can't ssh from host to remote

Gilbert T. Gutierrez, Jr. mailing-lists at phoenixinternet.net
Mon Jul 21 14:04:42 MST 2014


Mike, what I was trying to walk you through is outlined on several web 
pages if you do a search. I have included one of those links for your 
convenience. Your provided modem/router (router 1) uses either DSL or 
Cable for its WAN/Internet port. I would heavily suggest against you 
making any changes to router 1. SOHO routers typically have a cluster of 
ports which can be lumped together under the title LAN. Most SOHO 
routers will have a port off the side from that grouping to help you 
distinguish the fact that it is the WAN/Internet port.

http://library.techguy.org/wiki/Connecting_two_SOHO_broadband_routers_together

Gilbert


On 7/20/2014 8:19 PM, Michael Havens wrote:
> there is my problem..... I can't get into the settings page of the 
> extra router. hmmmm. I tried lynx from the computer w/o (one of the 
> computers connected to it) the gui and now it is asking for login 
> credentials.... I wonder what they are? found it! Okay... well lynx is 
> useless with this!
>
> Goofy me..... I can use my brother's computer (which is connected to 
> the router in question). There is a setting for DHCP Server.... I'll 
> disable that!
> As for setting it to bridge mode...
> I think there is one setting it might be: a choice in the operating 
> mode between "Gateway" and "Router"
>
> Thanks for letting me know about the LAN ports.
>
> :-)~MIKE~(-:
>
>
> On Sun, Jul 20, 2014 at 6:47 PM, sean <sean.a.ritzler at gmail.com 
> <mailto:sean.a.ritzler at gmail.com>> wrote:
>
>     You don't have to change the firmware. Just make your extra wireless
>     device a wireless bridge + ethernet switch without DHCP. Problem
>     solved. By the way, those 4 ports ARE the LAN ports.
>
>     On Sun, Jul 20, 2014 at 6:44 PM, Michael Havens <bmike1 at gmail.com
>     <mailto:bmike1 at gmail.com>> wrote:
>     > cool.... apparently if I do the firmware upgrade I'll be able to
>     receive as
>     > well as send.
>     >
>     > :-)~MIKE~(-:
>     >
>     >
>     > On Sun, Jul 20, 2014 at 6:17 PM, Michael Havens
>     <bmike1 at gmail.com <mailto:bmike1 at gmail.com>> wrote:
>     >>
>     >> I think I should give you the models of my devices:
>     >> the router is a wrt54g and the modem is a pk5000. I did a
>     little more
>     >> searching and read that I can change the firmware on the router
>     but if
>     >> memory is correct if I screw up it becomes a brick so I need to
>     ask what the
>     >> benefits are and if there is another way to do it. I just
>     looked closely at
>     >> the router and it is labled as a wireless router and a 4 port
>     switch.
>     >>
>     >> :-)~MIKE~(-:
>     >>
>     >>
>     >> On Sat, Jul 19, 2014 at 11:39 AM, Michael Havens
>     <bmike1 at gmail.com <mailto:bmike1 at gmail.com>> wrote:
>     >>>
>     >>> >Why were rules written for the second router but not the first?
>     >>> >Is it because it was connected first? Could we write the
>     rules we need?
>     >>>
>     >>> What I meant was the second was connected to the first.
>     >>>
>     >>>
>     >>> :-)~MIKE~(-:
>     >>>
>     >>>
>     >>> On Sat, Jul 19, 2014 at 11:31 AM, Michael Havens
>     <bmike1 at gmail.com <mailto:bmike1 at gmail.com>>
>     >>> wrote:
>     >>>>
>     >>>> > Going the other way, you have no rules to pass
>     >>>> > the communication through.
>     >>>>
>     >>>> Why were rules written for the second router but not the
>     first? Is it
>     >>>> because it was connected first? Could we write the rules we need?
>     >>>>
>     >>>>
>     >>>> :-)~MIKE~(-:
>     >>>>
>     >>>>
>     >>>> On Fri, Jul 18, 2014 at 3:34 PM, Gilbert T. Gutierrez, Jr.
>     >>>> <mailing-lists at phoenixinternet.net
>     <mailto:mailing-lists at phoenixinternet.net>> wrote:
>     >>>>>
>     >>>>> NAT is the reason. The ping is being translated from one
>     network to
>     >>>>> another as well as telnet. Going the other way, you have no
>     rules to pass
>     >>>>> the communication through.
>     >>>>>
>     >>>>> Gilbert
>     >>>>>
>     >>>>>
>     >>>>> On 7/18/2014 2:44 PM, Michael Havens wrote:
>     >>>>>
>     >>>>> so according to your tutorial 192.168.0.x is not on the same
>     subnet as
>     >>>>> 192.168.1.x. If that is correct why can I ssh (and ping and
>     telnet....) from
>     >>>>> client to host but not host to client?
>     >>>>>
>     >>>>> :-)~MIKE~(-:
>     >>>>>
>     >>>>>
>     >>>>> On Fri, Jul 18, 2014 at 12:30 PM, Michael Havens
>     <bmike1 at gmail.com <mailto:bmike1 at gmail.com>>
>     >>>>> wrote:
>     >>>>>>
>     >>>>>> telnet localhost 22 from the server received no answer from
>     the client
>     >>>>>> telnet 192.168.1.101 22 from the client received no answer
>     from the
>     >>>>>> server
>     >>>>>>
>     >>>>>> I'll get back to you about the research project
>     >>>>>>  (and as a private message)
>     >>>>>>
>     >>>>>> :-)~MIKE~(-:
>     >>>>>>
>     >>>>>>
>     >>>>>> On Fri, Jul 18, 2014 at 6:41 AM, <kitepilot at kitepilot.com
>     <mailto:kitepilot at kitepilot.com>> wrote:
>     >>>>>>>
>     >>>>>>> Hello Michael:
>     >>>>>>> the 'Net' is a hodgepodge of protocols, all abiding to the
>     'OSI Layer
>     >>>>>>> Model' to work properly
>     (http://en.wikipedia.org/wiki/OSI_model).
>     >>>>>>> Troubleshooting your SSH connection should be a fairly simple
>     >>>>>>> proposition, because there are only so many moving parts
>     (Three!).
>     >>>>>>> As anything under the OSI model, nothing on an upper layer
>     will work
>     >>>>>>> unless the necessary components of the lower layer are
>     working.
>     >>>>>>> AND you *HAVE* to troubleshoot each layer separately.
>     >>>>>>> So how does this go?
>     >>>>>>> Well, lets take a look at your SSH problem...
>     >>>>>>> 1.- In order for the SSH connection to work you need 3 things:
>     >>>>>>> 1.1.- a SSH server,
>     >>>>>>> 1.2.- a SSH client and,
>     >>>>>>> 1.3.- a TCP/IP connection.
>     >>>>>>> *EACH* one of the lines above is a separate project and
>     *HAS* to be
>     >>>>>>> addressed as such.
>     >>>>>>> Lets cover the basics first, the TCP/IP connection:
>     >>>>>>> You *HAVE* to *KNOW* The Mantra:
>     >>>>>>> "In order for any 2 devices to establish a TCP connection
>     they have
>     >>>>>>> to share a physical link and they need addresses in the
>     same subnet".
>     >>>>>>> The statement above is a pretty dense one, and has several
>     >>>>>>> implications, number one being: What does "subnet" mean?
>     >>>>>>> Another is: what about IPs in different subnets?
>     >>>>>>> We'll get there...
>     >>>>>>> As there are already several books written (and to be
>     written) about
>     >>>>>>> the few lines above, I'll water it down to the bare minimum:
>     >>>>>>> The subnet is defined via the netmask, and implies that
>     "ON" parts of
>     >>>>>>> the netmask are always equal in all the addresses on a
>     network segment, so:
>     >>>>>>> Network:
>     >>>>>>> 192.168.0.0/24 <http://192.168.0.0/24> or
>     >>>>>>> 192.168.0.0 with netmask 255.255.255.0 means that
>     >>>>>>> *ALL* the addresses in *THIS* network are going to look like
>     >>>>>>> 192.168.0.${SOMETHING_ELSE}
>     >>>>>>> '192.168.0' is the "Network", and "${SOMETHING_ELSE}" is
>     the "Host".
>     >>>>>>> You can not use "Host 0" (because that defines the
>     network) and you
>     >>>>>>> can not use the highest number (255) because that's the
>     'broadcast address'.
>     >>>>>>> Which means that any '/24" (slash 24) network can address 254
>     >>>>>>> 'hosts'.
>     >>>>>>> Network:
>     >>>>>>> 192.168.0.0/16 <http://192.168.0.0/16> or
>     >>>>>>> 192.168.0.0 with netmask 255.255.0.0 means that
>     >>>>>>> *ALL* the addresses in *THIS* network are going to look like
>     >>>>>>> 192.168.${SOMETHING_ELSE}.${SOMETHING_ELSE}
>     >>>>>>> '192.168' is the "Network", and
>     "${SOMETHING_ELSE}.${SOMETHING_ELSE}"
>     >>>>>>> is the "Host".
>     >>>>>>> You can not use "Host 0.0" (because that defines the
>     network) and you
>     >>>>>>> can not use the highest number (255.255) because that's
>     the 'broadcast
>     >>>>>>> address'.
>     >>>>>>> Which means that any '/16" (slash 16) network can address
>     65534
>     >>>>>>> 'hosts'.
>     >>>>>>> The reason why '255' is the highest number is because IPv4
>     addresses
>     >>>>>>> (and netmasks) are represented in memory in 4 bytes, each
>     number one byte.
>     >>>>>>> Bytes are 8 bits, but that's a different book that you
>     need to read
>     >>>>>>> too, lets move on with the network.
>     >>>>>>> Things get pretty interesting (and math pretty convoluted)
>     when you
>     >>>>>>> define networks like 192.168.127.0/25
>     <http://192.168.127.0/25>
>     >>>>>>> If yo want to see all variations, you can be lazy (like
>     me) and run:
>     >>>>>>> ipcalc 192.168.0.127/25 <http://192.168.0.127/25>
>     >>>>>>> Finally, "Netmasks" are a patch to the first defined (and
>     >>>>>>> shortsighted) 'Address Type' as class A,B,C or D, but I'll
>     let you research
>     >>>>>>> that yourself.
>     >>>>>>>
>     >>>>>>> Well, that's all good, but how do you talk to other
>     addresses?, I
>     >>>>>>> talk to google.com...
>     >>>>>>> That's a valid question, but
>     >>>>>>> 1.- it is not part of *THIS* SSH problem and
>     >>>>>>> 2.- you don't 'talk to google'.
>     >>>>>>> We'll talk more about how devices find each other in a
>     network down
>     >>>>>>> below, but in order to talk to devices outside your
>     network you need the
>     >>>>>>> 'Routing Protocol' (implemented at [SURPRISE!] 'the
>     router') which is
>     >>>>>>> nothing else than a table of rules stating 'this IP goes
>     that way'.  In your
>     >>>>>>> case, all addresses go the same place (the router) so the
>     router becomes the
>     >>>>>>> 'Default Gateway'.  As to resolve google, you need the
>     DNS, but you knew
>     >>>>>>> that...   :)
>     >>>>>>>
>     >>>>>>> Now that we know what an IP address is, lets move on to
>     the "Physical
>     >>>>>>> Link".
>     >>>>>>> Well, a cable will do...
>     >>>>>>> In the wireless world, the "Association" is the link.
>     >>>>>>> And how do you validate that?
>     >>>>>>> iwconfig will tell you what (if anything) you are
>     associated to.  No
>     >>>>>>> association, no link, no connection, no SSH.
>     >>>>>>> ifconfig will tell you what (if anything) you are wired
>     to.  No wire,
>     >>>>>>> no link, no connection, no SSH.
>     >>>>>>> Ain't that simple?   ;-)
>     >>>>>>> So we have a link...
>     >>>>>>> And we have IP addresses in the same subnet.
>     >>>>>>> So we are connected!!! 8-)
>     >>>>>>> Not so fast Armando!!!
>     >>>>>>> The fact that your addresses match is not necessarily a
>     validation,
>     >>>>>>> because each computer may be connected to a different
>     router providing the
>     >>>>>>> same NAT(ed) address!
>     >>>>>>> NAT?
>     >>>>>>> Yes NAT (Network Address Translation protocol), but that's yet
>     >>>>>>> another book, so lets water it down:
>     >>>>>>> NAT is the protocol that allows you to have an 'outside
>     visible
>     >>>>>>> address' and an 'inside invisible network' in a router.
>     >>>>>>> NAT (as Netmask) was implemented mainly to alleviate the IPv4
>     >>>>>>> shortage address because of the 'class A,B,C or D'
>     mistake, but as a
>     >>>>>>> byproduct, you can 'hide' behind it, which provides some
>     level of security.
>     >>>>>>> How you hide is yet another bookshelf and essentially
>     means that you cannot
>     >>>>>>> access devices 'behind the router' unless the device
>     initiates the
>     >>>>>>> connection first, and that's how you raise a WEB site from
>     'behind the
>     >>>>>>> router' and why you can SSH from 'inside to outside the
>     router' but not the
>     >>>>>>> other way around, so lets move on...
>     >>>>>>> So, how do we know that we are connected to the same router?
>     >>>>>>> Ah, glad you asked:
>     >>>>>>> ARP!
>     >>>>>>> Or Address Resolution Protocol.
>     >>>>>>> *ALL* data transmission is done at OSI layer 2.
>     >>>>>>> Quick implementation manual:
>     >>>>>>> OSI layer 1: Cable or association.
>     >>>>>>> OSI layer 2: MAC address.
>     >>>>>>> OSI layer 3: IP address.
>     >>>>>>> Your network doesn't know (and doesn't care) about IP
>     addresses.  The
>     >>>>>>> IP address is there to resolve the MAC address.
>     >>>>>>> When you say:
>     >>>>>>> ping 192.168.0.1
>     >>>>>>> that generates a 'who has' request from the ARP protocol.
>     >>>>>>> That request is broadcasted to anyone on the physical link
>     (OSI layer
>     >>>>>>> 1)
>     >>>>>>> The device with the IP address interrogated by 'who has'
>     answers with
>     >>>>>>> its MAC address.
>     >>>>>>> This IP/MAC address pair is then saved to the ARP table.
>     >>>>>>> >From there on (and even though the IP address goes along
>     in the
>     >>>>>>> TCP/IP header) all transmissions are sent to the MAC address.
>     >>>>>>> But then again, how do you know that your 2 boxes are
>     talking to the
>     >>>>>>> same router?
>     >>>>>>> arp -n|grep 192.168.1.1
>     >>>>>>> Same MAC?
>     >>>>>>> Same box.
>     >>>>>>> Different MAC?
>     >>>>>>> Same Michael...   ;-)
>     >>>>>>> What do we know so far?
>     >>>>>>> Well, we know something about line 3 of the very first
>     paragraph.
>     >>>>>>> What about line 2?
>     >>>>>>> Type
>     >>>>>>> which ssh
>     >>>>>>> You have it or not, and you know what to do, so lets move
>     to line 1.
>     >>>>>>> We now need to troubleshoot the SSH server.
>     >>>>>>> Well, that boils down to 2 things, it is working or not...
>     >>>>>>> You *KNOW* that the SSH server is 'listening' (although not
>     >>>>>>> necessarily working) when you can connect to the 'port'
>     >>>>>>> Port?
>     >>>>>>> Yeah, port...
>     >>>>>>> Lets move on up in the OSI model to the application layer.
>     >>>>>>> In order to establish a TCP connection you need an IP
>     connection and
>     >>>>>>> a port (or a socket and a port)
>     >>>>>>> The port is to the application what the IP address is to
>     the MAC.
>     >>>>>>> So if the port is listening, the application is awake.
>     >>>>>>> And how do we know?
>     >>>>>>> There are only 975143684 possible ways to validate a 'port
>     is open'
>     >>>>>>> (or listening) but I am a simple boring guy, so I do:
>     >>>>>>> telnet localhost 22
>     >>>>>>> I either get an answer or not.
>     >>>>>>> If I get an answer, then we are most likely all good, but
>     if I don't
>     >>>>>>> get an answer then the ramifications are staggering and
>     I'm not even going
>     >>>>>>> to think about it.
>     >>>>>>> In order to check that the other port listens then you:
>     >>>>>>> telnet ${REMOTE} 22
>     >>>>>>> Again, we either get an answer or not.  And the 'not'
>     means another
>     >>>>>>> Sunday drive to the library...
>     >>>>>>> Finally, why 22?
>     >>>>>>> Because that's the SSH port and it is defined in the
>     configuration
>     >>>>>>> file, which you can change to further complicate your (or
>     someone else's)
>     >>>>>>> life.
>     >>>>>>> But who and where defined 22 as the SSH port?
>     >>>>>>> grep -i ssh /etc/services
>     >>>>>>> And who wrote /etc/services?
>     >>>>>>> http://www.iana.org/
>     >>>>>>> And how do I know all this crap?
>     >>>>>>> Because I finished LFS!!!!    ;-)
>     >>>>>>> I hope you see everything now as clear as mud.
>     >>>>>>> Keep this message handy, you'll need to read it several
>     times...
>     >>>>>>> Keep in mind that what I have written here is a GROSS
>     >>>>>>> oversimplification of several bookshelves contained in
>     several buildings and
>     >>>>>>> written along several decades all over the World, it's
>     free advice, you
>     >>>>>>> can't sue me...   :)
>     >>>>>>> And always remember:
>     >>>>>>> For every question there exists a simple, direct and wrong
>     answer.
>     >>>>>>> if you have any question,
>     >>>>>>> you will get any answer...
>     >>>>>>> ET
>     >>>>>>> PS: Research project:
>     >>>>>>> Why doesn't 'ping' use a port?
>     >>>>>>> Why is 'ping' 'setuid(ed)'
>     >>>>>>> What are 'routable' networks?
>     >>>>>>> What are 'non-routable' networks?
>     >>>>>>> What does it mean if you get and IP address like
>     169.254.0.0/16 <http://169.254.0.0/16>
>     >>>>>>> Why do you always have a 127.0.0.1 address in your boxes?
>     >>>>>>> Who defines (and where are the documents that define) all
>     these
>     >>>>>>> protocols? (RFC anyone?)
>     >>>>>>>
>     >>>>>>>
>     >>>>>>> Michael Havens writes:
>     >>>>>>>>
>     >>>>>>>> okay, so I bought a used computer to do Linux from
>     scratch on. Well,
>     >>>>>>>> I'm
>     >>>>>>>> going to ssh from my primary computer to the new computer
>     but got a
>     >>>>>>>> 'Connection timed out' error. After googling for a bit I
>     discovered
>     >>>>>>>> ufw was
>     >>>>>>>> to blame.
>     >>>>>>>> after I disabled the firewall I could ssh from 192.168.1.101
>     >>>>>>>> <parasite> to
>     >>>>>>>> 192.168.0.4 <host>
>     >>>>>>>> the error I got going the other way was the connection
>     timed out
>     >>>>>>>> error:
>     >>>>>>>> ssh mike at 192.168.1.101 <mailto:mike at 192.168.1.101>
>     >>>>>>>> ssh: connect to host 192.168.1.101 port 22: Connection
>     timed out
>     >>>>>>>> After googling some more I thought perhaps openssh-server
>     wasn't
>     >>>>>>>> installed... but it is. So please.... what is the
>     problem? I verifed
>     >>>>>>>> openssh-client is installed but I don't know what it
>     could be. Could
>     >>>>>>>> you
>     >>>>>>>> help me out?
>     >>>>>>>> :-)~MIKE~(-:
>     >>>>>>>
>     >>>>>>> ---------------------------------------------------
>     >>>>>>> PLUG-discuss mailing list -
>     PLUG-discuss at lists.phxlinux.org
>     <mailto:PLUG-discuss at lists.phxlinux.org>
>     >>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>     >>>>>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>     >>>>>>
>     >>>>>>
>     >>>>>
>     >>>>>
>     >>>>>
>     >>>>> ---------------------------------------------------
>     >>>>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>     <mailto:PLUG-discuss at lists.phxlinux.org>
>     >>>>> To subscribe, unsubscribe, or to change your mail settings:
>     >>>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>     >>>>>
>     >>>>>
>     >>>>>
>     >>>>> ---------------------------------------------------
>     >>>>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>     <mailto:PLUG-discuss at lists.phxlinux.org>
>     >>>>> To subscribe, unsubscribe, or to change your mail settings:
>     >>>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>     >>>>
>     >>>>
>     >>>
>     >>
>     >
>     >
>     > ---------------------------------------------------
>     > PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>     <mailto:PLUG-discuss at lists.phxlinux.org>
>     > To subscribe, unsubscribe, or to change your mail settings:
>     > http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>     ---------------------------------------------------
>     PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>     <mailto:PLUG-discuss at lists.phxlinux.org>
>     To subscribe, unsubscribe, or to change your mail settings:
>     http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>
>
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.phxlinux.org/pipermail/plug-discuss/attachments/20140721/346676e7/attachment.html>


More information about the PLUG-discuss mailing list