
A strange issue: I have a desktop running Ubuntu 10.04 behind a Netgear WNR1000 router performing NAT. I would like to be able to ssh into the desktop from my laptop (running Windows 7 and Cygwin). When at home, both the desktop and the laptop are connected by wireless (the desktop is in a different room from the router). sshd seems to be running fine, since ssh localhost from the desktop works without trouble. Also, ssh my.ip.address from my laptop when it is not behind the router works fine (I am forwarding port 22 on the router to my desktop). However, ssh same.ip.address from within the LAN fails with "Connection refused". ssh 192.168.local.ip.address fails with a different message, "Connection timed out". I can connect if I first ssh to a machine outside the LAN.

So far I haven't found anything with Google because with the search terms that seem like they would be relevant, the vast majority of people have the opposite problem - i.e., they can't connect from outside the LAN but can connect within it. I can port forward through a remote server when I'm at home, but this seems like a totally absurd way to connect two computers on the same home LAN. I have already tried stopping and starting sshd on the desktop. Any thoughts?


1 Answer


Part of this issue is that your NAT gateway isn't doing NAT hairpinning (sometimes called "NAT reflection"). That's when a NAT gateway lets a client on the private side connect to the NAT's public IP address, and it's smart enough to realize that it has a port mapping, and thus turn the packet right back around and send it to the port-mapped host on the private side of the NAT. You could look and see if your router has a setting for NAT hairpinning that just needs to be turned on, but the odds are that it just can't do it. You could check to make sure you're running the latest firmware from Netgear (maybe they fixed it later), or you could see if you can get an aftermarket firmware distro such as DD-WRT running on your Netgear box. Maybe DD-WRT or some other distro that supports your Netgear box has proper NAT hairpinning code.

The other part of this issue is the fact that you can't connect directly from a host on the private side of the NAT to another host on the private side of the NAT, using the private IP addresses directly. The only thing I can think of for that is that some Wi-Fi APs have a checkbox to disable what's called "Intra-BSS Relay" in the IEEE 802.11 spec. Sometimes the UI might call this "enable client isolation" or "disable client-to-client communication" or something like that.
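To make the two explanations above concrete, here is an added toy model (not code from the original post or from Netgear) of a home router's forwarding decision. It reproduces the three observations from the question: "Connection refused" on the public IP from inside, "Connection timed out" on the private IP, and a working connection from outside. All addresses are constructed, and the comments mark where router behaviour is assumed rather than taken from the post.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"   # constructed WAN address of the router
LAN_PREFIX = "192.168.1."
DESKTOP = "192.168.1.20"     # constructed: the Ubuntu box running sshd
LAPTOP = "192.168.1.30"      # constructed: the Cygwin client on the same Wi-Fi

@dataclass
class HomeRouter:
    hairpin: bool              # does the NAT turn LAN -> public-IP traffic around?
    client_isolation: bool     # is "Intra-BSS Relay" disabled on the AP?
    port_forwards: dict = field(default_factory=dict)  # public port -> (host, port)

    def deliver(self, src, dst, dport):
        """Where does a TCP SYN from host `src` end up, and what does `src` observe?"""
        if dst == PUBLIC_IP:
            target = self.port_forwards.get(dport)
            if target is None or (src.startswith(LAN_PREFIX) and not self.hairpin):
                # Unmapped port, or a LAN client hitting the public IP on a router
                # that cannot hairpin: the SYN ends at the router's own address.
                # Assumed: nothing listens there, so it answers with a TCP RST.
                return "router", "Connection refused"
            # From the WAN, or a hairpin-capable NAT from the LAN: DNAT to the
            # mapped host (assumed: the hairpin case also SNATs to PUBLIC_IP).
            return target[0], "forwarded to %s" % target[0]
        if dst.startswith(LAN_PREFIX):
            if self.client_isolation and src.startswith(LAN_PREFIX):
                # The AP drops frames between wireless clients; the SYN is never
                # answered, so the client keeps retrying and eventually times out.
                return None, "Connection timed out"
            return dst, "connected directly"
        return "upstream", "connected via WAN"

def diagnose(router):
    """Try the three paths from the question against port 22."""
    return {
        "public_ip": router.deliver(LAPTOP, PUBLIC_IP, 22)[1],
        "private_ip": router.deliver(LAPTOP, DESKTOP, 22)[1],
        "from_outside": router.deliver("198.51.100.7", PUBLIC_IP, 22)[1],
    }

if __name__ == "__main__":
    forwards = {22: (DESKTOP, 22)}
    old = HomeRouter(hairpin=False, client_isolation=True, port_forwards=forwards)
    new = HomeRouter(hairpin=True, client_isolation=False, port_forwards=forwards)
    print("old firmware:", diagnose(old))
    print("new firmware:", diagnose(new))
```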

  • Thanks a ton - a firmware upgrade fixed both the private and the public IP address problems. Not sure why I didn't think to try that first!
    – Patrick B.
    Commented Jul 8, 2012 at 16:34
