Solved Can't connect to SSH through a NAT

Hi everyone!

I have set up a testing environment with the following characteristics:
  • ISP modem router : LAN 192.168.1.0/24
  • personal router NAT mode, WAN fixed to 192.168.1.15 (DMZ address in ISP router) & LAN 10.0.0.0/8
On my ISP router a FreeBSD laptop is connected (192.168.1.20).
On my own router a Windows desktop is connected with the fixed IP 10.0.0.30, and on that desktop runs a FreeBSD VirtualBox guest with sshd enabled and a bridged network card with the IP fixed to 10.0.0.44.

In that NAT, I have opened port 22 pointing to 10.0.0.44 (both TCP and UDP).

When trying to ssh from 192.168.1.20 to 192.168.1.15 (ssh root@192.168.1.15) I get a connection timeout, but I have no problem sshing from 10.0.0.30 or any other computer on the network behind the NAT.

I don't understand why it doesn't work despite the port 22 forwarding.

Thanks for your help.

Sebel
 
In that NAT,
Which NAT? There are several places where NAT could be configured.

When trying to ssh from 192.168.1.20 to 192.168.1.15
You have the same network range on different networks. One is attached to the "DMZ" network and the other is tied to your LAN through virtualbox. That's not going to work. At least not without considerable effort and knowledge of routing/networking.

(ssh root@192.168.1.15)
NEVER login with root directly. This is disabled by default, don't even consider enabling it, not even for your own "private" or "test" stuff. It's a really, really bad habit.
 
Hi SirDice and thank you for your fast answer.

Which NAT? There are several places where NAT could be configured.

The NAT of my personal router.

You have the same network range on different networks. One is attached to the "DMZ" network and the other is tied to your LAN through virtualbox. That's not going to work. At least not without considerable effort and knowledge of routing/networking.

No because the 192.168.1.0/24 network is configured on my ISP router and the 10.0.0.0/8 network on my personal router. This is to simulate a connection as if I was connecting from a public IP address.

NEVER login with root directly. This is disabled by default, don't even consider enabling it, not even for your own "private" or "test" stuff. It's a really, really bad habit.

Yes, I know. This is a deliberate behavior set in the sshd configuration just because it's a pure test lab. I will never do this on a production server.

The DMZ is configured to forward all the external traffic to my personal router.

Just for testing I set up a webserver (with port 80 forwarded) on the same SSH server, and when I run:
Bash:
nmap -v 192.168.1.15
port 80 appears open but not port 22.

Strange thing.
 
I always need to visualize things like this and I had a hard time seeing how things are connected. But I think I understand now.

The "easiest" way to troubleshoot is by running tcpdump(1) on the VirtualBox FreeBSD and seeing if you receive the packets through the NAT. The port forwarding may not have been configured properly, for example. Something like Wireshark on the Windows desktop would be useful too. Actually seeing the packets usually helps tremendously.

From the FreeBSD laptop you can easily test a port with a command like: nc -zv 192.168.1.15 80 or nc -zv 192.168.1.15 22
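The nc -zv check above tells you whether a single port answers, but when a forwarded port "does not work" the useful distinction is between three outcomes: the handshake completes (open), the host sends back a RST (closed: the host is reachable but nothing listens or nothing is forwarded there), or nothing at all comes back before the timeout (filtered: packets dropped or never forwarded). The following is an added example, not code from the thread or from any of its participants; it probes a list of ports from the outside and classifies each result that way. The address 192.168.1.15 and ports 22 and 80 are taken from the lab described in this thread and are assumed values to be replaced with your own. The local listener it starts for its stand-alone demo is constructed for the example only.

```python
import socket
import sys
import threading
from contextlib import closing


def probe_port(host, port, timeout=2.0):
    """Classify one TCP port as seen from this host.

    open        - the three-way handshake completed (a service answered)
    closed      - the host replied with RST (reachable, but nothing there)
    filtered    - no reply before the timeout (dropped by a firewall, or
                  the NAT never forwarded the SYN)
    unreachable - no route to the host at all
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "closed"
        except OSError:
            return "unreachable"


def probe_ports(host, ports, timeout=2.0):
    """Probe several ports and return {port: state}."""
    return {p: probe_port(host, p, timeout) for p in ports}


def start_dummy_listener(host="127.0.0.1"):
    """Constructed stand-in for a forwarded service; the OS picks the port.

    Returns the listening socket; read its port with getsockname()[1].
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener closed, stop the thread
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def find_closed_port(host="127.0.0.1"):
    """Reserve a free port and release it, so probing it yields RST."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: probe the NAT's WAN address from the outside host,
        # e.g. "python3 probe.py 192.168.1.15" (address from the thread's lab).
        target = sys.argv[1]
        for port, state in probe_ports(target, [22, 80]).items():
            print(f"{target}:{port} {state}")
    else:
        # Offline demo against a constructed local listener.
        srv = start_dummy_listener()
        open_port = srv.getsockname()[1]
        print("open   ->", probe_port("127.0.0.1", open_port))
        print("closed ->", probe_port("127.0.0.1", find_closed_port()))
        srv.close()
```

In the situation described in this thread, port 80 reporting "open" while port 22 reports "filtered" from the outside host points at the SYN for port 22 never reaching a listening socket on the guest, which is exactly what tcpdump on the guest would confirm; a "closed" result would instead mean the packet arrived at a host where nothing listens on that port.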
 
Thanks for your answer. I didn't know the nc trick; that will help me in the future.

I have found the problem: I have two network cards on the virtual FreeBSD. The first, em0, has its cable plugged in and a static IP address of 10.0.0.44. The second one, em1, has its cable unplugged and is configured by DHCP.

The problem has been solved by shutting down the virtual FreeBSD, disabling the second network card in the VirtualBox configuration and booting again. That's it.

I thought sshd was bound automatically to the "working" network card but it seems not.

Thanks for your help!

Sebel
 