Solwise SAR-600E with NAT and firewall off blocks incoming connections

 
 
Geoff Clare
Guest
Posts: n/a

 
      09-29-2009, 04:19 PM
I'm trying to set up a Solwise SAR-600E ADSL router to do simple routed
IP. I have unticked the NAT and firewall boxes in the WAN settings and
set the LAN address of the router to the same as the WAN address it
gets from my ISP. This works fine for accessing the Internet from
computers on the LAN, but when I try to use ssh from a computer on the
Internet to one on my LAN, it can't connect (times out).

I have tried a lot of things to solve this. Details are in my Solwise
forum post at http://www.solwiseforum.co.uk/showthread.php?t=9449

Has anyone else got one of these routers and managed to get routed IP
to work "normally" (i.e. incoming connections allowed as well as
outgoing)? If so, how?

--
Geoff Clare <(E-Mail Removed)>
 
 
 
 
 
Graham J
Guest
Posts: n/a

 
      09-29-2009, 05:09 PM

"Geoff Clare" <(E-Mail Removed)> wrote in message
news:3mo9p6-(E-Mail Removed)...
> I'm trying to set up a Solwise SAR-600E ADSL router to do simple routed
> IP. I have unticked the NAT and firewall boxes in the WAN settings and
> set the LAN address of the router to the same as the WAN address it
> gets from my ISP. This works fine for accessing the Internet from
> computers on the LAN, but when I try to use ssh from a computer on the
> Internet to one on my LAN, it can't connect (times out).
>
> I have tried a lot of things to solve this. Details are in my Solwise
> forum post at http://www.solwiseforum.co.uk/showthread.php?t=9449
>
> Has anyone else got one of these routers and managed to get routed IP
> to work "normally" (i.e. incoming connections allowed as well as
> outgoing). If so, how?
>
> --
> Geoff Clare <(E-Mail Removed)>


So what IP address does your computer have? It can't be the same as the LAN
IP address of the router, now can it? But it must have an IP address ...
yes?

I think you need to set the router in bridge mode. Don't know whether this
is possible on yours ...?

That way the router doesn't have a LAN IP address (or if it does, it is the
standard RFC1918 private address).

Then configure the ISP-provided WAN IP on the computer. Traffic leaving the
computer passes straight through the router. Equally, incoming traffic
passes straight through the router to the PC.

If you leave the router's DHCP service on, and connect another computer to
the LAN with its DHCP client enabled, it will get an IP from the router and
you will be able to manage the router but NOT see the internet.

Is this a technical exercise, or is there a real purpose? If the latter,
the conventional thing is to arrange port forwarding to the internal IP
address of the computer ...

--
Graham J


 
 
Spamtastic Spastic
Guest
Posts: n/a

 
      09-29-2009, 05:38 PM
On Tue, 29 Sep 2009 17:19:47 +0100, Geoff Clare ate alphabet spaghetti and
shat out:

> I'm trying to set up a Solwise SAR-600E ADSL router to do simple routed
> IP. I have unticked the NAT and firewall boxes in the WAN settings and
> set the LAN address of the router to the same as the WAN address it gets
> from my ISP. This works fine for accessing the Internet from computers
> on the LAN, but when I try to use ssh from a computer on the Internet to
> one on my LAN, it can't connect (times out).
>
> I have tried a lot of things to solve this. Details are in my Solwise
> forum post at http://www.solwiseforum.co.uk/showthread.php?t=9449
>
> Has anyone else got one of these routers and managed to get routed IP to
> work "normally" (i.e. incoming connections allowed as well as outgoing).
> If so, how?


Yes, I had one of these (it's still in my attic). I had it running routed
where it fed into a bastion host that dealt with a LAN, and other public
IP servers.

I don't recall how I set it up, but I do recall it suffered from some
serious amnesia unless you made sure you saved the settings and rebooted.
It was not a challenge, or I would remember it.

The key is this: any machine or device behind this device is going to
have to have a public IP address. This is either going to be static or
dynamic, depending on your provider. For simplicity let's say you have
SOLWISE (routed NOT nat) -> SINGLE MACHINE. If you have a static IP
address, assign it to the machine. If you're dynamic, you've probably
already got DHCP up and running.

Assuming all this is good to go, and spotting your SSH reference, I'm
guessing Linux. Have you added an IPTables rule to allow inbound on port
22?

--
political correctness: The safety net protecting deaf blind disabled
ethnic minority gays & lesbians with odd religious beliefs from reality





 
Geoff Clare
Guest
Posts: n/a

 
      09-30-2009, 07:02 AM
Graham J wrote:
> "Geoff Clare" <(E-Mail Removed)> wrote in message
> news:3mo9p6-(E-Mail Removed)...
>> I'm trying to set up a Solwise SAR-600E ADSL router to do simple routed
>> IP. I have unticked the NAT and firewall boxes in the WAN settings and
>> set the LAN address of the router to the same as the WAN address it
>> gets from my ISP. This works fine for accessing the Internet from
>> computers on the LAN, but when I try to use ssh from a computer on the
>> Internet to one on my LAN, it can't connect (times out).
>>
>> I have tried a lot of things to solve this. Details are in my Solwise
>> forum post at http://www.solwiseforum.co.uk/showthread.php?t=9449
>>
>> Has anyone else got one of these routers and managed to get routed IP
>> to work "normally" (i.e. incoming connections allowed as well as
>> outgoing). If so, how?


> So what IP address does your computer have? It can't be the same as the LAN
> IP address of the router, now can it? But it must have an IP address ...
> yes?


I have a block of 8 static IPs, x.y.z.120/29. The router is x.y.z.126
and the computers I am trying to reach on the LAN are x.y.z.121 and
x.y.z.122.

There can't be any problem with the address assignments, because
TCP connections from computers on the LAN to the internet work fine.
It's only "incoming" TCP connections that are being blocked by the
router.

--
Geoff Clare <(E-Mail Removed)>
 
 
Geoff Clare
Guest
Posts: n/a

 
      09-30-2009, 07:13 AM
Spamtastic Spastic wrote:
> On Tue, 29 Sep 2009 17:19:47 +0100, Geoff Clare ate alphabet spaghetti and
> shat out:
>
>> I'm trying to set up a Solwise SAR-600E ADSL router to do simple routed
>> IP. I have unticked the NAT and firewall boxes in the WAN settings and
>> set the LAN address of the router to the same as the WAN address it gets
>> from my ISP. This works fine for accessing the Internet from computers
>> on the LAN, but when I try to use ssh from a computer on the Internet to
>> one on my LAN, it can't connect (times out).
>>
>> I have tried a lot of things to solve this. Details are in my Solwise
>> forum post at http://www.solwiseforum.co.uk/showthread.php?t=9449
>>
>> Has anyone else got one of these routers and managed to get routed IP to
>> work "normally" (i.e. incoming connections allowed as well as outgoing).
>> If so, how?

>
> Yes, I had one of these (it's still in my attic). I had it running routed
> where it fed into a bastion host that dealt with a LAN, and other public
> IP servers.


That sounds hopeful, thanks.

Do you remember if you updated the firmware?

> I don't recall how I set it up, but I do recall it suffered from some
> serious amnesia unless you made sure you saved the settings and rebooted.
> It was not a challenge, or I would remember it.


I quite like the way you can use "Apply" to try out settings and
they're not made permanent until you explicitly save them.

> The key is this: any machine or device behind this device is going to
> have to have a public IP address. This is either going to be static or
> dynamic, depending on your provider. For simplicity let's say you have
> SOLWISE (routed NOT nat) -> SINGLE MACHINE. If you have a static IP
> address, assign it to the machine. If you're dynamic, you've probably
> already got DHCP up and running.


See my response to Graham regarding addressing.

> Assuming all this is good to go, and spotting your SSH reference, I'm
> guessing Linux. Have you added an IPTables rule to allow inbound on port
> 22?


Yes, and it worked fine with my old router (Vigor 2600).

--
Geoff Clare <(E-Mail Removed)>
 
 
Spamtastic Spastic
Guest
Posts: n/a

 
      09-30-2009, 07:21 AM
On Wed, 30 Sep 2009 08:02:53 +0100, Geoff Clare ate alphabet spaghetti and
shat out:

> Graham J wrote:
>> "Geoff Clare" <(E-Mail Removed)> wrote in message
>> news:3mo9p6-(E-Mail Removed)...
>>> I'm trying to set up a Solwise SAR-600E ADSL router to do simple
>>> routed IP. I have unticked the NAT and firewall boxes in the WAN
>>> settings and set the LAN address of the router to the same as the WAN
>>> address it gets from my ISP. This works fine for accessing the
>>> Internet from computers on the LAN, but when I try to use ssh from a
>>> computer on the Internet to one on my LAN, it can't connect (times
>>> out).
>>>
>>> I have tried a lot of things to solve this. Details are in my
>>> Solwise forum post at
>>> http://www.solwiseforum.co.uk/showthread.php?t=9449
>>>
>>> Has anyone else got one of these routers and managed to get routed IP
>>> to work "normally" (i.e. incoming connections allowed as well as
>>> outgoing). If so, how?

>
>> So what IP address does your computer have? It can't be the same as
>> the LAN IP address of the router, now can it? But it must have an IP
>> address ... yes?

>
> I have a block of 8 static IPs, x.y.z.120/29. The router is x.y.z.126
> and the computers I am trying to reach on the LAN are x.y.z.121 and
> x.y.z.122.
>
> There can't be any problem with the address assignments, because TCP
> connections from computers on the LAN to the internet work fine. It's
> only "incoming" TCP connections that are being blocked by the router.


Geoff, can we be clear here, is this on all ports or specific to ssh (22)?
We are talking *all* incoming network activity or just some?


--
political correctness: The safety net protecting deaf blind disabled
ethnic minority gays & lesbians with odd religious beliefs from reality
 
 
Spamtastic Spastic
Guest
Posts: n/a

 
      09-30-2009, 07:27 AM
On Wed, 30 Sep 2009 08:13:19 +0100, Geoff Clare ate alphabet spaghetti and
shat out:

> Spamtastic Spastic wrote:
>> On Tue, 29 Sep 2009 17:19:47 +0100, Geoff Clare ate alphabet spaghetti
>> and shat out:
>>
>>> I'm trying to set up a Solwise SAR-600E ADSL router to do simple
>>> routed IP. I have unticked the NAT and firewall boxes in the WAN
>>> settings and set the LAN address of the router to the same as the WAN
>>> address it gets from my ISP. This works fine for accessing the
>>> Internet from computers on the LAN, but when I try to use ssh from a
>>> computer on the Internet to one on my LAN, it can't connect (times
>>> out).
>>>
>>> I have tried a lot of things to solve this. Details are in my
>>> Solwise forum post at
>>> http://www.solwiseforum.co.uk/showthread.php?t=9449
>>>
>>> Has anyone else got one of these routers and managed to get routed IP
>>> to work "normally" (i.e. incoming connections allowed as well as
>>> outgoing).
>>> If so, how?

>>
>> Yes, I had one of these (it's still in my attic). I had it running
>> routed where it fed into a bastion host that dealt with a LAN, and
>> other public IP servers.

>
> That sounds hopeful, thanks.
>
> Do you remember if you updated the firmware?
>
>> I don't recall how I set it up, but I do recall it suffered from some
>> serious amnesia unless you made sure you saved the settings and
>> rebooted. It was not a challenge, or I would remember it.

>
> I quite like the way you can use "Apply" to try out settings and they're
> not made permanent until you explicitly save them.
>
>> The key is this: any machine or device behind this device is going to
>> have to have a public IP address. This is either going to be static or
>> dynamic, depending on your provider. For simplicity let's say you have
>> SOLWISE (routed NOT nat) -> SINGLE MACHINE. If you have a static IP
>> address, assign it to the machine. If you're dynamic, you've probably
>> already got DHCP up and running.

>
> See my response to Graham regarding addressing.
>
>> Assuming all this is good to go, and spotting your SSH reference, I'm
>> guessing Linux. Have you added an IPTables rule to allow inbound on
>> port 22?

>
> Yes, and it worked fine with my old router (Vigor 2600).


Short answer, I'll dig it out and check the F/W. I never updated it - I'm
starting to get memories of having to mess around with it a bit.


--
political correctness: The safety net protecting deaf blind disabled
ethnic minority gays & lesbians with odd religious beliefs from reality
 
 
Graham J
Guest
Posts: n/a

 
      09-30-2009, 07:54 AM

"Geoff Clare" <(E-Mail Removed)> wrote in message
news:tdcbp6-(E-Mail Removed)...
> Graham J wrote:
>> "Geoff Clare" <(E-Mail Removed)> wrote in message
>> news:3mo9p6-(E-Mail Removed)...
>>> I'm trying to set up a Solwise SAR-600E ADSL router to do simple routed
>>> IP. I have unticked the NAT and firewall boxes in the WAN settings and
>>> set the LAN address of the router to the same as the WAN address it
>>> gets from my ISP. This works fine for accessing the Internet from
>>> computers on the LAN, but when I try to use ssh from a computer on the
>>> Internet to one on my LAN, it can't connect (times out).
>>>
>>> I have tried a lot of things to solve this. Details are in my Solwise
>>> forum post at http://www.solwiseforum.co.uk/showthread.php?t=9449
>>>
>>> Has anyone else got one of these routers and managed to get routed IP
>>> to work "normally" (i.e. incoming connections allowed as well as
>>> outgoing). If so, how?

>
>> So what IP address does your computer have? It can't be the same as the
>> LAN IP address of the router, now can it? But it must have an IP address
>> ... yes?

>
> I have a block of 8 static IPs, x.y.z.120/29. The router is x.y.z.126
> and the computers I am trying to reach on the LAN are x.y.z.121 and
> x.y.z.122.


Ah! You should have said at the outset ...

--
Graham J


 
 
The Natural Philosopher
Guest
Posts: n/a

 
      09-30-2009, 09:15 AM
Graham J wrote:
> "Geoff Clare" <(E-Mail Removed)> wrote in message
> news:tdcbp6-(E-Mail Removed)...
>> Graham J wrote:
>>> "Geoff Clare" <(E-Mail Removed)> wrote in message
>>> news:3mo9p6-(E-Mail Removed)...
>>>> I'm trying to set up a Solwise SAR-600E ADSL router to do simple routed
>>>> IP. I have unticked the NAT and firewall boxes in the WAN settings and
>>>> set the LAN address of the router to the same as the WAN address it
>>>> gets from my ISP. This works fine for accessing the Internet from
>>>> computers on the LAN, but when I try to use ssh from a computer on the
>>>> Internet to one on my LAN, it can't connect (times out).
>>>>
>>>> I have tried a lot of things to solve this. Details are in my Solwise
>>>> forum post at http://www.solwiseforum.co.uk/showthread.php?t=9449
>>>>
>>>> Has anyone else got one of these routers and managed to get routed IP
>>>> to work "normally" (i.e. incoming connections allowed as well as
>>>> outgoing). If so, how?
>>> So what IP address does your computer have? It can't be the same as the
>>> LAN IP address of the router, now can it? But it must have an IP address
>>> ... yes?

>> I have a block of 8 static IPs, x.y.z.120/29. The router is x.y.z.126
>> and the computers I am trying to reach on the LAN are x.y.z.121 and
>> x.y.z.122.

>
> Ah! You should have said at the outset ...
>

I suspect the issue is that with NAT and the firewall allegedly OFF,
there is still a default to block incoming SYN packets, or silently
discard them anyway.

It may be better to use the firewall and open explicit ports.

Can you ping the internal machines from outside? That's a good start to
at least establish routing is working.

 
 
Geoff Clare
Guest
Posts: n/a

 
      09-30-2009, 12:37 PM
Spamtastic Spastic wrote:
> Just checking it now - mine was a SAR600ER running 3.6.0/D.
>
> I do have some notes about it being a bitch to get to route right.
> Similar to your issues in fact. I thought I had kept a working config for
> it, but I can't find it. I'll have a sniff for it.


Thanks for taking the trouble to dig out your old one. I'm now
feeling rather sheepish, as you went to the trouble for nothing - it
turns out the problem was not with the SAR-600E.

Someone on the Solwise forum suggested I used tcpdump to see if
anything was getting through the router. I could see the ssh SYN
packets coming through. Now that I knew the router wasn't at
fault, I investigated other avenues and eventually worked out it
was a complicated issue with VPNs and routing.

The gory details, in case anyone is interested...

Normally when I do the ssh that was failing, I am located in the office
at the "far end". After changing my router, to test that I could ssh
from a computer there to one here, while being located here instead of
there, I first had to ssh from here to there, and I can only do that
via a VPN. With the VPN running, the ssh SYN packet was reaching the
computer here via the normal route, but the response was being sent via
the VPN (thus appearing to the other end to have come from a different
address).

Lesson learned: when you change something and then test whether things
are still working and find they aren't, always consider what _else_ is
different, not just the thing you changed.

--
Geoff Clare <(E-Mail Removed)>
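
The failure described in the post above (SYN arriving by the normal route, reply leaving via the VPN) can be spotted mechanically in a capture taken on the LAN host. The following is an added example, not part of the original thread: it pairs each inbound SYN with the interface its SYN-ACK left on. The sample lines are constructed in the style of `tcpdump -n -i any 'tcp port 22'` output; the addresses are documentation placeholders and the interface names `eth0` and `tun0` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample capture (not from the thread). 203.0.113.121 stands in
# for the LAN host; eth0 is the assumed LAN interface, tun0 the assumed VPN.
SAMPLE = """\
12:00:01.000100 eth0  In  IP 198.51.100.7.40022 > 203.0.113.121.22: Flags [S], seq 1000, win 64240, length 0
12:00:01.000300 tun0  Out IP 203.0.113.121.22 > 198.51.100.7.40022: Flags [S.], seq 2000, ack 1001, win 65160, length 0
12:00:02.010100 eth0  In  IP 198.51.100.7.40022 > 203.0.113.121.22: Flags [S], seq 1000, win 64240, length 0
12:00:05.000100 eth0  In  IP 192.0.2.9.51500 > 203.0.113.121.22: Flags [S], seq 3000, win 64240, length 0
12:00:05.000200 eth0  Out IP 203.0.113.121.22 > 192.0.2.9.51500: Flags [S.], seq 4000, ack 3001, win 65160, length 0
"""

# timestamp, interface, direction, "IP", src.port > dst.port, TCP flags
LINE = re.compile(
    r"^\S+\s+(?P<ifc>\S+)\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): Flags \[(?P<flags>[^\]]+)\]")

def classify_handshakes(capture):
    """Return {(client, server): verdict} for every inbound SYN in the capture."""
    syn_in = {}                    # flow -> interface the first SYN arrived on
    synack_out = defaultdict(set)  # flow -> interfaces the SYN-ACKs left on
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        if m["dir"] == "In" and m["flags"] == "S":
            syn_in.setdefault((m["src"], m["dst"]), m["ifc"])
        elif m["dir"] == "Out" and m["flags"] == "S.":
            # Key the reply by the original direction: (client, server).
            synack_out[(m["dst"], m["src"])].add(m["ifc"])
    verdicts = {}
    for flow, ifc in syn_in.items():
        out = synack_out.get(flow, set())
        if not out:
            # SYN reached the host but nothing came back: look at the host
            # firewall or the listening service rather than the router.
            verdicts[flow] = "no reply seen"
        elif out == {ifc}:
            verdicts[flow] = "symmetric"
        else:
            verdicts[flow] = (f"asymmetric: SYN in on {ifc}, "
                              f"SYN-ACK out on {','.join(sorted(out))}")
    return verdicts

if __name__ == "__main__":
    for (client, server), verdict in classify_handshakes(SAMPLE).items():
        print(f"{client} -> {server}: {verdict}")
```

On a Linux host, `ip route get <client address>` shows which interface the kernel would pick for the reply, which confirms an asymmetric verdict without waiting for another capture.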
 