Business Community > Routers > SSH Tunnels Through ER605 Gateway Router (hairpins) Do Not Always Work; Likely A Firewall Rule Issue
< Routers

SSH Tunnels Through ER605 Gateway Router (hairpins) Do Not Always Work; Likely A Firewall Rule Issue

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

SSH Tunnels Through ER605 Gateway Router (hairpins) Do Not Always Work; Likely A Firewall Rule Issue

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
SSH Tunnels Through ER605 Gateway Router (hairpins) Do Not Always Work; Likely A Firewall Rule Issue
SSH Tunnels Through ER605 Gateway Router (hairpins) Do Not Always Work; Likely A Firewall Rule Issue
2021-07-22 06:47:11 - last edited 2021-08-21 07:35:44
Model: ER605 (TL-R605)  
Hardware Version: V1
Firmware Version: 1.0.0 Build 20200930 Rel.36519

Please forgive a rather detailed question, probably requiring a change in firewall rules.

 

Network Setup:

  • Gateway (ER605; xyz.com; 192.168.1.1; external port 12345 forwards to 192.168.1.11:22)
  • Internal SSH Server (192.168.1.11)
  • Several internal network devices (e.g., an Access Point 192.168.1.23 running v 18 OpenWRT)
  • Local PC (Win 10) (192.168.1.ZZZ)
  • Remote PC (Win 10)

.

Connections from Remote PC to Gateway through SSH tunnels work.

  • Remote PC uses PuTTY (and SuperPuTTY) to connect to Internal SSH Server (Someone@xyz.com:12345). SSH connection is successful meaning that Gateway properly forwards inbound xyz.com:12345 to 192.168.1.11:22.
  • PuTTY also creates several tunnels (e.g., L19023=192.168.1.23:80 and L19001=192.168.1.1:443).

 

  • From Remote PC:
    • Can connect to web admin of Access Point (http://localhost:19023/cgi-bin/luci/), Gateway and all other internal network devices (all through the SSH tunnels L19023=192.168.1.23:80 and others).
    • Can connect to web admin of Gateway (https://localhost:19001/webpages/login.html) (through the SSH tunnel L19001=192.168.1.1:443)
    • Success

    
Connections from Local PC to Gateway through LAN works.

  • From Local PC:
    • Can connect to web admin of Access point (192.168.1.23), Gateway (192.168.1.1) and all other internal network devices (through a normal LAN connection).
    • Success.

 

Connections from Local PC to Gateway through SSH tunnels (through the hairpin) does not always work.

  • Same PuTTY setup as for Remote PC (Someone@xyz.com:12345) and same tunnels. This works (i.e., the hairpin through the Gateway and back through the Gateway works).
  • From Local PC:
    • Can connect to web admin of Access Point (http://localhost:19023/cgi-bin/luci/) and other internal network devices (all through the SSH tunnels L19023=192.168.1.23:80 and others). Hairpin on Gateway seems to work.
    • HOWEVER, cannot connect to web admin of Gateway (https://localhost:19001/webpages/login.html). After a delay, the browser (locked-down Firefox) shows "Secure connection failed and Firefox did not connect."
    • Partial failure.

   
Seems SSH tunnels through the Gateway (ER605) hairpin works except when the destination is the web admin of the Gateway itself. Is there a setting in the GUI to fix this? Are custom firewall rules needed? The current firewall rules are all the defaults.

 

Thank you in advance.

  0      
 
  0      
 
#1
Options

Information

Helpful: 0

Views: 1475

Replies: 0

About Us
Press
Copyright © TP-Link Corporation Limited. All rights reserved.