03-21-2013, 08:00 PM
|
#1
|
LQ Newbie
Registered: Oct 2010
Location: Toronto, Canada
Distribution: Arch Linux
Posts: 25
Rep:
|
Can connect to SSH through router remotely, yet not within network.
My goal was to set up an SSH server on my laptop that I can access remotely. I figured out how to easily forward ports (simply use the router website interface) but no matter what, nmap scans continually revealed that port 22 (which was forwarded from on the router) wasn't open when scanning my router IP, 192.168.2.1.
I reset my router, did everything, couldn't connect. I tried SSHing from multiple devices and it still didn't work. However, if I do an online port scan, i.e. using a website like canyouseeme.org, then it shows port 22 IS open. This was extremely strange. But I figured out that if I use an online web-based ssh client, I can ssh "remotely" into my computer from the web and that port forwarding indeed works. Yet, why can't I also ssh from within my network using an internet IP address as my router?
|
|
|
03-21-2013, 08:53 PM
|
#2
|
Moderator
Registered: Aug 2002
Posts: 26,640
|
You should be able to ssh using your WAN IP address from within your network as well as ssh to the server's LAN IP address from any computer on your LAN. You cannot use the router's LAN IP address, i.e. 192.168.2.1.
|
|
|
03-21-2013, 10:17 PM
|
#3
|
LQ Newbie
Registered: Oct 2010
Location: Toronto, Canada
Distribution: Arch Linux
Posts: 25
Original Poster
Rep:
|
I tried using the router's WAN address on my nmap scan and to connect, but it did not work. The same thing with the LAN. I could only connect with the router's WAN address outside of my network.
|
|
|
03-22-2013, 02:16 PM
|
#4
|
LQ Guru
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,573
|
Port forwarding only works when coming in through the WAN port. You can't ssh into the router's LAN IP and expect it to forward you properly. As for why it won't work when SSHing to your router's public WAN IP from within your network...my guess is your modem or ISP is blocking loopback connections.
|
|
1 members found this post helpful.
|
03-22-2013, 07:24 PM
|
#5
|
LQ Guru
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733
|
Are you forwarding port 22 to your laptop's LAN IP address or changing the port used as well?
You should be able to do both for the WAN interface. Using a port over 1024 on the WAN side and forwarding it to your laptop's IP address on port 22 will greatly reduce the number of script kiddie brute force attacks.
On the LAN, access ssh using your laptop's LAN IP address instead.
For many routers, you can use the hostname instead of the IP address. You may need to fix the IP address to your laptop's MAC address in the router's config for this to work.
|
|
|
03-25-2013, 12:42 PM
|
#6
|
Senior Member
Registered: May 2009
Location: center of singularity
Distribution: Xubuntu, Ubuntu, Slackware, Amazon Linux, OpenBSD, LFS (on Sparc_32 and i386)
Posts: 2,868
Rep: 
|
Quote:
Originally Posted by suicidaleggroll
Port forwarding only works when coming in through the WAN port. You can't ssh into the router's LAN IP and expect it to forward you properly. As for why it won't work when SSHing to your router's public WAN IP from within your network...my guess is your modem or ISP is blocking loopback connections.
|
It depends where the router's software checks a packet to see if it matches the forwarding criteria. If the criteria does not specify a destination IP address, and its test is placed at a point where packets in both directions go through (usually pre-routing), then one forward entry can apply to all IPs.
Usually, small routers just handle port forwarding by using a permanent NAT entry. And they often only support NAT for the WAN. On a major enterprise firewall device, I had to put forwarding entries in twice for each port I wanted to go to in order to allow this from both outside users on the internet and inside users on our LANs.
|
|
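The difference described in post #6, written out as iptables rules for a Linux-based router. This is an added example, not part of any post in the thread; the interface names, the laptop address 192.168.2.50 and the public address 203.0.113.10 are constructed, and the script only prints the commands rather than applying them.

```bash
#!/bin/sh
# Dry run: prints iptables commands instead of applying them, so no root is
# needed. Interface names and addresses are constructed for illustration.
WAN_IF="eth0"             # assumed WAN-facing interface
LAN_IF="br0"              # assumed LAN-facing interface
WAN_IP="203.0.113.10"     # placeholder public address (documentation range)
LAN_NET="192.168.2.0/24"  # assumed LAN, based on the router address 192.168.2.1
SSH_HOST="192.168.2.50"   # assumed LAN address of the laptop running sshd

# Variant A: forward bound to the WAN interface. Packets from LAN clients
# arrive on the LAN interface, so this rule is never evaluated for them.
forward_wan_only() {
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 22 -j DNAT --to-destination $SSH_HOST:22"
}

# Variant B: match on the destination address instead, so packets from either
# side hit the rule. The POSTROUTING rule rewrites the source of LAN-originated
# connections to the router; without it the laptop answers the client directly
# and the client discards a reply that does not come from the WAN address.
forward_with_loopback() {
    echo "iptables -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 22 -j DNAT --to-destination $SSH_HOST:22"
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -d $SSH_HOST -p tcp --dport 22 -j MASQUERADE"
}

# Is rule $1 evaluated for a packet that arrives on interface $2?
rule_sees_iface() {
    case "$1" in
        *" -i $2 "*) return 0 ;;  # bound to this interface
        *" -i "*)    return 1 ;;  # bound to a different interface
        *)           return 0 ;;  # no -i match: applies to every interface
    esac
}

# Show which DNAT rule a WAN packet and a LAN packet would reach.
for rule in "$(forward_wan_only)" "$(forward_with_loopback | head -n 1)"; do
    for ifc in "$WAN_IF" "$LAN_IF"; do
        if rule_sees_iface "$rule" "$ifc"; then verdict="evaluated"; else verdict="skipped"; fi
        echo "$ifc: $verdict: $rule"
    done
done
```

If the router's FORWARD chain drops by default, traffic to the laptop on port 22 also has to be accepted there.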
|
03-25-2013, 12:55 PM
|
#7
|
LQ Guru
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,573
|
Quote:
Originally Posted by Skaperen
It depends where the router's software checks a packet to see if it matches the forwarding criteria. If the criteria does not specify a destination IP address, and its test is placed at a point where packets in both directions go through (usually pre-routing), then one forward entry can apply to all IPs.
Usually, small routers just handle port forwarding by using a permanent NAT entry. And they often only support NAT for the WAN. On a major enterprise firewall device, I had to put forwarding entries in twice for each port I wanted to go to in order to allow this from both outside users on the internet and inside users on our LANs.
|
Thanks for the clarification. The vast majority of my experience is with the small home routers you refer to in your post.
|
|
|
03-25-2013, 02:28 PM
|
#8
|
Senior Member
Registered: May 2009
Location: center of singularity
Distribution: Xubuntu, Ubuntu, Slackware, Amazon Linux, OpenBSD, LFS (on Sparc_32 and i386)
Posts: 2,868
Rep: 
|
Quote:
Originally Posted by suicidaleggroll
Thanks for the clarification. The vast majority of my experience is with the small home routers you refer to in your post.
|
The same basics apply to enterprise and SOHO routers. But the latter may lack a lot of the extra features to minimize the firmware space, get you to buy a higher priced model, etc. These would be features less needed or used in the SOHO environment, such as making a local server look like it's all part of the internet to office staff, so they can just use the common hostname instead of a special internal one.
|
|
|
03-26-2013, 06:07 PM
|
#9
|
Senior Member
Registered: Dec 2005
Location: Florida
Distribution: CentOS/Fedora/Pop!_OS
Posts: 2,992
|
In short, you are testing the wrong side of your router. nmap via your LAN to your router will show NOTHING as your router is not capable of receiving an ssh connection. It is set up to accept HTTP/HTTPS and maybe a COM port connection, but that is highly unlikely unless this is either very old or a high end router.
Internally, if you cannot
Code:
ssh user_name_of_laptop@LAN_IP_of_laptop
then you need to properly configure the laptop and its firewall software. As you have not provided us with the distro you are running we have no way of directing you on this line of troubleshooting.
If you are able to ssh into the laptop via your LAN as I instructed above then as long as your laptop is set to either a static IP on your LAN, or you configure the DHCP to always assign your laptop's MAC address for its NIC then your port forwarding is worthless. Every time the laptop's IP changes your port forwarding will break.
1. Verify that you are issuing the correct ssh command to gain access to the laptop via your LAN.
2. If you are unable to connect, start with the laptop and troubleshoot the connection issue.
2a. Verify that sshd is running and properly configured to accept connections.
2b. Verify that the firewall (iptables, ip6tables, firewalld, whatever) is configured to allow ssh connections.
3. Configure your laptop to either run a static IP while at home, remembering to set it back to DHCP while on the road, or configure your DHCP server to always assign the same IP to your laptop.
4. Verify that you can ssh into your WAN IP after all the above is resolved and functioning 100%.
5. Consider either investing in a static IP from your ISP, or try to find a DDNS service that you can either run via your laptop or your router. If you can run one from your router that would be best.
Before we can really help we need more information about the distro you are running on your laptop and how it is configured.
|
|
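The checks from post #9 as one script, to be run on the laptop. This is an added example, not part of any post in the thread; the addresses in the usage line are constructed, and the "outside" result has to come from an external port checker because it cannot be measured from inside the LAN.

```bash
#!/bin/bash
# Added example; the addresses in the usage line are constructed placeholders.

# Step 2a: read `ss -tln` output on stdin; succeed if something listens on port $1.
has_listener() {
    awk -v p=":$1" '$1 == "LISTEN" && $4 ~ (p "$") { found = 1 } END { exit !found }'
}

# Steps 1 and 4: try a TCP connect with a 3 s timeout; prints "open" or "closed".
probe() {
    if timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; then
        echo open
    else
        echo closed
    fi
}

# Turn three observations into the next thing to check.
#   $1 = laptop LAN IP probed from the LAN
#   $2 = router WAN IP probed from the LAN
#   $3 = router WAN IP probed from outside (external port checker)
diagnose() {
    if [ "$1" = closed ]; then
        echo "laptop: fix sshd or the host firewall before touching the router"
    elif [ "$3" = closed ]; then
        echo "forward: rule missing or pointing at an old LAN IP for the laptop"
    elif [ "$2" = closed ]; then
        echo "loopback: forward works from the WAN only; use the LAN IP at home"
    else
        echo "ok: sshd reachable on every path"
    fi
}

# Usage: ./sshpath.sh LAPTOP_LAN_IP ROUTER_WAN_IP OUTSIDE_RESULT
# e.g.   ./sshpath.sh 192.168.2.50 203.0.113.10 open
if [ "$#" -eq 3 ]; then
    ss -tln | has_listener 22 || echo "note: nothing listening on port 22 on this host"
    diagnose "$(probe "$1" 22)" "$(probe "$2" 22)" "$3"
fi
```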
|