An area specifically for port forwarding, firewalls and other (on-line) security related issues.
-
pierissimo
- Novice
- Posts: 15
- Joined: Thu Jul 10, 2008 6:47 pm
by pierissimo » Tue Jul 07, 2009 1:36 pm
Hi guys!!!
I just installed the 2.9 release of the RouterTech firmware.
The problem is that I'm not able to ssh to my router from the WAN.
In the previous release I found a workaround, which was
Code:
setenv ip3.sh ";/sbin/iptables -I FORWARD -i ppp0 -p tcp --dport 22 -j ACCEPT"
setenv ip4.sh ";/sbin/iptables -I INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT"
This code no longer works....
PS: In the "Access Control" section I marked "ssh" from WAN, but it seems that this tool has never worked..
thanx!!!
Last edited by pierissimo on Tue Jul 07, 2009 9:28 pm, edited 1 time in total.
-
mstombs
- RouterTech Team
- Posts: 3753
- Joined: Wed Jan 10, 2007 11:54 pm
by mstombs » Tue Jul 07, 2009 4:31 pm
Hi,
This has always worked for me from the GUI - I enable only my fixed IP work computer, and use ddns IP. I can't think of a change in RT2.9 that would cause this change - are you sure you have the WAN IP correct?
To investigate further please advise exactly which version of firmware and the output of
Code:
iptables -vnL
iptables -vnL -t nat
I do not see what iptables "FORWARD" can have to do with this!
-
tiepolo
- Experienced
- Posts: 162
- Joined: Sat Mar 03, 2007 10:10 pm
- Location: milan, Italy
by tiepolo » Tue Jul 07, 2009 5:02 pm
hello,
I can confirm you that the FORWARD line is useless;
I have dropbear working and accessible on 2.9 with those 2 instructions in /proc/sys/dev/adam2/environment :
ip1.sh ;/usr/sbin/dropbear -i -a -p 2222
ip4.sh ;/sbin/iptables -I INPUT -i ppp0 -p tcp --dport 2222 -j ACCEPT
I opened port 2222 a dropbear session;
the instruction you gave from ssh (setenv ip4.sh ";/sbin/iptables -I INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT" ) should work in order to write the correct line in the environment file - did you reboot the router? new environment is changed only after reboot.
Paolo
-
pierissimo
- Novice
- Posts: 15
- Joined: Thu Jul 10, 2008 6:47 pm
by pierissimo » Tue Jul 07, 2009 5:29 pm
tiepolo wrote:hello,
I can confirm you that the FORWARD line is useless;
I have dropbear working and accessible on 2.9 with those 2 instructions in /proc/sys/dev/adam2/environment :
ip1.sh ;/usr/sbin/dropbear -i -a -p 2222
ip4.sh ;/sbin/iptables -I INPUT -i ppp0 -p tcp --dport 2222 -j ACCEPT
I opened port 2222 a dropbear session;
the instruction you gave from ssh (setenv ip4.sh ";/sbin/iptables -I INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT" ) should work in order to write the correct line in the environment file - did you reboot the router? new environment is changed only after reboot.
ok i'll give a look to
ip1.sh ;/usr/sbin/dropbear -i -a -p 2222
command...
-
pierissimo
- Novice
- Posts: 15
- Joined: Thu Jul 10, 2008 6:47 pm
by pierissimo » Tue Jul 07, 2009 7:46 pm
pierissimo wrote:tiepolo wrote:hello,
I can confirm you that the FORWARD line is useless;
I have dropbear working and accessible on 2.9 with those 2 instructions in /proc/sys/dev/adam2/environment :
ip1.sh ;/usr/sbin/dropbear -i -a -p 2222
ip4.sh ;/sbin/iptables -I INPUT -i ppp0 -p tcp --dport 2222 -j ACCEPT
I opened port 2222 a dropbear session;
the instruction you gave from ssh (setenv ip4.sh ";/sbin/iptables -I INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT" ) should work in order to write the correct line in the environment file - did you reboot the router? new environment is changed only after reboot.
ok i'll give a look to
ip1.sh ;/usr/sbin/dropbear -i -a -p 2222
command...
Sorry, but I do not want to change the sshd port....
cat /proc/sys/dev/adam2/environment returns:
ip3.sh ;/sbin/iptables -I FORWARD -i ppp0 -p tcp --dport 22 -j ACCEPT
ip4.sh ;/sbin/iptables -I INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT
It looks good... but if I try to connect to my no-ip router address it times out...
-
tiepolo
- Experienced
- Posts: 162
- Joined: Sat Mar 03, 2007 10:10 pm
- Location: milan, Italy
by tiepolo » Tue Jul 07, 2009 7:51 pm
Can you please describe your network?
Who's your internet access provider? Does it use a firewall?
Did you reboot after changing the environment?
The port doesn't need to be changed; it was an example.
Paolo
-
pierissimo
- Novice
- Posts: 15
- Joined: Thu Jul 10, 2008 6:47 pm
by pierissimo » Tue Jul 07, 2009 7:55 pm
tiepolo wrote:can you please describe your network?
who's your internet access provider? does it use a firewall?
did you reboot after changing environment?
the port doesn't need to be changed, it was an example.
Well.. my Italian provider is Tele2; it does not provide a firewall, I think...
Yes, I rebooted after giving the command!!
-
pierissimo
- Novice
- Posts: 15
- Joined: Thu Jul 10, 2008 6:47 pm
by pierissimo » Tue Jul 07, 2009 8:07 pm
With the 2.7v modded by darkwolf, the ssh session worked fine...
Now I flashed my D-Link G604T router with 2.9v and it no longer works!
-
pierissimo
- Novice
- Posts: 15
- Joined: Thu Jul 10, 2008 6:47 pm
by pierissimo » Tue Jul 07, 2009 9:27 pm
OK, solved... the problem was not the sshd server, but the no-ip client... I marked "Use Group Name", which gave me problems...
Sorry!
thanx
-
rokafeller
- Regular
- Posts: 71
- Joined: Wed Jul 22, 2009 8:57 pm
- Location: Italy
by rokafeller » Thu Jul 30, 2009 9:28 am
What exactly do you mean by no-ip client?
I have the same issue (no ssh connection over WAN). Could you please elaborate a bit more on how you solved it?
thanx a lot
daniele
-
mstombs
- RouterTech Team
- Posts: 3753
- Joined: Wed Jan 10, 2007 11:54 pm
by mstombs » Thu Jul 30, 2009 10:44 pm
I think pierissimo meant that the ddns client in the software failed to update the WAN IP address, so connecting with router@no-ip.org didn't work - if not updated he won't have been trying to connect to the correct router!
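Added example, not part of the thread or of the RouterTech firmware: a small triage script for the two causes discussed above, first checking what the INPUT chain in an `iptables -vnL` listing does with WAN ssh, then whether the dynamic-DNS name still points at the address on ppp0. The function names, the sample listing and the documentation-range addresses are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `iptables -vnL` output (not taken from the thread).
SAMPLE_RULES='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    3   180 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22'
# Constructed BusyBox-style `ifconfig ppp0` output; documentation addresses.
SAMPLE_IFCONFIG='ppp0      Link encap:Point-to-Point Protocol
          inet addr:203.0.113.7  P-t-P:198.51.100.1  Mask:255.255.255.255'

# input_verdict LISTING IFACE PORT: target of the first INPUT rule matching a
# TCP connection to PORT arriving on IFACE, or the chain policy if none does.
# Traffic addressed to the router itself only traverses INPUT, so FORWARD is skipped.
# Simplified: ignores addresses and state; only single-port "dpt:" matches are understood.
input_verdict() {
    printf '%s\n' "$1" | awk -v ifc="$2" -v port="$3" '
        /^Chain / { in_input = ($2 == "INPUT"); if (in_input) policy = $4; next }
        !in_input || NF < 9 || $1 == "pkts" { next }
        {
            if ($6 != ifc && $6 != "*") next
            if ($4 != "tcp" && $4 != "all") next
            dpt = ""
            for (i = 10; i <= NF; i++) if ($i ~ /^dpt:/) dpt = substr($i, 5)
            if (dpt != "" && dpt != port) next
            print $3; found = 1; exit
        }
        END { if (!found) print policy }'
}

# wan_ip IFCONFIG_OUTPUT: the IPv4 address assigned to the interface.
wan_ip() {
    printf '%s\n' "$1" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p'
}

# diagnose LISTING IFCONFIG RESOLVED_IP PORT (hypothetical helper; WAN is ppp0 as in the thread)
diagnose() {
    verdict=$(input_verdict "$1" ppp0 "$4")
    [ "$verdict" = ACCEPT ] || { echo "firewall: $verdict"; return 0; }
    if [ "$(wan_ip "$2")" = "$3" ]; then echo "ddns: current"; else echo "ddns: stale"; fi
}

# The hostname resolves to an old address here, so this prints "ddns: stale".
diagnose "$SAMPLE_RULES" "$SAMPLE_IFCONFIG" 192.0.2.50 22
```

On a live router the first two arguments would be the output of `iptables -vnL` and `ifconfig ppp0`, and the third the address the ssh client resolves for the dynamic-DNS hostname.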
-
Supermanglide
- Newbie
- Posts: 2
- Joined: Wed Aug 10, 2011 8:55 am
by Supermanglide » Wed Aug 10, 2011 9:04 am
With the 2.7v modded by darkwolf, ssh session worked fine...
Now i flashed my dlink g604t router with 2.9v and no extended works!
[Edit: SPAM signature removed by thechief]
-
shyjack
- Newbie
- Posts: 5
- Joined: Thu Oct 20, 2011 5:09 am
by shyjack » Sat Oct 22, 2011 12:37 am
Hi, I got the same problem.
Just flashed my D-Link G604T with 2.96 firmware and everything worked fine except WAN ssh/telnet.
I got a static IP from the ISP and I accessed the modem from a static IP as well, but for some reason it just didn't work.
Advance->Access Control
Enable Access Control ticked
WAN: telnet/ssh ticked.
LAN group 1: telnet/web/ftp/ssh ticked
IP Access List: 4 internal IP addresses from LAN and 2 external IP addresses from office.
I also enabled Advance->Remote Web Access.
Pretty sure I got the correct office IP and the correct WAN IP (ISP-allocated static IP); I can open the remote web admin page from within the office, but ssh/telnet from the office just hangs.
I had searched the forum but found nothing related. Did I miss anything?
Thanks
-
thechief
- RouterTech Team
- Posts: 12067
- Joined: Wed Feb 01, 2006 10:22 pm
- Location: England, the Centre of Africa
by thechief » Sat Oct 22, 2011 4:46 pm
If all else fails, use VPN. RT firmwares now support OpenVPN and pptp-based VPNs.
The Chief: Be sure to read the Firmware FAQ and do a Forum Search before posting!
No support via PM. Ask all questions on the open forum.
-
shyjack
- Newbie
- Posts: 5
- Joined: Thu Oct 20, 2011 5:09 am
by shyjack » Sun Oct 23, 2011 10:39 pm
Thanks for answering, but that is not a solution for me.
I might not have a VPN client on some of my devices, thus I still prefer a thin ssh client which does exactly what I need.
I might play with the iptables command to get through WAN ssh, but I'd definitely like to achieve this all through the web GUI and also make this setting permanent.
For such a wonderful firmware, I thought WAN ssh/telnet was a very standard setting, and indeed from the web GUI the setting is so straightforward, though it is not working under some circumstances; that is why we need to find out the reason, fix it and improve this firmware.
But I have to say this RouterTech firmware is so fantastic, and thanks to the many people who are contributing to this.