How to debug SSH port forwarding
Solution 1
I am thinking your problem is not in the port forwarding, but another option in the NAT config in the router.
First, ensure that if you use your LAN IP, you can successfully SSH from another machine on the network. This ensures SSH works at all.
Second, test from another machine outside the network using the public IP. This ensures that port forwarding works.
Third, test from that same machine outside the network and use the DynDNS URL. This ensures that DynDNS is working properly.
If all of those succeed, then nothing is wrong with your configuration (which I'll assume is correct) and your problem is only accessing the public IP (either directly or through DynDNS) from inside the network. This means that your router needs to have NAT reflection enabled (if possible) to route internal requests as if they were external requests for the public IP.
Solution 2
Is your sshd server listening on port 22? Try adding:
Port 22
to your config.
If that doesn't work, try forwarding a port above 1024 (some ISPs don't allow non-business subscriber traffic on ports below 1024). Also make sure, if you do this, that you change the line in the conf I just told you about to reflect the same value.
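The three-layer check from Solution 1 (LAN IP, then public IP, then DynDNS name), the non-standard port from Solution 2, and the "point the forward at a decoy listener" idea raised in the comments below, as one runnable script. This is an added example, not code from either answer or from the asker's setup. The file name ssh_layers.py, the helper names probe, resolves_to, diagnose and fake_ssh_listener, and the decoy banner text are assumptions made here; the only fact it relies on is that an SSH server sends its "SSH-..." version string first, so a TCP connect plus one read is enough to tell sshd from some other service the forward may have hit.

```python
"""Added example: stage-by-stage reachability check for sshd behind a NAT router."""
import socket
import sys
import threading


def probe(host, port, timeout=3.0):
    """TCP-connect to host:port and classify what happened.

    'unresolved' - name lookup failed (DynDNS record missing / typo)
    'timeout'    - no SYN-ACK: dropped by a firewall, a missing port forward,
                   or a router without NAT reflection when probed from inside
    'refused'    - RST came back: the host is reachable, nothing listens there
    'unreachable'- other connect error (no route, network down)
    'open-ssh'   - connected and the peer sent an "SSH-" version banner
    'open'       - connected but no SSH banner: the forward hits another service
    """
    try:
        addr = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)[0][4]
    except socket.gaierror:
        return "unresolved"
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(addr)
        except socket.timeout:
            return "timeout"
        except ConnectionRefusedError:
            return "refused"
        except OSError:
            return "unreachable"
        try:
            banner = s.recv(255)  # sshd speaks first, so nothing needs to be sent
        except OSError:
            banner = b""
        return "open-ssh" if banner.startswith(b"SSH-") else "open"


def resolves_to(name, expected_ip):
    """True if `name` currently resolves to `expected_ip` (what whatismyip.com shows)."""
    try:
        ips = {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return False
    return expected_ip in ips


def diagnose(lan, public, dyndns, from_inside):
    """Map the three probe results to the layer that most likely failed."""
    if lan != "open-ssh":
        return "sshd: not reachable on the LAN address; check that sshd runs, its Port directive and the host firewall"
    if public != "open-ssh":
        if public == "timeout" and from_inside:
            return "nat-reflection: the public IP was probed from inside the LAN; enable NAT loopback or test from outside"
        return "port-forward: LAN works but the public IP does not; check the router rule, ISP port blocking, the WAN firewall"
    if dyndns != "open-ssh":
        return "dyndns: the public IP works but the name does not; the record is stale or unresolved"
    return "ok: sshd is reachable via LAN IP, public IP and DynDNS name"


def fake_ssh_listener(bind="127.0.0.1", port=0):
    """Decoy listener that only sends an SSH-style banner (assumed helper).
    Run it on a second machine or port and repoint the router's forward at it
    to tell a broken router rule apart from a host that silently drops traffic.
    Returns (listening socket, bound port); the accept loop runs in a daemon thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                return  # listener was closed
            with conn:
                print(f"decoy: connection from {peer[0]}:{peer[1]}")
                conn.sendall(b"SSH-2.0-decoy_listener\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "--listen":
        _, bound = fake_ssh_listener(bind="0.0.0.0", port=int(sys.argv[2]))
        print(f"decoy SSH listener on port {bound}; Ctrl-C to stop")
        threading.Event().wait()
    elif len(sys.argv) in (5, 6):
        lan_ip, public_ip, name, port = sys.argv[1], sys.argv[2], sys.argv[3], int(sys.argv[4])
        inside = len(sys.argv) == 6 and sys.argv[5] == "inside"
        results = {"lan": probe(lan_ip, port), "public": probe(public_ip, port), "dyndns": probe(name, port)}
        for layer, state in results.items():
            print(f"{layer:>7}: {state}")
        if not resolves_to(name, public_ip):
            print(f"warning: {name} does not resolve to {public_ip} (stale DynDNS record?)")
        print(diagnose(results["lan"], results["public"], results["dyndns"], inside))
    else:
        sys.exit("usage: ssh_layers.py LAN_IP PUBLIC_IP DYNDNS_NAME PORT [inside]\n"
                 "       ssh_layers.py --listen PORT")
```

Run it from an outside machine as `python3 ssh_layers.py 192.168.1.10 203.0.113.5 myhost.example.dyndns.org 22` (addresses here are placeholders); append `inside` when running from the home LAN so a timeout on the public IP is reported as the NAT reflection case from Solution 1 rather than as a broken forward. If you moved sshd to a port above 1024 as Solution 2 suggests, pass that port instead; the `Port` directive in sshd_config, the router rule and the probe must all agree. `--listen 2222` on a second host gives you the decoy to repoint the router's forward at: if the decoy logs the connection, the router rule is fine and the problem is on the original box.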
hari, updated on September 18, 2022
Comments
-
hari over 1 year
This is an extension to "ssh port forward to access my home machine from anywhere". I tried the things mentioned there but I am not able to ssh to my machine.
Netgear router settings for port forwarding:
Start Port: 22 End Port: 22 Server IP Address: IP address of my FreeBSD box
/etc/ssh/sshd_conf of my FreeBSD box:
PasswordAuthentication yes
AllowUsers root
X11Forwarding yes
AllowTcpForwarding yes
How I am trying to connect:
I've signed up for dyndns.com and got a URL that maps to my external IP address. From another machine in my home network, I do:
ssh -l root my_dyndns_ip
which is just timing out. On the other hand, I can ping my_dyndns_url successfully.
Debugging:
How can I fix this so that I can ssh from anywhere to my_dyndns_url? I tried to look into the logs of my Netgear router, but on a failed ssh attempt no log is generated on the router.
I also looked into /var/log/messages but could not find anything.
Edit:0 Running ssh in verbose mode (as @jasonwryan suggested):
I am noticing a weird thing: when I ssh to the dyndns.com provided URL, it is trying to connect to a different IP address than what I get from whatismyip.com. Isn't that wrong?
Edit:1 The problem with dyndns is now solved.
Now when I try to ssh, it times out and I get the error: Connection timed out
Edit:2 Does iptables or NAT have anything to do with it?
Edit:3 I started ssh with the -d option to capture debug messages. When I ssh to the FreeBSD box from any other machine in the WLAN, it works fine and I can see logs.
But when I ssh to the external IP (which should forward that to my FreeBSD box), I do not even see any logs - that means the request is not even reaching the FreeBSD box. And it times out.
-
Admin over 12 years
Routers can be buggy. When they are buggy they are a nightmare. What is the brand of your router and are you using the original firmware? If possible I suggest trying with a router which has (for example) Tomato installed. Tomato is not perfect, but is a long way better than the proprietary router firmwares. Note: I'm not suggesting this is the source of your problem, but I've found buggy routers can greatly complicate things.
-
Admin over 12 years
I think your use of the term URL above is incorrect. You mean a Fully Qualified Domain Name (FQDN) I assume. What does host my_dyndns_ip show?
-
Admin over 12 years
Thanks @Faheem Mitha. I've a Netgear WPN824v3. How can I make sure if it's buggy? And what is Tomato? :)
-
Admin over 12 years
@hari: If your router appears to be behaving in a way that you would not expect, then consider that it may be buggy. Are you using the original firmware? Tomato - first Google hit for Tomato.
-
Admin over 12 years
I am using the original firmware.
-
Admin over 12 years
@hari: What does host my_dyndns_ip show? Note that you need to prefix your comment with @user if you want "user" to see it.
-
Admin over 12 years
@Faheem Mitha: Thanks. The dyndns part is not the problem currently (even if it is, I can look at it later). The main issue is I cannot ssh even by using my external IP (from whatismyip.com). It times out.
-
Admin over 12 years
@hari: You mean you cannot connect to your computer through the router from outside? That would suggest a problem with port forwarding. In that case, try third party firmware as I suggested above. Can you connect to your router on your external IP?
-
Admin over 12 years
@Faheem Mitha: Thanks for your help. BTW, what do you mean by "Can you connect to your router on your external IP?"
-
Admin over 12 years
@hari: When you connect to your external IP, you are actually connecting to your router. An ssh connection to the router will forward to your machine if port forwarding is enabled. However, it is possible to connect to the router directly, for example to the management interface (if configured to be accessible externally). Can you do that?
-
Admin over 12 years
Can you run tcpdump on the client and server and make sure you're seeing the right packets leave the client and seeing the same right packets appear at the server? That will help you narrow this down.
-
Admin over 12 years
@Faheem Mitha: How can I test that? I have a Netgear router.
-
Admin over 12 years
@hari: Access the router's web interface from your computer, and see if there is an option (there usually is) to access the web interface remotely. If there is, turn it on, and then try connecting to the router via http(s) from a remote machine. If this works, then the problem is most likely with port forwarding.
-
Admin over 12 years
@Faheem Mitha: Thanks for the continuous help. I enabled that management port for my Netgear router but I cannot connect to it via the specified external_ip:port. What can be wrong here? Something wrong with the router?
-
Admin over 12 years
@hari: Make sure you are using the right numbers. Are you using the external IP number to connect? That would be preferable. And http will be port 80, https 443.
-
Admin over 12 years
@Faheem Mitha: I am just trying to open http://<external_ip>:8080 - to access the management interface. Which is not loading up.
-
Admin over 12 years
@hari: From an external computer (not on the local subnet), it will just be http://<external_ip> or https://<external_ip>. Probably the latter. Just to be clear, this is to connect to the router's management interface.
-
Admin over 12 years
@Faheem Mitha: I cannot access it from outside or inside of the network.
-
Admin over 12 years
@hari: That's strange. Usually one needs to be connected to the router, otherwise you don't have networking. The typical setup is to have a DHCP server on the router, and your machine gets an IP from the router as a client. Static addresses are also possible. In summary, I wonder how you could have networking without being connected to the router, and if you are connected to the router, the management interface should come up. Can you post the output of ifconfig? If you can't figure this out, I suggest posting a separate question.
-
Admin over 12 years
@Chris Down: How do I check if I am using it or not? I came across this term NAT loopback while searching for solutions to this problem.
-
Admin over 12 years
Look at the way that your router handles packets designated for a public port binding that maps to a local machine.
-
hari over 12 years
Thanks @Mike. I just encountered an interesting issue that I logged as Edit:0
-
hari over 12 years
I changed the port to > 1024. I tried sshing to the IP address I get from whatismyip.com (my external IP) but my connection is timing out. Getting error: "Connection timed out"
-
MaQleod over 12 years
Can you set up something to listen for port 22 on another machine and change the port forward rule to point towards the second machine? You need to rule out whether it is something in the router or something on the machine that is blocking it.