SSH Tunnels Through ER605 Gateway Router (hairpins) Do Not Always Work; Likely A Firewall Rule Issue

2021-07-22 06:47:11 - last edited 2021-08-21 07:35:44
Hardware Version: V1
Firmware Version: 1.0.0 Build 20200930 Rel.36519

Please forgive a rather detailed question, probably requiring a change in firewall rules.

Network Setup:

  • Gateway (ER605; xyz.com; 192.168.1.1; external port 12345 forwards to 192.168.1.11:22)
  • Internal SSH Server (192.168.1.11)
  • Several internal network devices (e.g., an Access Point 192.168.1.23 running OpenWrt v18)
  • Local PC (Win 10) (192.168.1.ZZZ)
  • Remote PC (Win 10)

Connections from Remote PC to Gateway through SSH tunnels work.

  • Remote PC uses PuTTY (and SuperPuTTY) to connect to Internal SSH Server (Someone@xyz.com:12345). SSH connection is successful meaning that Gateway properly forwards inbound xyz.com:12345 to 192.168.1.11:22.
  • PuTTY also creates several tunnels (e.g., L19023=192.168.1.23:80 and L19001=192.168.1.1:443).

  • From Remote PC:
    • Can connect to web admin of Access Point (http://localhost:19023/cgi-bin/luci/), Gateway and all other internal network devices (all through the SSH tunnels L19023=192.168.1.23:80 and others).
    • Can connect to web admin of Gateway (https://localhost:19001/webpages/login.html) (through the SSH tunnel L19001=192.168.1.1:443)
    • Success

Connections from Local PC to Gateway through LAN work.

  • From Local PC:
    • Can connect to web admin of Access point (192.168.1.23), Gateway (192.168.1.1) and all other internal network devices (through a normal LAN connection).
    • Success.

Connections from Local PC to Gateway through SSH tunnels (through the hairpin) do not always work.

  • Same PuTTY setup as for Remote PC (Someone@xyz.com:12345) and same tunnels. This works (i.e., the hairpin through the Gateway and back through the Gateway works).
  • From Local PC:
    • Can connect to web admin of Access Point (http://localhost:19023/cgi-bin/luci/) and other internal network devices (all through the SSH tunnels L19023=192.168.1.23:80 and others). Hairpin on Gateway seems to work.
    • HOWEVER, cannot connect to web admin of Gateway (https://localhost:19001/webpages/login.html). After a delay, the browser (locked-down Firefox) shows "Secure connection failed and Firefox did not connect."
    • Partial failure.

It seems SSH tunnels through the Gateway (ER605) hairpin work except when the destination is the web admin of the Gateway itself. Is there a setting in the GUI to fix this? Are custom firewall rules needed? The current firewall rules are all the defaults.

Thank you in advance.
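As an added diagnostic (not code from the original post or from TP-Link), the script below probes a forwarded local port in two stages: a plain TCP connect to the listener the SSH client opens on 127.0.0.1, then a TLS handshake through it. It assumes the PuTTY forwards named in the post (L19023=192.168.1.23:80 and L19001=192.168.1.1:443) and a local end of 127.0.0.1; the throwaway listener it starts for the demonstration is a constructed stand-in for a forward whose far end gets refused, not the real gateway.

```python
"""Two-stage probe for an SSH local-forward listener (added diagnostic example)."""
import socket
import ssl
import threading

# Constructed sample: the PuTTY tunnel names and destinations from the post.
PUTTY_FORWARDS = {
    19023: ("192.168.1.23", 80),   # access point web admin, plain HTTP
    19001: ("192.168.1.1", 443),   # gateway web admin, HTTPS
}


def probe_forwarded_port(host: str, port: int, use_tls: bool, timeout: float = 5.0) -> dict:
    """Stage 1: TCP connect to the local listener. Stage 2 (optional): TLS handshake.

    Returns {"tcp": bool, "tls": bool | None, "error": str | None}; "tls" is None
    when no handshake was attempted.
    """
    result = {"tcp": False, "tls": None, "error": None}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["error"] = f"tcp: {exc}"
        return result
    result["tcp"] = True
    if not use_tls:
        raw.close()
        return result
    # Certificate checks are off on purpose: the browser-style connection goes to
    # "localhost", so the gateway's certificate cannot match. This measures
    # reachability through the forward, not trust in the far end.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    result["tls"] = False
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            result["tls"] = True
            result["protocol"] = tls.version()
    except (ssl.SSLError, OSError) as exc:
        # wrap_socket closes the underlying socket itself when the handshake fails
        result["error"] = f"tls: {exc}"
    return result


def classify(result: dict) -> str:
    """Turn a probe result into the statement a troubleshooter wants."""
    if not result["tcp"]:
        return "no local listener: the SSH client has not opened the forward"
    if result["tls"] is None:
        return "local listener reachable (TCP only checked)"
    if result["tls"] is False:
        return "local listener answered but no TLS came back: the far end of the forward was refused or closed"
    return "forward works end to end"


def start_tcp_only_listener() -> int:
    """Constructed stand-in for a forward whose remote side fails: the local
    listener accepts the TCP connection and then closes it without speaking TLS.
    Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def serve():
        while True:
            conn, _ = srv.accept()
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port() -> int:
    """Pick a port with nothing listening (bind to 0, read the port, release it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Probe the forwards from the post as PuTTY would expose them on the Local PC.
    for lport, (dst_host, dst_port) in PUTTY_FORWARDS.items():
        r = probe_forwarded_port("127.0.0.1", lport, use_tls=(dst_port == 443))
        print(f"localhost:{lport} -> {dst_host}:{dst_port}: {classify(r)} ({r['error']})")
```

The two stages matter because of how a local forward works: the SSH client itself owns the listening socket on localhost, so the browser's TCP connect succeeds whenever the forward is configured at all. Only after that does the SSH server try to reach 192.168.1.1:443, and if that connection is refused or dropped, the client tears down the local socket, which the browser reports as a failed secure connection rather than a connection refused. A "tls:" error from the probe therefore places the failure on the far side of the tunnel, between the internal SSH server and the gateway's admin interface, which is where the question above points; it does not by itself say whether a firewall rule or an access-control setting on the gateway is the cause.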
