On Thu, Oct 2, 2014 at 9:17 PM, Harry Putnam <[email protected]> wrote:
> I want all the hosts... (only two shown but there are more like 12-14)
> to be able to ssh to each other from anywhere on the lan.
>
> So far hosts on 10.0.0.0/24 subnet can ssh each other, but not hosts
> on 192.168.2.0/24. Hosts from 192.168.2.0/24 can ssh to either
> subnet.
>
> I picked this bit of code up in the piles of openwrt docs:
> (http://www.it-slav.net/blogs/2011/04/02/open-ssh-on-the-wan-inteface-openwrt/)
>
> config rule
>     option src wan
>     option dest_port 22
>     option target ACCEPT
>     option proto tcp
>
> #/etc/init.d/firewall restart
>
> I thought it would let 10.0.0.0/24 hosts ssh to other subnet. But it
> does not appear to have that effect.
That would let you SSH from the WAN to the OpenWRT router.
If you want to allow access to SSH on the other machines in the
192.168.2.x subnet, you will need to add a line to that which says
"option dest lan" to your rule to enable connections to machines other
than the OpenWRT router (see Link [1]).
However, that won't do much unless you allow forwarding from WAN to LAN.
In the firewall config file, there is a section called "config
forwarding" (see Link [2] for more info).
By default, it has just one section (quoted below):

config forwarding
    option src lan
    option dest wan

You will need to add another section to allow forwarding from WAN to
LAN. I think that will need to be in its own "config forwarding" like
below:

config forwarding
    option src wan
    option dest lan

(Note: I am guessing that it needs to be its own section, as I have
never used it. If that doesn't work, try adding the "option src
wan" and "option dest lan" to the existing "config forwarding"
section.)

Link [1]: http://wiki.openwrt.org/doc/uci/firewall#rules
Link [2]: http://wiki.openwrt.org/doc/uci/firewall#forwardings
Aaron Z
A human being should be able to change a diaper, plan an invasion,
butcher a hog, conn a ship, design a building, write a sonnet, balance
accounts, build a wall, set a bone, comfort the dying, take orders,
give orders, cooperate, act alone, solve equations, analyze a new
problem, pitch manure, program a computer, cook a tasty meal, fight
efficiently, die gallantly. Specialization is for insects.
— Robert Heinlein, Time Enough for Love
_______________________________________________
openwrt-users mailing list
[email protected]
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-users
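
Added example, not part of the original message or of OpenWrt: a small Python check that reads firewall sections in the UCI syntax quoted in this thread and lists what each one accepts from the wan zone. It shows the difference in scope between a rule without "option dest" (input to the router), a rule with "option dest lan" (one forwarded port) and a "config forwarding" section (everything between the two zones). The names parse_uci, audit and SAMPLE are made up for this example, and the sample config is constructed from the snippets above.

```python
import shlex

# Constructed sample in /etc/config/firewall (UCI) syntax, built from the thread.
SAMPLE = """
config forwarding
    option src lan
    option dest wan
config forwarding
    option src wan
    option dest lan
config rule
    option src wan
    option dest_port 22
    option target ACCEPT
    option proto tcp
config rule
    option src wan
    option dest lan
    option dest_port 22
    option target ACCEPT
    option proto tcp
"""

def parse_uci(text):
    """Return a list of (section_type, {option: value}) from UCI text."""
    sections = []
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # handles quotes and '#' comments
        if tokens[:1] == ["config"] and len(tokens) >= 2:
            sections.append((tokens[1], {}))
        elif tokens[:1] == ["option"] and len(tokens) >= 3 and sections:
            sections[-1][1][tokens[1]] = tokens[2]
    return sections

def audit(text, untrusted="wan"):
    """Describe every section that accepts traffic coming from the untrusted zone."""
    findings = []
    for kind, opts in parse_uci(text):
        if opts.get("src") != untrusted:
            continue
        if kind == "forwarding":
            findings.append(f"forwarding {untrusted}->{opts.get('dest')}: all ports and protocols")
        elif kind == "rule" and opts.get("target") == "ACCEPT":
            scope = f"forward to zone {opts['dest']}" if "dest" in opts else "input to the router itself"
            findings.append(f"rule {opts.get('proto', 'any')}/{opts.get('dest_port', 'any')}: {scope}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run against a copy of the router's /etc/config/firewall, each line of output is one opening from wan, so a zone-wide forwarding stands out next to a single-port rule.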