Brettster
Aspirant
Jun 29, 2019
Solved

Port Forwarding for Netgear Router R6700v2 is timing out/not working

I have an R6700v2 router that I was trying to set up to allow port forwarding for ssh access to my home Mac. My home Mac is accepting ssh (port 22) locally. I confirmed this by running 'ssh username@localhost' on Terminal which allowed me to connect to it.

 

In my attached screenshot, it shows that I have Port Forwarding turned on for connections externally at port 22 and being forwarded to port 22 at my Mac's local address of 192.168.1.6. When I use terminal to test this and put 'ssh username@ExternalIP' the connection times out. I also have No-IP creating a dynamic DNS for me, but since I'm using the ExternalIP to test it that shouldn't be the problem either.

 

TLDR: I've ruled out these common troubleshooting problems:

  1. Mac is not listening at port 22 (I can ssh locally, so that's not the case)
  2. Dynamic DNS is not working (I'm not at the step of using it, so that's not the case)
  3. Port check tool times out as well (confirms that the problem is specifically related to the router)

 

Where am I going wrong? Is this a hardware issue? If I can help clarify then I would be more than happy to do so. Thank you!

4 Replies

  • > 3. Port check tool times out as well (confirms that the problem is
    > specifically related to the router)

     

       No, it doesn't confirm that, it's only consistent with it.  As it is
    with many other non-router problems.

     

    > [...] I confirmed this by running 'ssh username@localhost' [...]

     

       A better test would be "ssh 192.168.1.6".  "localhost" is normally
    resolved to "127.0.0.1", which does not ensure that your Mac is at the
    address in your port-forwarding rule.

     

       What is your public IP address? ("a.b" of "a.b.c.d" would be
    enough for me.)  What is the WAN/Internet IP address of your router?
    ADVANCED > ADVANCED Home: Internet Port : Internet IP Address.  Same or
    different?


       A test like "ssh <router's_WAN/Internet_IP_address>" should tell you
    if the router is doing its port-forwarding job correctly (assuming that
    its "NAT loopback" feature is also working, but I'd expect that).

     

       The usual problems with this stuff are:

     

       1. Wrong external IP address (different from the port-forwarding
    router's WAN/Internet IP address).  (An intermediate NAT router, for
    example, could cause this.)

     

       2. Bad port-forwarding rule (wrong port(s), wrong target address --
    including a wandering target).

     

       3. Server not listening on the port-forwarding target system.

     

       4. External influences: ISP blocking, other firewalls, ...


       You seem to have 2 and 3 covered, _if_ the Mac's LAN IP address is
    right in the port-forwarding rule.  ("Address Reservation"?)  "1" tends
    to cause increasing trouble these days, as ISPs run out of IPv4
    addresses, and resort to carrier-grade NAT.

     

          https://en.wikipedia.org/wiki/Carrier-grade_NAT

     


       Regarding External Port 22: It makes much sense to configure SSH on
    your local servers to use the default SSH port, 22.  However, unless
    you're looking for a bombardment of SSH break-in attempts, it makes
    almost no sense to use port 22 on your WAN/Internet interface.  A rule
    like the following will, I claim, save you considerable annoyance:

                          Ports
        Protocol   External   Internal   Server IP Address
        TCP/UDP      2022         22     192.168.1.6

       This does mean that you'd need to add "-p <port>" to all your
    outside-world SSH commands, but it's a small price to pay.  (Pick any
    memorable port which is not needed for some other purpose.)


    > In my attached screenshot, [...]

     

       24KB of picture to show 100 characters of text?  Copy+paste is your
    friend.

    • Brettster
      Aspirant

      > What is your public IP address? ("a.b" of "a.b.c.d" would be
      > enough for me.)  What is the WAN/Internet IP address of your router?
      > ADVANCED > ADVANCED Home: Internet Port : Internet IP Address.  Same or
      > different?

       

      Different... interesting

      Public: 184.170 (a.b)

      Netgear Internet IP Address: 10.238 (a.b)

      I can ssh using the Netgear Internet IP Address... but when I change my No-IP Dynamic DNS to that address it times out... so I'm quite confused by that. Would this mean Netgear's integration with No-IP dynamic DNS does not work in this scenario, since it would be reverting to the public IP and not the Netgear Internet IP Address? Is this where my problem lies?

       

      External Port 22: once I get the port forwarding working 100%, I was going to change it. I hadn't changed it to make troubleshooting a little bit easier, but I appreciate the valuable information.

       

      I appreciate all the help, and if there's anything I can do to give more information, please do let me know.

      • antinode
        Guru

        > Different... interesting

         

           Even worse than interesting.  Fill in your actual address, if you
        want, but the result will be the same:

         

              https://whois.arin.net/rest/net/NET-10-0-0-0-1

         

        > [...] Is this where my problem lies?

         

           No, it's not a DNS problem.  Welcome to carrier-grade NAT.  From the
        outside world, your router appears to be at "184.170.x.y", but your
        router is really at "10.238.u.v", which is a private address, used by
        your ISP.  Your ISP is doing its own NAT, to let it use "184.170.x.y" (a
        real public address) for multiple customers.

         

           Because any "10.r.s.t" address is considered private, any router in
        the outside world will discard any message which is addressed to your
        router at "10.238.u.v".


           This NAT is the same thing as the NAT on your router, which lets
        multiple devices on your LAN share the one IP address assigned to your
        router, except that your ISP is doing it, and it's out of your control.
        So, anything you read about "double NAT" applies to you, except that
        your outer router is controlled by your ISP.

         

           Sadly, that also means that port forwarding (like what you want to
        do) must be configured on the ISP's NAT router (as well as yours, I'd
        guess, but I've never tried that).

         

           The only solutions I know are: 1) to ask your ISP for a real public
        address, or 2) to use a tunneling service like the one mentioned in
        another recent thread (near the end):

         

              https://community.netgear.com/t5/x/x/m-p/1748431
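
The check that settled this thread (compare the router's WAN/Internet IP address with the address the outside world sees, and test whether the WAN address is in non-routable space) can be scripted. The following is an added example, not code from any poster in the thread; the function names and the sample addresses are constructed for illustration, and it goes slightly beyond the thread by also recognising the 100.64.0.0/10 shared range that RFC 6598 reserves for carrier-grade NAT.

```python
import ipaddress

# Address blocks that are never routed on the public Internet.
NON_PUBLIC = {
    "RFC 1918 private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "RFC 6598 shared (CGNAT)": ["100.64.0.0/10"],
}


def classify(addr):
    """Return the label of the non-public block containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    for label, nets in NON_PUBLIC.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return label
    return None


def diagnose(router_wan_ip, public_ip):
    """Compare the router's WAN address with the address seen from outside.

    Returns (verdict, explanation); verdict is one of
    "direct", "upstream-nat" or "mismatch".
    """
    block = classify(router_wan_ip)
    if block is not None:
        return ("upstream-nat",
                f"WAN address {router_wan_ip} is in {block} space; a NAT "
                "device upstream of the router owns the public address, so "
                "forwarding rules on the router alone cannot be reached.")
    if ipaddress.ip_address(router_wan_ip) != ipaddress.ip_address(public_ip):
        return ("mismatch",
                f"WAN {router_wan_ip} differs from public {public_ip}; "
                "something between router and Internet rewrites addresses.")
    return ("direct", "WAN address is the public address; check the rule, "
                      "the target host and ISP filtering next.")


if __name__ == "__main__":
    # Constructed (WAN address, public address) pairs, not from the thread.
    samples = [("10.0.0.5", "203.0.113.7"),
               ("100.64.3.9", "203.0.113.7"),
               ("203.0.113.7", "203.0.113.7")]
    for wan, pub in samples:
        verdict, why = diagnose(wan, pub)
        print(f"{wan:>12} vs {pub}: {verdict} - {why}")
```

An "upstream-nat" verdict also means that a dynamic DNS name pointing at either address will not make an inbound forward reachable, which matches the advice above to request a public address or use a tunnel.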