Tutor

Netgear R6220 - Issues with port forwarding

Hello!

 

I have some issues port-forwarding. I'm trying to enable external SSH to my raspberry PI. I previously had two routers in my network. One "external" which is connected to the Internet provider and one "internal" which I used as a switch pretty much. I thought my issue was the internal router messing up IP addresses, so I bought a real switch instead (Netgear ProSAFE 5-port Gigabit Switch GS105v5). However, I am still unable to port forward correctly.

 

I've tried to port forward my raspberry PI on port 22 (I know I should change this to another port to avoid hacking, but I will do that later) to an external port 49000. I've attached an image. I assume this is all I need to do? I've tested the porting with canyouseeme.org, but it does not work. I've Googled quite a bit but cannot find any solution to my issue. SSH is activated on the PI since I am able to access it using the internal IP address (shown in the picture). What am I missing?

Message 1 of 14


All Replies
Guru

Re: Netgear R6220 - Issues with port forwarding


@Jonte135 wrote:

I have some issues port-forwarding. I'm trying to enable external SSH to my raspberry PI. .... One "external" which is connected to the Internet provider ...and a real switch instead (Netgear ProSAFE 5-port Gigabit Switch GS105v5). 

Your ISP does assign a public IPv4 address to the router Internet/WAN port? Compare the number on the router WAN/Internet interface with what-is-my-IP-address e.g. on Google.

 


@Jonte135 wrote:

I've tried to port forward my raspberry PI on port 22 (I know I should change this to another port to avoid hacking, but I will do that later) to an external port 49000.

Security by obscurity - you already have a different port exposed (permitting the port forwarding does become workable).


Message 2 of 14
Sensei

Re: Netgear R6220 - Issues with port forwarding

> Netgear R6220 [...]

 

   Firmware version?

 

> [...] I had previously two routers in my network. One "external" which
> is connected to the Internet provider and one "internal" which I used as
> a switch pretty much. [...]

 

   What are/were these "routers"?  Connected/configured how, exactly?
Is the (unspecified) "external" router the R6220?

 

> [...] I thought my issue was the internal router messing up IP
> addresses, so I bought a real switch instead (Netgear ProSAFE 5-port
> Gigabit Switch GS105v5). [...]

 

   You should have been able to configure your (unspecified) "the
internal router" as a wireless access point, which would have a similar
effect (and provide wireless access).

 

   And what happens if you connect the R-Pi directly to the "external"
router?

 

> [...] I am still unable to port forward correctly.


   "unable" is not a useful problem description.  It does not say what
you did.  It does not say what happened when you did it.  As usual,
showing actual actions with their actual results (error messages, LED
indicators, ...) can be more helpful than vague descriptions or
interpretations.

 

> I've tried to port forward my raspberry PI on port 22 (I know I should
> change this to another port to avoid hacking, but I will do that later)
> to an external port 49000. I've attached an image. [...]

 

   That port-forwarding rule looks ok.  What have you done to ensure
that the LAN IP address of the R-Pi stays the same?

 

   Unless you expect attacks from malware running on your own LAN, you
can safely use port 22 on your LAN.  It's the external (forwarded) port
where using "22" would be unwise.  (And "49000" is different enough.)

 

> [...] I assume this is all I need to do? [...]


   Other than ensure that the R-Pi address stays ".11", yes, normally.

 

> [...] I've tested the porting with canyouseeme.org, but it does not
> work. [...]

 

   Regarding "does not work", see "unable", above.

 

   To what is the WAN/Internet Ethernet port of your (unspecified)
"external" router connected?  What's the WAN/Internet IP address of your
(unspecified) "external" router?  ("a.b" of "a.b.c.d" would be enough of
your public IP address.)

 

> [...] SSH is activated on the PI since I am able to access it using
> the internal IP address (shown in the picture). [...]


   "access it" how, exactly, from what, exactly?

 

   If your (unspecified) "external" router does NAT loopback (which I'd
expect), then you should also be able to access the R-Pi from your LAN
if you specify port 49000 and the WAN/Internet address of your
(unspecified) "external" router:

 

      ssh -p 49000 <"external"_router's_WAN_IP_address>

 

   The usual problems with this stuff are:

 

   1. Wrong external IP address (different from the port-forwarding
router's WAN/Internet IP address).  (An intermediate NAT router, for
example, could cause this.)

 

   2. Bad port-forwarding rule (wrong port(s), wrong target address --
including a wandering target).

 

   3. Server not listening on the port-forwarding target system.

 

   4. External influences: ISP blocking, other firewalls, ...

 

   You seem to have "3" covered.  Everything else is in some doubt.

 

   And, of course, bad router firmware is always a possibility.

Message 3 of 14
Tutor

Re: Netgear R6220 - Issues with port forwarding

(I don't know if you can already see this reply. I seem to have some issue with editing my response so this might show up several times. If so, I apologize for the spam.)

 

 

Thanks for taking the time to help me! I'll try to answer to the best of my ability.

 

> Firmware version?

V1.1.0.34_1.0.1

 

>What are/were these "routers"?  Connected/configured how, exactly? 
>Is the (unspecified) "external" router the R6220?

 

The external router, connected to the Internet provider, is the R6220. The internal was a R6100 which I replaced with the switch. The connection was as follows:

my computer <--> R6100 <--> R6220 <-- Internet provider
                                    ^
                                    |
                                    v
                          Raspberry

 

>You should have been able to configure your (unspecified) "the internal router" as a wireless access point, which would have a similar effect (and provide wireless access).

 

I tried converting the router to a switch by following some guide. According to the guide, I had to reset the router and then change some settings. Resetting it was easy but I had some trouble doing the rest of the settings. For some reason it still worked (before I reset the router the Internet did not work for my computer using the previously mentioned setup) even if I only reset it. However, just to minimize trouble I bought a switch.

 

>And what happens if you connect the R-Pi directly to the "external" router?

 

I still get the same issues as before. If I try to use "can you see me" I get the error: 

 

Error: I could not see your service on xxx.xxx.xxx.xx on port (49000)

Reason: Connection refused

 

I have checked to make sure the internal IP of the raspberry PI is the same as in the port forwarding settings when I did this, as they could change when changing the cables.

 

> That port-forwarding rule looks ok.  What have you done to ensure that the LAN IP address of the R-Pi stays the same?

 

I have checked to make sure it does not change when I've performed my tests. Whenever I changed any cables/setup I re-checked it. It's set manually, and I have not forced it to a specific IP. As IPs usually do not change by themselves (as far as I know) I don't think it's necessary to force it. However, this might be the case? I doubt the issue lies here though.

 

> Regarding "does not work", see "unable", above.

 

Sorry if I was unclear. The error message I got was the same as mentioned before:

 

Error: I could not see your service on xxx.xxx.xxx.xx on port (49000)

Reason: Connection refused

 

> To what is the WAN/Internet Ethernet port of your (unspecified) "external" router connected?  What's the WAN/Internet IP address of your (unspecified) "external" router?  ("a.b" of "a.b.c.d" would be enough of your public IP address.)

 

185.205.c.d

 

>   "access it" how, exactly, from what, exactly?


I am able to connect through SSH using cmd on my (Windows) computer, using the internal IP address for the Raspberry PI.

 

 >If your (unspecified) "external" router does NAT loopback (which I'd expect), ...

I am not sure about this one. The R6220 router does not appear on this list:

https://kb.netgear.com/000049578/NETGEAR-Router-support-for-NAT-Loopback

 

However, should I not be able to connect to the PI using SSH regardless, if the port forwarding works? This would just mean the PI is accessible on the Internet, which I am able to connect to regardless. Perhaps my understanding of NAT loopback is incorrect.

 

> 1. Wrong external IP address (different from the port-forwarding router's WAN/Internet IP address).  (An intermediate NAT router, for example, could cause this.)

 

Is there some way to easily trace the IP to make sure it does not change? This was my concern with my internal (R6100) router, that it changed the IP which is why I bought a switch. I see no reason why the IP should change if I am using a switch. Could perhaps something happen from the Internet provider? On the wall in my building there is a device which I believe is a media converter. This is where the fiber connection is "transformed" into Ethernet (see picture). This is not my picture but something I found online which shows the same type of device.

 

mediaconverter

 

> 2. Bad port-forwarding rule (wrong port(s), wrong target address -- including a wandering target).

 

By this you mean that the wrong raspberry PI IP would be used in the port forwarding? And that it might change over time?

 

> 3. Server not listening on the port-forwarding target system.

 

As you mentioned, this should be covered. Opening the PI to SSH should be enough to listen, no?

 

> 4. External influences: ISP blocking, other firewalls, ...

 

The ports I'm using are not blocked by the ISP. I also checked the firewall and it should allow port 22. There are more computers/devices connected to the R6220. Would the firewalls on these be able to affect the connection?

 

I hope I answered everything satisfactory. Again thanks a lot for the help!

 

Message 4 of 14
Sensei

Re: Netgear R6220 - Issues with port forwarding

> I tried converting the router to a switch by following some guide.
> [...]

 

   "some guide" is not a useful description of anything.

 

> [...] However, just to minimize trouble I bought a switch.

 

   That should be harmless.  So, all your client devices now have LAN IP
addresses which are in the same subnet ("192.168.1.*")?

 

> [...] As IPs usually do not change by themselves (as far as I know) I
> don't think it's necessary to force it. However, this might be the case?
> [...]


   If you do nothing special, then the R-Pi could get a different IP
address every time you start it or the router.  If you put its IP
address into a port-forwarding rule, then it must _always_ get that
address.  You can do two things to ensure this.  One: Reserve a dynamic
IP address for it -- ADVANCED > Setup > LAN Setup : Address Reservation.
Two: Shrink the DHCP pool to move some addresses outside the pool, and
configure the R-Pi with a static, non-pool address.

 

> Reason: Connection refused

 

   "Connection refused" normally means that you've reached the
destination IP address, but no one is listening at the specified port
number.

 

> 185.205.c.d

 

   Ok.  That's a real public IP address.


> I am able to connect through SSH using cmd on my (Windows) computer,
> using the internal IP address for the Raspberry PI.

 

   That's using port 22 (the default)?

 

> I am not sure about this one. The R6220 router does not appear on this
> list: [...]

 

   Netgear seems to have some problems with particular models and/or
firmware versions, but it's generally a feature on everything.  Did you
try it?  That would be the next step.

 

> However, should I not be able to connect to the PI using SSH
> regardless, if the port forwarding works? This would just mean the PI is
> accessible on the Internet, which I am able to connect to regardless.
> Perhaps my understanding of NAT loopback is incorrect.

 

   You should be able to use SSH (on port 22) from a system on your LAN
to the R-Pi (listening on port 22) at its LAN IP address
("192.168.1.11"?).  That tests the R-Pi SSH service.


   If NAT loopback works on your R6220 (which it should), then you
should be able to use SSH (on port 49000, or whatever is in your
port-forwarding rule) from a system on your LAN to the WAN/Internet IP
address of the R6220.  (The R6220 should use the port-forwarding rule to
connect to the R-Pi (listening on port 22).)  That tests the R-Pi SSH
service, NAT loopback on the R6220, and port forwarding on the R6220.

 

   If all that works, then you should be able to use SSH (on port 49000)
from a system in the outside world to the WAN/Internet IP address of the
R6220 (on port 49000).  That tests everything.  Your ISP could still
block this, but I would not expect your ISP to worry about a port like
49000.

 

> [...] I see no reason why the IP should change if I am using a switch.
> [...]

 

   DHCP = Dynamic Host Configuration Protocol.  "Dynamic" means that
many things could happen.  That's why a _reserved_ dynamic address
should be used.  (Or a static address, configured on the R-Pi itself.)


> [...] This is where the fiber connection is "transformed" into
> Ethernet (see picture). [...]

 

   The picture was not worth much, but if the R6220 says that its
WAN/Internet address is "185.205.c.d", then you should not need to worry
about any other equipment between it and your ISP.  (Your English is
very good for a ".fi" address, by the way)

 

> By this you mean that the wrong raspberry PI IP would be used in the
> port forwarding? And that it might change over time?

 

   Exactly.  That's why a _reserved_ dynamic address should be used.

 

> Opening the PI to SSH should be enough to listen, no?

 

   If you can SSH to the R-Pi from your LAN (on port 22), then the R-Pi
is good.

 

> [...] I also checked the firewall and it should allow port 22. [...]


   Which "the firewall" is that?

 

> [...] There are more computers/devices connected to the R6220. Would
> the firewalls on these be able to affect the connection?

 

   No.  The R6220 and the R-Pi should be the only things involved here.

 

> I hope I answered everything satisfactory. [...]

 

   Getting there.  Sorry about the delayed response.  While I was
waiting for the picture to get cleared, your thread got pushed down out
of view, and I lost it.

Message 5 of 14
Tutor

Re: Netgear R6220 - Issues with port forwarding

> That should be harmless.  So, all your client devices now have LAN IP
> addresses which are in the same subnet ("192.168.1.*")?

 

Yes.

 

> If you do nothing special, then the R-Pi could get a different IP
> address every time you start it or the router.  If you put its IP
> address into a port-forwarding rule, then it must _always_ get that
> address.  You can do two things to ensure this.  One: Reserve a dynamic
> IP address for it -- ADVANCED > Setup > LAN Setup : Address Reservation.
> Two: Shrink the DHCP pool to move some addresses outside the pool, and
> configure the R-Pi with a static, non-pool address.

Ok, I limited the pool to 30 addresses and put the PI at 40 (192.168.1.40). When I check attached devices it says the R-PI is on 11. Is something wrong or is it possible to be on both? I attached a picture.

 

> That's using port 22 (the default)?

 

I believe so, yes. When I'm connecting to it I type "ssh pi@192.168.1.11" without specifying any port. I also tried to specify the port ("-p 22") which worked, as well as port 30 ("-p 30") which did not work. So I believe it should be correct.

 

> Netgear seems to have some problems with particular models and/or
> firmware versions, but it's generally a feature on everything.  Did you
> try it?  That would be the next step.

 

I do this by setting "NAT Filtering" to "Open", right? I tried now with no change, so it did not solve it.

 

> You should be able to use SSH (on port 22) from a system on your LAN
> to the R-Pi (listening on port 22) at its LAN IP address
> ("192.168.1.11"?).  That tests the R-Pi SSH service.

 

This works. I am able to use SSH from my computer to access the R-PI.

 

> If NAT loopback works on your R6220 (which it should), then you
> should be able to use SSH (on port 49000, or whatever is in your
> port-forwarding rule) from a system on your LAN to the WAN/Internet IP
> address of the R6220.  (The R6220 should use the port-forwarding rule to
> connect to the R-Pi (listening on port 22).)  That tests the R-Pi SSH
> service, NAT loopback on the R6220, and port forwarding on the R6220.

 

This does not work. If I type "ssh -p 49000 pi@185.205.c.d" I get the error message "Connection timed out".

 

> The picture was not worth much, but if the R6220 says that its
> WAN/Internet address is "185.205.c.d", then you should not need to worry
> about any other equipment between it and your ISP.  (Your English is
> very good for a ".fi" address, by the way)

 

I got the IP address "185.205.c.d" from https://www.iplocation.net/find-ip-address, not from the router. The only IP I can find in the router is the 192.168.1 address.

 

And I'm not Finnish actually, but Swedish. The ISP is Telia which might exist in Finland as well, perhaps that's why it looks like a ".fi" address. But thanks :)

 

> Which "the firewall" is that?

 

The firewall of my computer (not the R-Pi or router). I was a bit confused thinking it had any impact, which it shouldn't.

 

> Getting there.  Sorry about the delayed response.  While I was
> waiting for the picture to get cleared, your thread got pushed down out
> of view, and I lost it.

No worries, I really appreciate the help!

Message 6 of 14
Sensei

Re: Netgear R6220 - Issues with port forwarding

> Ok, I limited the pool to 30 addresses and put the PI at 40
> (192.168.1.40). When I check attached devices it says the R-PI is on 11.
> Is something wrong or is it possible to be on both? I attached a
> picture.

 

   ".2" - ".30" is 29 addresses, but no matter.  Have you restarted the
R-Pi since changing the DHCP pool on the router?  Is the R-Pi configured
to use DHCP, or did you give it a static address (".11")?  Address
reservations should work.

 

> I do this by setting "NAT Filtering" to "Open", right? [...]

 

   I've never changed my (D7000[v1]) ADVANCED > Setup > WAN Setup : NAT
Filtering from "Secured", and I have no trouble with my port forwarding.
I doubt that that setting is relevant here.  NAT loopback should always
work.

 

> This does not work. If I type "ssh -p 49000 pi@185.205.c.d" I get the
> error message "Connection timed out".


   If your port-forwarding rule still says "192.168.1.11", and the R-Pi
is actually at "192.168.1.11", then I'd expect that to work.  (But see
below.)

 

> I got the IP address "185.205.c.d" from
> https://www.iplocation.net/find-ip-address, not from the router. The
> only IP I can find in the router is the 192.168.1 address.

 

      ADVANCED > ADVANCED Home : Internet Port : Internet IP Address

 

   If that's not "185.205.c.d", then there would seem to be some other
router between you and your ISP.  A command like your "ssh -p 49000
pi@185.205.c.d" can work only if "185.205.c.d" is the WAN/Internet
address of your router.  (See "usual problems with this stuff" 1.)

 

> The firewall of my computer (not the R-Pi or router). I was a bit
> confused thinking it had any impact, which it shouldn't.

 

   Right.

Message 7 of 14
Tutor

Re: Netgear R6220 - Issues with port forwarding

> ".2" - ".30" is 29 addresses, but no matter.  Have you restarted the
> R-Pi since changing the DHCP pool on the router?  Is the R-Pi configured
> to use DHCP, or did you give it a static address (".11")?  Address
> reservations should work.

 

I restarted it, and it still says it's on 11. However, this is most likely not an issue (as long as my port forwarding is the correct address).

 

because,

 

> ADVANCED > ADVANCED Home : Internet Port : Internet IP Address
>
> If that's not "185.205.c.d", then there would seem to be some other
> router between you and your ISP.  A command like your "ssh -p 49000
> pi@185.205.c.d" can work only if "185.205.c.d" is the WAN/Internet
> address of your router.  (See "usual problems with this stuff" 1.)

 

this is most likely the issue. I see another IP address here. This address is 100.72.c2.d2. I was able to SSH to my R-PI using this address. However, it is not possible to do outside the network (using this address), so there is some change between the router and the ISP.  Is there a way to fix this? I tried port forwarding using this address but it would not allow it, saying it was an invalid IP address.

 

 

Message 8 of 14
Sensei

Re: Netgear R6220 - Issues with port forwarding

> [...] This address is 100.72.c2.d2. [...]

 

   Yes, that's the problem.  (There's no need to hide any of that
address.  As you've seen, it's not useful in the real world.)

 

      https://whois.arin.net/rest/net/NET-100-64-0-0-1/pft?s=100.72.1.1
      https://tools.ietf.org/html/rfc6598

 

> [...] Is there a way to fix this? [...]

 

   Talk to your ISP?  They may be trying to conserve public IPv4
addresses, but they may give you one if you ask.  (Or perhaps they don't
want you running a server?)

Message 9 of 14
Guru

Re: Netgear R6220 - Issues with port forwarding


@Jonte135 wrote:

...

> ADVANCED > ADVANCED Home : Internet Port : Internet IP Address

If that's not "185.205.c.d", ... this is most likely the issue. I see another IP address here. This address is 100.72.c2.d2.


Geeeeeee - see my first reply:

 


@schumaku wrote:

@Jonte135 wrote:

I have some issues port-forwarding. I'm trying to enable external SSH to my raspberry PI. .... One "external" which is connected to the Internet provider ...and a real switch instead (Netgear ProSAFE 5-port Gigabit Switch GS105v5). 

Your ISP does assign a public IPv4 address to the router Internet/WAN port? Compare the number on the router WAN/Internet interface with what-is-my-IP-address e.g on Google.


That's the first thing to check before diving in whatever testing.

 

FMI: https://en.wikipedia.org/wiki/Carrier-grade_NAT   https://tools.ietf.org/html/rfc6598   Shared Address Space 100.64.0.0/10.

Message 10 of 14
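
The check that settled this thread (compare the router's Internet IP address with what an outside what-is-my-IP service reports, and see whether the router's address falls in the RFC 6598 shared address space 100.64.0.0/10), written out in Python as an added example that is not part of any post above. The function names and sample addresses are constructed for illustration; 203.0.113.10 is a documentation address standing in for a real public one.

```python
import ipaddress

# IPv4 blocks that cannot receive unsolicited connections from the Internet.
# Simplification for this example: any address outside them counts as "public".
_BLOCKS = [
    ("cgnat", "100.64.0.0/10"),        # RFC 6598 shared address space
    ("private", "10.0.0.0/8"),         # RFC 1918
    ("private", "172.16.0.0/12"),      # RFC 1918
    ("private", "192.168.0.0/16"),     # RFC 1918
    ("link-local", "169.254.0.0/16"),
    ("loopback", "127.0.0.0/8"),
]
NON_PUBLIC = [(label, ipaddress.ip_network(cidr)) for label, cidr in _BLOCKS]


def classify(addr):
    """Return 'cgnat', 'private', 'link-local', 'loopback' or 'public'."""
    ip = ipaddress.ip_address(addr.strip())
    if ip.version != 4:
        raise ValueError("this example only handles IPv4")
    for label, net in NON_PUBLIC:
        if ip in net:
            return label
    return "public"


def diagnose(router_wan, seen_from_outside):
    """Decide whether a port-forwarding rule on this router can be reached.

    router_wan:        address the router shows for its Internet port
    seen_from_outside: address a what-is-my-IP service reports
    Returns (reachable, reason).
    """
    kind = classify(router_wan)
    if kind == "cgnat":
        return (False, "router WAN is in 100.64.0.0/10: the ISP does "
                       "carrier-grade NAT, so inbound connections stop at "
                       "the ISP and never reach the forwarding rule")
    if kind != "public":
        return (False, "router WAN is a %s address: another NAT device "
                       "sits upstream and would need its own rule" % kind)
    wan_ip = ipaddress.ip_address(router_wan.strip())
    outside_ip = ipaddress.ip_address(seen_from_outside.strip())
    if wan_ip != outside_ip:
        return (False, "router WAN is public but differs from the address "
                       "seen outside: something translates in between")
    return (True, "router WAN is the address the outside world sees; "
                  "port forwarding can work")


if __name__ == "__main__":
    # Constructed sample inputs (router WAN address, address seen from outside).
    samples = [
        ("100.72.1.1", "203.0.113.10"),    # the situation found in this thread
        ("192.168.0.2", "203.0.113.10"),   # router behind another home router
        ("203.0.113.10", "203.0.113.10"),  # router holds the public address
    ]
    for wan, outside in samples:
        reachable, reason = diagnose(wan, outside)
        print("%-14s %-14s %-5s %s" % (wan, outside, reachable, reason))
```
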
Tutor

Re: Netgear R6220 - Issues with port forwarding

(Sorry for late response, didn't get any update mails and I've been quite busy irl)

 

> Talk to your ISP?  They may be trying to conserve public IPv4
> addresses, but they may give you one if you ask.  (Or perhaps they don't
> want you running a server?)

 

And there is no other way? I've googled a bit and found info about Dynamic DNS and noip.com. Would that work, or is this another issue?

 

> That's the first thing to check before diving in whatever testing.

> FMI: https://en.wikipedia.org/wiki/Carrier-grade_NAT   https://tools.ietf.org/html/rfc6598   Shared Address Space 100.64.0.0/10.

 

Sorry about that... Is there any way to overcome this, such as using noip.com as mentioned above? Or is that something else?

Message 11 of 14
Sensei

Re: Netgear R6220 - Issues with port forwarding

> And there is no other way? I've googled a bit and found info about
> Dynamic DNS and noip.com. Would that work, or is this another issue?

 

   DNS deals with name-to-address translation, not the actual address
assignment.  DDNS (Dynamic DNS) provides a way for a name-to-address
translation to keep up when your address changes.  Your problem is not
with the name or the translation; it's with your actual address, and
that's under the control of your ISP.

 

   If the WAN/Internet interface on your router does not get a public IP
address (from your ISP), then you won't be able to reach it from the
outside world (with an incoming connection).  No amount of any kind of
DNS can change that.


Message 12 of 14
Tutor

Re: Netgear R6220 - Issues with port forwarding

> DNS deals with name-to-address translation, not the actual address
> assignment.  DDNS (Dynamic DNS) provides a way for a name-to-address
> translation to keep up when your address changes.  Your problem is not
> with the name or the translation; it's with your actual address, and
> that's under the control of your ISP.
>
> If the WAN/Internet interface on your router does not get a public IP
> address (from your ISP), then you won't be able to reach it from the
> outside world (with an incoming connection).  No amount of any kind of
> DNS can change that.

 

Hmm ok, well that sucks. Thanks anyway for your help!

 

For anyone finding this thread in the future, I managed to solve it using ngrok. It does not solve the actual port forwarding, but I am able to use the same type of functionality if I install ngrok on my R-PI. It's not the same, but works.

Message 13 of 14
Sensei

Re: Netgear R6220 - Issues with port forwarding

> [...] I managed to solve it using ngrok. [...]

 

   Interesting.  I hadn't heard of that program/service.

 

> [...] It does not solve the actual port forwarding, [...]

 

   Right.  The downloaded program creates an _outbound_ connection to a
cloud server, which should work as well as any other outbound connection
(such as from a web browser), with no need for port forwarding.  That
cloud server is publicly accessible, and can use the tunnel created
between it and that program running on your end.

 

   Various Internet-of-Junk devices do similar things to allow access
from the outside world.  The gizmo creates an outbound connection to
some cloud server, and the user's app deals with that cloud server
(which can talk to the gizmo over the connection which the gizmo
established).

Message 14 of 14