Topic: SSH Nat WAN 2 LAN cannot reach lan ip
« on: February 13, 2015, 19:32:05 »
Teito *
Posts: 2

Dear all,

My setup is router <> m0n0wall <> LAN.

I set up the router to NAT 22 23 21 20 (both SSH and FTP are needed) on the m0n0wall WAN IP.

On the m0n0wall I managed to create NAT rules:

WAN   TCP/UDP   20 - 21   192.168.4.252   21 - 22   FTP Server
WAN   TCP/UDP   22 - 23   192.168.4.252   22 - 23   SSH Server

and this automatically created rules on the firewall (IPv4):

TCP   *   *   192.168.4.252   20 - 21   NAT FTP Server    
TCP   *   *   192.168.4.252   22 (SSH)   NAT SSH

If I try to SSH from an external server to my router's public IP, I get:
ssh: connect to host *.*.*.* port 22: Connection timed out

I'm going to have a crash..

BTW I disabled IPv6; do you think that this can interfere?

Thanks to anyone who can help!

teo
« Reply #1 on: February 13, 2015, 20:04:09 »
Lee Sharp *****
Posts: 517

You have m0n0wall on a private network, so did you turn off the default "Block private IPs from WAN interface" yet?
« Reply #2 on: February 13, 2015, 20:06:36 »
Fred Grayson *****
Posts: 994

You have an overlap of port 22 on your NAT Rules destination ports.

Also, rather than using ranges of ports, I would start out with a single port and verify that it works, then expand for the ranges you need, or just create new additional single port rules.

--
Google is your friend and Bob's your uncle.
« Reply #3 on: February 16, 2015, 11:27:08 »
Teito *
Posts: 2

First of all, thank you to both of you for answering.

You have m0n0wall on a private network, so did you turn off the default "Block private IPs from WAN interface" yet?

Dear Lee, I actually have unchecked this option, thanks.

You have an overlap of port 22 on your NAT Rules destination ports.

Also, rather than using ranges of ports, I would start out with a single port and verify that it works, then expand for the ranges you need, or just create new additional single port rules.


Dear Fred, you're right, I made multiple tries all day long and in the end I missed this setting.
Anyway, I changed the Inbound NAT like this:
WAN   TCP/UDP   21 (FTP)   192.168.4.252   21 (FTP)   FTP Server
WAN   TCP/UDP   22 (SSH)   192.168.4.252   22 (SSH)   SSH Server

The test fails like always:
ssh: connect to host <> port 22: Connection timed out

Also, I have to say that I managed to configure PPTP VPN and it works quite well.

« Reply #4 on: February 16, 2015, 16:40:33 »
Fred Grayson *****
Posts: 994

It's always best to post screenshots of your NAT and Firewall rules.

Also, you made changes to the NAT rules, but did you also make the same changes to the Firewall rules, or use auto-rule create?

And finally, just to confirm, you are testing this from a network out on the internet, as testing by trying to connect to the WAN address from a LAN host will always fail.

--
Google is your friend and Bob's your uncle.
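
The two checks raised in Reply #2 (overlapping NAT destination ports) and Reply #4 (firewall rules matching the NAT rules) can be run mechanically over the rule rows as posted. This is an added example, not part of any post in the thread; the column layout is assumed from the rows shown above, the function names are illustrative, and it goes slightly beyond the thread by checking every forwarded port against the firewall rows.

```python
import re

# Rows as posted in the thread (text form of the m0n0wall GUI tables).
NAT_ROWS = """\
WAN   TCP/UDP   20 - 21   192.168.4.252   21 - 22   FTP Server
WAN   TCP/UDP   22 - 23   192.168.4.252   22 - 23   SSH Server
"""
FW_ROWS = """\
TCP   *   *   192.168.4.252   20 - 21   NAT FTP Server
TCP   *   *   192.168.4.252   22 (SSH)   NAT SSH
"""

PORTS = r"(\d+)(?:\s*-\s*(\d+))?(?:\s*\(\w+\))?"   # "22", "20 - 21" or "22 (SSH)"
IP = r"(\d+\.\d+\.\d+\.\d+)"
NAT_RE = re.compile(rf"^\S+\s+\S+\s+{PORTS}\s+{IP}\s+{PORTS}\s+(.*)$")
FW_RE = re.compile(rf"^\S+\s+\S+\s+\S+\s+{IP}\s+{PORTS}")

def span(lo, hi):
    """Return an inclusive (low, high) port range; a single port has low == high."""
    return int(lo), int(hi or lo)

def parse_nat(text):
    rules = []
    for m in filter(None, (NAT_RE.match(l.strip()) for l in text.splitlines())):
        rules.append({"ext": span(m[1], m[2]), "ip": m[3],
                      "dst": span(m[4], m[5]), "name": m[6].strip()})
    return rules

def parse_fw(text):
    hits = filter(None, (FW_RE.match(l.strip()) for l in text.splitlines()))
    return [(m[1], span(m[2], m[3])) for m in hits]

def audit(nat, fw):
    findings = []
    for i, a in enumerate(nat):
        for b in nat[i + 1:]:   # two forwards landing on the same host port
            lo, hi = max(a["dst"][0], b["dst"][0]), min(a["dst"][1], b["dst"][1])
            if a["ip"] == b["ip"] and lo <= hi:
                findings.append(f"overlap {a['ip']}:{lo}-{hi} ({a['name']} / {b['name']})")
        # ports the NAT rule forwards to but no firewall row passes
        passed = {p for ip, (lo, hi) in fw if ip == a["ip"] for p in range(lo, hi + 1)}
        blocked = [p for p in range(a["dst"][0], a["dst"][1] + 1) if p not in passed]
        if blocked:
            findings.append(f"no firewall pass for {a['ip']} ports {blocked} ({a['name']})")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_nat(NAT_ROWS), parse_fw(FW_ROWS)):
        print(finding)
```

Run against the single-port rules from Reply #3, the same audit reports nothing, so a clean result only rules out these two rule-table mistakes.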