
q3d
Aspirant

Local SSH works, remote SSH fails even with port-forwarding

I have enabled SSH, and locally it works fine for the accounts that have SSH enabled.

 

However, when I port forward port 22 to the NAS, it doesn't respond when trying to use SSH (on laptop/phone when away/using mobile data). There is a timeout response from the client and the logs from the NAS just show (auth.log):

Sep 10 19:07:21 NAS sshd[10270]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Sep 10 19:07:21 NAS sshd[10270]: pam_unix(sshd:session): session closed for user admin

 

Any way to diagnose what's preventing access to the NAS via SSH?

 

I've also enabled FTP (+SFTP) and same issue, no response/time outs when connecting from an external IP (non-LAN).

 

When port-forwarding to another device (not the NAS) on the same port, it works fine....

 

Message 1 of 11

schumaku
Guru



@q3d wrote:

I have enabled SSH, and locally it works fine for the accounts that have SSH enabled.

 

However, when I port forward port 22 to the NAS, it doesn't respond when trying to use SSH (on laptop/phone when away/using mobile data). There is a timeout response from the client and the logs from the NAS just show (auth.log):

Sep 10 19:07:21 NAS sshd[10270]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Sep 10 19:07:21 NAS sshd[10270]: pam_unix(sshd:session): session closed for user admin

 

Any way to diagnose what's preventing access to the NAS via SSH?


Uneducated guess: You need to use the username root, instead of admin.

 


@q3d wrote:

I've also enabled FTP (+SFTP) and same issue, no response/time outs when connecting from an external IP (non-LAN)


Not sure you understand the major difference between sftp and ftp, especially when using ftp over port forwarding?

 

 

Message 2 of 11
q3d
Aspirant

When trying to log in, it's not even prompting for anything. When using an external IP not related to the NAS external IP (i.e. not LAN IPs), it appears to not respond at all (no banner, login, etc.). I switch to the NAS public IP (NAS is within a LAN), and the login prompt appears fine.

It appears there's an external IP blocker or external IP blacklist, since the LAN IPs work and the external IP of the NAS works fine too. I don't recall setting one up (fail2ban, hosts, etc.) but then again, it's been a while since I did anything with the NAS....

 

Not running fail2ban, the /etc/hosts.deny is empty, /etc/hosts.allow is empty

 

and /etc/hosts has the following:

127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

127.0.0.1 ********* loghost # added by readynasd:ads

 

iptables -L INPUT -v

Chain INPUT (policy ACCEPT 9851K packets, 2542M bytes)
pkts bytes target prot opt in out source destination
9847K 2542M all -- bond0 * 0.0.0.0/0 0.0.0.0/0
1011 80512 tcp -- bond0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 tcp -- bond0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:22

Message 3 of 11
StephenB
Guru

What ReadyNAS model do you have, and what firmware is it running?

Message 4 of 11
schumaku
Guru



@q3d wrote:

When trying to log in, it's not even prompting for anything. When using an external IP not related to the NAS external IP (i.e. not LAN IPs), it appears to not respond at all (no banner, login, etc.). I switch to the NAS public IP (NAS is within a LAN), and the login prompt appears fine.

It appears there's an external IP blocker or external IP blacklist, since the LAN IPs work and the external IP of the NAS works fine too. I don't recall setting one up (fail2ban, hosts, etc.) but then again, it's been a while since I did anything with the NAS....


Assuming you have a public routable WAN IP on your Internet connection: Some ISPs are blocking common ports, or have firewall services blocking major services, like 22/TCP for example.

Coming back on your comment of ftp and sftp - which are two completely different beasts: sftp does operate on the named 22/TCP, while ftp does operate on 23/TCP for the control connection, plus one more port for the FTP data connection - which can make things much more difficult for the NAT, for the FTP server config, and for the FTP client.

Message 5 of 11
StephenB
Guru


FWIW, I wouldn't use port forwarding to connect ssh to a ReadyNAS myself.  Instead I'd use a VPN (openvpn, zerotier, etc).

 

Like @schumaku, I suspect either the ISP or the router is blocking the connection.  Though it does seem to (briefly) reach the NAS.

 

You could try using a different external port, and forward it to port 22 of the NAS. 

Message 6 of 11
q3d
Aspirant

It's on a RN316, OS 6.10.8. I've stripped down to a bare external SSH connection to troubleshoot external IPs accessing the NAS. It won't be permanently exposed in the end, but for now, as part of a process of elimination, I need to start with a simple baseline of Client -> External IP -> ISP -> Router (Port Forwarding) -> NAS (LAN)

 

It's not the ISP or the router. I keep the port-forwarding settings on the router the same, except change destination IP from the NAS to another server and it works fine with the other server. When I use the NAS as the destination IP, it doesn't work. This is the same regardless of which external port used.

 

i.e.

Client -> External IP -> ISP -> Router (Any External Port -> Port Forwarding to internal 22) -> RPi-Server (LAN) ** works

Client -> External IP -> ISP -> Router (Any External Port -> Port Forwarding to internal 22) -> NAS (LAN) ** fails

 

Port forwarded using TCP/UDP and both, same result. Access to the other LAN Server works fine, but NAS fails.

 

Yep FTP usually uses port 21 for control and port 20 for data but I also have high port ranges on that as well for passive mode. I was using FTP just to test connectivity, I'm mainly after the SSH (or SFTP) to work for now.

 

Does the RN OS have any other IP settings that could cause external IP blocks? There's the standard ones I've listed above (the usual for Ubuntu/Debian, etc.)

 

Message 7 of 11
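
Added example (not part of the original thread and not NETGEAR code): a small Python probe for the process of elimination described above, reporting how far a TCP connection to an SSH port gets on each path. The function names, the labels and the addresses in the usage comment are assumptions made for this illustration.

```python
import socket
import sys

# What each outcome says about where the connection stops.
HINTS = {
    "timeout": "no reply to the SYN: dropped on the path (forward rule, ISP or host filter)",
    "refused": "a host answered but nothing accepts connections on that port",
    "no-banner": "TCP handshake completed, but no SSH identification string came back",
    "closed": "peer accepted, then closed before sending anything",
    "banner": "path is fine up to the SSH layer; look at authentication next",
    "unexpected": "something other than an SSH server answered on that port",
}

def probe_ssh(host, port=22, timeout=5.0):
    """Return (stage, detail) describing how far a connection to host:port gets."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ("timeout", "")
    except ConnectionRefusedError:
        return ("refused", "")
    except OSError as exc:
        return ("error", str(exc))
    with sock:
        try:
            data = sock.recv(255)  # sshd sends its "SSH-2.0-..." identification string on connect
        except socket.timeout:
            return ("no-banner", "")
        except OSError as exc:
            return ("error", str(exc))
    if not data:
        return ("closed", "")
    line = data.split(b"\n", 1)[0].strip().decode("ascii", "replace")
    return ("banner", line) if line.startswith("SSH-") else ("unexpected", line)

def compare_paths(targets, timeout=5.0):
    """Probe each (label, host, port) and return {label: (stage, detail)}."""
    return {label: probe_ssh(host, port, timeout) for label, host, port in targets}

if __name__ == "__main__":
    # Usage: probe.py lan=192.168.1.50:22 wan=203.0.113.10:22  (constructed addresses)
    targets = []
    for arg in sys.argv[1:] or ["loopback=127.0.0.1:22"]:
        label, _, addr = arg.partition("=")
        host, _, port = addr.rpartition(":")
        targets.append((label, host, int(port)))
    for label, (stage, detail) in compare_paths(targets).items():
        print(f"{label:10} {stage:10} {detail or HINTS.get(stage, '')}")
```

Run the WAN probe from a network outside the LAN (mobile data, for example), because connecting to the public IP from inside the LAN tests the router's NAT loopback rather than the inbound forward.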
StephenB
Guru



@q3d wrote:

 

Does the RN OS have any other IP settings that could cause external IP blocks? There's the standard ones I've listed above (the usual for Ubuntu/Debian, etc.)

 


Not that I know of.

 

Just wondering - do you have both NICs connected on the RN316?

Message 8 of 11
q3d
Aspirant

Yes, both NICs are being used

Name: bond0

MTU 1500

Over eth0, eth1

IP Settings: DHCP

Mode: Adaptive Load Balancing (primary = eth0)

 

 

Message 9 of 11
StephenB
Guru



@q3d wrote:

Yes, both NICs are being used

Name: bond0

MTU 1500

Over eth0, eth1

IP Settings: DHCP

Mode: Adaptive Load Balancing (primary = eth0)

 

 


Try disconnecting eth1 and see if that makes any difference.

Message 10 of 11
q3d
Aspirant

I enabled DMZ on the router to point to the NAS and works fine - so it's the router 🙂

 

Thanks for your input guys - I haven't done basic h/w troubleshooting for several years now, so a revisit is always good.

 

Note: I've secured the NAS now that I know what was causing the issue.

Message 11 of 11