23rd July 2013, pttymuth

SSH from WAN fails, LAN works OK. Why?

Hi All,

Help! This is a fresh install. I want to SSH remotely to it from outside my home network. Port forwarding on my home router is set up. Network is set up with two physical ports re0 and re1 with bridge0 connecting them. The re0 port goes to the home router while the re1 port goes to an unmanaged switch with more machines connected. On bridge0 there is also vether0 and vether1. I created vether1 specifically to ssh into the box with a decent terminal so as to copy and paste the tcpdumps from vether0. The only evidence of any connection is visible in tcpdump - not in anything inside of /var/log. The firewall rules are the defaults so I doubt they're to blame, but I'll post them here anyways.

Code:
$ ssh openbsduser@openbsd53host1.wan -vvv
OpenSSH_5.9p1, OpenSSL 0.9.8x 10 May 2012
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to openbsd53hosta [WAN Address] port 22.
debug1: connect to address WAN Address port 22: Operation timed out
ssh: connect to host openbsd53host1.wan port 22: Operation timed out
Below is the tcpdump for the ssh session above. WAN Address is the IP address of my home router. The LAN IP address of the vether0 is 192.168.0.150. There are several lines which appeared that I'm certain aren't related to this session but they happened to show up anyways in the network chatter. Only the ones with the vether0 address 192.168.0.150 are important, I think...

Code:
$ tcpdump: listening on vether0, link-type EN10MB
tcpdump: WARNING: compensating for unaligned libpcap packets
22:33:12.676796 192.168.0.102.5353 > 224.0.0.251.5353: 0 [2a] [2q] PTR? _airplay._tcp.local. PTR? _raop._tcp.local. (108)
22:33:12.678168 fe80::62fa:cdff:fe53:b8a6.5353 > ff02::fb.5353: 0 [2a] [2q] PTR? _airplay._tcp.local. PTR? _raop._tcp.local. (108)
22:33:13.002828 WAN Address.49885 > 192.168.0.150.ssh: S 2849765595:2849765595(0) win 65535 <mss 1420,nop,wscale 4,nop,nop,timestamp 1686268040 0,sackOK,eol> (DF)
22:33:14.148384 WAN Address.49885 > 192.168.0.150.ssh: S 2849765595:2849765595(0) win 65535 <mss 1420,nop,wscale 4,nop,nop,timestamp 1686269116 0,sackOK,eol> (DF)
22:33:14.554318 192.168.0.102.5353 > 224.0.0.251.5353: 0*- [0q] 8/0/4[|domain]
tcpdump: WARNING: compensating for unaligned libpcap packets
22:33:14.555724 fe80::62fa:cdff:fe53:b8a6.5353 > ff02::fb.5353: 0*- [0q] 8/0/4[|domain]
22:33:15.252514 WAN Address.49885 > 192.168.0.150.ssh: S 2849765595:2849765595(0) win 65535 <mss 1420,nop,wscale 4,nop,nop,timestamp 1686270204 0,sackOK,eol> (DF)
22:33:16.355518 WAN Address.49885 > 192.168.0.150.ssh: S 2849765595:2849765595(0) win 65535 <mss 1420,nop,wscale 4,nop,nop,timestamp 1686271299 0,sackOK,eol> (DF)
22:33:17.458050 WAN Address.49885 > 192.168.0.150.ssh: S 2849765595:2849765595(0) win 65535 <mss 1420,nop,wscale 4,nop,nop,timestamp 1686272396 0,sackOK,eol> (DF)
22:33:18.562520 WAN Address.49885 > 192.168.0.150.ssh: S 2849765595:2849765595(0) win 65535 <mss 1420,nop,wscale 4,nop,nop,timestamp 1686273495 0,sackOK,eol> (DF)
22:33:20.665826 WAN Address.49885 > 192.168.0.150.ssh: S 2849765595:2849765595(0) win 65535 <mss 1420,nop,wscale 4,nop,nop,timestamp 1686275589 0,sackOK,eol> (DF)
22:33:24.709605 WAN Address.49885 > 192.168.0.150.ssh: S 2849765595:2849765595(0) win 65535 <mss 1420,sackOK,eol> (DF)
22:33:29.553760 192.168.0.102.5353 > 224.0.0.251.5353: 0*- [0q] 1/0/0 PTR[|domain]
22:33:29.555123 fe80::62fa:cdff:fe53:b8a6.5353 > ff02::fb.5353: 0*- [0q] 1/0/0 PTR[|domain]
22:33:29.621421 arp who-has 192.168.0.151 tell 192.168.0.131
22:33:30.555293 192.168.0.102.5353 > 224.0.0.251.5353: 0*- [0q] 7/0/0[|domain]
22:33:30.556651 fe80::62fa:cdff:fe53:b8a6.5353 > ff02::fb.5353: 0*- [0q] 7/0/0[|domain]
22:33:33.169637 WAN Address.49885 > 192.168.0.150.ssh: S 2849765595:2849765595(0) win 65535 <mss 1420,sackOK,eol> (DF)
22:33:49.265922 WAN Address.49885 > 192.168.0.150.ssh: S 2849765595:2849765595(0) win 65535 <mss 1420,sackOK,eol> (DF)
22:33:49.621584 arp who-has 192.168.0.151 tell 192.168.0.131
22:34:21.482557 WAN Address.49885 > 192.168.0.150.ssh: S 2849765595:2849765595(0) win 65535 <mss 1420,sackOK,eol> (DF)
22:34:21.621502 arp who-has 192.168.0.151 tell 192.168.0.131
22:37:01.732737 arp who-has 192.168.0.129 tell 192.168.0.131
22:37:02.621576 arp who-has 192.168.0.151 tell 192.168.0.131
^C
24 packets received by filter
0 packets dropped by kernel
I can tell from this that a connection is being attempted on vether0 which is what I want. Why OpenSSH isn't establishing a session is beyond me. Nothing is out of the ordinary & /etc/ssh/sshd_config is set to installed defaults.

If it helps, below are the PF rules. Not certain if these are having any influence on the situation:
Code:
# pfctl -s rules
block drop all
pass all flags S/SA
block drop in on ! lo0 proto tcp from any to any port 6000:6010
SSH from the LAN works as expected. The pasted output above was all taken from an attempted WAN SSH session.

Last edited by pttymuth; 23rd July 2013 at 10:49 AM.
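The dump above is the classic "SYN seen, no SYN-ACK back" pattern: the client keeps retransmitting its SYN with backoff (and eventually strips the TCP options) while nothing leaves 192.168.0.150. Below is an added script, not from the poster, that parses lines in the old OpenBSD tcpdump format shown here and reports flows whose SYNs were never answered, so the half-open WAN attempt stands out next to a completed LAN handshake; it assumes a constructed sample in which 203.0.113.5 stands in for the redacted "WAN Address".

```python
import re
from collections import defaultdict

# Constructed sample in the classic OpenBSD tcpdump format quoted in the post;
# 203.0.113.5 is a placeholder standing in for the router's "WAN Address".
SAMPLE = """\
tcpdump: WARNING: compensating for unaligned libpcap packets
22:33:12.676796 192.168.0.102.5353 > 224.0.0.251.5353: 0 [2a] [2q] PTR? _airplay._tcp.local. (108)
22:33:13.002828 203.0.113.5.49885 > 192.168.0.150.ssh: S 2849765595:2849765595(0) win 65535 <mss 1420,nop,wscale 4,sackOK,eol> (DF)
22:33:14.148384 203.0.113.5.49885 > 192.168.0.150.ssh: S 2849765595:2849765595(0) win 65535 <mss 1420,nop,wscale 4,sackOK,eol> (DF)
22:33:24.709605 203.0.113.5.49885 > 192.168.0.150.ssh: S 2849765595:2849765595(0) win 65535 <mss 1420,sackOK,eol> (DF)
22:33:29.621421 arp who-has 192.168.0.151 tell 192.168.0.131
22:40:01.000000 192.168.0.131.51000 > 192.168.0.150.ssh: S 10:10(0) win 65535 <mss 1460> (DF)
22:40:01.000500 192.168.0.150.ssh > 192.168.0.131.51000: S 20:20(0) ack 11 win 16384 <mss 1460> (DF)
22:40:01.001000 192.168.0.131.51000 > 192.168.0.150.ssh: . ack 1 win 65535 (DF)
"""

# HH:MM:SS.usec SRC.PORT > DST.PORT: FLAGS seq:seq(len) [ack N] win W ...
TCP_LINE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ (?P<src>\S+)\.(?P<sport>\w+) > "
    r"(?P<dst>\S+)\.(?P<dport>\w+): (?P<flags>[SFRP.]+) (?P<rest>.*)$")

def parse_tcp(line):
    """Return flow fields for a TCP line, or None for ARP/mDNS/warnings."""
    m = TCP_LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["syn"] = "S" in d["flags"]
    # the classic format prints the ACK as a separate "ack N" token, not a flag
    d["ack"] = " ack " in " " + d["rest"]
    return d

def unanswered_syns(lines):
    """Map (client, cport, server, sport) -> number of SYNs seen for flows
    where the server never sent a SYN-ACK back (e.g. the WAN attempt)."""
    syns, answered = defaultdict(int), set()
    for line in lines:
        p = parse_tcp(line)
        if p is None or not p["syn"]:
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["ack"]:
            answered.add((key[2], key[3], key[0], key[1]))  # client's view
        else:
            syns[key] += 1
    return {k: n for k, n in syns.items() if k not in answered}

if __name__ == "__main__":
    for (c, cp, s, sp), n in unanswered_syns(SAMPLE.splitlines()).items():
        print(f"{c}:{cp} -> {s}:{sp}: {n} SYNs, no SYN-ACK seen")
```

Feeding it the real vether0 capture (with the WAN address filled in) isolates the flows worth chasing in pf or sshd logs, and a flow that shows SYNs but no reply from the host itself points at the local side rather than the router's port forward.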