still had the IP of the old router as its default gateway. Kind of hard to respond to external connection requests when the gateway is an IP that doesn't exist anymore :)

Thanks for all the help, forumgoers!
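The two checks this thread walked through (counters on the FORWARD rule, then the conntrack reply state for the SSH box), combined into one diagnostic as an added shell example. This is not code from the original posts and not DD-WRT code; the sample listings are constructed to resemble `iptables -vnL FORWARD` and /proc/net/ip_conntrack output, and the addresses 203.0.113.10 (roaming client), 198.51.100.7 (router WAN IP), 192.168.1.50 (SSH box) and ports 40022/2222 are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread and not DD-WRT code: offline parsers for
# the two checks suggested above. All sample output below is CONSTRUCTED to
# resemble DD-WRT's `iptables -vnL FORWARD` and /proc/net/ip_conntrack; the
# addresses and ports are assumptions, not values from the original posts.

# FORWARD listing after two SSH attempts from outside (3 SYN retries each).
SAMPLE_FORWARD='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     47   --  *      vlan1   192.168.1.0/24       0.0.0.0/0
   94  4800 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
 3856 2773K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    6   360 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.50         tcp dpt:2222
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.50         udp dpt:2222
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0'

# Conntrack dump while the SSH box is NOT answering: the reply tuple already
# shows the DNAT'd LAN address, but the entry is flagged [UNREPLIED].
SAMPLE_CONNTRACK='tcp      6 117 SYN_SENT src=203.0.113.10 dst=198.51.100.7 sport=51234 dport=40022 [UNREPLIED] src=192.168.1.50 dst=203.0.113.10 sport=2222 dport=51234 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=203.0.113.99 sport=44210 dport=443 src=203.0.113.99 dst=192.168.1.20 sport=443 dport=44210 [ASSURED] use=1
udp      17 28 src=192.168.1.20 dst=192.168.1.1 sport=53412 dport=53 src=192.168.1.1 dst=192.168.1.20 sport=53 dport=53412 use=1'

# Same attempt once the box's default gateway is correct: handshake completed.
SAMPLE_CONNTRACK_OK='tcp      6 431999 ESTABLISHED src=203.0.113.10 dst=198.51.100.7 sport=51234 dport=40022 src=192.168.1.50 dst=203.0.113.10 sport=2222 dport=51234 [ASSURED] use=1'

# forward_hits PROTO DPORT  (FORWARD listing on stdin)
# Sums the pkts counter of every ACCEPT rule for PROTO whose match is
# "dpt:DPORT". Zero after a connection attempt means the forward rule never
# matched (DNAT not firing, or the test ran from inside the LAN); a rising
# count means the router did pass the SYNs toward the box.
forward_hits() {
    awk -v proto="$1" -v port="$2" '
        $3 == "ACCEPT" && $4 == proto {
            for (i = 10; i <= NF; i++)
                if ($i == ("dpt:" port)) sum += $1
        }
        END { print sum + 0 }'
}

# conntrack_reply_state IP  (conntrack dump on stdin)
# Prints one word per entry that involves IP: UNREPLIED (SYN delivered, no
# answer yet), ASSURED (both directions seen) or REPLIED (answer seen but not
# yet assured). Keys on the bracketed flags, so the nf_conntrack layout with
# its two extra leading columns parses the same way.
conntrack_reply_state() {
    grep -F -- "=$1 " | awk '
        /\[UNREPLIED\]/ { print "UNREPLIED"; next }
        /\[ASSURED\]/   { print "ASSURED";   next }
        { print "REPLIED" }'
}

# diagnose PROTO DPORT LAN_IP FORWARD_LISTING CONNTRACK_DUMP
# Combines the two checks into one verdict, in the order the thread used them.
diagnose() {
    hits=$(printf '%s\n' "$4" | forward_hits "$1" "$2")
    if [ "$hits" -eq 0 ]; then
        echo "no-forward"      # rule never matched: look at nat/PREROUTING, or test from outside
        return
    fi
    states=$(printf '%s\n' "$5" | conntrack_reply_state "$3")
    if printf '%s\n' "$states" | grep -q ASSURED; then
        echo "ok"              # handshake completed through the forward
    elif printf '%s\n' "$states" | grep -q UNREPLIED; then
        echo "unreplied"       # box got the SYN and sent nothing back: sshd, host firewall or (as here) its default gateway
    else
        echo "no-entry"        # forwarded but no conntrack entry at all: check the DNAT target address
    fi
}

diagnose tcp 2222 192.168.1.50 "$SAMPLE_FORWARD" "$SAMPLE_CONNTRACK"      # unreplied
diagnose tcp 2222 192.168.1.50 "$SAMPLE_FORWARD" "$SAMPLE_CONNTRACK_OK"   # ok
```

On the router itself, pipe the live listings in instead of the samples: `iptables -vnL FORWARD | forward_hits tcp 2222` and `cat /proc/net/ip_conntrack | conntrack_reply_state 192.168.1.50` (newer kernels expose /proc/net/nf_conntrack instead, with two extra leading columns, which the flag-based parser tolerates). The conntrack entry's reply tuple already carries the DNAT'd LAN address, which is why grepping for the SSH box's LAN IP finds the roaming client's attempt; a rising FORWARD counter together with an [UNREPLIED] entry says the box received the SYN and never answered, which is exactly the wrong-default-gateway symptom in the last post. A FORWARD counter stuck at zero points the other way, at the DNAT rule in the nat table (`iptables -t nat -vnL PREROUTING`) or at testing from inside the LAN.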