Port Forward / Manual Config change

davereid
Posts: 12
Joined: Sun Jun 05, 2016 8:20 am

Port Forward / Manual Config change

Post by davereid »

Hi All,
I have been working on creating a tunnel out of a corp network using port 443 and connecting over the internet to my OpenSSH server (with a Gargoyle router in front of it) on port 443 (and then tunnelling back, but that's irrelevant at the moment).

I changed my management port in the router from HTTPS on port 443 to port 444 and set up a port forward rule in the GUI to point to the right internal address.

After significant time trying I couldn't get a connection, but I could see it leave the corporate network and get rejected, without any information in the log of the router.

I have checked the /etc/config/firewall config file through SSH on the router and found that, even though I changed the remote access port from 443 to 444, the 443 entry still remained in the config.

config remote_accept 'ra_443_443'
	option local_port '443'
	option remote_port '443'
	option proto 'tcp'
	option zone 'wan'

but it also created, directly below it, the changed details.

config remote_accept 'ra_444_444'
	option local_port '444'
	option remote_port '444'
	option proto 'tcp'
	option zone 'wan'

This is the same for the config remote_accept 'ra_80_80'. I want this on a different port and it's in the config twice: once as the old and once as the new config.

I went through and commented out each line I didn't want in these rules:

#config remote_accept 'ra_443_443'
#	option local_port '443'
#	option remote_port '443'
#	option proto 'tcp'
#	option zone 'wan'

and ran /etc/init.d/firewall restart

This instantly started working for me with my tunnelling.

What concerns me is not that it's not working, but:
  1. Is commenting the rule out going to break anything else? It doesn't appear to have just yet.
  2. Why did it leave behind the old config at all after it was changed in the GUI?
Thanks
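To check a Gargoyle/OpenWrt firewall file for exactly this kind of leftover before hand-editing it, here is an added example script; it is not code from the thread, from Gargoyle or from OpenWrt. It embeds a constructed copy of the duplicated sections shown above plus an assumed redirect section for the port forward, with a documentation-range LAN address as a placeholder; the function names sample_firewall_config and audit_firewall_config are mine. It reports every WAN port claimed by both a remote_accept section (the router's own remote-access entries, as in the config above) and a redirect section (traffic forwarded to a LAN host):

```shell
#!/bin/sh
# Added example, not code from the thread or from Gargoyle/OpenWrt: audit a
# UCI firewall file for a remote_accept section that sits on the same WAN
# port as a redirect (port forward), the leftover pattern described above.

# Constructed sample config mirroring the thread: the stale ra_443_443 entry
# was left beside the new ra_444_444 one, and a forward for WAN 443 exists.
# The LAN address is a documentation-range placeholder, not a real host.
sample_firewall_config() {
	cat <<'EOF'
config remote_accept 'ra_443_443'
	option local_port '443'
	option remote_port '443'
	option proto 'tcp'
	option zone 'wan'

config remote_accept 'ra_444_444'
	option local_port '444'
	option remote_port '444'
	option proto 'tcp'
	option zone 'wan'

config redirect
	option src 'wan'
	option src_dport '443'
	option dest 'lan'
	option dest_ip '192.0.2.10'
	option dest_port '443'
	option proto 'tcp'
EOF
}

# audit_firewall_config FILE
# Prints one "CONFLICT port=... remote_accept=... redirect=..." line per port
# that is claimed by both a remote_accept and a redirect section. Lines
# commented out with '#' are skipped, as UCI skips them. Values are assumed
# to be single-quoted and free of whitespace, as in the sections above.
audit_firewall_config() {
	awk '
	# Record the section just finished, keyed by the WAN port it claims.
	function flush() {
		if (type == "remote_accept" && ("local_port" in opt))
			ra[opt["local_port"]] = name
		else if (type == "redirect" && ("src_dport" in opt))
			rd[opt["src_dport"]] = (name == "" ? "(anonymous)" : name)
		type = ""; name = ""; split("", opt)
	}
	$1 == "config" {          # new section: type and optional quoted name
		flush()
		type = $2; name = $3; gsub("\047", "", name)
		next
	}
	$1 == "option" {          # option key value  ->  opt[key] = value
		v = $3; gsub("\047", "", v); opt[$2] = v
	}
	END {
		flush()
		for (p in ra) {
			if (p in rd)
				printf "CONFLICT port=%s remote_accept=%s redirect=%s\n", p, ra[p], rd[p]
		}
	}' "$1" | sort
}

# Run the audit over the constructed sample when executed as a script.
tmp=$(mktemp) || exit 1
sample_firewall_config > "$tmp"
audit_firewall_config "$tmp"
rm -f "$tmp"
```

On the constructed sample this prints a single CONFLICT line for port 443, naming ra_443_443 and the anonymous redirect; pointing audit_firewall_config at /etc/config/firewall on the router lists the same kind of collision in a live config. Once the stale section is removed or commented out, the script reports nothing for that port.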

ispyisail
Moderator
Posts: 5185
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: Port Forward / Manual Config change

Post by ispyisail »

I'm working on a similar problem: a corp network can use deep packet inspection and block OpenVPN.

But you/we might have better luck with "stunnel"

https://www.datenzone.de/blog/2012/01/i ... n-openwrt/

ispyisail
Moderator
Posts: 5185
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: Port Forward / Manual Config change

Post by ispyisail »

Re-read your post.

Failsafe reset or reflash your router.

The config can get corrupt, especially OpenVPN.

When it's up and running it's rock solid.

Lantis
Moderator
Posts: 6753
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Port Forward / Manual Config change

Post by Lantis »

I'll also chime in that you should be using the gargoyle firewall restart scripts, not the init.d ones.
http://lantisproject.com/downloads/gargoyle_ispyisail.php for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.

davereid
Posts: 12
Joined: Sun Jun 05, 2016 8:20 am

Re: Port Forward / Manual Config change

Post by davereid »

Thanks all for your responses:
Lantis wrote: I'll also chime in that you should be using the gargoyle firewall restart scripts, not the init.d ones.

OK, I will do in future, thank you.

ispyisail wrote: Re-read your post.

Failsafe reset or reflash your router.

The config can get corrupt, especially OpenVPN.

When it's up and running it's rock solid.

Thanks. I'm not using OpenVPN though, I'm using OpenSSH (minor difference, I know..). Do you think the config is becoming / is currently corrupt?

ispyisail wrote: I'm working on a similar problem: a corp network can use deep packet inspection and block OpenVPN.

But you/we might have better luck with "stunnel"

https://www.datenzone.de/blog/2012/01/i ... n-openwrt/

Well yes, that's also an issue: the traffic is getting identified as SSH and that is on the forbidden apps list :) but this is more about the actual setup rather than the obfuscation :D