Connecting two separate WANs for Port Forwarding

[NeutralEagle]

Hello,

I have spent a lot of time researching and attempting to connect two routers, where one is connected with a public static IP, and the other by a static nonpublic IP. I need the router with nonpublic IP to be reachable from outside network permanently.

Configuration:

Site PUBLIC:
Router Asus AC66u running latest Merlin release (RT-AC66U_380.70_0)
Example external IP: 111.111.111.111
Router Internal IP: 192.168.1.1

Site PRIVATE:
Router TP-Link Archer C7 AC1750 v5 running latest OpenWRT (https://openwrt.org/toh/hwdata/tp-link/tp-link_archer_c7_v5)
Example external IP: 222.222.222.222
Router Internal IP: 192.168.2.1
Device that needs to be exposed to the internet: 192.168.2.200

PUBLIC accept outside connections to port 5555, and forward them to PRIVATE, which will forward them to a device on LAN.
Example: 111.111.111.111:5555 will be accepted by router in PRIVATE by a device in LAN 192.168.2.200:80

Could somebody please offer a step by step guide how to make this work or at least confirm if my attempts are possible? I am open to learning new things
I have local access to both these routers whenever needed, so setup can be made locally if required.

I have looked into reverse SSH tunneling which should by my opinion be very possible and is probably the best and most secure option. I have managed to create a reverse SSH tunnel between the two routers, but never managed to make the forwarding to work.

EDIT - Diagram:

 

[eibgrad]

You lost me. The router you call PRIVATE appears to have a public IP (222.222.222.222). So what makes this "private" in your eyes? I could understand if the PRIVATE router has a private external IP (e.g., 192.168.1.2) because its WAN is connected to a LAN port on the PUBLIC router. But I assume that's not the case. It appears that the PUBLIC router is doing a redirect back out to the other router w/ another public IP (222.222.222.222).

So you need to do a better job of explaining this config, because it's not clear. Perhaps add a diagram.

 

[NeutralEagle]

Hello and thank you for your reply.
I have added a diagram to the original post, which I hope should help explain this situation.

PUBLIC has a NAT 1:1 meaning it is accesible from the outside
PRIVATE has an unspecified NAT 1:X making it unaccessible from the outside

Both have static IPs, but only PUBLIC leads "directly" to the final router. PRIVATE would have to be port forwarded on ISPs side, which they have already denied, even for 1 port.

 

[abailey]

Is the Tunnel a VPN? If so then you should be able to port forward directly form the "Public" router to the endpoint. Example: 111.111.111.111:5555 forward directly to 192.168.2.200:80.
The public router should know the route. If not you might have to add a route statement telling it how to get to the 192.168.2 network.

I guess the real question is how do you have the tunnel set up.

 

[NeutralEagle]

Tunnel setup is the point of this thread. I have attempted to set it up(reverse SSH), but never got it to forward ports.
VPN is not a good solution for me as the end device would have to connect to the VPN just to check something. That is too many steps each connection and prevents things like home automation autofiring based on conditions remotely.

This is why I was looking for a reverse ssh tunnel. Thanks for spending time on this.

 

[eibgrad]

Thanks for the diagram.

I *think* I see where the confusions comes from. What you call the "public" network is actually just a NAT router with which you've mapped public IPs to devices on the *private* network behind that NAT router (NAT 1:1, aka one-to-one or static NAT). The other "private" router is just your typical NAT router, w/ a single public IP on the WAN.

In my parlance, those are both private networks, but one using NAT 1:1 and the other NAT 1:X. But I don't want to belabor the point. Just so long as I correctly understand the config. And I'm not even sure if it matters when it comes to solving this problem. It may be completely irrelevant.

 

[eibgrad]

On the face of it, I don't see why SSH wouldn't work. It might help if we saw the actual commands you created for each side. Otherwise we're just left to guess what may be the problem. And at this point, I'm not even sure you need *reverse* tunneling. Usually that's only necessary if the remote side has a firewall you don't control and can't otherwise penetrate (e.g., trying to access your PC at work through the corporate firewall).

Btw, something to beware of. SSH is notorious for being rather "unstable" when used 24/7. That's why autossh was invented. It monitors the SSH tunnel and rebuilds it should it fail. That's why SSH is better suited for short term or on-demand usage. Not saying you shouldn't use SSH, but just realize that you may have to consider something like autossh to keeps things running reliably. I also wouldn't consider SSH quite as secure as OpenVPN (whatever legitimate objections you may have to using it).