router connects to forwarded port 443 every 20 seconds

dakreepy1

Hi,
Yesterday I upgraded my ASUS router from an ac66u to an 87u, and so far I am seeing a connection from the router to my local machine happen every 20 seconds.

Some background:
I'm running an SSH server on my machine on port 443 and I am forwarding port 443 on the router to the local machine. With the old router, it was business as usual, but with the new router, when I forward 443 to 443 I keep seeing the router attempt a connection to port 443 on my machine every 20 seconds. If I disable the port 443 forward, the connections stop. I also tried forwarding port 22 to 443 on my local machine and I don't see the connections every 20 seconds.

Both routers are running the latest Merlin firmware and I've looked at logs on the 87u and so far I'm not finding anything at all. I do not have HTTPS enabled on the router for the admin page, so I'm a little puzzled here.

The issue is a little annoying since my SSH server software pops up a window on every connection attempt. The main reason for using port 443 is so that I can get through some restrictive firewalls that only allow 80 and 443 outbound.

If I had to guess, I'm thinking there is some sort of keepalive happening on the router checking 443, and when I forward the port those requests get sent over to my machine, but that is just a guess. It would be nice to figure this one out; other than this, everything seems to be working great with the Merlin firmware.
 
It's not your router connecting to your SSH server, it's some random person on the Internet trying to connect to your IP's port 443, wondering if you are hosting a website.
 
Hi Merlin, first thanks for the reply and the great firmware!

I was thinking the same, but the popups show me the originating IP address and I see that it is my router's IP of 192.168.1.1. I do have random people on the internet connecting as well as search spiders, but those will always show a public IP address and a client connection string. I just checked and so far it seems like the connection attempts have stopped a little over an hour before posting this reply. Prior to that I see those attempted connections for a good 4 hours every 20 minutes in my SSH logs. I'm not sure if maybe someone is spoofing a private IP as the source connecting to my public IP which is getting forwarded, but I guess I'll find out eventually. Also, I never saw this happen with my old ac66u router ever. It is now really a mystery since it has stopped. I'll see if it happens again and hopefully I can grab a netstat output to see if the connection is listed in the output. I'm not sure what else to check if it starts up again...
 
So perhaps it may not be coming from the internet at all. I just tried an SSH app on my phone while connected to my wireless but using my public DNS name, and behold! It did not use my phone's private IP as the originating address but instead used my router's IP address as the originating host. So I think there is some machine on my network connecting to my router's public IP on port 443 and getting NAT'd using the router's IP as the source. I currently have my NAT loopback mode as Merlin, but when I was troubleshooting this earlier I tried the ASUS one and got the same results. If it starts up again, I'll see if disabling the NAT loopback will stop the connections.
 

Some security/antivirus suites will scan port 443. That's where I would look first.
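
An added example, not part of any post in this thread: with NAT loopback the SSH server only ever sees the router's address (192.168.1.1), but the router's connection-tracking table still records the real LAN client in the original direction of each flow. The sketch below assumes the router exposes the standard Linux `/proc/net/nf_conntrack` text format; the sample entries are constructed, and every address in them other than 192.168.1.1 is a placeholder.

```python
import re
from collections import defaultdict

ROUTER_LAN_IP = "192.168.1.1"   # router address reported in the thread
FORWARDED_PORT = "443"          # port forwarded in the thread

# Constructed sample in /proc/net/nf_conntrack format. Placeholders: 203.0.113.7
# (WAN address), 192.168.1.10 (SSH server), 192.168.1.50 (LAN client),
# 198.51.100.23 (internet client), 198.51.100.80 (unrelated web server).
SAMPLE = """\
ipv4     2 tcp      6 115 TIME_WAIT src=192.168.1.50 dst=203.0.113.7 sport=51234 dport=443 src=192.168.1.10 dst=192.168.1.1 sport=443 dport=51234 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 95 TIME_WAIT src=192.168.1.50 dst=203.0.113.7 sport=51240 dport=443 src=192.168.1.10 dst=192.168.1.1 sport=443 dport=51240 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431990 ESTABLISHED src=198.51.100.23 dst=203.0.113.7 sport=40022 dport=443 src=192.168.1.10 dst=198.51.100.23 sport=443 dport=40022 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 300 ESTABLISHED src=192.168.1.50 dst=198.51.100.80 sport=51300 dport=443 src=198.51.100.80 dst=203.0.113.7 sport=443 dport=51300 [ASSURED] mark=0 use=2
"""

FIELD = re.compile(r"\b(src|dst|sport|dport)=(\S+)")

def parse_entry(line):
    """Return (original, reply) tuples as dicts, or None if the line is malformed."""
    pairs = FIELD.findall(line)
    if len(pairs) < 8:
        return None
    return dict(pairs[:4]), dict(pairs[4:8])

def hairpinned_clients(text, router_ip=ROUTER_LAN_IP, port=FORWARDED_PORT):
    """Map each real LAN client to the servers it reached via NAT loopback."""
    found = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        orig, reply = parsed
        # Loopback signature: the forwarded port was the target, and the reply
        # is addressed to the router itself because the source was rewritten.
        if orig["dport"] == port and reply["dst"] == router_ip and orig["src"] != router_ip:
            found[orig["src"]].add(reply["src"])
    return {client: sorted(servers) for client, servers in found.items()}

if __name__ == "__main__":
    for client, servers in hairpinned_clients(SAMPLE).items():
        print(f"{client} -> {', '.join(servers)} (seen by the server as {ROUTER_LAN_IP})")
```

Entries whose reply is addressed to a public address (ordinary inbound port forwards) or to the WAN address (ordinary outbound traffic) are ignored, so only looped-back LAN clients are reported.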
 
