I have set up a no-ip account to access my ssh server at home remotely with myserver.ddns.net, which works well... from outside only.

From outside:

Remote ping:

$ ping myserver.ddns.net # success

Remote ssh:

$ ssh myserver.ddns.net # success

From local:

Local ping:

$ ping 192.168.2.8 # success

Local ssh:

$ ssh 192.168.2.8 # success

Remote ping:

$ ping myserver.ddns.net # success, resolving to 90.113.108.192

Remote ssh:

$ ssh myserver.ddns.net # loOong time waiting, then..
Connection closed by 90.113.108.192 port 22

Why could it be so?

iago-lito
  • You haven't set portforwarding on your router from local addresses, only from externals. – Ipor Sircer Feb 18 '17 at 22:37
  • Firewall rules, routes....not enough data from your post. – Rui F Ribeiro Feb 18 '17 at 23:01
  • @RuiFRibeiro Question edited to add more info. Is this enough? – iago-lito Feb 18 '17 at 23:27
  • @IporSircer the only NAT/PAT option seemed to be internal port and external port, both of which I've set to 22. I couldn't find any interesting configuration options with the keywords "forward port local"... From my router's point of view, what is the difference between forwarding from local and forwarding from outside? – iago-lito Feb 18 '17 at 23:31
  • You've already experienced the difference: one works and the other doesn't. Most router firmwares don't have this feature; you have to use special (openwrt, ddwrt) images to achieve this. – Ipor Sircer Feb 18 '17 at 23:34
  • Many routers don't allow LAN addresses to loop back to the WAN address. I ran into that problem and set up a DNS server on the intranet as a workaround. I'd be interested in an alternate solution. – Fox Feb 18 '17 at 23:35
  • @IporSircer wow. I cannot flash a custom image to my box, can I? I think it is property of my ISP :\ – iago-lito Feb 18 '17 at 23:44
  • @Fox wow. Do you have any pointer about this workaround? How heavy was it? Could my ssh server also be used as its own dedicated dns server? – iago-lito Feb 18 '17 at 23:45
  • The SSH server could be used as a DNS server, yes. For your whole network even. I use BIND9. It's under 2 MB of files including configuration and the executables. top says it's using 0.0% CPU and ~60MB RAM. Arch has a tutorial that might be useful. – Fox Feb 18 '17 at 23:59
  • @Fox Cheers! As an alternate solution, maybe someone will help us there ;) – iago-lito Feb 19 '17 at 00:15

2 Answers

The answer about accessing NAT from an internal network is, more correctly: you do not want to do that because of:

  • restrictions of consumer-grade technology;
  • performance reasons - NAT uses more CPU resources and memory - albeit on a domestic scale it is not worrisome;
  • more complex routing, both to use and to debug.

The alternatives are:

  • if accessing only from that local server, creating a hosts file entry;
  • creating a name server, and creating views if using a public DNS name that belongs to you - not the case you present, but usual in an enterprise;
  • creating a name server, and creating a custom internal name, like ssh.home;
  • using BIND+RPZ, and redefining the external name to your internal IP address;
  • if doing routing with a Linux box, with iptables+NAT, capturing the SSH sessions to your external IP, and NATing them to your internal IP address.

About my comments on capturing the IP address/creating the hosts file, see this answer on how I deal at home with my DDNS address: Better method for acting on IP address change from the ISP?

For BIND+RPZ see:

Configure BIND as Forwarder only (no root hints), encrypted + RPZ blacklist / whitelist all together

Large zone file for bind9 : ad-blocking

Rui F Ribeiro

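The first alternative in the list above, a hosts file entry, has one failure mode worth handling: a pin to 192.168.2.8 that stays in /etc/hosts after you leave the house sends ssh to whatever owns that address on the other network (and the host key check then warns). The script below is an added example, not code from the answer or from the linked posts. It keeps the pin only while the client is on the home LAN. The hostname, LAN address and prefix (myserver.ddns.net, 192.168.2.8, 192.168.2.) are the question's values; the function names, the `# ddns-lan-override` marker and the use of `ip route get` to find the client's current address (Linux iproute2) are this script's own assumptions.

```shell
#!/bin/sh
# Keep a hosts-file pin for a DDNS name only while on the home LAN.
# Added example; names and addresses follow the question, the marker
# tag and function names are this script's own.

TAG='# ddns-lan-override'   # marks the lines this script owns in the hosts file

# lookup_hosts FILE NAME: print the address FILE gives NAME (empty if none).
lookup_hosts() {
  awk -v n="$2" '$1 !~ /^#/ {
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^#/) break          # rest of the line is a comment
        if ($i == n) { print $1; exit }
      }
    }' "$1"
}

# remove_override FILE NAME: drop only the lines this script added for NAME.
# Writes back with cat so the owner and mode of /etc/hosts are preserved.
remove_override() {
  tmp=$(mktemp) || return 1
  awk -v n="$2" -v tag="$TAG" 'index($0, tag) == 0 || $2 != n' "$1" > "$tmp" &&
    cat "$tmp" > "$1"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# add_override FILE NAME IP: replace any previous pin for NAME with IP.
add_override() {
  remove_override "$1" "$2" || return 1
  printf '%s\t%s\t%s\n' "$3" "$2" "$TAG" >> "$1"
}

# on_lan IP PREFIX: succeed when IP starts with PREFIX (e.g. 192.168.2.).
on_lan() {
  case "$1" in
    "$2"*) return 0 ;;
    *)     return 1 ;;
  esac
}

# sync_override FILE NAME LAN_IP PREFIX CURRENT_IP:
# on the home LAN pin NAME to LAN_IP; elsewhere remove the pin so the
# real DDNS answer is used again.
sync_override() {
  if on_lan "$5" "$4"; then
    add_override "$1" "$2" "$3"
  else
    remove_override "$1" "$2"
  fi
}

# current_ip: source address the kernel would pick for an outbound packet
# (assumes Linux iproute2 on the client).
current_ip() {
  ip -4 route get 1.1.1.1 2>/dev/null |
    awk '{ for (i = 1; i <= NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}
```

Run it as root whenever the network changes (a NetworkManager dispatcher hook or a cron entry both work): `sync_override /etc/hosts myserver.ddns.net 192.168.2.8 192.168.2. "$(current_ip)"`. Lines you added to /etc/hosts by hand are never touched, because removal only matches lines carrying the script's marker.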
Okay, from the comments and this page, I understand that it is a common security feature for routers not to accept such "NAT loopbacks": i.e. connecting from a local machine to another local machine via an external domain resolution.

As workarounds, it has been suggested that I:

  • use a custom image like openwrt or ddwrt in place of my native router software. (cheers to Ipor Sircer)
  • set up a local DNS server (cheers to Fox)

Feel free to offer any other item I could append to this list :)

iago-lito