
Scenario:

I have a local machine behind a router that uses NAT, and my ISP sometimes assigns a new public IP address to that router.

The local machine uses SSH to open a remote port on a public SSH server, e.g. something like ssh [email protected] -R 8080:localhost:80. As far as I understood, this redirects requests to the ssh server on port 8080 to port 80 of my local machine.

Question:

What happens exactly if my ISP gives a new public IP address to my router? Does the ssh client on my local computer stop and exit? Does the ssh server recognize the change, or does it stop or fail too? Or is there no problem and the server can update the IP address automatically? (This question and its answers make me think this is the case, but it isn't stated clearly.)

For the moment, I don't care about how to fix this problem, I only want to know how to detect it. And no, I cannot "just try" it, sorry for that.

  • Not sure, but a) I doubt it'd make a difference if it's a reverse tunnel or not; b) you could look into a related question of what happens to a TCP connection if the NAT router that the client is behind changes its public IP. If the TCP connection can persist, then I'd guess an SSH connection "within" it (fields within it) would be OK.
    – barlop
    Commented Sep 6, 2020 at 13:40

1 Answer


Normal situation:

  • You have a NAT router with a public IP of 333.333.333.333. You have NAT configured to forward incoming traffic from port 22 to 192.168.33.33 port 22.

  • A client with public IP of 444.444.444.444 starts an SSH session using port 22 and sends that to 333.333.333.333 port 22.

  • Your NAT router receives the first part of the TCP connection (the TCP flags allow it to know whether incoming traffic is a new TCP connection) on 333.333.333.333:22 and checks the NAT table to see if any port forwardings are setup.

  • Your NAT router finds the mapping to 192.168.33.33 port 22 and starts a NAT session internally for this connection. It will rewrite the source IP of incoming packets from this connection on 444.444.444.444:22 to 192.168.33.33:22 and also rewrite the source IP of packets that are leaving the NAT router from 192.168.33.33:22 to 333.333.333.333:22. The NAT session will expire when the TCP connection is closed or a timeout period passes.

If your public IP changes, then:

  • External clients trying to make new connections to the old IP will either time out or connect to the wrong system.

  • Existing connections: If your router doesn't update its NAT configuration when the public IP changes, and you're in the middle of a TCP connection with a NAT session, NATted segments of the TCP connection will reach the external client, but responses can't reach back to the server behind the NAT. The result will be that the client connection will eventually time out, the server connection behind the NAT will also eventually time out, and you will see log entries on both sides about timeouts.

  • Your SSH server will not automatically restart unless something on your router is set to restart it when the external IP changes.

OpenSSH, the normal SSH server used with Linux, is designed to be robust enough to support remote login into servers. It pretty much won't die unless you explicitly kill it, possibly if you modify the permissions of certain configuration files, or your system is extremely corrupted.

I only want to know how to detect it

If your NAT router is a Linux-based router, and your ISP gives you your IP via DHCP, your router is probably running a program called dhcpcd that performs actions when the ISP DHCP lease expires, and has hooks to perform actions on events such as getting a new IP from your ISP. Alternatively if your router has support for working with a dynamic DNS provider, like freemyip.com, you can use a domain name instead of an IP.
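As an added example (not code from the answer or the original poster), here is a run-hook in the style the answer describes: dhcpcd runs the scripts in its hook directory with the lease event in $reason, the interface in $interface and the addresses in $old_ip_address and $new_ip_address (real dhcpcd hook variables). The WAN interface name, the script path and the syslog tag are assumptions.

```shell
#!/bin/sh
# Hypothetical dhcpcd run-hook, e.g. installed as /etc/dhcpcd/dhcpcd-hooks/90-wan-ip-change
# (assumed path). dhcpcd exports $reason, $interface, $old_ip_address and
# $new_ip_address to its hooks; everything else here is an assumption.

WAN_IF="${WAN_IF:-eth0}"   # assumption: the ISP-facing interface

# Return 0 (true) only for a lease event on the WAN interface that carries a
# different address than before. Arguments: interface, reason, old IP, new IP.
wan_ip_changed() {
    iface="$1"; why="$2"; old="$3"; new="$4"
    [ "$iface" = "$WAN_IF" ] || return 1
    case "$why" in
        BOUND|RENEW|REBIND|REBOOT) ;;   # lease events that can deliver an address
        *) return 1 ;;                  # EXPIRE, NOCARRIER, etc. carry no new lease
    esac
    [ -n "$new" ] && [ "$old" != "$new" ]
}

# Compose the line written to syslog when a change is detected; the old
# address is empty after an expired lease, so print "none" in that case.
change_message() {
    printf 'WAN address on %s changed from %s to %s (%s); existing NAT sessions and the reverse SSH tunnel will time out\n' \
        "$1" "${2:-none}" "$3" "$4"
}

# Entry point when dhcpcd invokes the hook; skipped when $reason is not set
# (for example when the file is sourced for testing).
if [ -n "$reason" ] && wan_ip_changed "$interface" "$reason" "$old_ip_address" "$new_ip_address"; then
    change_message "$interface" "$old_ip_address" "$new_ip_address" "$reason" | logger -t wan-ip-change
fi
```

The logged line is the detection signal the question asks for; restarting the tunnel on that event is a separate step the answer leaves open.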

  • What happens to the client that started the remote port forwarding (192.168.33.33)? Does its ssh session time out and exit? Or will it hang infinitely waiting for an incoming message?
    – ixolius
    Commented Sep 6, 2020 at 21:53
