
Can't SSH nor access lighttpd from wan

rod

Occasional Visitor
The facts:

I have the latest build of Merlin working well so far. I was able to set up Entware and aria2 and control it from outside, have also managed to install ownCloud and use it with a self-signed certificate from anywhere (phone, computer client, web). I had the webcam working in https too, and had the tomatoware build environment working in /opt/tomatoware.

Then I stumbled upon the post about automatic banning of IPs using ipset and iptables... tested it, and realized it was not built with support for the RT-N16, so I deleted the firewall.sh and firewall-start.sh that the post proposed and went back to the old firewall-start I had. Rebooted the router and... could not access anything from outside, with the exception of the router's web configuration using port 8443.

Tried everything: enabling and disabling SSH, SSH from WAN, SSH login, SSH port forward, changed ports... but I can't get into the shell from outside anymore.

Created a VPN and then yes, I can access the shell from outside again using 192.168.1.1 as if I were at home.

Finally, I decided to apply factory settings... but it still did not work.
Installed aria2 and lighttpd back. Restored the ownCloud directory on www...

I can only get into the webadmin (no shell, ownCloud nor lighttpd).
The only news is that I can also control aria2 from the webui again, connecting to the dynamic IP.

Also, if I enable ping response, it works.

From the inside, I enabled logging of dropped packets and they appear (a lot of them, including my SSH requests).

But I don't know the reason. The iptables rules from the old firewall-start are in the chain.

The output from iptables -L is:

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:81 
ACCEPT     udp  --  anywhere             anywhere            udp dpts:6881:6999 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:6881:6999 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:6800 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:6800 
DROP       all  --  anywhere             anywhere            state INVALID 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere            state NEW 
ACCEPT     all  --  anywhere             anywhere            state NEW 
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc 
ACCEPT     tcp  --  anywhere             router.asus.com     tcp dpt:www 
ACCEPT     tcp  --  anywhere             router.asus.com     tcp dpt:8443 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:1723 
ACCEPT     gre  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            state INVALID 
ACCEPT     all  --  anywhere             anywhere            
DROP       icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            ctstate DNAT 
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FUPNP (0 references)
target     prot opt source               destination         

Chain PControls (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain logaccept (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT ' 
ACCEPT     all  --  anywhere             anywhere            

Chain logdrop (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP ' 
DROP       all  --  anywhere             anywhere

Any help would be highly appreciated.
PS: Also tried unplugging the USB hard drive (to unload Entware) and still the SSH packets are dropped by the kernel.
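The listing above comes from plain `iptables -L`, which hides the two columns that usually explain a case like this: the input interface each rule is bound to and the per-rule packet counters. `iptables -L INPUT -v -n --line-numbers` shows both, and once a rule is seen to be tied to the LAN bridge, the "ACCEPT tcp dpt:ssh" line is no longer evidence that SSH from the WAN is allowed. The following script is an added example and not code from the thread or from the Merlin firmware: it parses a constructed `-v -n` listing shaped like the poster's INPUT chain (interface names `lo`, `br0`, `eth0` and all counters are assumed) and walks it first-match to show which rule decides the fate of a SYN to port 22 arriving from the WAN versus the LAN.

```python
"""First-match walk over an `iptables -L INPUT -v -n` listing.

Added example, not taken from the forum thread. The listing below is
constructed to resemble the poster's INPUT chain, but with the in/out
interface columns and packet counters that plain `iptables -L` hides.
Interface names (lo, br0 for the LAN bridge, eth0 for the WAN) and all
counters are assumed.
"""
import re
from dataclasses import dataclass

SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1200 96000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   30  1800 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
 5000  400K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  800 48000 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
   10   600 ACCEPT     tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
   45  2700 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""


@dataclass
class Rule:
    target: str
    prot: str
    in_if: str
    match: str   # everything after the destination column, e.g. "tcp dpt:22"
    pkts: str    # counter as printed (-v abbreviates with K/M/G)


# pkts bytes target prot opt in out source destination [match extras]
RULE_RE = re.compile(
    r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
    r"\s+(\S+)\s+(\S+)\s*(.*?)\s*$"
)
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_listing(text):
    """Return (chain policy, [Rule, ...]) for one chain of -L -v -n output."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        head = re.match(r"Chain \S+ \(policy (\S+)", line)
        if head:
            policy = head.group(1)
            continue
        m = RULE_RE.match(line)
        if m:  # the "pkts bytes target ..." header does not match (no digits)
            pkts, _, target, prot, _, in_if, _, _, _, match = m.groups()
            rules.append(Rule(target, prot, in_if, match, pkts))
    return policy, rules


def rule_matches(rule, pkt):
    """True if the rule's protocol, input interface, dport and state all match pkt."""
    if rule.prot != "all" and rule.prot != pkt["proto"]:
        return False
    if rule.in_if != "*" and rule.in_if != pkt["in"]:
        return False
    ports = re.search(r"dpts?:(\d+)(?::(\d+))?", rule.match)   # dpt:22 or dpts:6881:6999
    if ports:
        lo = int(ports.group(1))
        hi = int(ports.group(2) or lo)
        if not lo <= pkt["dport"] <= hi:
            return False
    states = re.search(r"\b(?:ct)?state (\S+)", rule.match)    # state NEW / ctstate DNAT
    if states and pkt["state"] not in states.group(1).split(","):
        return False
    return True


def evaluate(policy, rules, pkt):
    """Walk the chain top to bottom; return (verdict, 1-based rule number or None).

    Non-terminal targets (LOG, jumps to user chains) are skipped here; a real
    chain would descend into them. No terminal match means the chain policy.
    """
    for n, rule in enumerate(rules, start=1):
        if rule.target in TERMINAL and rule_matches(rule, pkt):
            return rule.target, n
    return policy, None


def explain(policy, rules, pkt):
    """Human-readable trace of which rule (if any) decided the packet."""
    verdict, n = evaluate(policy, rules, pkt)
    where = (f"rule {n} (in {rules[n - 1].in_if}, {rules[n - 1].prot} {rules[n - 1].match})"
             if n else "chain policy")
    return f"{pkt['proto']}/{pkt['dport']} from {pkt['in']} {pkt['state']} -> {verdict} by {where}"


if __name__ == "__main__":
    policy, rules = parse_listing(SAMPLE_LISTING)
    wan_ssh = {"proto": "tcp", "dport": 22, "in": "eth0", "state": "NEW"}
    lan_ssh = {"proto": "tcp", "dport": 22, "in": "br0", "state": "NEW"}
    wan_https = {"proto": "tcp", "dport": 443, "in": "eth0", "state": "NEW"}
    for pkt in (wan_ssh, lan_ssh, wan_https):
        print(explain(policy, rules, pkt))
```

Run against the constructed listing, the WAN SSH SYN falls through to the final catch-all DROP while the same SYN from `br0` is accepted by the "state NEW" rule well before the SSH rule is even reached; a port-443 SYN from the WAN is accepted by rule 2, which is the same shape as the router's working 8443 web access. On a real box the check is `iptables -L INPUT -v -n --line-numbers`, looking for the rule whose counter grows while the SSH attempts are made.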
Flash new firmware scheduled

Sadly, my last resort is to flash the ROM. I will wait until .44 comes out and flash it.

With everything default and all USB unplugged, I will try to enable SSH access from outside; if it works, I will slowly and step by step restore all the services that I had working, and I will include enough power off/on cycles to be sure to detect the dropping issue (if it reappears, of course). In that case, I will post here, for the curious, what combination of services/configs locked me out of SSH and lighttpd access from the outside, but not out of ping/webconfig and aria2 remote control.
Getting better

After flashing the new ROM, clearing nvram, unplugging the USB drive and still not being able to log in via SSH nor access https in lighttpd, I started to use the VPN, but it was not enough.

I tried something different. In port forwarding I added two rules from alien ports outside to the correct ports for SSH and https inside the router, and it worked.

In the past, I tried with and without port forwarding, using the same ports from outside to the inside... but with no success.

Now I have ownCloud (version 7) and SSH access to the router from outside back, without using the VPN.

:)