I am attempting to set up port forwarding on my Asus router so that I can, among other things, SSH to one device connected to the LAN from the Internet.

Since my Internet provider doesn't provide me with a static IP, I set up DDNS with no-ip.com - I configured the provided hostname in my router's DDNS settings with the username and password. When I look at the no-ip.com dashboard, I can see that the target is correctly showing up as my router's public IP (in the form 100.100.xxx.xx, which matches the IP I see in the router config page).

In the router's port-forwarding config, I set it to listen on both UDP and TCP on port 500, forwarding the connection to the IP of the local device I want to SSH to on port 22. I set up an SSH server on the target device (listening on port 22) and added an exception for port 22 in the device firewall.

Now, when I try to SSH to the device (using the command ssh [email protected] -p 500), if I'm trying it from another device connected to the same LAN, the connection succeeds. However, if I enable the VPN service I use on that device, or try to execute the command from a device connected to a completely different network, the connection times out. Likewise, if I try to run the command Test-NetConnection noiphostname.ddns.net from PowerShell on a Windows device, the ping fails/succeeds in the same fashion as the SSH connections.

Can anyone help me troubleshoot what's going on?

  • 500/UDP is the IKE port used by some VPNs. Your NAT gateway may be treating it specially. Try some other public port, preferably something above 1024.
    – Spiff
    Commented Sep 16, 2023 at 23:19
  • @Spiff Thanks, I tried port 1075 but no change. Commented Sep 16, 2023 at 23:56

1 Answer

When I look at the no-ip.com dashboard, I can see that the target is correctly showing up as my router's public IP (in the form 100.100.xxx.xx, which matches the IP I see in the router config page).

100.100.x.x is unfortunately not a public IP address. It's from the private address range reserved for CGNAT use – i.e. above your router there's another layer of NAT done at ISP level.

In other words, "no static IP" doesn't necessarily mean that the alternative is a dynamic IP address; it could also mean that you don't have a public IP address at all.

Looking for your IP at your router's settings page was the correct thing to do, but you should've also compared it with the IP that websites report. In your case they'll differ, indicating CGNAT.

Port forwarding will not work in this situation, as it would also need to be configured on the CGNAT level at the ISP. Use a VPN tunnel for inbound connections instead. (There are VPN programs more suited for this purpose.)

  • Honestly this is a duplicate of like 20 "CGNAT" threads by now, but I don't have the energy to search for them either. Commented Sep 17, 2023 at 6:15
  • Re: "IP that websites report", sites like whatismyipaddress.com (and there are loads of others), or simply googling "what is my ip address", will show you what public IP address they see you connecting from currently, but it will likely change. Commented Sep 17, 2023 at 9:52
  • @u1686_grawity Thanks, I was worried about that. The thing is, my router does actually support hosting an OpenVPN server, and I tried experimenting with it in the past, but I never got it to work, and I suspect it's for the same reason? I use TAP as the interface type (since I want clients to access the LAN), port 1025, tried with both TCP and UDP, various encryption protocols, TLS certificate-based auth, but when I then try to connect using an OpenVPN client with the router-generated certificate on a remote device, I get "TCP: connect to[AF_INET]100.100.xxx.xx:1025 failed: Unknown error". Commented Sep 17, 2023 at 12:23
  • @Faptimus420: It's for the exact same reason. Port forwarding on your router isn't working because the packets from the Internet never reach your router to begin with; for the same reason, any service hosted directly on the router will not work either. Commented Sep 17, 2023 at 12:38
