SSH Tunnels Through ER605 Gateway Router (hairpins) Do Not Always Work; Likely A Firewall Rule Issue
Please forgive a rather detailed question, probably requiring a change in firewall rules.
Network Setup:
- Gateway (ER605; xyz.com; 192.168.1.1; external port 12345 forwards to 192.168.1.11:22)
- Internal SSH Server (192.168.1.11)
- Several internal network devices (e.g., an Access Point 192.168.1.23 running v 18 OpenWRT)
- Local PC (Win 10) (192.168.1.ZZZ)
- Remote PC (Win 10)
Connections from Remote PC to Gateway through SSH tunnels work.
- Remote PC uses PuTTY (and SuperPuTTY) to connect to Internal SSH Server (Someone@xyz.com:12345). SSH connection is successful meaning that Gateway properly forwards inbound xyz.com:12345 to 192.168.1.11:22.
- PuTTY also creates several tunnels (e.g., L19023=192.168.1.23:80 and L19001=192.168.1.1:443).
- From Remote PC:
  - Can connect to web admin of Access Point (http://localhost:19023/cgi-bin/luci/), Gateway and all other internal network devices (all through the SSH tunnels L19023=192.168.1.23:80 and others).
  - Can connect to web admin of Gateway (https://localhost:19001/webpages/login.html) (through the SSH tunnel L19001=192.168.1.1:443).
  - Success.
Connections from Local PC to Gateway through LAN work.
- From Local PC:
  - Can connect to web admin of Access Point (192.168.1.23), Gateway (192.168.1.1) and all other internal network devices (through a normal LAN connection).
  - Success.
Connections from Local PC to Gateway through SSH tunnels (through the hairpin) do not always work.
- Same PuTTY setup as for Remote PC (Someone@xyz.com:12345) and same tunnels. This works (i.e., the hairpin through the Gateway and back through the Gateway works).
- From Local PC:
  - Can connect to web admin of Access Point (http://localhost:19023/cgi-bin/luci/) and other internal network devices (all through the SSH tunnels L19023=192.168.1.23:80 and others). The hairpin on the Gateway seems to work.
  - HOWEVER, cannot connect to web admin of Gateway (https://localhost:19001/webpages/login.html). After a delay, the browser (locked-down Firefox) shows "Secure connection failed and Firefox did not connect."
  - Partial failure.
It seems SSH tunnels through the Gateway (ER605) hairpin work except when the destination is the web admin of the Gateway itself. Is there a setting in the GUI to fix this? Are custom firewall rules needed? The current firewall rules are all the defaults.
Thank you in advance.
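The "Secure connection failed" symptom above is ambiguous from the browser's side: it cannot tell a local forward that nobody is listening on from one where PuTTY accepts the connection and then drops it because the SSH server (192.168.1.11) could not open the channel to 192.168.1.1:443. An SSH client opens its local listening ports when the session starts, independent of whether the far end can reach each destination, so a refused connection and a connection that dies before the TLS handshake point at different hops. The script below is an added diagnostic, not part of the original post or of any TP-Link or PuTTY tooling; it probes the same service over the direct LAN path and over the tunnel's local port, separates the TCP stage from the TLS-handshake stage, and says which hop to look at. The addresses and port numbers are the ones from the post; the two helper listeners at the bottom are constructed stand-ins so the logic can be exercised without the real network.

```python
"""Compare a service reached directly on the LAN with the same service reached
through an SSH local forward, and report at which stage the tunnel path fails."""
import socket
import ssl
import threading

# Targets taken from the post: direct LAN path vs. the PuTTY local forward.
# (label, host, port, use_tls)
TARGETS = [
    ("gateway admin, direct LAN", "192.168.1.1", 443, True),
    ("gateway admin, via tunnel L19001", "127.0.0.1", 19001, True),
    ("access point admin, direct LAN", "192.168.1.23", 80, False),
    ("access point admin, via tunnel L19023", "127.0.0.1", 19023, False),
]


def probe(host, port, use_tls=True, timeout=5.0):
    """Return (stage, detail) where stage is one of:
    'tcp-failed'  no TCP connection at all (refused or timed out)
    'tls-failed'  TCP connected, but the TLS handshake did not complete
    'ok'          handshake completed (or, with use_tls=False, TCP connected)"""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp-failed", f"{type(exc).__name__}: {exc}")
    if not use_tls:
        sock.close()
        return ("ok", "tcp connect only")
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # diagnostic only: we want the handshake outcome, not trust
    try:
        with ctx.wrap_socket(sock) as tls_sock:
            return ("ok", tls_sock.version() or "tls")
    except OSError as exc:  # ssl.SSLError, ConnectionResetError and timeouts all derive from OSError
        return ("tls-failed", f"{type(exc).__name__}: {exc}")


def interpret(direct, tunnel):
    """Turn the (direct, tunnel) probe pair into a statement about which hop to inspect."""
    if direct[0] != "ok":
        return "service down: the target is unreachable even on the LAN, the tunnel is not the issue"
    if tunnel[0] == "tcp-failed":
        return "nothing listening: PuTTY is not running or this Lnnnn forward is not configured"
    if tunnel[0] == "tls-failed":
        return ("channel open failed: the local listener accepted and then dropped the connection, "
                "which is what the SSH client does when the SSH server cannot reach the destination; "
                "inspect the path from 192.168.1.11 to the target, not the browser")
    return "both paths work"


def run(targets=TARGETS):
    """Probe every target and pair each 'via tunnel' entry with its 'direct LAN' twin."""
    results = {label: probe(host, port, use_tls) for label, host, port, use_tls in targets}
    verdicts = {}
    labels = list(results)
    for i in range(0, len(labels) - 1, 2):
        verdicts[labels[i + 1]] = interpret(results[labels[i]], results[labels[i + 1]])
    return results, verdicts


# --- constructed stand-ins used to exercise the classifier offline ---------------

def free_closed_port():
    """A loopback port with no listener: models a forward that PuTTY never opened."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def start_accept_then_drop_listener():
    """A listener that accepts and immediately closes: models a local forward whose
    remote channel open fails. Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    res, verd = run()
    for label, (stage, detail) in res.items():
        print(f"{label:40s} {stage:10s} {detail}")
    for label, verdict in verd.items():
        print(f"-> {label}: {verdict}")
```

Run it on the Local PC with the PuTTY session up; if the gateway row comes back `tls-failed` while the access-point row is `ok`, the local end of the forward is fine and the place to look is whether 192.168.1.11 can reach 192.168.1.1:443 at all (a plain `curl -k https://192.168.1.1/` from the SSH server tells you that directly). If it comes back `tcp-failed`, the forward itself is not listening and the gateway is not involved yet.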