- 05-09-2010 #1
port forwarding/default gateway problem
I'm trying to get port forwarding set up for remote ssh.
I have an ADSL modem from my phone company going into an SMC Barricade (4 port router/firewall) which is connected to my Linksys WRT54G running tomato firmware.
Speedstream ---->SMC barricade------>WRT54g------->Desktop
I have port forwarding set up on both the barricade and the Linksys router (for port 22) but for some reason am unable to ssh into my network from a remote location.
Ssh works fine inside the LAN.
Tech support for the telco tells me that there is no access to the modem, it passes all requests to my firewall which is the default gateway.
I tried setting up the forwarding for port 22 on the firewall for requests coming from both the public IP and the private IP - neither seems to make a difference.
I know this is supposed to be simple and imagine it's something simple I'm missing but I don't see what it might be.
There are no access restrictions set on either the firewall or the linksys.
Any ideas for me?
- 05-10-2010 #2
> Speedstream ---->SMC barricade------>WRT54g------->Desktop
You have to daisy chain them. The SMC barricade has to
forward the port to the WRT54g and the WRT54g
has to forward the port to the Desktop
Both routers should have NAT enabled. (It usually is by default)
- 05-10-2010 #3
I believe that's what I've done; port 22 on each unit is forwarded.
Once I have it working I'll use a different internal port on the desktop but so far I cannot get connected.
What am I missing?
- 05-10-2010 #4
Are you getting normal internet connectivity from the Desktop?
You could go to a site like ShieldsUP!
where they will port scan your address and report on the status
of your open ports. It'll give you a clue.
Last edited by rcgreen; 05-10-2010 at 10:06 AM.
- 05-10-2010 #5
No problem at the desktop, and as far as ssh, I can reach all machines on my network.
As for NAT, I left both machines with the default settings, UPnP is enabled on the Linksys and I don't see any option on either to disable NAT - so I guess it's also enabled on both.
When I check "all service ports" at GRC, they all show in stealth mode and the firewall is set to discard pings from the WAN side:
"There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!"
BTW.. I have the WRT54G and the Barricade forwarding port 22 for both TCP and UDP.
Must port 22 be shown as open in order for me to access the desktop remotely?
My understanding is that the port can show as stealthed but still be accessible to me since I know the WAN address, no?
If Shields Up were to report port 22 open - wouldn't that, as opposed to showing as stealthed, just be an invitation for a bot to attempt a brute force attack or a person to try something more refined to gain access?
- 05-10-2010 #6
The port would have to be open for you to access the service.
Closed is if the machine replies that the port is closed.
Stealth is if the machine doesn't reply at all. Double check all your settings. I guess your ISP could be blocking the port. They often
block 80 and 25, but I wasn't aware of any that block 22.
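The three states described in the post above, as a TCP client sees them (an added example, not part of the thread; `probe_tcp` and `loopback_demo` are names made up here). A completed handshake is "open", a reset is "closed", and no answer before the timeout is what the scan report calls "stealth".

```python
import errno
import socket


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP port by how the far end answers a connection attempt.

    open    - the handshake completes (a service is listening and reachable)
    closed  - the host answers with a reset (connection refused)
    stealth - nothing comes back before the timeout (packet silently dropped)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "stealth"
    except OSError as exc:
        # An ICMP "unreachable" answer is neither of the three states above.
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise


def loopback_demo():
    """Probe a listening and a non-listening loopback port (constructed setup)."""
    with socket.socket() as listener, socket.socket() as idle:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        idle.bind(("127.0.0.1", 0))  # bound but never listening: kernel resets
        return (
            probe_tcp("127.0.0.1", listener.getsockname()[1], 1.0),
            probe_tcp("127.0.0.1", idle.getsockname()[1], 1.0),
        )


if __name__ == "__main__":
    print(loopback_demo())
```

Run from a machine outside the LAN against the public address, a working forward of port 22 has to come back as "open".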
- 05-10-2010 #7
I've double, triple and quadruple checked the settings and can't see anything that would be preventing the connection.
I talked to the telco support and told them that I was trying to forward traffic from port 22 - I guess it might be a good idea to specifically ask them if the port is blocked.
Otherwise, I'm lost here.
- 05-11-2010 #8
Most ISPs block default ports because they don't want you running those servers.
Try changing the SSH port to something else instead; it will make you a little less likely of a target through obscurity anyway.
- 05-11-2010 #9
> try changing SSH port to something else instead, it will make you a little less likely of a target through obscurity anyway
I talked again with telco support, they assured me that port 22 is not blocked.
It must be the settings on my hardware that's causing the problem so I thought I'd post just what I've done to see if anyone sees an error.
The first unit in the chain is the Barricade (IP 192.168.2.1). The instructions say to use the advanced settings/special applications for port forwarding.
The fields there are (left to right):
Trigger port - I entered 22, Trigger type - I checked TCP, the next is Public Port - I've entered 22 then there's Public Type - again I chose TCP, and there's a check box to enable - of course, then I save the settings.
The packets then go to the Linksys router (192.168.1.1). The Tomato firmware wants a Src address first - I've entered the address of the Barricade, then Ext. Port - I've entered 22, then 22 for the Int. port, the next field is Int address - which is partially filled in with 192.168.1.x - my internal address for the desktop is 192.168.1.110 so I put 110 as the last digits of the octet.
It just occurred to me that the Linksys address 192.168.1.110 may be the problem since the default gateway is 192.168.2.1
But then the Barricade has me assign a group of addresses for machines on the network and I started with 192.168.1.1 up to xxx.xxx.1.149
EDIT:
I meant to say that I started with 192.168.2.1 to 192.168.2.149
I did try a different internal port number on the Linksys but it didn't make a difference.
- 05-11-2010 #10
OK, each router has two interfaces. Call them WAN (wide area network)
and LAN (local area network). The barricade's WAN interface has your
public IP address. Its LAN interface is 192.168.2.1
The linksys WAN interface is on the same subnet as the barricade's
LAN interface, and therefore needs an address of 192.168.2.X
The barricade must forward the port to that 192.168.2.X address.
The linksys LAN interface is 192.168.1.1 and desktop is 192.168.1.100
The linksys must forward the port to 192.168.1.100
I guess I should have asked why you need two routers.


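The rule from the last post (each router forwards to an address on its own LAN, and that address is the next device's WAN side) can be checked mechanically. This is an added example, not part of the thread: `check_chain` and `make_chain` are hypothetical names, the Linksys WAN address 192.168.2.50 and the public address 203.0.113.10 are constructed placeholders, and the desktop address is the 192.168.1.110 given by the original poster.

```python
from ipaddress import ip_address, ip_network

LINKSYS_WAN = "192.168.2.50"   # assumed; the thread only says 192.168.2.X
DESKTOP = "192.168.1.110"      # desktop address as given by the original poster


def check_chain(routers, host_ip, port):
    """Walk a daisy chain of NAT routers (outermost first) and list problems.

    Each router is a dict: name, wan (WAN address), lan (LAN subnet, CIDR),
    forwards ({external_port: (internal_ip, internal_port)}).
    """
    problems = []
    for i, r in enumerate(routers):
        rule = r["forwards"].get(port)
        if rule is None:
            problems.append(f"{r['name']}: no forward for port {port}")
            return problems  # the packet is dropped at this hop
        target, port = ip_address(rule[0]), rule[1]  # port may be translated
        if target not in ip_network(r["lan"]):
            problems.append(
                f"{r['name']}: target {target} is not on its LAN {r['lan']}")
        # Next hop is the next router's WAN side, or the host at the end.
        last = i + 1 == len(routers)
        expected = ip_address(host_ip if last else routers[i + 1]["wan"])
        if target != expected:
            problems.append(
                f"{r['name']}: forwards to {target}, next hop is {expected}")
    return problems


def make_chain(barricade_target):
    """Constructed model of the thread's two routers, forwarding port 22."""
    return [
        {"name": "Barricade", "wan": "203.0.113.10", "lan": "192.168.2.0/24",
         "forwards": {22: (barricade_target, 22)}},
        {"name": "WRT54G", "wan": LINKSYS_WAN, "lan": "192.168.1.0/24",
         "forwards": {22: (DESKTOP, 22)}},
    ]


if __name__ == "__main__":
    print(check_chain(make_chain(LINKSYS_WAN), DESKTOP, 22))  # correct chain
    print(check_chain(make_chain(DESKTOP), DESKTOP, 22))      # skips a hop
```

The second call models the outer router pointing straight at the desktop's 192.168.1.x address, which is not reachable from its 192.168.2.0/24 LAN.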
