Two computers behind router, how do I ssh from outside the LAN?
Hi all. My problem is as follows:
I recently added a second (wired) computer to my router. I can access either of my two wired computers through SSH via their LAN address 192.168.x.x but I am wondering how might I access either of them from outside my LAN, like when I am at work or school? I haven't had any luck googling or LQsearching for a solution to my question. Thank you.
I had already configured my router to allow access to one of the PCs. I've had no problem accessing my first PC from outside the LAN. Now, however, I'm trying to access the second PC. The SSH port forwarding tutorial does not touch on adding a second PC. And I can't forward port 22 to both PCs, apparently, as I'm creating a conflict. Is it even possible to allow SSH port forwarding to multiple computers behind a router?
Ah, well check that out. I learned something new about port options from the command line, specifically -p # with ssh. Thanks for the tip.
I also had to mess around with /etc/ssh/ssh_config (and possibly /etc/ssh/sshd_config) to change the port ssh listens to to the port I assigned it to. After that it worked like a beast. Thanks!
The workaround to this is actually kind of funny lol
You forward one machine to the outside ssh port and connect from work. Then you ssh into the other ip through the current ssh session.
Like so:
Code:
** note: <> should not be typed and indicates the placeholder for
information you need to type regarding your current ip addresses and
usernames.
user@localhost$:ssh <username@wan-ip>
Password:
user@wan-ip$:ssh <username@lan-ip>
Password:
user@lan-ip$:
It's ugly, but it works.
Last edited by zeroability; 08-23-2006 at 03:56 PM.
Ah, well check that out. I learned something new about port options from the command line, specifically -p # with ssh. Thanks for the tip.
I also had to mess around with /etc/ssh/ssh_config (and possibly /etc/ssh/sshd_config) to change the port ssh listens to to the port I assigned it to. After that it worked like a beast. Thanks!
no no, that's wrong, you would leave the real ssh server untouched, and simply redirect the port on the firewall, i.e. 1.2.3.4:22 -> 192.168.1.1:22 and 1.2.3.4:2222 -> 192.168.1.2:22
Now I'm unable to ssh into either computer after trying acid_kewpie's latest instructions.
From within my router I have 192.168.1.1 forward port 211 w/ TCP and 192.168.1.2 forward port 212 w/ TCP. I reverted /etc/ssh/ssh_config and sshd_config back to listening to port 22 within the computers themselves. Now how I understand your last post, I should be able to just ssh in via the following command:
Am I correct to assume that is how I should be tunneling? I shouldn't need to add [-p 22] to the ssh command as ssh is seeking port 22 by default and my computers are listening for action on port 22, correct? The :211 on the end of my.global.ip.address is what is telling the ssh command to send the request through port 211 of my firewall, correct?
The error is as follows (though you could have guessed):
ssh: connect to host my.global.ip.address:211 port 22: Connection refused.
And just so I'm clear, ssh is turned on on that computer. I can still ssh in via the LAN and the 192.168.1.1 address. Thanks for your time and replies, I could still use some clarification (and just think of how helpful this discussion could be the more detail we go into. It'll help out future forum'ers who have the same problem).
[EDIT]
Just messing around with my router, I added 192.168.1.1 port 22 w/ TCP to my router port forwarding. Now when I [ssh username@my.global.ip.address:211 or 212] it always goes to my first PC. Bleh.
[EDIT2]
There's some mess about public/private ports. What would be logical to me is that I assign 192.168.1.1 to forward (public 211) to (private 22) and 192.168.1.2 to forward (public 212) to (private 22) meaning when I [ssh -p 212 myaddress] then it forwards SSH through port 212 in the firewall along to myaddress via port 22 in the computer. Instead, I'm getting conflicting port ranges again! I can't assign any two private ports to be the same thing. That's counterintuitive to me, and just seems to be a design flaw. I must be missing one very simple step.
no, you're interpreting me wrongly. on the router you tell it to forward connections on port 211 in your example to port 22 on internal host 1, and external hits on port 212 to 22 internally on the second machine. so from the outside you DO need to use -p 211 or -p 212 to hit the right machine, but the internal servers will only ever see port 22 activity from the joys of port translation.
Thanks for all your help, especially acid_kewpie. It turns out it was a "design flaw" where D-Link was concerned. I have a D-Link 524 (DI 524) and hadn't updated the firmware in the last year. I was running version 3.02 of the firmware and now have the latest 3.23 firmware. It turns out, I couldn't redirect external port 211 and external port 212 to internal ports 22 on each respective computer because the firmware saw this as a conflict of port ranges. The firmware upgrade fixed that, so I can redirect (private/public) 22/211 and 22/212 now and it all works with a simple
ssh -p (211 or 212) myaddress
except with some complaints about RSA keys and such. Thanks for all the help, it's working now like I had it before. Just now I didn't have to tell the machines themselves to listen on ports 211 and 212 respectively. Thanks again.
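The two approaches from this thread, written as a client-side `~/.ssh/config` (an added example, not part of the original posts). The aliases `pc1`, `pc2`, `pc2-via-pc1`, the `*.home` key names and the user `username` are hypothetical; the ports and addresses are the ones used in the thread.

```sshconfig
# ~/.ssh/config on the outside client (added example; aliases and user
# names are hypothetical, ports and addresses are taken from the thread).

# Approach 1: one public port per machine, matching the final router setup
# (public 211 -> 192.168.1.1:22, public 212 -> 192.168.1.2:22).
# sshd on both machines stays on its default port 22.
Host pc1
    HostName my.global.ip.address
    Port 211
    User username
    # Record this machine's host key under its own name instead of under
    # the WAN address that both machines share.
    HostKeyAlias pc1.home

Host pc2
    HostName my.global.ip.address
    Port 212
    User username
    HostKeyAlias pc2.home

# Approach 2: forward a single port and hop through the first machine
# (the two-step login from the earlier post, done in one command).
# ProxyJump requires OpenSSH 7.3 or later on the client.
Host pc2-via-pc1
    # Resolved from pc1, so the LAN address works here.
    HostName 192.168.1.2
    Port 22
    User username
    ProxyJump pc1
    # Same machine as pc2, so the same host key entry is reused.
    HostKeyAlias pc2.home
```

With this file in place, `ssh pc1` and `ssh pc2` replace the `ssh -p (211 or 212) myaddress` form, and each machine's host key is tracked separately even though both sit behind one public address.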