Gentoo Forums
Can't ping on remote router [Solved]

apiaio
Apprentice

Joined: 04 Dec 2008
Posts: 206

Posted: Sun Dec 20, 2015 5:31 pm

I would like to establish a remote connection between my home PC and notebook. It works locally in my home LAN. It doesn't work from the home LAN of my friend. I have enabled VNC ports 5800, 5900 and SSH port 22 in both routers. No response.
Even ping to the remote router does not work. But it is up:
Quote:
gentoo miro # nmap -Pn -p 14534,51234 91.127.97.183

Starting Nmap 6.47 ( http://nmap.org ) at 2015-12-20 18:19 CET
Nmap scan report for adsl-dyn183.91-127-97.t-com.sk (91.127.97.183)
Host is up.
PORT STATE SERVICE
14534/tcp filtered unknown
51234/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 3.24 seconds
I think that I neglected something in the routers' configuration but don't know what.

Last edited by apiaio on Tue Dec 22, 2015 4:11 pm; edited 1 time in total

Keruskerfuerst
Advocate

Joined: 01 Feb 2006
Posts: 2288
Location: near Augsburg, Germany

Posted: Sun Dec 20, 2015 5:55 pm

Network setup?

apiaio
Apprentice

Joined: 04 Dec 2008
Posts: 206

Posted: Sun Dec 20, 2015 5:59 pm

Keruskerfuerst wrote:
Network setup?
Sorry. But which files or commands do you want to see?

NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 42569
Location: 56N 3W

Posted: Sun Dec 20, 2015 10:22 pm

apiaio,

Don't even think about VNC over the internet. It's not secure.
You can tunnel VNC over ssh or do X forwarding over ssh.

On the router at your home, you need to forward port 22 to your PC.
Your PC needs to run sshd with root logins disabled.

From your adsl-dyn183.91-127-97.t-com.sk you have an extra complication. It appears you have a dynamic IP address.
That means it may change at any time. Look at a service like no-ip as a workaround. That's not a recommendation, there are others.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

apiaio
Apprentice

Joined: 04 Dec 2008
Posts: 206

Posted: Mon Dec 21, 2015 11:47 am

NeddySeagoon wrote:
apiaio,

Don't even think about VNC over the internet. It's not secure.
You can tunnel VNC over ssh or do X forwarding over ssh.

On the router at your home, you need to forward port 22 to your PC.
Your PC needs to run sshd with root logins disabled.
I have TightVNC installed. The man page of vncviewer says
Quote:
-via gateway
Automatically create encrypted TCP tunnel to the gateway machine
before connection, connect to the host through that tunnel
(TightVNC-specific).
It should make transfer over the internet secure. Have I understood it well?
Quote:

From your adsl-dyn183.91-127-97.t-com.sk you have an extra complication. It appears you have a dynamic IP address.
That means it may change at any time. Look at a service like no-ip as a workaround. That's not a recommendation, there are others.
Yes, it is a dynamic IP address. I followed up the IPs on both routers and it seems that the IP addresses are changed only when the routers are powered off/on or rebooted.

NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 42569
Location: 56N 3W

Posted: Mon Dec 21, 2015 2:19 pm

apiaio,

That's correct as far as it goes. Check how it does authentication.

Show us both routers' port forwarding setup.
Tell us the make and model of both routers too, so we can get their online manuals.

Trying a traceroute from Scotland, on the IP in your original post gives
Code:
$ sudo traceroute -AI 91.127.97.183
Password:
traceroute to 91.127.97.183 (91.127.97.183), 30 hops max, 60 byte packets
 1  router (192.168.100.253) [AS55158]  0.890 ms  0.906 ms  0.926 ms
 2  losubs.subs.dsl4.wh-man.zen.net.uk (62.3.83.6) [AS13037]  13.261 ms  13.274 ms  13.690 ms
 3  ae1-118.cr1.wh-man.zen.net.uk (62.3.86.1) [AS13037]  13.719 ms  13.733 ms  13.743 ms
 4  ge-3-0-0-0.cr2.th-lon.zen.net.uk (62.3.80.45) [AS13037]  54.268 ms  54.297 ms  54.797 ms
 5  gi3-0.lonth-inter-1.interoute.net (195.66.224.53) [AS10026/AS4637]  23.760 ms  23.780 ms  23.794 ms
 6  ae2-0.lon-001-score-2-re0.interoute.net (84.233.218.185) [AS8928]  46.017 ms  44.300 ms  44.304 ms
 7  ae0-0.lon-001-score-1-re0.interoute.net (84.233.218.189) [AS8928]  50.002 ms  48.331 ms  48.337 ms
 8  ae1-0.ams-koo-score-1-re0.interoute.net (84.233.190.57) [AS8928]  48.336 ms  48.183 ms  48.180 ms
 9  ae0-0.ams-koo-score-2-re0.interoute.net (84.233.190.2) [AS8928]  48.172 ms  48.223 ms  48.239 ms
10  ae1-0.fra-006-score-1-re0.interoute.net (84.233.190.50) [AS8928]  48.339 ms  48.349 ms  49.448 ms
11  ae1-0.vie-per-score-1-re0.interoute.net (212.23.43.25) [AS8928]  49.441 ms  67.759 ms  67.769 ms
12  ae0-0.vie-per-score-2-re0.interoute.net (212.23.43.50) [AS8928]  67.778 ms  46.038 ms  46.049 ms
13  ae1-0.bts-001-score-1-re0.interoute.net (84.233.147.13) [AS8928]  46.058 ms  45.813 ms  45.825 ms
14  ae0-0.bts-001-score-2-re0.interoute.net (84.233.147.2) [AS8928]  45.822 ms  44.269 ms  44.262 ms
15  84.233.184.66 (84.233.184.66) [AS8928]  44.555 ms  45.289 ms  45.283 ms
16  st-static-bckb-249.213-81-233.telecom.sk (213.81.233.249) [AS6855]  45.245 ms  44.446 ms  44.899 ms
17  * * *


That suggests that st-static-bckb-249.213-81-233.telecom.sk, your ISP's incoming gateway for me, is dropping ping requests.
Of course, 91.127.97.183 may no longer be your public IP. You can't count on it only changing at router power cycle.

Feel free to attempt to ssh to 5.9.82.14. As you don't have an account, it will go through the password prompt three times before the attempt is rejected.
Count it as successful if you get asked to validate the host key. That means you can at least get out from your ISP and receive a response.
Try this from your friend's too.

If you don't get a response, PM me the IP address(es) you tried from, the date and time of day and I'll check the logs.
The logs are already full of bots guessing usernames and passwords, so your login attempts will just add to the noise.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

apiaio
Apprentice

Joined: 04 Dec 2008
Posts: 206

Posted: Mon Dec 21, 2015 5:18 pm

Thanks for interesting communication.

On my table is a TP-LINK TD-W8960N v1 00000000. On the desk of my friend is something that was delivered by the internet provider and I am not able to detect the type at the moment. IMHO it is not important because we have the same provider and the same default GW 213.81.233.249.

Port forwarding setup on my router:

Code:

NAT -- Virtual Servers Setup
Server Name    External Port Start    External Port End    Protocol    Internal Port Start    Internal Port End    Server IP Address    WAN Interface    Remove
VNC    5900    5900    TCP    5900    5900    192.168.1.100    ppp0    
Secure Shell Server (SSH)    22    22    TCP    22    22    192.168.1.100    ppp0    
vnc2    5800    5800    TCP    5800    5800    192.168.1.100    ppp0


Swapped quote to code tags above -- NeddySeagoon

A similar setting is on the friend's router (not sure about port 5800).

Quote:
gentoo miro # ssh 5.9.82.14
The authenticity of host '5.9.82.14 (5.9.82.14)' can't be established.
ED25519 key fingerprint is SHA256:PFqHSomzpGQ86kGgGKNGZNzXHxPOx61laEo5MbkWtIk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '5.9.82.14' (ED25519) to the list of known hosts.
Password:
Connection closed by 5.9.82.14

NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 42569
Location: 56N 3W

Posted: Mon Dec 21, 2015 5:53 pm

apiaio,

I have the user manual for your router.
As long as your PC has a fixed IP of 192.168.1.100 that looks correct for sshd.

You were able to reach my server, so we know you can get to the outside world with packets that have a destination port of 22.

Go to your ISP's website and see if they block any ports.
Less enlightened ISPs tend to make it difficult for you to run servers at home by blocking ports like 25, 80, 443 and others.

You may need to use another port for ssh to avoid your ISP's restrictions.
To test that, edit /etc/ssh/sshd_config and add another Port entry. Make sure it's not commented. Restart sshd.
Now it will listen on the port you selected. Choose a port >1023 and avoid port number clashes with other incoming services.
Fix your router to forward the new port.
You will need to give the -p option to the ssh command to connect to the new port.

Several uncommented port lines are allowed.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
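
Added example, not part of the original post: a shell check of an sshd_config against the advice given in this thread (root logins disabled, an extra Port above 1023 to forward on the router). The function names and the sample config are constructed for illustration; on the real host, `sshd -t` validates the file before the restart.

```sh
#!/bin/sh
# Added example (not from the thread): audit sshd_config before exposing sshd.
# Only the global section is read; parsing stops at the first Match block.

# Emit "keyword value" pairs, keyword lower-cased (sshd keywords ignore case).
sshd_global() {
    awk '
        { sub(/[ \t]*=[ \t]*/, " ") }      # accept the "Port=2222" form
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        tolower($1) == "match" { exit }
        { print tolower($1), $2 }
    ' "$1"
}

# Every uncommented Port line adds a listener; with none, sshd uses 22.
sshd_ports() {
    ports=$(sshd_global "$1" |
        awk '$1 == "port" && $2 ~ /^[0-9]+$/ { printf "%s%s", sep, $2; sep = " " }')
    echo "${ports:-22}"
}

# For PermitRootLogin the first value sshd reads wins; "unset" if absent.
root_login() {
    val=$(sshd_global "$1" |
        awk '$1 == "permitrootlogin" { print tolower($2); exit }')
    echo "${val:-unset}"
}

# List listeners and the unprivileged ports that could be forwarded on the
# router. Returns 1 unless root login is explicitly "no".
audit_sshd() {
    echo "listening: $(sshd_ports "$1")"
    for p in $(sshd_ports "$1"); do
        if [ "$p" -gt 1023 ]; then echo "forward candidate: $p"; fi
    done
    if [ "$(root_login "$1")" != "no" ]; then
        echo "FAIL: PermitRootLogin is '$(root_login "$1")', expected 'no'"
        return 1
    fi
    echo "OK: root login disabled"
}

# Constructed sample config, not taken from the thread.
sample=$(mktemp)
printf '%s\n' '#Port 22' 'Port 22' 'port = 2222' 'PermitRootLogin no' \
    'PermitRootLogin yes' 'Match User backup' '  PermitRootLogin yes' > "$sample"
audit_sshd "$sample"
```

Settings inside Match blocks are deliberately not evaluated here, so a per-user override of PermitRootLogin still needs a manual look.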

apiaio
Apprentice

Joined: 04 Dec 2008
Posts: 206

Posted: Mon Dec 21, 2015 8:05 pm

Thanks for hints.

I phoned the ISP's service department. Exclusive of port 25 they don't block any other ports. Tomorrow I will try to set up the ssh connection as you suggest.

NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 42569
Location: 56N 3W

Posted: Mon Dec 21, 2015 8:14 pm

apiaio,

If they really only block mail servers, it may yet be your router setup.

A TCP packet has a source and a destination port.
The source port can be anything, almost, but the destination port for ssh will default to 22.
Once ssh receives a packet (addressed to port 22) it makes a note of source port and replies to it.

I'm not sure what the 'External Port' does in your router setup but if it limits the range of permitted source ports, setting it to 22 will ensure it won't work as 22 will never be used as a source port number. Try leaving the external port settings blank.

-- edit --

Your router's logs may have some hints for you too.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

krinn
Watchman

Joined: 02 May 2003
Posts: 6965

Posted: Tue Dec 22, 2015 8:54 am

apiaio wrote:
gentoo miro # ssh 5.9.82.14
The authenticity of host '5.9.82.14 (5.9.82.14)' can't be established.
ED25519 key fingerprint is SHA256:PFqHSomzpGQ86kGgGKNGZNzXHxPOx61laEo5MbkWtIk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '5.9.82.14' (ED25519) to the list of known hosts.
Password:
Connection closed by 5.9.82.14

It doesn't mean you aren't connecting to ssh, in fact, it means YOU are connecting to it.
How do you think your ssh found the host ED25519 keyfile if it's not because the connection is working?

Your ssh problem is not a port problem, but ssh configuration.

NeddySeagoon: the external range is just to ease the life of the user. VNC increases the port range by one on each active connection, so he could then define a 5800-5810 external range to allow 10 connections to his VNC in one entry instead of adding each entry.
It also allows someone connecting to a port to be matched to a host with another port, allowing someone connecting to his router from port 44 to be forwarded to a host on its port 22. Neat feature if the program cannot work on a different port or if you want to aim at a specific host on your network.
Two hosts use the default 22 for ssh, but depending on the external port that gets knocked, the router will forward the ssh query to host1 or host2.
"External port" refers to his router port, and internal to his host port. So not the source port of someone connecting to it, but the router port that gets knocked.

apiaio
Apprentice

Joined: 04 Dec 2008
Posts: 206

Posted: Tue Dec 22, 2015 4:10 pm

Quote:

It doesn't mean you aren't connecting to ssh, in fact, it means YOU are connecting to it.
How do you think your ssh found the host ED25519 keyfile if it's not because the connection is working?

Yes, we know that the connection is working. NeddySeagoon wrote:
Quote:
You were able to reach my server, so we know you can get to the outside world with packets that have a destination port of 22.

The problem is, or rather was, that I was not able to reach my server. Now I can reach my router via ssh. Actually I can ping my public address after enabling the ICMP option on my router. So I would say that the basic problem is solved.

Port forwarding setup on my router now:
Code:
NAT -- Virtual Servers Setup

Server Name    External Port Start    External Port End    Protocol    Internal Port Start    Internal Port End    Server IP Address    WAN Interface    Remove
Secure Shell Server (SSH)    2222    2222    TCP    2222    2222    192.168.1.100    ppp0    
VNC    5900    5910    TCP    5900    5910    192.168.1.100    ppp0


Up to now I was not able to create a connection with ssh tunneling. But this is a question for a new thread.
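
Added example, not part of the original post: a shell check that reads a "Virtual Servers" table in the format posted in this thread and flags rows that forward VNC ports straight from the WAN, which is what the earlier advice to tunnel VNC over ssh avoids. The function names and the USER@HOME_ADDRESS placeholder are assumptions; the rows parsed are the ones from the table above.

```sh
#!/bin/sh
# Added example (not from the thread): flag VNC ports forwarded straight from
# the WAN in a router "Virtual Servers" table like the ones posted above.

# Columns are read from the right, because the server name may contain spaces:
#   name... ext_start ext_end proto int_start int_end server_ip wan_if
# ext_* is the port on the router's WAN side, int_* the port on the LAN host.
exposed_vnc() {
    awk '
        NF >= 8 && $(NF-6) ~ /^[0-9]+$/ && $(NF-3) ~ /^[0-9]+$/ {
            es = $(NF-6) + 0; ee = $(NF-5) + 0   # external (router) range
            is = $(NF-3) + 0; ie = $(NF-2) + 0   # internal (host) range
            # VNC listens on 5900+display, its HTTP viewer on 5800+display.
            if (is <= 5999 && ie >= 5800)
                printf "WAN %d-%d/%s -> %s:%d-%d\n", es, ee, $(NF-4), $(NF-1), is, ie
        }
    ' "$1"
}

# Returns 1 and lists the offending rows if any VNC port is reachable from
# the WAN; returns 0 if only other services (such as sshd) are forwarded.
review_forwards() {
    hits=$(exposed_vnc "$1")
    [ -z "$hits" ] && return 0
    echo "VNC exposed to the WAN; tunnel it over ssh instead:"
    echo "$hits"
    return 1
}

# The second table from the thread, one row per line.
table=$(mktemp)
cat > "$table" <<'EOF'
Server Name    External Port Start    External Port End    Protocol    Internal Port Start    Internal Port End    Server IP Address    WAN Interface    Remove
Secure Shell Server (SSH)    2222    2222    TCP    2222    2222    192.168.1.100    ppp0
VNC    5900    5910    TCP    5900    5910    192.168.1.100    ppp0
EOF
review_forwards "$table" || true

# With only the ssh row forwarded, VNC is reached through the tunnel, e.g.
#   ssh -p 2222 -L 5901:localhost:5900 USER@HOME_ADDRESS   (placeholders)
#   vncviewer localhost:1
```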

NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 42569
Location: 56N 3W

Posted: Tue Dec 22, 2015 4:43 pm

apiaio,

Does it not work on port 22 too?
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

apiaio
Apprentice

Joined: 04 Dec 2008
Posts: 206

Posted: Tue Dec 22, 2015 5:33 pm

NeddySeagoon wrote:
apiaio,

Does it not work on port 22 too?
I'm not sure. Today's test was from my friend's house to my PC. Port 22 is still enabled there. Next time I will try the reverse connection. The problem is that they have a Win8 installation only and I do not want to complicate their life with Linux, and every time I have to go there with my notebook.
The truth of the matter is that this is a testing place only. The aim is to prepare a connection to the 50 km remote place where I need to administrate a MySQL server from time to time.
For completeness' sake: my PC runs under Gentoo, and the notebook and the mentioned remote place under Sabayon.

NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 42569
Location: 56N 3W

Posted: Tue Dec 22, 2015 5:57 pm

apiaio,

There are several free ssh clients for Windows. PuTTY comes to mind but there are others.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.