I'm trying to get connections working from the outside world into my SoHo LAN via my *second* ADSL. I'll try and explain the set-up.
The SoHo LAN all sits on a 192.168.1.x/32 subnet connected to a Draytek Vigor 2820n ADSL router which connects to the internet via a standard ADSL connection with UKFSN. That all works fine and I have set up 'pinholes' through the firewall to allow incoming ssh, SMTP and HTTP connections. Thus I seem to know how to set up the firewall on the 2820n.
The 2820n has a second WAN port which is an ethernet port, I have that connected to a BT Business Hub (2Wire 2700HGV) ADSL router which connects to the internet via a second phone line. The 2820n is set up to share the two connections and that works OK too. I.e. outgoing connections go via whichever of the two WANs is less busy. There are some things which are configured to use only one or the other WAN (e.g. SMTP, HTTPS).
What I am trying to do (and failing miserably at) is to get incoming connections for a couple of protocols working through the 2Wire router. I really want to get SMTP working but I am also trying to get ssh working as that is (possibly) easier to diagnose.
So, I have the 2Wire router set up so that it tells me the following 'pinholes' are set up in its firewall:-
Device         Allowed Applications  Application Type  Protocol  Port Number(s)  Public IP
192.168.13.65  SMTP Server           -                 TCP       25              81.158.147.90
192.168.13.65  SSH Server            -                 TCP       22              81.158.147.90
Device 192.168.13.65 is the WAN port on the 2820 router so that ssh and SMTP connections from the outside should get routed to the 2820n.
I then have the 2820n set up (firewall and port forwarding) so that ssh and SMTP connections from WAN2 (the 2Wire WAN connection) get passed to my 'server' machine which is 192.168.1.2.
It all *seems* to be correct, when I try and ssh from outside to 81.158.147.90 then the 2820n shows a NAT route to 192.168.1.2. If I 'telnet 81.158.147.90 22' from the outside I actually get an SSH 'hello' from 192.168.1.2, exactly the same as the one I get if I 'telnet 192.168.1.2 22' from inside my LAN.
*BUT* ssh from outside doesn't work, no response at all, it just times out. ssh from inside works fine. I've tried winding up debug to maximum on ssh but it hasn't told me anything. I've stared intently at the port forwarding, NAT and firewall set-up on the 2820n and it all seems correct. Oh, and I can 'ping 81.158.147.90' OK from the outside.
I'm stumped, any ideas for how to diagnose this?
On 05 Nov 21:36, Chris G wrote:
> I'm trying to get connections working from the outside world into my SoHo LAN via my *second* ADSL. I'll try and explain the set-up.
> The SoHo LAN all sits on a 192.168.1.x/32 subnet connected to a Draytek Vigor 2820n ADSL router which connects to the internet via a standard ADSL connection with UKFSN. That all works fine and I have set up 'pinholes' through the firewall to allow incoming ssh, SMTP and HTTP connections. Thus I seem to know how to set up the firewall on the 2820n.
> The 2820n has a second WAN port which is an ethernet port, I have that connected to a BT Business Hub (2Wire 2700HGV) ADSL router which connects to the internet via a second phone line. The 2820n is set up to share the two connections and that works OK too. I.e. outgoing connections go via whichever of the two WANs is less busy. There are some things which are configured to use only one or the other WAN (e.g. SMTP, HTTPS).
> What I am trying to do (and failing miserably at) is to get incoming connections for a couple of protocols working through the 2Wire router. I really want to get SMTP working but I am also trying to get ssh working as that is (possibly) easier to diagnose.
> So, I have the 2Wire router set up so that it tells me the following 'pinholes' are set up in its firewall:-
>
> Device         Allowed Applications  Application Type  Protocol  Port Number(s)  Public IP
> 192.168.13.65  SMTP Server           -                 TCP       25              81.158.147.90
> 192.168.13.65  SSH Server            -                 TCP       22              81.158.147.90
>
> Device 192.168.13.65 is the WAN port on the 2820 router so that ssh and SMTP connections from the outside should get routed to the 2820n.
> I then have the 2820n set up (firewall and port forwarding) so that ssh and SMTP connections from WAN2 (the 2Wire WAN connection) get passed to my 'server' machine which is 192.168.1.2.
> It all *seems* to be correct, when I try and ssh from outside to 81.158.147.90 then the 2820n shows a NAT route to 192.168.1.2. If I 'telnet 81.158.147.90 22' from the outside I actually get an SSH 'hello' from 192.168.1.2, exactly the same as the one I get if I 'telnet 192.168.1.2 22' from inside my LAN.
> *BUT* ssh from outside doesn't work, no response at all, it just times out. ssh from inside works fine. I've tried winding up debug to maximum on ssh but it hasn't told me anything. I've stared intently at the port forwarding, NAT and firewall set-up on the 2820n and it all seems correct. Oh, and I can 'ping 81.158.147.90' OK from the outside.
> I'm stumped, any ideas for how to diagnose this?
The packets are going back out the wrong route, and so getting dropped. (this makes the assumption that the default route is via the other router)... so, you'll need to do funkeh routing. Without actually thinking about the issue, I can't offer an easy solution... but if I get a chance in a bit I'll do some tests with a bunch of vms ;)
I think all you're going to need to do though is something like (on the machine that is accepting the ssh):

  # second routing table whose default route is the 2Wire
  ip route add default via <2wiresip> table 10
  # mark sshd's replies; they are generated locally, so they pass through
  # OUTPUT (PREROUTING only sees packets arriving from the network)
  iptables -t mangle -A OUTPUT -p tcp --sport 22 -j MARK --set-mark 1
  # route marked packets via table 10 instead of the main table
  ip rule add fwmark 1 table 10
But that's guess work... should work though, probably.
Cheers,
On Thu, Nov 05, 2009 at 10:03:33PM +0000, Brett Parker wrote:
> > *BUT* ssh from outside doesn't work, no response at all, it just times out. ssh from inside works fine. I've tried winding up debug to maximum on ssh but it hasn't told me anything. I've stared intently at the port forwarding, NAT and firewall set-up on the 2820n and it all seems correct. Oh, and I can 'ping 81.158.147.90' OK from the outside.
> > I'm stumped, any ideas for how to diagnose this?
> The packets are going back out the wrong route, and so getting dropped. (this makes the assumption that the default route is via the other router)... so, you'll need to do funkeh routing. Without actually thinking about the issue, I can't offer an easy solution... but if I get a chance in a bit I'll do some tests with a bunch of vms ;)
> I think all you're going to need to do though is something like (on the machine that is accepting the ssh):
>
>   # second routing table whose default route is the 2Wire
>   ip route add default via <2wiresip> table 10
>   # mark sshd's replies; they are generated locally, so they pass through
>   # OUTPUT (PREROUTING only sees packets arriving from the network)
>   iptables -t mangle -A OUTPUT -p tcp --sport 22 -j MARK --set-mark 1
>   # route marked packets via table 10 instead of the main table
>   ip rule add fwmark 1 table 10
>
> But that's guess work... should work though, probably.
Typically, after (or perhaps because of) explaining it all I hit on a solution, or at least a way to get to one. I turned the firewall off (not for long!) and it worked. So I have been removing and adding firewall rules one by one to find the culprit. It's something subtle to do with having two firewall rules for the same TCP port number but I can at least get it to work now without relaxing the firewall rules all that much and I think with a little further experimentation I'll have it tied down tightly again.
Chris G wrote:
> Typically, after (or perhaps because of) explaining it all I hit on a solution, or at least a way to get to one. I turned the firewall off (not for long!) and it worked. So I have been removing and adding firewall rules one by one to find the culprit. It's something subtle to do with having two firewall rules for the same TCP port number but I can at least get it to work now without relaxing the firewall rules all that much and I think with a little further experimentation I'll have it tied down tightly again.
As a thought and to simplify your setup somewhat why don't you get a router that can do no-nat (the 2wire stuff can't ISTR) like a netgear DG834
Then your drayteks wan port could have the external ipaddress of your 2nd line and you could operate on one set of firewall rules and avoid the 2 layers of NAT you have to traverse for the 2nd connection.
* There is (well, was last time I used it) a web interface bug with the Netgears when doing no-NAT with a single external IP address: even when no-NAT is selected they won't let you assign the same address range to the internal interface as the external one, so you have to set them up with the WAN side disconnected... then it works. Otherwise get the dgteam firmware which has this issue fixed, I believe.
On Fri, Nov 06, 2009 at 01:25:22AM +0000, Wayne Stallwood wrote:
> Chris G wrote:
> > Typically, after (or perhaps because of) explaining it all I hit on a solution, or at least a way to get to one. I turned the firewall off (not for long!) and it worked. So I have been removing and adding firewall rules one by one to find the culprit. It's something subtle to do with having two firewall rules for the same TCP port number but I can at least get it to work now without relaxing the firewall rules all that much and I think with a little further experimentation I'll have it tied down tightly again.
> As a thought and to simplify your setup somewhat why don't you get a router that can do no-nat (the 2wire stuff can't ISTR) like a netgear DG834
> Then your drayteks wan port could have the external ipaddress of your 2nd line and you could operate on one set of firewall rules and avoid the 2 layers of NAT you have to traverse for the 2nd connection.
The 2Wire can do 'no NAT' I think, it calls it DMZplus and presents the 'outside' IP to the LAN port on the Draytek. It was the mode I tried originally but didn't work (because of the issue with the 2820n firewall). I guess I can switch back to using it, as you say it does make much more sense in my situation.