Author Topic: SSH traffic is not being forwarded  (Read 7406 times)

obeiro

  • Level 1 Member
  • *
  • Posts: 10
SSH traffic is not being forwarded
« on: July 20, 2010, 03:54:47 AM »

Hi,

I am trying to debug why SSH traffic is not being forwarded by the DFL-800 to my Linux router.

Same basic info as in the previous thread: http://forums.dlink.com/index.php?topic=13886.msg81487#msg81487
Here's my scenario.

* DFL-800 Firewall - WAN1: public IP - LAN: private IP 10.0.0.254, subnet 10.0.0.252/30
Default config. I just added two IP rules to let all traffic flow to the network appliance at 10.0.0.253:

#  Name                  Action  Source interface  Source network  Destination interface  Destination network  Service
1  allow_all_tcpudp_sat  SAT     any               all-nets        core                   wan1_ip              all_tcpudp
2  allow_all_tcpudp_nat  NAT     any               all-nets        core                   wan1_ip              all_tcpudp

* The network appliance (IPBrick) is a Linux box which handles VPN, VoIP, email and fax, and works as the main firewall. Unfortunately it doesn't support WAN load balancing or failover (that's why we need the DFL-800).
eth0 IP: 10.0.0.253, eth1 IP: 192.168.0.254, in our LAN subnet 192.168.0.0/24

Using snort on the Linux box, I've found that not even a single SSH packet reaches it on port 22. OpenVPN is working fine and snort shows it on port 1194.

So I'd like to get some advice from you on:
  • Logging specific traffic to a port (i.e. TCP 22)
  • Whatever configuration changes I may need to allow SSH traffic.

Thanks in advance

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: SSH traffic is not being forwarded
« Reply #1 on: July 20, 2010, 08:49:49 AM »

Change the SSH port of your firewall itself; it can't forward traffic destined for a port that it is remotely manageable via as long as the "before rules" setting for that UI is in effect.
non progredi est regredi

obeiro

  • Level 1 Member
  • *
  • Posts: 10
Re: SSH traffic is not being forwarded
« Reply #2 on: July 20, 2010, 09:32:33 AM »

Hi Fatman,

I've looked through the manual for that setting but couldn't find it.
At System -> Remote Management -> Advanced settings, it is possible to change the HTTP and HTTPS ports, but not SSH.
I've tried unchecking SSH Before Rules, but it didn't work as expected.

Thank you.

danilovav

  • Level 4 Member
  • ****
  • Posts: 424
  • Alexandr Danilov
Re: SSH traffic is not being forwarded
« Reply #3 on: July 20, 2010, 12:03:04 PM »

The port for SSH remote management is set on the SSH management item.

You can make special rules (SAT + NAT) for SSH and log them, or you can capture packets with the pcapdump command in the console.
BR, Alexandr Danilov

obeiro

  • Level 1 Member
  • *
  • Posts: 10
Re: SSH traffic is not being forwarded
« Reply #4 on: July 22, 2010, 04:11:25 AM »

Hi,

It's working now (thank you :)), but I have a new problem :(.

What I've done, step by step:

  • System -> Remote Management -> Advanced settings -> uncheck SSH Before Rules (thank you Fatman)
  • New wan1_to_lan rule:
    • #  Name            Action  Source interface  Source network  Destination interface  Destination network  Service
      1  allow_ssh2_sat  SAT     any               all-nets        core                   wan1_ip              ssh2
    • Action: SAT - Service: ssh2 (set to another port, 9922)
    • Log settings tab -> checked Enable Logging - Severity: Debug
    • SAT tab -> Destination IP -> New IP Address: (SSH server) - New Port: 22

So it's not working as I wished (using port 22), but it's working, so that's ok.

Now I can't access the DFL-800 using SSH. I guess I need a new IP rule to point SSH traffic to the DFL. Am I wrong? What's that rule?

Thank you!

danilovav

  • Level 4 Member
  • ****
  • Posts: 424
  • Alexandr Danilov
Re: SSH traffic is not being forwarded
« Reply #5 on: July 22, 2010, 04:54:53 PM »

Just one SAT rule will not work. Add an Allow/NAT rule with the same source/destination/service.
BR, Alexandr Danilov

obeiro

  • Level 1 Member
  • *
  • Posts: 10
Re: SSH traffic is not being forwarded
« Reply #6 on: July 26, 2010, 03:26:14 AM »

Just one SAT rule will not work. Add an Allow/NAT rule with the same source/destination/service.

Well, it works, as I can access the DFL from our LAN, and the Linux box both from our LAN and from the WAN.

It's funny how I can't access the DFL from the WAN.

danilovav

  • Level 4 Member
  • ****
  • Posts: 424
  • Alexandr Danilov
Re: SSH traffic is not being forwarded
« Reply #7 on: July 26, 2010, 07:37:26 AM »

I think it's because you already use port 22 for your internal server? Add SSH remote management from the WAN with a different port.
BR, Alexandr Danilov
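The three behaviours the replies in this thread describe (a management port flagged "before rules" is answered by the firewall before the IP rule set is consulted, a SAT rule needs a companion NAT/Allow rule or the packet is dropped, and forwarding port 22 to the server leaves no port 22 for the DFL itself from the WAN) can be reproduced with a small rule-evaluation model. This is an added illustration written for this thread, not D-Link or NetDefendOS code; the rule semantics are a simplification assumed from the posts above. The `wan1_ip` object, the `ssh2` service on 9922, the `all_tcpudp` rules and the 10.0.0.253 server come from the thread; the 2222 management port is a constructed value.

```python
"""Toy model of NetDefendOS-style rule evaluation (constructed for this thread;
not D-Link's code). Rule semantics are an assumption drawn from the posts."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set, Tuple

SERVER = "10.0.0.253"   # the thread's IPBrick Linux box
WAN1_IP = "wan1_ip"     # address object for the DFL-800's WAN1 address
ANY_PORT = None         # service wildcard, like the thread's all_tcpudp


@dataclass(frozen=True)
class Packet:
    src_if: str
    dst_ip: str
    dst_port: int


@dataclass
class Rule:
    name: str
    action: str                  # "SAT", "NAT" or "Allow"
    src_if: str                  # "any" or an interface name
    dst_ip: str                  # destination address object
    ports: Optional[Set[int]]    # None = all ports
    sat_to: Optional[Tuple[str, Optional[int]]] = None  # (ip, port); port None = keep

    def matches(self, pkt: Packet) -> bool:
        return (self.src_if in ("any", pkt.src_if)
                and self.dst_ip == pkt.dst_ip
                and (self.ports is None or pkt.dst_port in self.ports))


@dataclass
class Firewall:
    rules: List[Rule]
    # remote-management service -> (listen port, "before rules" flag)
    mgmt: Dict[str, Tuple[int, bool]]

    def process(self, pkt: Packet) -> str:
        # 1. A management port flagged "before rules" is answered by the
        #    firewall itself; the IP rule set is never consulted for it.
        if pkt.dst_ip == WAN1_IP:
            for svc, (port, before_rules) in self.mgmt.items():
                if before_rules and port == pkt.dst_port:
                    return f"local:{svc}"
        # 2. Walk the rule set in order. A matching SAT rule only records the
        #    translation; the next matching NAT/Allow rule gives the verdict.
        translated = None
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            if rule.action == "SAT":
                if translated is None and rule.sat_to is not None:
                    ip, port = rule.sat_to
                    translated = (ip, pkt.dst_port if port is None else port)
                continue
            if rule.action in ("NAT", "Allow"):
                ip, port = translated or (pkt.dst_ip, pkt.dst_port)
                return f"forward:{ip}:{port}"
        # 3. No permitting rule matched: a lone SAT rule ends here.
        return "drop"


def poster_rules(extra: Sequence[Rule] = ()) -> List[Rule]:
    """The two rules from the first post (all TCP/UDP to the server), after any extras."""
    return list(extra) + [
        Rule("allow_all_tcpudp_sat", "SAT", "any", WAN1_IP, ANY_PORT, (SERVER, None)),
        Rule("allow_all_tcpudp_nat", "NAT", "any", WAN1_IP, ANY_PORT),
    ]


def from_wan(fw: Firewall, port: int) -> str:
    """Verdict for a packet arriving on wan1 addressed to the firewall's WAN1 IP."""
    return fw.process(Packet("wan1", WAN1_IP, port))


# A: default config, SSH management on 22 with "before rules" on.
#    Port 22 never reaches the rules (the original complaint); 1194 is forwarded.
default_fw = Firewall(poster_rules(), {"ssh": (22, True), "https": (443, True)})

# B: "SSH before rules" unchecked. 22 now forwards to the server, which is
#    why the DFL itself stopped answering on 22 from the WAN (reply #6).
no_before_fw = Firewall(poster_rules(), {"ssh": (22, False), "https": (443, True)})

# C: the ssh2 service on 9922 SAT-ed to server:22, but only the SAT rule
#    (reply #5: "just one SAT rule will not work").
sat_only_fw = Firewall(
    [Rule("allow_ssh2_sat", "SAT", "any", WAN1_IP, {9922}, (SERVER, 22))],
    {"ssh": (22, False)})

# D: SAT + NAT pair for 9922, plus SSH management moved to a different port
#    (2222 is a constructed value) with "before rules" on, so both the server
#    and the firewall are reachable from the WAN (reply #7).
fixed_fw = Firewall(
    poster_rules([
        Rule("allow_ssh2_sat", "SAT", "any", WAN1_IP, {9922}, (SERVER, 22)),
        Rule("allow_ssh2_nat", "NAT", "any", WAN1_IP, {9922}),
    ]),
    {"ssh": (2222, True)})

if __name__ == "__main__":
    for label, fw in [("default", default_fw), ("no_before", no_before_fw),
                      ("sat_only", sat_only_fw), ("fixed", fixed_fw)]:
        print(label, {p: from_wan(fw, p) for p in (22, 1194, 9922, 2222)})
```

Running the script prints the verdict per scenario and port; the useful check when debugging a real box is the same one: decide first whether the port is owned by the firewall's own management services, then whether a SAT rule has a NAT/Allow partner after it.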

obeiro

  • Level 1 Member
  • *
  • Posts: 10
Re: SSH traffic is not being forwarded
« Reply #8 on: July 28, 2010, 12:42:08 AM »

Thank you!