The officially official Devuan Forum!

#1 2020-08-07 12:58:44

Devuman
Member
Registered: 2018-02-27
Posts: 29  

Port forwarding issue

I'm trying to set up router port forwarding for the following setup:

                                PC1
                                 |
WWW --- R1 --- LAN 1 --- R2 --- LAN 2
                 |               |
                LT2             LT1

WWW: Internet                         
R1: router 1 (EG8145V5)
R2: router 2 (TL-WR841N)

PC1: desktop pc with openssh-server running
LT1: laptop 1
LT2: laptop 2, currently using LT1 as LT2

No changes were made to /etc/ssh/sshd_config and /etc/ssh/ssh_config.

Currently using password authentication.

I can SFTP from LT1 into PC1.

Not from LT2 into PC1.

So I set up port forwarding in R1: screenshot.

Still unable to SFTP from LT2 into PC1.

What's wrong or missing to make this work?

#2 2020-08-07 15:08:51

GNUser
Member
Registered: 2017-03-16
Posts: 561  

Re: Port forwarding issue

Devuman wrote:

I can SFTP from LT1 into PC1.

That's not surprising because they're both on the same network (LAN2).

Devuman wrote:

Not from LT2 into PC1.

That's because LT2 and PC1 are on different networks, so it's not trivial to establish a connection. We have to go through R2. Let's see if we can SSH from LT2 to PC1 (if you can do SSH, then you can do SFTP).

At the risk of stating the obvious, remember that a router by definition stands between two networks, so it should have at least two IP addresses. R2 in your example has an IP address on LAN1 and a different IP address on LAN2.

Try this:

1. Make sure R2 and PC1 are both running SSHD (I'm assuming those two devices are not running a firewall, or at least have the SSH port open)

2. Run this command on LT2:

ssh -t <R2user>@<R2address-on-LAN1> "ssh <PC1user>@<PC1address-on-LAN2>"

Here is an example with made-up passwords and ip addresses:

ssh -t devuman@192.168.1.150 "ssh devuman@192.168.2.135"

You will be prompted for a password twice (first your password on R2, then your password on PC1).

P.S. Nice diagram!

EDIT: If you can establish an SSH connection from LT2 to PC1 using this long method, then we can be optimistic that with the right port forwarding rules we can achieve an SFTP connection without too much fuss. See my subsequent post below.

Last edited by GNUser (2020-08-07 15:41:35)

#3 2020-08-07 15:26:20

GNUser
Member
Registered: 2017-03-16
Posts: 561  

Re: Port forwarding issue

If the above "double ssh" command works, then we've established that our assumptions about ports (that the default port 22 is being used everywhere) and firewalls (that R2 and PC1 are allowing incoming on port 22) are correct.

To achieve SFTP via port forwarding, you have to tell R1 to take incoming traffic on port 22 and forward it to R2. Then you have to tell R2 to take incoming traffic on port 22 and forward it to PC1. I think that should do it.

Last edited by GNUser (2020-08-07 15:43:05)

#4 2020-08-08 00:32:14

ralph.ronnquist
Administrator
From: Clifton Hill, Victoria, AUS
Registered: 2016-11-30
Posts: 1,106  

Re: Port forwarding issue

An alternative could be to declare port 22 on PC1 to be a "virtual server" on R2, the TL-WR841N router.

https://www.tp-link.com/us/user-guides/ … ub-title-7

EDIT: Note that then LT2 would access PC1 by using the IP address of R2 on LAN1 rather than the PC1 IP address on LAN2.

#5 2020-08-08 19:15:17

Devuman
Member
Registered: 2018-02-27
Posts: 29  

Re: Port forwarding issue

Thanks to both.

R1 is an ISP provided router so I'll have to ask the ISP to open port 22 (it's currently closed). Is it possible to open a port on the LAN side only, instead of WAN + LAN?

Last edited by Devuman (2020-08-08 19:36:17)

#6 2020-08-08 23:18:31

ralph.ronnquist
Administrator
From: Clifton Hill, Victoria, AUS
Registered: 2016-11-30
Posts: 1,106  

Re: Port forwarding issue

If the ISP has port 22 closed outside of R1 then you probably need to contact them to open it. But that's only to get access to PC1 from the Internet.

The R1 virtual server set up you show on the screenshot makes it possible to access port 22 on PC1 from the Internet, provided that R2 is set up similarly, and that it has that IP address 192.168.18.8 mentioned on the screenshot as its WAN side IP address.

sftp access from LT2 to PC1 only requires the R2 set up (not the R1 set up), and PC1 would then be accessed using that same IP address.

#7 2020-08-09 13:35:35

Devuman
Member
Registered: 2018-02-27
Posts: 29  

Re: Port forwarding issue

ralph.ronnquist wrote:

The R1 virtual server set up you show on the screenshot makes it possible to access port 22 on PC1 from the Internet, provided that R2 is set up similarly, and that it has that IP address 192.168.18.8 mentioned on the screenshot as its WAN side IP address.

R1 auto-detected R2's WAN IP address when selecting "TL-WR841N" in the "Internal Host" drop down list.

R2:

Screenshots: Virtual Servers, Security/Firewall, Status

PC1:

$ ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.1.101/24 brd 192.168.1.255 scope global dynamic eth0
       valid_lft 6991sec preferred_lft 6991sec

LT2 / terminal:

$ ssh -t <R2user>@192.168.18.8 "ssh <PC1user>@192.168.1.101"

gives:

   <R2user>@192.168.18's password:
   Permission denied, please try again.
   <R2user>@192.168.18's password:

LT2 / FileZilla:

Host = 192.168.18.8
User = <R2user>
Password = <R2password>

gives:

   Status: disconnected from server
   Status: Connecting to 192.168.18.8...
   Response: fzSftp started, protocol_version=8
   Command: Open "<R2user>@192.168.18.8" 22
   Command: Trust new HostKey: Once
   Command: Pass: ******
   Error: Authentication failed
   Error: Critical Error. Could not connect to server.

LT2 keyboard Caps Lock = off, no numeric keypad

and currently, for testing purposes:

- <R2user> is my first name (all lowercase)
- <R2password> is 3 lowercase chars + 3 digits
and
- <PC1user> is my first name (all lowercase)
- <PC1password> is alphanumeric

EDIT: corrected < and > symbols, following GNUser's comment below.

Last edited by Devuman (2020-08-10 12:04:15)

#8 2020-08-09 18:48:38

GNUser
Member
Registered: 2017-03-16
Posts: 561  

Re: Port forwarding issue

Hi, Devuman. Two quick things that may or may not be obvious:

1. For my double-ssh exercise to work, make sure R2 is not forwarding port 22.

2. The < and > symbols in my posts (and everything between them) are just placeholders. This will never work:

$ ssh -t <bob>@<192.168.18.8> "ssh <bob>@<192.168.1.101>"

The proper syntax would be something like this:

$ ssh -t bob@192.168.18.8 "ssh bob@192.168.1.101"

P.S. Actually, before trying to do fancy stuff (two-hop ssh), it's best to establish that your setup is allowing the easy stuff. Can you ssh from LT2 to R2? How about from LT1 to PC1? Those should be trivial. If not, fix this first.

Last edited by GNUser (2020-08-09 18:55:01)

#9 2020-08-10 00:04:46

ralph.ronnquist
Administrator
From: Clifton Hill, Victoria, AUS
Registered: 2016-11-30
Posts: 1,106  

Re: Port forwarding issue

@GNUser: please note that R2 is an off-the-shelf router (TL-WR841N) and it offers only an http(s) admin panel rather than shell access.

@Devuman: with forwarding set up, you should use only

ssh <PC1user>@192.168.18.8

That's the whole idea of forwarding. It makes R2 channel TCP connections on its port 22 WAN side (i.e. 192.168.18.8:22) onto port 22 on PC1 (i.e. 192.168.1.101:22) without involving itself in the traffic.

The double-hop is used when you have ssh access to an intermediate host, to use that as a temporary forwarding channel.

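What post #9 describes, as an added example that is not part of the thread: a loopback simulation in which a byte relay stands in for R2's virtual server and a constructed one-account service stands in for PC1's sshd. It shows that whoever connects to R2's forwarded port is greeted and authenticated by PC1, so an R2 account is refused there while a PC1 account is accepted. Assumptions: the banner, the account names and all function names are constructed, and a userspace relay differs from router NAT in that the backend sees the relay as the source address.

```python
import socket
import threading

def listen(handler):
    """Listen on an ephemeral loopback port; run handler(conn) per connection."""
    srv = socket.create_server(("127.0.0.1", 0))
    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()

def pc1_sshd(conn):
    """Constructed stand-in for PC1's sshd: banner, then one known account."""
    with conn, conn.makefile("rb") as f:
        conn.sendall(b"SSH-2.0-PC1\n")
        user = f.readline().strip()
        conn.sendall(b"ok\n" if user == b"pc1user" else b"Permission denied\n")

def pipe(src, dst):
    """Copy bytes one way until EOF, then signal EOF to the other side."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def virtual_server(target):
    """Stand-in for R2's forwarding rule: relays bytes, never interprets them."""
    def handler(client):
        upstream = socket.create_connection(target)
        threading.Thread(target=pipe, args=(upstream, client), daemon=True).start()
        pipe(client, upstream)
    return listen(handler)

def login(addr, user):
    """Connect to addr, read the banner, offer a username, return both replies."""
    with socket.create_connection(addr, timeout=5) as s, s.makefile("rb") as f:
        banner = f.readline().strip()
        s.sendall(user + b"\n")
        return banner, f.readline().strip()

def demo():
    r2_wan = virtual_server(listen(pc1_sshd))   # plays "192.168.18.8:22" -> PC1:22
    return login(r2_wan, b"r2user"), login(r2_wan, b"pc1user")

if __name__ == "__main__":
    print(demo())
```
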

#10 2020-08-10 12:21:11

Devuman
Member
Registered: 2018-02-27
Posts: 29  

Re: Port forwarding issue

GNUser wrote:

2. The < and > symbols in my posts (and everything between them) are just placeholders.

Indeed, I corrected my previous post accordingly.

GNUser wrote:

Can you ssh from LT2 to R2?

Initially <PC1user> and <R2user> were identical, my first name.

I changed <R2user> to <R2user> = r2user.

LT2.

$ ssh <R2user>@192.168.18.8

- R2 Virtual Server disabled:

ssh: connect to host 192.168.18.8 port 22: Operation timed out

- R2 Virtual Server enabled:

<R2user>@192.168.18.8's password:
Permission denied, please try again.
<R2user>@192.168.18.8's password:

GNUser wrote:

How about from LT1 to PC1?

That works.

ralph.ronnquist wrote:

with forwarding set up, you should use only

$ ssh <PC1user>@192.168.1.8

LT2.

R2: Virtual Server enabled.

$ ssh <PC1user>@192.168.18.8

<PC1user>@192.168.18.8's password:
Linux p182 4.19.0-10-686 #1 SMP Debian 4.19.132-1 (2020-07-24) i686
...
$

It works.

SFTP / FileZilla:

LT2.

R2: Virtual Server enabled.

Host = 192.168.18.8
User = <PC1user>
Password = <PC1password>

This works also.

Thanks for helping understand how this works.

#11 2020-08-10 13:58:40

GNUser
Member
Registered: 2017-03-16
Posts: 561  

Re: Port forwarding issue

Hi, Devuman. Sorry for leading you on a wild goose chase trying to ssh into R2. It seems ralph.ronnquist was right and your router does not offer ssh access into it.

I'm glad you were able to achieve what you needed by setting up a "virtual server" on R2.

P.S. In the future, if you ever have to choose between ralph.ronnquist's advice and someone else's, save yourself some trouble and just go with ralph.ronnquist's ;)

#12 2020-08-10 15:10:56

Devuman
Member
Registered: 2018-02-27
Posts: 29  

Re: Port forwarding issue

No worries GNUser.
I learned something new from both.
Made my day. :-)
