Old 08-23-2006, 02:07 PM   #1
kdnewton
LQ Newbie
 
Registered: Feb 2006
Distribution: Kubuntu, dsl
Posts: 5

Rep: Reputation: 0
Two computers behind router, how do I ssh from outside the LAN?


Hi all. My problem is as follows:

I recently added a second (wired) computer to my router. I can access either of my two wired computers through SSH via their LAN address 192.168.x.x but I am wondering how might I access either of them from outside my LAN, like when I am at work or school? I haven't had any luck googling or LQsearching for a solution to my question. Thank you.
 
Old 08-23-2006, 02:08 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
check dis: http://portforward.com all you need to know right there.
 
Old 08-23-2006, 02:32 PM   #3
kdnewton
LQ Newbie
 
Registered: Feb 2006
Distribution: Kubuntu, dsl
Posts: 5

Original Poster
Rep: Reputation: 0
Thanks for the reply, still no go.

I had already configured my router to allow access to one of the PCs. I've had no problem accessing my first PC from outside the LAN. Now, however, I'm trying to access the second PC. The SSH port forwarding tutorial does not touch on adding a second PC. And I can't forward port 22 to both PCs, apparently, as I'm creating a conflict. Is it even possible to allow SSH port forwarding to multiple computers behind a router?
 
Old 08-23-2006, 02:52 PM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
yeah sure, just use a different port... 23, 220, 222, 22222 whatever you feel like, just as long as it's not already in use.
 
Old 08-23-2006, 02:57 PM   #5
marozsas
Senior Member
 
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,499
Blog Entries: 2

Rep: Reputation: 68
and before you ask, on the client side, "ssh -p 22222 your-remote-host" will connect to the second pc. For "scp" use -P (uppercase p).
 
Old 08-23-2006, 03:08 PM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Quote:
Originally Posted by marozsas
and before you ask, on the client side, "ssh -p 22222 your-remote-host" will connect to the second pc. For "scp" use -P (uppercase p).
that inconsistency has always bugged me, -p vs -P..... always get the wrong one personally.
 
Old 08-23-2006, 03:43 PM   #7
kdnewton
LQ Newbie
 
Registered: Feb 2006
Distribution: Kubuntu, dsl
Posts: 5

Original Poster
Rep: Reputation: 0
Ah, well check that out. I learned something new about port options from the command line, specifically -p # with ssh. Thanks for the tip.

I also had to mess around with /etc/ssh/ssh_config (and possibly /etc/ssh/sshd_config) to change the port ssh listens to to the port I assigned it to. After that it worked like a beast. Thanks!
 
Old 08-23-2006, 03:53 PM   #8
zeroability
Member
 
Registered: Dec 2002
Location: Kalamazoo, MI - US
Distribution: OpenMandriva
Posts: 144

Rep: Reputation: 15
The workaround to this is actually kind of funny lol


You forward one machine to the outside ssh port and connect from work. Then you ssh into the other ip through the current ssh session.

Like so:

Code:
** note: <> should not be typed and indicates the placeholder for
information you need to type regarding your current ip addresses and
usernames.

user@localhost$:ssh <username@wan-ip>
Password:

user@wan-ip$:ssh <username@lan-ip>
Password:

user@lan-ip$:
It's ugly, but it works.

Last edited by zeroability; 08-23-2006 at 03:56 PM.
 
Old 08-23-2006, 04:10 PM   #9
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Quote:
Originally Posted by kdnewton
Ah, well check that out. I learned something new about port options from the command line, specifically -p # with ssh. Thanks for the tip.

I also had to mess around with /etc/ssh/ssh_config (and possibly /etc/ssh/sshd_config) to change the port ssh listens to to the port I assigned it to. After that it worked like a beast. Thanks!
no no, that's wrong, you would leave the real ssh server untouched, and simply redirect the port on the firewall, i.e. 1.2.3.4:22 -> 192.168.1.1:22 and 1.2.3.4:2222 -> 192.168.1.2:22
 
Old 08-24-2006, 10:57 AM   #10
kdnewton
LQ Newbie
 
Registered: Feb 2006
Distribution: Kubuntu, dsl
Posts: 5

Original Poster
Rep: Reputation: 0
Really, thanks for all the replies.

Now I'm unable to ssh into either computer after trying acid_kewpie's latest instructions.

From within my router I have 192.168.1.1 forward port 211 w/ TCP and 192.168.1.2 forward port 212 w/ TCP. I reverted /etc/ssh/ssh_config and sshd_config back to listening to port 22 within the computers themselves. Now how I understand your last post, I should be able to just ssh in via the following command:

ssh username@my.global.ip.address:211 (for the first PC and)
ssh username@my.global.ip.address:212 (for the second PC)

Am I correct to assume that is how I should be tunneling? I shouldn't need to add [-p 22] to the ssh command as ssh is seeking port 22 by default and my computers are listening for action on port 22, correct? The :211 on the end of my.global.ip.address is what is telling the ssh command to send the request through port 211 of my firewall, correct?

The error is as follows (though you could have guessed):
ssh: connect to host my.global.ip.address:211 port 22: Connection refused.

And just so I'm clear, ssh is turned on on that computer. I can still ssh in via the LAN and the 192.168.1.1 address. Thanks for your time and replies, I could still use some clarification (and just think of how helpful this discussion could be the more detail we go into. It'll help out future forum'ers who have the same problem).

[EDIT]
Just messing around with my router, I added 192.168.1.1 port 22 w/ TCP to my router port forwarding. Now when I [ssh username@my.global.ip.address:211 or 212] it always goes to my first PC. Bleh.

[EDIT2]
There's some mess about public/private ports. What would be logical to me is that I assign 192.168.1.1 to forward (public 211) to (private 22) and 192.168.1.2 to forward (public 212) to (private 22) meaning when I [ssh -p 212 myaddress] then it forwards SSH through port 212 in the firewall along to myaddress via port 22 in the computer. Instead, I'm getting conflicting port ranges again! I can't assign any two private ports to be the same thing. That's counterintuitive to me, and just seems to be a design flaw. I must be missing one very simple step.

Last edited by kdnewton; 08-24-2006 at 11:48 AM.
 
Old 08-24-2006, 12:14 PM   #11
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
no, you're interpreting me wrongly. on the router you tell it to forward connections on port 211 in your example to port 22 on internal host 1, and external hits on port 212 to 22 internally on the second machine. so from the outside you DO need to use -p 211 or -p 212 to hit the right machine, but the internal servers will only ever see port 22 activity from the joys of port translation.
 
Old 08-24-2006, 12:44 PM   #12
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
oh and none of this has anything to do with tunneling, get the basics working first, then look into tunneling once you can do normal ssh forwarding.
 
Old 08-24-2006, 12:59 PM   #13
kdnewton
LQ Newbie
 
Registered: Feb 2006
Distribution: Kubuntu, dsl
Posts: 5

Original Poster
Rep: Reputation: 0
I'm not one to point elbows at people...

Thanks for all your help, especially acid_kewpie. It turns out it was a "design flaw" where D-Link was concerned. I have a D-Link 524 (DI 524) and hadn't updated the firmware in the last year. I was running version 3.02 of the firmware and now have the latest 3.23 firmware. It turns out, I couldn't redirect external port 211 and external port 212 to internal ports 22 on each respective computer because the firmware saw this as a conflict of port ranges. The firmware upgrade fixed that, so I can redirect (private/public) 22/211 and 22/212 now and it all works with a simple

ssh -p (211 or 212) myaddress

except with some complaints about RSA keys and such. Thanks for all the help, it's working now like I had it before. Just now I didn't have to tell the machines themselves to listen on ports 211 and 212 respectively. Thanks again.
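
An added example, not part of any post in this thread: a client-side `~/.ssh/config` for the working setup in post #13 (public ports 211 and 212, each forwarded to port 22 inside), plus the two-hop login from post #8 expressed as a jump host. The address 203.0.113.10, the aliases and the user name are placeholders; `HostKeyAlias` gives each machine its own `known_hosts` entry, so both host keys stay verified even though the machines share one public address.

```sshconfig
# ~/.ssh/config on the outside client (added example).
# 203.0.113.10 is a placeholder for the router's public address;
# the aliases, user name and HostKeyAlias labels are made up.

# First PC: router forwards public 211 -> 192.168.1.1:22
Host home-pc1
    HostName 203.0.113.10
    Port 211
    User username
    # Separate known_hosts entry per machine, so each host key is
    # pinned and checked on its own instead of clashing.
    HostKeyAlias home-pc1

# Second PC: router forwards public 212 -> 192.168.1.2:22
Host home-pc2
    HostName 203.0.113.10
    Port 212
    User username
    HostKeyAlias home-pc2

# Variant of the two-hop login from post #8: only the first PC is
# exposed, and the second is reached through it by its LAN address.
# ProxyJump requires OpenSSH 7.3 or later on the client.
Host home-pc2-via-pc1
    HostName 192.168.1.2
    User username
    ProxyJump home-pc1
    HostKeyAlias home-pc2
```

With this in place, `ssh home-pc1` and `scp file home-pc2:` pick up the right port without `-p` or `-P`, and host key checking never has to be switched off.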
 
Old 08-30-2006, 01:38 AM   #14
hradtke
Member
 
Registered: May 2006
Distribution: Fedora Core 6
Posts: 38

Rep: Reputation: 15
Cannot ssh from outside the network

meant to post a new topic, not reply.

Last edited by hradtke; 08-30-2006 at 01:39 AM.
 
  

