On 05 Nov 21:36, Chris G wrote:
I'm trying to get connections working from the outside world into my SoHo LAN via my *second* ADSL. I'll try and explain the set-up.
The SoHo LAN all sits on a 192.168.1.x/32 subnet connected to a Draytek Vigor 2820n ADSL router which connects to the internet via a standard ADSL connection with UKFSN. That all works fine and I have set up 'pinholes' through the firewall to allow incoming ssh, SMTP and HTTP connections. Thus I seem to know how to set up the firewall on the 2820n.
The 2820n has a second WAN port which is an Ethernet port; I have that connected to a BT Business Hub (2Wire 2700HGV) ADSL router which connects to the internet via a second phone line. The 2820n is set up to share the two connections and that works OK too, i.e. outgoing connections go via whichever of the two WANs is less busy. There are some things which are configured to use only one or the other WAN (e.g. SMTP, HTTPS).
What I am trying to do (and failing miserably at) is to get incoming connections for a couple of protocols working through the 2Wire router. I really want to get SMTP working but I am also trying to get ssh working as that is (possibly) easier to diagnose.
So, I have the 2Wire router set up so that it tells me the following 'pinholes' are set up in its firewall:

    Device         Allowed Applications  Application Type  Protocol  Port Number(s)  Public IP
    192.168.13.65  SMTP Server           -                 TCP       25              81.158.147.90
    192.168.13.65  SSH Server            -                 TCP       22              81.158.147.90
Device 192.168.13.65 is the WAN port on the 2820 router so that ssh and SMTP connections from the outside should get routed to the 2820n.
I then have the 2820n set up (firewall and port forwarding) so that ssh and SMTP connections from WAN2 (the 2Wire WAN connection) get passed to my 'server' machine which is 192.168.1.2.
It all *seems* to be correct, when I try and ssh from outside to 81.158.147.90 then the 2820n shows a NAT route to 192.168.1.2. If I 'telnet 81.158.147.90 22' from the outside I actually get an SSH 'hello' from 192.168.1.2, exactly the same as the one I get if I 'telnet 192.168.1.2 22' from inside my LAN.
*BUT* ssh from outside doesn't work, no response at all, it just times out. ssh from inside works fine. I've tried winding up debug to maximum on ssh but it hasn't told me anything. I've stared intently at the port forwarding, NAT and firewall set-up on the 2820n and it all seems correct. Oh, and I can 'ping 81.158.147.90' OK from the outside.
I'm stumped, any ideas for how to diagnose this?
The packets are going back out the wrong route, and so getting dropped. (this makes the assumption that the default route is via the other router)... so, you'll need to do funkeh routing. Without actually thinking about the issue, I can't offer an easy solution... but if I get a chance in a bit I'll do some tests with a bunch of vms ;)
I think all you're going to need to do though is something like (on the machine that is accepting the ssh):

    # alternate routing table whose default route is the 2Wire
    ip route add default via <2wiresip> table 10
    # mark replies from the ssh daemon; they are locally generated, so they
    # pass through OUTPUT (PREROUTING only sees packets arriving on an interface)
    iptables -t mangle -A OUTPUT --proto tcp --source-port 22 -j MARK --set-mark 1
    # packets carrying mark 1 are routed using table 10
    ip rule add fwmark 1 table 10
But that's guess work... should work though, probably.
Cheers,
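The policy-routing idea in the reply, written out as a complete script (an added example, not from either poster). It goes a bit beyond the source-port mark: it assumes a Linux host with both upstream links (interface and gateway names WAN2_IF/WAN2_GW are placeholders) and uses CONNMARK so that any connection that arrived via WAN2, forwarded or local, is answered via WAN2, which is what makes ssh and SMTP replies leave by the right router.

```shell
#!/bin/sh
# Policy routing: replies to connections that arrived on WAN2 leave via WAN2.
# Added example; WAN2_IF, WAN2_GW, TABLE and MARK are assumed/placeholder values.
WAN2_IF="${WAN2_IF:-eth1}"          # assumed: interface facing the second (2Wire) router
WAN2_GW="${WAN2_GW:-192.168.13.1}"  # assumed: that router's LAN-side address
TABLE="${TABLE:-10}"                 # routing table id reserved for WAN2 traffic
MARK="${MARK:-1}"                    # fwmark value tagging WAN2 connections
DRY_RUN="${DRY_RUN:-1}"              # 1 = print commands only; 0 = execute (needs root)

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_wan2_policy_routing() {
    # 1. Alternate table whose default route points at the second router.
    run ip route add default via "$WAN2_GW" dev "$WAN2_IF" table "$TABLE"
    # 2. Packets carrying the mark are looked up in that table, not the main one.
    run ip rule add fwmark "$MARK" table "$TABLE"
    # 3. New connections arriving on WAN2 get their conntrack entry marked ...
    run iptables -t mangle -A PREROUTING -i "$WAN2_IF" \
        -m conntrack --ctstate NEW -j CONNMARK --set-mark "$MARK"
    # 4. ... and reply packets get the mark copied back before the routing
    #    decision: PREROUTING for forwarded replies, OUTPUT for replies from a
    #    daemon (sshd, MTA) running on this host. This is the step the
    #    "wrong route" symptom comes from when it is missing.
    run iptables -t mangle -A PREROUTING \
        -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT \
        -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
}

# Show which gateway a marked packet to a given external address would use.
check_wan2_policy_routing() {
    run ip rule show
    run ip route show table "$TABLE"
    run ip route get "$1" mark "$MARK"
}

setup_wan2_policy_routing
check_wan2_policy_routing 203.0.113.7   # documentation address used as a sample target
```

Run with DRY_RUN=0 as root on the box that owns both uplinks; the final `ip route get ... mark` line is the quickest way to confirm that marked traffic really resolves to the WAN2 gateway.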