Speed Stream 5861

[datamike]

I have some problems. I have a Speed Stream 5861 router/modem at a lab. We have three PC's on the inside sharing a connection and a Red Hat server. The PC's need a static IP address in order to log into the software on the Linux box. OK that is my setup. The problem is I am trying to SSH into the Linux box through the modem/router by opening port 22 on the router. The config is a little screwy and I can't seem to find any more info on the router. There is a remote side and a ethernet side in the config. I have NAT turned on on the remote side and NAT turned on on the the ethernet side. I can SSH fine, but the internet does not work from the inside. If I shut NAT off on ethernet I can not SSH but I can access the internet. Weird. The other thing I noticed was that if I run a nmap when NAT ethernet is off port 22 is filtered. If the NAT ethernet is on port 22 says it is filtered. Anyone have any ideas. I have set this up before on a different router/modem and had no problems. I can't figure this one out though.

[Schotty]

setup port forwarding on the nat gateway to forward the ssh requests to the server. And of course allow on the server ssh requests.

After a second of thinking -- is this a bridge or a normal nat gateway? If it is a bridge make sure that the firewall on the server is set to allow your real world (wan) IPs. Otherwise if it is a nat gateway, it would be the private IPs (LAN0 that would be used.

So if 1.2.3.4 -1.2.3.6 are issued to you from your ISP, your firewall would need to know that the following IPs need to connect. If it is not bridged and therefore natted, we need to say ... map 192.168.0.4 - 192.168.0.6 to each WAN IP and allow ssh sessions from 192.168.4 - 192.168.0.6.

[datamike]

It is set up like that right now. It has somthing to do with the wierd settings I posted before. I just dont get how I can SSH one way and not get to the net and the other way I can get to the net but not SSH.

[Schotty]

Set in the router the rules. I have a speed stream 5861, so i am familiar with the type of equipment you got. What we do here is forward entire IPs to the servers (we got a 5 ip block), and firewall from there. The natted machines on the gateway have no real way of getting hacked behind the firewall/gateway so those are left alone, but each server with direct access to the net is firewalled and filtered like all hell.

[datamike]

Andrew that is sweet that you have one of these. Ok, in a few minutes I am gonna paste the settings and you can tell me where I went wrong. I did it all by command line so I hope you did it the same way.

[datamike]

Here are the settings. The * are numbers but are I just put them in there to protect the innocent. Can you see anything wrong?
GLOBAL BRIDGING/ROUTING SETTINGS:
Bridging enabled..................... no
Exchange spanning tree with dest... yes
Bridge only PPPoE with dest........ no
IP Routing enabled................... yes
Multicast forwarding enabled....... no
Firewall filter enabled ........... yes
Directed Broadcasts Allowed........ no
RIP Multicast address.............. default
VRRP Multicast address............. default
IPX Routing enabled.................. no

ETHERNET INFORMATION FOR <ETHERNET/0>
Hardware MAC address................. 00:20:6F:13:34:F5
Send IP RIP to the LAN............... rip-1 compatible
Advertise me as default router..... yes
Process IP RIP packets received...... rip-1 compatible
Receive default route by RIP....... yes
IP address translation............... no
IP filters defined................... no
IP address/subnet mask............... 192.168.21.1/255.255.255.0
Management IP address/subnet mask.... 0.0.0.0/0.0.0.0
Static Ethernet routes defined....... none
Virtual Ethernet routes defined...... none
IPX External network number.......... 00000000
IPX Frame type....................... 802.2
MTU.................................. default
# rem list
INFORMATION FOR <internet>
Status............................... enabled
Interface in use..................... HSD
Protocol in use...................... RFC1483 (SNAP) - MAC Encapsulated Routin
g
ATM traffic shaping...................no
Connection Identifier (VPI*VCI)...... 0*35
IP address translation............... on
Server(s) (IP Translation) ........ 192.168.21.200 proto-TCP port-22
IP filters defined................... no
Send/Receive Multicast............... off
Block NetBIOS Packets................ on
Source IP address/subnet mask........ 66.*.*.*/255.255.255.248
Remote IP address/subnet mask........ 0.0.0.0/0.0.0.0
Management IP address/subnet mask.... 0.0.0.0/0.0.0.0
Send IP RIP to this dest............. no
Send IP default route if known..... no
Receive IP RIP from this dest........ no
Receive IP default route by RIP.... no
Keep this IP destination private..... yes
Total IP remote routes............... 1
0.0.0.0/0.0.0.0/1->66.*.*.*
IPX network number................... 00000000
Use IPX RIP/SAP (negotiate with PPP): yes
Total IPX remote routes.............. 0
Total IPX SAPs....................... 0
Bridging enabled..................... no
Exchange spanning tree with dest... no
Bridge only PPPoE with dest........ no
mtu.................................. 1500
# system list
GENERAL INFORMATION FOR <>
System started on.................... 10/16/2002 at 7:55
Authentication override.............. none
WAN to WAN Forwarding................ yes
Block NetBIOS Default................ no
BOOTP/DHCP Server address............ none
Telnet Port.......................... default (23)
Telnet Clients....................... LAN
SNMP Port............................ disabled (0)
SNMP Clients......................... LAN
HTTP Port............................ default (80)
HTTP Clients......................... LAN
Syslog Port.......................... default (514)
Allowed Syslog Servers............... LAN
Default Syslog Servers............... none
System message:
Security timer....................... 10 minutes
One WAN Dial Up...................... no
Management feature................... 0
Rip timer............................ 30
Backup............................... no (no valid remote profile is enabled)
Retry Interval In Minutes.......... 30
Stability Interval In Minutes...... 3

[Schotty]

Yeah, I preferred the command line simply because the sofware is for winderz only.

Well, after reading up a bit in their manual, I can reccomend one really easy way to handle this. Since it appears that you are using a setup similar to this : (beware -- bad artwork)

dsl -> 5861 -> Lan (3 PCs, 1 Server)

I would do this -- in the built in sofware, turn on the firewall and do the usual blocking. Now setup hostmapping for the server. And setup the firewall rules accordingly.

Now, your workstations will by default be able to access the net (if you enable nat). I personally hated dealing with the dhcp server, mainly because I hate dhcp in the first place. So I disabled mine. And my 5861 used 192.168.254.0/24 as the default subnet, with .254 as the 5861 unitself.

I have currently 2 nodes connected -- a mail server and my gateway. The mail server is setup with hostmapping, the gateway isnt yet, although I may add it at a later time. The firewalls on each unit filter appropriately for each duty -- mail server only needs mail, gateway more stuff, but no mail -- yadda adda...

My suggestion is similar. Once you have the natting in place the workstations will be able to do their work. restrictions can be added with a firewall/proxy. For the server -- well the same thing. And since you can setup the server to accept ssh quite easily, the rest is history.

For the ssh session from outside the LAN, say you were given 1.1.1.1/32 as your IP. you can do an (assuming the server is 192.168.254.1):

Code:

system addHostMapping 1.1.1.1 1.1.1.1 192.168.254.1
save
reboot

and a

Code:

ssh 1.1.1.1

will get thru to the server provided that the source IP isnt firewalled, and you are setup to go thru port 22 (ssh can be remapped to an alternate port)

Does that suit what you need?

[datamike]

Thanks Schotty, I will give it a shot as soon as it lets up here. Let you know how it goes.

[Schotty]

Hehehe, I know that feeling. Gimme a hollar if you need anything. I live in hell ... ahem work. ;D

[Schotty]

How did it turn out (if anything yet) ?