I have a server in my local network that I use for work over SSH. I have no issue connecting to it from LAN. The issue comes when I try to connect to it from outside. I've set up Port Forwarding for port 2209 (which is my custom SSH port), as well as web ports. I was able to connect to it once when I set it up, but just a week or so later the connection keeps timing out.

At the same time, I'm able to open a web page from the server, so port 80 works just fine. It's really just port 2209. I've confirmed that port forwarding is correct, and that the port is set up as an exception in Windows Firewall and the rule is enabled. Yet the connection times out.

Please, let me know if you'd need any screenshots or logs, I can provide. I'm not sure what information is needed for best assessment.

UPD 1: People in the comments suggested running ssh with the -vvv option. Here are the logs:

❯ ssh -vvv -p 2209 andrey@<ip>

OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n  7 Dec 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "<ip>" port 2209
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to <ip> [<ip>] port 2209.
debug1: connect to address <ip> port 2209: Resource temporarily unavailable
ssh: connect to host <ip> port 2209: Resource temporarily unavailable

At the same time connecting within LAN is absolutely fine. So is connecting to HTTP of the server from WAN.

And here's my SSH config:

❯ cat /etc/ssh/sshd_config

#       $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Include /etc/ssh/sshd_config.d/*.conf

Port 2209
#AddressFamily any
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile     .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem       sftp    /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server

And /etc/ssh/sshd_config.d is empty, so this is the only config.

UPD 2: I realized I never mentioned what exactly my setup is. It's a Windows machine, but SSH sits inside WSL. So I need to go through Windows Firewall to get to the SSH.

  Enabling verbose logging might be helpful in a case like this.
  Please show us your sshd_config and, if possible, a connection attempt using ssh -vvv.
    Commented Dec 7, 2020 at 17:53
  Is your port forward still active? What is your source and destination port? Did your internal IP change (is your destination IP correct)? As others said, try with -vvv, and I would ask that you also give us the whole command line you entered. And make sure that you are really trying from outside, as routers will not port forward tries from inside the LAN.
  Will post config and -vvv logs shortly. As for trying from outside, I'm sure as I tried with WiFi switched off on my phone and using a service that tests SSH connections from outside.
  It looks similar, but not exactly my case. In my case the bug 100% does not come from the local machine, as I'm able to connect without problem within LAN, but I'm not able to connect in WAN with multiple devices. The issue is either in my router and port forwarding or in Windows' firewall.
1 Answer


As in all the cases of this thing, it wasn't a strange mysterious force blocking me. I was looking at port forwarding in the router and firewall in Windows. But after looking around in my router's settings I found that it has a very minimal firewall that was doing almost nothing except block ping from WAN. I guess all my SSH clients were using ping as their first step and if it failed, they didn't connect.

All that to say that if you have a similar problem, just make sure to look in your server and router settings for all options.

  So what specifically did you do to solve your problem? It doesn't sound like you actually solved the problem
  ...plus I've never heard of an ssh client trying a ping first
  I found my router's firewall settings and they were very lax, but there was one that was blocking ping, it was on. I disabled it and the connection went through. Maybe it was blocking more than just ping by accident or on purpose.
  It's definitely fixed because that one action allowed me to connect to the server from WAN. I can't really see how it wouldn't be the problem.
  Instead of pinging me you should clarify your answer.
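
The symptom in this thread (port 80 reachable from WAN, port 2209 timing out) can be narrowed down with a plain TCP probe that separates a dropped SYN from a refused connection or a live sshd. This is an added example, not code from the original posts; `probe_ssh_port` and the local listener fixture are names made up for illustration.

```python
import socket
import threading

def probe_ssh_port(host, port, timeout=5.0):
    """Classify TCP reachability of an SSH port (no ICMP involved).

    Returns (state, detail); state is one of:
      'ssh'      handshake completed and the peer sent an SSH banner
      'open'     handshake completed but no SSH banner arrived
      'refused'  RST came back: host reachable, nothing listening there
      'filtered' no reply before the timeout: packets dropped on the path
      'error'    any other failure (no route, name resolution, ...)
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ("filtered", "no reply to SYN")
    except ConnectionRefusedError:
        return ("refused", "RST received")
    except OSError as exc:
        return ("error", str(exc))
    with sock:
        try:
            banner = sock.recv(255)  # sshd sends its version string first
        except socket.timeout:
            return ("open", "connected, peer sent nothing")
        except OSError as exc:
            return ("error", str(exc))
    line = banner.split(b"\n", 1)[0].decode("ascii", "replace").strip()
    if line.startswith("SSH-"):
        return ("ssh", line)
    return ("open", line or "connected, peer closed without a banner")

def start_local_listener(banner):
    """Constructed fixture: one-shot 127.0.0.1 listener that sends `banner`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = start_local_listener(b"SSH-2.0-OpenSSH_constructed\r\n")
    print(probe_ssh_port("127.0.0.1", port, timeout=2.0))
```

Run it from outside the LAN against the forwarded port: `filtered` points at the router or a host firewall dropping the traffic, while `refused` means the packets arrived but nothing is listening where the forward points.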
