SSH WAN Access with Statip IP IPTV: Probable bug report and solution patch

[Juglar]

Hi:

I post this here, instead of in the originating thread, for visibility.

In my previous post #13 of thread "Can't access with SSH from the WAN my Asus AC68 with FW 380.64_2", post #13 ("Juglar, post: 323517, member: 53001", please, could anybody teach me how to link here another thread's post?), I located a probable bug in recent Merlin versions:

The problem is that, if I configure "Static IP" for "WAN Connection Type" (and, then, fill-in all the required IPs) , a connection through SSH from the WAN cannot be stablished. However, if I configure there "Automatic IP" (and leave everything else the same) the connection is stablished and working well.

( https://www.snbforums.com/threads/c...asus-ac68-with-fw-380-64_2.38922/#post-323517 )

Investigating further, I've found the difference in the iptables INPUT chain between Auto IP and Static IP:

For AutoIP (correct), the rule is:

0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:12345

For Static IP (wrong), the rule is:

0 0 ACCEPT tcp -- vlan2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:12345

To patch-correct it, it is enough to execute (better including it in the firewall-start user script in "/jffs/scripts/firewall-start") the following shell command:

iptables -I INPUT 12 -i ppp0 -p tcp --dport 12345 -j ACCEPT

(the 12 makes it insert the new rule little before the wrong line, 14 in my current configuration case, but it could be different depending on the specific router configuration. You can find it with "iptables -vnL INPUT" ).

Doing that, SSH can be accessed from WAN even with Static IP IPTV.

The main annoyance is that it uses a fix port number (the 12345 written is not my real one, of course), but should use the one configured on the Webgui. For me, it's not so worrying, as I don't change it offten.

But I firmly propose to solve this in the FW, if it is possible to do it in Merlin.

Thanks,

Juglar

 

[RMerlin]

Your provider is using either PPPoE or Static routed - it cannot be both. If it uses PPPoE, then you should not use Static. That's why Static does not use the ppp0 interface (which shouldn't even exist then).

 

[Juglar]

Your provider is using either PPPoE or Static routed - it cannot be both. If it uses PPPoE, then you should not use Static. That's why Static does not use the ppp0 interface (which shouldn't even exist then).

My provider is Movistar, the biggest one in Spain. So, the configuration would be the most widely used in Spain for customers with IPTV (service called "Movistar +") , like me. Asus made an appreciable effort to incorporate the service to their routers and it is so advertised in Spain (actually, that is how I decided to by their AC68U).

My ppp0 interface DOES exist (if not, the patch contributed would not work, and it truely does).

I think the confusion might come from there being two different "WAN Connection Type" fields in the settings:

For the first one, under WAN/Internet Connection, I have set "PPPoE" and, little below, for "Get the WAN IP automatically", I have "Yes". So, yes, I have PPPoE with automatic WAN IP address.

For the second one, under LAN/IPTV/"Select ISP Profile", I have set "Movistar Triple VLAN". There, clicking the button "IPTV Connection", a window pops up, titled "IPTV Connection Settings", with another "WAN Connection Type" field: it is in this field where I NEED to set "Static IP" (and fill-in with my IPTV static address, assigned to me by my provider), to be able to watch IPTV. I suppose it refers to the IPTV IP address asignment, inside the IPTV VLAN. It is this one which currently makes SSH accessible from the WAN when configured as "Automatic IP", but not when as "Static IP", which is the one needed.

Please, don't doubt to tell me if you think I can help you investigating this.

Thanks,

Juglar