By ana (Thu May 11, 2006 at 06:39:53 AM EST) WFC, Writing Fun Challenge, networking, Ask Husi, fun loving cowwqas.
But first, go read the Writing Fun Challenge stories, and vote, before the end of the upcoming weekend.

And now, on with the home networking query.

One thing more: the spellchecker doesn't like cowwqas.

OK, so I have a setup that I think is fairly common. We have DSL at home, and attached to the DSL modem is a Linksys wireless router (model # BEFW11S4, and I've RdTFM). The home network consists of:
  • giggles, an Ubuntu (Breezy Badger) linux machine hardwired to the router
  • fray, an iMac running MacOS 10.4.something
  • oldturtle, an ancient creaky Windows machine, running XP, and hosting an HP printer
  • irving and farley, two iBooks, running MacOS 10.4.x and 10.3.x respectively.
  • miscellaneous kitchen appliances, vacuum cleaners, and cats, who mostly ignore the network

Objective: I'd like to be able to ssh in to the machines (or a machine) on the internal home network, and (perhaps) host a modest website. It may be that the website yen can be satisfied by, and so that's not all that important for now.

The internal machines are running DHCP, getting mostly stable 192.168.*.* addys from the router as needed. The router in turn gets a DHCP IP addy from verizon that changes from time to time. I've registered a domain with (and should set up a cron job to keep it current, but haven't yet).

So far, I've found the port-forwarding thing on the linksys router, and set it up to forward port 22, which IANA assures me is used by ssh, to an internal addy which as of this morning was claimed by fray.

I've tried ssh-ing around the internal network, and that seems to work, once I figure out the IP addys du jour. I installed avahi on giggles, which helps with that.

Today's experiment, if you're still reading, was to ssh in from a machine at work. Result: timeout. Perhaps I should verify the dyndns addy is correct, but this is the same thing that's happened before.

Possible actions I've thought of so far:

  • Figure out how to assign a static IP addy to at least the desktop machines, so the port forwarding thing can work reliably.
  • Perhaps put either giggles or fray in the DMZ, relying on its internal firewalling instead of the router's.
  • Ask husi. Hence this diary.

Any advice?

Ask Husi | 27 comments (27 topical, 0 hidden)
Are you sure port 22 is open at work? by DesiredUsername (2.00 / 0) #1 Thu May 11, 2006 at 06:44:44 AM EST
Or is that what the port-forwarding is about--80->22?

Now accepting suggestions for a new sigline
I can ssh out, by ana (2.00 / 0) #2 Thu May 11, 2006 at 06:49:25 AM EST
yes, on whatever the default port is (presumably 22).

Can you introspect out loud? --CRwM

I can also by ana (2.00 / 0) #3 Thu May 11, 2006 at 06:49:55 AM EST
ssh in, from home.

Can you introspect out loud? --CRwM

no the port forwarding just means by 256 (4.00 / 1) #4 Thu May 11, 2006 at 06:55:39 AM EST
that when the linksys router gets a request on port 22 it's like "port 22? i don't want this. yo,, you want this port 22 thing?"
I don't think anyone's ever really died from smoking. --ni
why not go for by sasquatchan (2.00 / 0) #5 Thu May 11, 2006 at 06:56:08 AM EST
static IPs on the internal network. It's been a while since I did port-forwarding on the home router, but I thought one had (?) should (?) use static IPs for it. Or maybe just pick static IPs for the one or two machines that you need access to, and let the others be DHCP, since I think you can specify the DHCP range, and can then exclude the static IPs from that range.

Yeah by gazbo (4.00 / 1) #10 Thu May 11, 2006 at 07:08:08 AM EST
Dude, I can't imagine how one would go about port-forwarding to non-static IPs.  Even if you do get it working, it will break at some random time in the future when DHCP gets all...dynamic on yo ass.

I recommend always assuming 7th normal form where items in a text column are not allowed to rhyme.

going all OSI on you by bobdole (2.00 / 0) #20 Fri May 12, 2006 at 02:25:43 AM EST
I'd say it is impossible as DNS (which would easily solve the dynamic problem) and port-forwarding operate on different levels of the OSI-model.

On the other hand a couple of them newfangled router/accesspoint/firewall thingies do allow you to portforward to a machine based on its dhcp-client name. Well at least mine does, but it's also got a setting letting me specify which clients should receive an infinite lease from the dhcp-thing. So I don't know which of the two settings actually does the trick...

But I'd go down the static-ip for static (ie. non-laptop) machines any day, myself...
-- The revolution will not be televised.

sounds like a similar setup to mine by 256 (2.00 / 0) #6 Thu May 11, 2006 at 06:59:21 AM EST
and i can ssh in to home just fine, except for having to change the forwarding whenever my server gets a new ip lease and change the dns whenever rogers decides to change my ip.

here's an easy test for whether or not you have the forwarding set up properly:

from the box that you are forwarding ssh to, type "ssh" and see if you get a loopback.
I don't think anyone's ever really died from smoking. --ni

IPs by thunderbee (2.00 / 0) #7 Thu May 11, 2006 at 06:59:57 AM EST
Exclude a range of IPs from the dhcp.
Give static addresses to at least the sshable machine from the excluded range.
22 is indeed the ssh port.
Check that you are forwarding tcp/22 to the static IP.
Check that the router's firewall is not blocking forwarded traffic on port 22 ;-)

Can't help you with the BEFW11S4 though.

I have some fun stuff with my home network by gpig (2.00 / 0) #8 Thu May 11, 2006 at 07:02:56 AM EST
All of the machines in the internal network use static (intranet) IPs, not DHCP. I also have a static (internet) IP from my ISP.

I have NAT forwarding set up to ssh on a couple of different machines, and a web server. All of them are on non standard port numbers. So it's something like this (fictional example):

if my static IP is and the home network is on 192.168.0.*

1002 --> 22 (ssh to web server)
1003 --> 80 (web server serving web)
1004 --> 22 (ssh on other box)

I realise I could just have one ssh open and go through it to get to the other machine, but I'm a bit too lazy for that.
(,   ,') -- eep

I concur with sasquatchan by lm (2.00 / 0) #9 Thu May 11, 2006 at 07:04:35 AM EST
Give out static IP addresses for your internal boxen, or at least the ones that you want to ssh to from outside. IIRC, you should be able to mix and match by setting the DHCP server in the router to start at a high number which effectively reserves the lower numbers for static use.

You may also have to set up port forwarding on your DSL `modem' before it will allow connections from outside to come in. Most of those things are really routers that do NAT and reject connections not initiated by something on the inside of the network.

There is no more degenerate kind of state than that in which the richest are supposed to be the best.
Cicero, The Republic
I dunno by ana (2.00 / 0) #13 Thu May 11, 2006 at 09:45:01 AM EST
if I can talk to the DSL modem thingie directly. Seems it just kind of "is".

Can you introspect out loud? --CRwM

telnet to its IP address from inside your network by lm (2.00 / 0) #15 Thu May 11, 2006 at 10:26:09 AM EST
I bet you a donut that you'll either get a shell or a login prompt, most likely the latter.

There is no more degenerate kind of state than that in which the richest are supposed to be the best.
Cicero, The Republic
hm. by ana (2.00 / 0) #17 Thu May 11, 2006 at 10:32:55 AM EST
Not sure what its IP addy would be. It's on the other side of the router, you see. Router is; the DHCP clients are .1.100-series names, and I think that's all it'll tell me about.

Can you introspect out loud? --CRwM

The IP of the ``modem'' by lm (2.00 / 0) #18 Thu May 11, 2006 at 10:57:33 AM EST
Is the default gateway used by your linksys router.

There is no more degenerate kind of state than that in which the richest are supposed to be the best.
Cicero, The Republic
Um by ana (2.00 / 0) #26 Fri May 12, 2006 at 09:02:36 AM EST
doesn't seem to have a default gateway.

Can you introspect out loud? --CRwM

just one? by LilFlightTest (2.00 / 0) #24 Fri May 12, 2006 at 08:39:28 AM EST
why not three?
Send me to Austria!
Because I have to watch my girlish figure by lm (2.00 / 0) #25 Fri May 12, 2006 at 08:50:50 AM EST
I don't want to strain my back because I'm carrying around a pony keg under my shirt from eating three donuts.

There is no more degenerate kind of state than that in which the richest are supposed to be the best.
Cicero, The Republic
You're basically there by yicky yacky (2.00 / 0) #11 Thu May 11, 2006 at 07:09:17 AM EST

Your set-up is not so dissimilar to ours.

Statically assign the IP of the webserver. This can be done at the router, usually under "static routes" or somesuch in its config, then port-forward port 22 to this address. You then have to change the router's DHCP assignment so that it starts assigning IP addresses outside a range which doesn't include the webserver.

On our network, is the router, .0.2 and .0.3 go to static machines which are hardwired-in, .0.4 goes to the webserver and the router is set to use .0.8 and above for DHCP requests.

It's advisable to use a non-standard port for the SSH daemon - we run it up on 34543 or somesuch. This cuts down an incredible number of attempted SSH hacks as port 22 just isn't open and they just bounce. Otherwise, your /var/log/messages will get full of Taiwanese kids trying all the default accounts, like 'apache', 'root', 'guest' etc. which modern unixes helpfully configure in advance. You can specify the port ssh uses to connect at the client.

Doing this means that the domain names, as opposed to IP numbers won't necessarily match from inside and outside the network. There are a few solutions to this. 1.) Hack the hosts file on the router (if it has one) to route named requests accordingly; 2.) Hack the hosts files on the individual computers; 3.) Run BIND or somesuch inside the network. For a network of that size, running DNS/BIND isn't really worth it, so do 1 or 2. Remember, you only need to do this for internal machines which need to use hostnames. You can still happily use network-specific IPs without bothering.

Vacuity abhors a vacuum.
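yicky yacky's point about port 22 filling the logs with default-account guesses is easy to check for yourself. The script below is an added example, not code from the thread or any of its participants: a POSIX shell snippet that reads sshd "Failed password" lines and summarises them per source address and per account name tried, with a threshold for flagging the noisiest sources. The log lines are constructed samples in Linux syslog/sshd format (the host name giggles and the addresses are made up for the illustration); on a real box you would feed it /var/log/messages, or /var/log/auth.log on Ubuntu.

```shell
#!/bin/sh
# Added example: summarise sshd "Failed password" lines by source and by user.
# The log lines below are constructed samples in Linux syslog/sshd format;
# the host "giggles" and the addresses are made up for this illustration.

sample_auth_log() {
  cat <<'EOF'
May 11 06:39:53 giggles sshd[2101]: Failed password for invalid user apache from 203.0.113.7 port 40122 ssh2
May 11 06:39:55 giggles sshd[2101]: Failed password for invalid user guest from 203.0.113.7 port 40123 ssh2
May 11 06:39:57 giggles sshd[2103]: Failed password for root from 203.0.113.7 port 40125 ssh2
May 11 06:40:01 giggles sshd[2105]: Failed password for root from 203.0.113.7 port 40127 ssh2
May 11 06:40:03 giggles sshd[2107]: Accepted publickey for ana from 192.168.1.104 port 51022 ssh2
May 11 06:41:10 giggles sshd[2110]: Failed password for ana from 198.51.100.20 port 33001 ssh2
EOF
}

# Read auth-log lines on stdin; print "count source" for every source address
# that produced failed password attempts, busiest first.
failed_by_source() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "from") src = $(i + 1)
         n[src]++
       }
       END { for (s in n) print n[s], s }' | sort -rn
}

# Same, keyed by the account name that was tried ("invalid user X" or "X").
failed_by_user() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         for (i = 1; i <= NF; i++)
           if ($i == "for") { user = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1); break }
         n[user]++
       }
       END { for (u in n) print n[u], u }' | sort -rn
}

# Print only the sources at or above a failure threshold (default 3): the
# candidates for a firewall block or a closer look.
noisy_sources() {
  threshold=${1:-3}
  failed_by_source | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone usage: swap the sample for the real log, e.g.
#   grep sshd /var/log/auth.log | noisy_sources 5
sample_auth_log | failed_by_source
sample_auth_log | failed_by_user
sample_auth_log | noisy_sources
```

Moving sshd to another port shrinks this noise, as the comment says, but it does not stop a scanner that finds the port; the per-user view is the one to watch, since a single address cycling through 'root', 'guest' and 'apache' is the pattern worth blocking at the router or with the host firewall.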
Thanks. by ana (2.00 / 0) #14 Thu May 11, 2006 at 09:57:54 AM EST
The idea of using nonstandard ports for this makes excellent sense. I don't think I can get at the router's hosts file; it has a web interface and that seems to be all I get.

Can you introspect out loud? --CRwM

static IPs are a pain in the ass by clover kicker (2.00 / 0) #12 Thu May 11, 2006 at 08:00:00 AM EST
Your linksys dhcpd might support reserving IPs to specific MAC addresses.

(My home network has a file server, so I run my own dhcpd)

Stuff by ni (2.00 / 0) #16 Thu May 11, 2006 at 10:30:56 AM EST
  1. As others have said, you should probably: a) Give the machine you want to access a static IP address. (You can probably just pick one a few higher up than the router is likely to assign and it'll work) b) If your router allows it, specify this machine as the DMZ. This is the easiest (although slightly less secure) way to do these things.
  2. You have some kickass machine names. I may steal "fray" for my own nefarious purposes.

my experience is that people will do amazingly stupid things in conjunction with their crotches -- persimmon
fray... by ana (2.00 / 0) #23 Fri May 12, 2006 at 07:32:45 AM EST
comes from this comic, a far-future telling of a vampire slayer's tale by Joss Whedon. Because she's a kick-ass machine.

Can you introspect out loud? --CRwM

ditto the others, and by theantix (2.00 / 0) #19 Thu May 11, 2006 at 09:49:13 PM EST
based on what you describe I think your best bet will be to set your webserver/ssh box, with fray as the second choice if you think that will stay powered on more often.

As others have said, you want to do static dns instead of DMZ, which should be pretty easy to configure.  if you need some help with this on the weekend, let me know and I'll try to step you through it and help.

You sir, are worse than Hitler.

Update... by ana (2.00 / 0) #21 Fri May 12, 2006 at 05:14:59 AM EST
OK, so I mucked around with stuff last night. I gave fray a static IP addy on the internal net, and that seems to work.

I pinged with our (then-current) IP addy from the DHCP server at verizon. It's still serving the one from before that. How long does it take to get a new IP addy through the system?

I verified that I could ssh into fray from the work machines, using the correct IP addy. So, yay!

Oddly, I couldn't ssh directly from my laptop to fray using the outside-universe IP addy. Perhaps the fact that they're both using that addy confuses things or something. I don't really need to be able to do this, because I can ssh around the internal network using internal IP addys.

I installed DarwinPorts and then irssi on fray, and verified that it all works (albeit with some significant delays that might be due to the fact that the terminal windows were logged in from here to there and back multiple times).

Today, though, things time out. Turns out our old friend the balky wireless router and/or DSL modem is at fault. From time to time it needs rebooting, and (of course) verizon's DSL gives me a different IP addy when that happens, so I was trying the wrong IP addy. Must fix this.

So I can see this thing working, if I can find out what IP addy the home machines have at a given time. If dyndns doesn't propagate fast enough, is there another solution? I could set up a cron job at home to e-mail me the addy or ssh in or something twice a day, I suppose...

Oh, and thanks to mns for letting me use his network all this time. What with the moving thing coming up, that's apparently shut down for a month or two.

Can you introspect out loud? --CRwM
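The cron job ana mentions at the end of the update is worth doing as compare-then-update rather than a blind update: cache the last address, and only talk to the dynamic-DNS provider when the address actually changed (the cached copy also tells you when the router last rebooted). The script below is an added example, not the author's code. current_public_ip and push_dns_update are assumed stand-ins for the router query and the provider's update call (the thread names dyndns but no API, so those calls are left as placeholders), STATE_FILE is an assumed location for the cached address, and DYNDNS_CRON_RUN is an assumed switch so that the functions can be sourced without side effects.

```shell
#!/bin/sh
# Added example: cron-driven dynamic-DNS update that only fires when the
# public address has actually changed. current_public_ip and push_dns_update
# are assumed stand-ins (the real router query / provider API go there);
# STATE_FILE is an assumed location for the cached address.

STATE_FILE=${STATE_FILE:-"$HOME/.last_public_ip"}

# Succeed only if $1 looks like a dotted-quad IPv4 address, each octet 0-255.
# Guards against caching an error page or an empty reply as "the address".
valid_ipv4() {
  [ -n "$1" ] || return 1
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }'
}

# Stand-in for discovering the address. On this kind of setup the router's
# status page or an external "what is my IP" service would be queried here.
current_public_ip() {
  echo "203.0.113.42"   # constructed sample value, not a real lookup
}

# Stand-in for the provider's update call; the thread names dyndns but no API.
push_dns_update() {
  echo "would update DNS record to $1"
}

# Compare with the cached address and update only on change.
# Exit status: 0 = update pushed, 1 = unchanged, 2 = address looked bogus
# or the update call failed.
update_if_changed() {
  ip=$(current_public_ip)
  valid_ipv4 "$ip" || return 2
  last=$(cat "$STATE_FILE" 2>/dev/null || true)
  [ "$ip" != "$last" ] || return 1
  push_dns_update "$ip" >/dev/null || return 2
  printf '%s\n' "$ip" > "$STATE_FILE"
  return 0
}

# Run one check only when invoked with the (assumed) switch set, e.g. from a
# crontab line twice a day as the diary suggests (path is assumed):
#   0 6,18 * * * DYNDNS_CRON_RUN=1 /home/ana/bin/dyndns-update.sh
if [ "${DYNDNS_CRON_RUN:-0}" = 1 ]; then
  update_if_changed
fi
```

Returning distinct exit codes lets cron's mail tell "nothing to do" apart from "the lookup returned garbage", which is the case that otherwise quietly overwrites a good DNS record with junk.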

and... by ana (2.00 / 0) #22 Fri May 12, 2006 at 06:13:13 AM EST
i forgot the domain name i'd reserved. using the correct one in fact produces last night's/this morning's updated IP addy, which would work, i'm thinkin, but for the rebooted router. tomorrow, fershure.

Can you introspect out loud? --CRwM

I guess I owe you a donut by lm (2.00 / 0) #27 Fri May 12, 2006 at 09:15:38 AM EST
But if you check the STATUS page on the Linksys, it will probably list a default gateway even if you haven't specified one on the SETUP page.

The official word on DNS is that it takes 24 to 72 hours to propagate through the entire Internet. Realistically, it usually happens in just a few hours. Part of that depends on the time of day. In the old days, quite a few servers only updated once or twice a day and everyone downstream from them wouldn't get updated until after they did. Nowadays, most of the important servers get updated multiple times per hour.

There is no more degenerate kind of state than that in which the richest are supposed to be the best.
Cicero, The Republic