Hi,
I’m able to get to my devices, which are inside my Hotspot and are NAT’d; I have different ports forwarded to each AP or Station behind my RB750G.
So, to get to my AP from outside, I just use my Public IP or domain name on Wan interface of router: http://domain_name.com:1234.
My problem is trying to SSH into it.
I’m lost as to how to keep from SSH’ing into the RB750G.
Tried changing SSH ports 22, 23, 24 and disabling the SSH service on the RB itself.
Am I missing something in the firewall rule, or not using the correct interface, porting incorrectly, or?
Thanks
Hard to say without you posting the actual rules you configured. Also post how you bypassed the APs in the Hotspot.
Generally speaking it would be a better idea to separate the customer address space and the management access space. If your APs support VLANs that shouldn’t be very hard to do.
You should do this at your headend router.
internet --> RB1 (port NAT) --> x.x.1.x/24 network --> RB2 (not NAT) --> x.x.2.x/24
On RB1 do your port NAT to x.x.2.x/24 and make sure you have routing in place so RB1 knows where the x.x.2.x/24 network is.
if you need help e-mail me at rtrice81@gmail.com or hit me up on skype, I will help you out for free.
Rich
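To make the two-router layout above concrete, here is an added RouterOS example; it is not configuration from any poster in this thread. It puts the APs on a routed network behind RB2, gives RB1 the static route it needs, does the port NAT on RB1 only, and adds the filter rule that keeps hotspot customers off the management network, which is the separation fewi suggests. The addresses 10.0.1.0/24 and 10.0.2.0/24 stand in for x.x.1.x/24 and x.x.2.x/24, and the interface names, the AP address 10.0.2.99 and the external port 9099 are all assumed placeholders.

```routeros
# ---- RB1, the headend router: ether1 = internet, ether2 = link to RB2 (assumed names) ----
/ip address
add address=10.0.1.1/24 interface=ether2

# RB1 has to know that 10.0.2.0/24 lives behind RB2's link address 10.0.1.2,
# otherwise the dst-nat'd packets have nowhere to go.
/ip route
add dst-address=10.0.2.0/24 gateway=10.0.1.2

/ip firewall nat
# Masquerade everything leaving towards the internet (same job as the "Added by webbox" rule).
add chain=srcnat out-interface=ether1 action=masquerade
# Port NAT on RB1 only: external 9099 -> SSH (22) on the AP in the routed network.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=9099 action=dst-nat to-addresses=10.0.2.99 to-ports=22 comment="SSH to AP on management net"

/ip firewall filter
# Keep customer (hotspot) traffic out of the management /24; the forward chain sees
# the post-dst-nat destination, so forwarded management sessions from the internet still pass.
add chain=forward src-address=10.0.1.0/24 dst-address=10.0.2.0/24 action=drop comment="customers may not reach management net"

# ---- RB2, no NAT at all: it only routes between the two /24s ----
/ip address
add address=10.0.1.2/24 interface=ether1
add address=10.0.2.1/24 interface=ether2
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.1.1
```

Because RB2 does no NAT, replies from the AP travel back through RB1, which is the router holding the connection-tracking entry for the forwarded session; that is what makes the port NAT on RB1 alone sufficient.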
Thanks for the insight, fewi.
I’ll get a better description of the config posted shortly.
I’m having issues with the Bullet (ubnt), which is the AP for my hotspot.
So, I need to get SSH access to the coders, to troubleshoot the beta firmware.
Here's the few rules I created.
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
1 ;;; Rocket AP
chain=dstnat action=dst-nat to-addresses=192.168.88.98 to-ports=80 protocol=tcp
dst-address=98.173.*.28 dst-port=8098
2 ;;; NSM5 (Mast)
chain=dstnat action=dst-nat to-addresses=192.168.88.97 to-ports=80 protocol=tcp
dst-address=98.173.*.28 dst-port=8097
3 ;;; Added by webbox
chain=srcnat action=masquerade out-interface=ether1-gateway
4 ;;; Bullet (Want to SSH into this AP)
chain=dstnat action=dst-nat to-addresses=192.168.88.99 to-ports=80 protocol=tcp
dst-address=98.173.*.28 dst-port=8099
Bypass rules:
Flags: X - disabled, P - bypassed, B - blocked
MAC-ADDRESS ADDRESS TO-ADDRESS SERVER
0 P ;;; Dlink router (DHCP disabled)
00:1C:F0:F2:12:52 192.168.88.2 192.168.88.2 hotspot1
1 P ;;; Bullet (This is the AP I'm trying to SSH into)
00:15:6D:F0:21:F2 192.168.88.99 192.168.88.99 hotspot1
2 P ;;; Rocket
00:15:6D:E6:D8:50 192.168.88.98 192.168.88.98 hotspot1
3 P ;;; NSM5
00:15:6D:DE:FE:A5 192.168.88.97 192.168.88.97 hotspot1
I think you are missing the srcnat rules to convert the ports back.
/ip firewall nat
add chain=srcnat action=src-nat src-address=192.168.88.98 src-port=80 protocol=tcp
to-addresses=98.173.*.28 to-ports=8098
Move the rule just after the dstnat for that ip/port. Same with the other dstnats. Otherwise, the ports are not being translated back to the original. If it is changed from port 8098 to port 80 in the dstnat, the srcnat must change it back from port 80 to port 8098.
ADD: And if it is ssh you want, that is port 22. Port 80 is http. And when you ssh to the router from the internet, set your ssh software to connect on port 8098 instead of port 22.
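The NAT listing above forwards 98.173.*.28:8099 to 192.168.88.99:80, so an SSH client can never reach the Bullet's SSH daemon through that rule. The following is an added RouterOS example, not configuration from any poster in this thread: it forwards a separate external port to 22 on the Bullet, lets the forwarded session through the filter chain, and then checks the translation from the router. The external port 9099, the interface name ether1-gateway taken from the masquerade rule, and the admin source address 203.0.113.10 are assumptions. One caveat on the advice above: a separate src-nat rule to "translate the ports back" is not needed for a port forward. RouterOS consults NAT rules only for the first packet of a connection and connection tracking applies the reverse mapping to the reply packets of that same connection; the existing masquerade rule is all the srcnat the Bullet's own outbound traffic requires.

```routeros
/ip firewall nat
# External TCP 9099 -> SSH (22) on the Bullet. Matching on in-interface instead of the
# public address keeps the rule valid if the WAN address changes. The src-address match
# limits who can reach the AP's SSH from the internet (203.0.113.10 is an assumed admin host);
# drop that match if the coders connect from changing addresses, but then expect the beta
# firmware's SSH to be reachable by anyone.
add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=9099 src-address=203.0.113.10 action=dst-nat to-addresses=192.168.88.99 to-ports=22 comment="Bullet SSH"

/ip firewall filter
# The forward chain sees the post-dst-nat destination, so this accepts the forwarded
# session explicitly in case a later forward rule drops traffic from the WAN side.
add chain=forward in-interface=ether1-gateway protocol=tcp dst-address=192.168.88.99 dst-port=22 action=accept place-before=0 comment="allow forwarded SSH to Bullet"

# Verify from the router while the admin connects with:  ssh -p 9099 user@98.173.x.28
# A connection entry whose dst-address is 192.168.88.99:22 shows the dst-nat is applied;
# a hit counter on the dstnat rule that stays at 0 means the packet never matched
# (wrong in-interface, wrong src-address, or the hotspot catching it first).
/ip firewall connection print where dst-address~"192.168.88.99:22"
/ip firewall nat print stats where comment="Bullet SSH"
```

The Bullet is already in the hotspot's IP binding list as bypassed, so the hotspot itself will not intercept this session; if the dstnat rule's counter does not increase, the packet is reaching the RB750G's own SSH service instead, which is exactly the "keep from SSH'ing into the RB750G" symptom described in the first post.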
AaaHaa,
Thanks SurferTim!.
I knew it had to do with srcnat rules; I’d tried it but was all over the board, and wasn’t quite sure how to do it exactly.
Although, I am able to get to each device mentioned above both internally and externally.
Just can’t get into the 192.168.88.99 device via SSH REMOTELY. I CAN get to it internally (SSH) if I use the 192.168.88.99 IP.
So, how’s the surf in Florida? A little oily?
We’re expecting a big clean south swell here in So.Cal.
I don’t understand what you mean by externally and remotely. Can you get a ssh login prompt if you use port 8089 from the internet?
Did you change the port on the srcnats and dstnats from 80 to 22?
No oil yet. Could be any day.
I know about SoCal surf. I’m a transplant. I attended the same high school as the Beach Boys (Hawthorne High, Hawthorne, Calif.). In 1963, my favorite beach was Manhattan Beach just down from the “Surfboards by Greg Noll” shop, between Rosecrans and the Manhattan Beach pier. 26th Street to be exact.
ADD: It may help if you show me your new edited “/ip firewall nat”.
Sorry, meant to say Externally or Internally.
You know, from inside or outside the router.
I’m going to get on the changing srcnat and dstnats shortly.
Oh yeah, I remember you guys coming down to try and surf my beach (Wind n Sea). Of course there was nothing to worry about.
Just surfed circles around you.
We called you all speed bumps, cause we had to slow down to surf over you.
I don’t think you’ll be surfing over me. I know it isn’t “The Big Surf” like out west, but I do have a rather unusual reputation here. This is my favorite article about one of my exploits:
http://www.myhero.com/go/hero.asp?hero=Dicus_T_sjh_05_ul
Let me know how the new srcnat/dstnats do.
Wow, that’s so very honorable, Tim. I admire you for having done that!
Good to see the family was also. Sad about the little girl.
I’m still running around, going to try to get this finished before too long.
Thanks,
And again,
That’s Huge what you’ve done!
Wasn’t that about 5 years ago?
Thanks. Yes, 5 years ago this coming Friday. If there is not a lot of oil in the water, I will paddle out Friday and take her a flower. I do every year.
That’s really really sweet.
I think you are missing the srcnat rules to convert the ports back.
/ip firewall nat
add chain=srcnat action=src-nat src-address=192.168.88.98 src-port=80 protocol=tcp
to-addresses=98.173.*.28 to-ports=8099
Move the rule just after the dstnat for that ip/port. Same with the other dstnats. Otherwise, the ports are not being translated back to the original. If it is changed from port 8099 to port 80 in the dstnat, the srcnat must change it back from port 80 to port 8098.
ADD: And if it is ssh you want, that is port 22. Port 80 is http. And when you ssh to the router from the internet, set your ssh software to connect on port 8099 instead of port 22.
So, I’ve corrected the rules, added src natting to the 192.168.88.99 device (AP) I want to ssh into from outside.
But, you mention “when I ssh to the router from the internet… connect on port 8099 instead of port 22”
Do you mean for me to change the port on the Access Point itself from 22 to 8099 ?
Or connecting with port 8099 through PUTTY software?
Only on the Putty software use port 8099. The remote router stays on 22.
Thanks, Tim.
So, Rtricer got it changed for me. Really super nice of him, as he remoted in and did exactly what you just described.
Actually, he added another port, 9099, and forwarded it to 22 on the AP, and that was it.
funny how simple it seems in hindsight.
I’m getting/learning a lot from great helpful guys like yourself, Rich and others here.
Thanks
How bout that Kevin Costner, what a dude! Hope his machines work!!!
Best,
Tim