# Can't ping on remote router [Solved]

## apiaio

I would like to establish a remote connection between my home PC and notebook. It works locally in my home LAN. It doesn't work from the home LAN of my friend. I have enabled VNC ports 5800, 5900 and SSH port 22 in both routers. No response.

Even ping to remote router does not work. But is up  *Quote:*   

> gentoo miro # nmap -Pn -p 14534,51234 91.127.97.183
> 
> Starting Nmap 6.47 ( http://nmap.org ) at 2015-12-20 18:19 CET
> 
> Nmap scan report for adsl-dyn183.91-127-97.t-com.sk (91.127.97.183)
> ...

 I think that I neglected something in routers configuration but don't know what.

Last edited by apiaio on Tue Dec 22, 2015 4:11 pm; edited 1 time in total

----------

## Keruskerfuerst

Network setup?

----------

## apiaio

 *Keruskerfuerst wrote:*   

> Network setup?

 Sorry. But which files or commands do you want to see?

----------

## NeddySeagoon

apiaio,

Don't even think about VNC over the internet. It's not secure.

You can tunnel VNC over ssh or do X forwarding over ssh.

On the router at your home, you need to forward port 22 to your PC.

Your PC needs to run sshd with root logins disabled.

From your adsl-dyn183.91-127-97.t-com.sk you have an extra complication.  It appears you have a dynamic IP address.

That means it may change at any time.  Look at a service like no-ip as a work around.  That's not a recommendation, there are others.

----------

## apiaio

 *NeddySeagoon wrote:*   

> apiaio,
> 
> Don't even think about VNC over the internet. It's not secure.
> 
> You can tunnel VNC over ssh or do X forwarding over ssh.
> ...

 I have TightVNC installed. Man page of vncviewer says *Quote:*   

>   -via gateway
> 
>               Automatically create encrypted TCP tunnel to  the  gateway  machine
> 
>               before   connection,  connect  to  the  host  through  that  tunnel
> ...

 It should make transfer over internet secure. Have I understood it well?

 *Quote:*   

> 
> 
> From your adsl-dyn183.91-127-97.t-com.sk you have an extra complication.  It appears you have a dynamic IP address.
> 
> That means it may change at any time.  Look at a service like no-ip as a work around.  That's not a recommendation, there are others.

 Yes it is dynamic IP address. I followed up IPs on both routers and it seems, that IP addresses are changed only when routers are powered off/on or rebooted.

----------

## NeddySeagoon

apiaio,

That's correct as far as it goes.  Check how it does authentication.

Show us both routers' port forwarding set up.

Tell us the make and model of both routers too, so we can get their online manuals.

Trying a traceroute from Scotland, on the IP in your original post gives

```
$ sudo traceroute -AI 91.127.97.183
Password: 
traceroute to 91.127.97.183 (91.127.97.183), 30 hops max, 60 byte packets
 1  router (192.168.100.253) [AS55158]  0.890 ms  0.906 ms  0.926 ms
 2  losubs.subs.dsl4.wh-man.zen.net.uk (62.3.83.6) [AS13037]  13.261 ms  13.274 ms  13.690 ms
 3  ae1-118.cr1.wh-man.zen.net.uk (62.3.86.1) [AS13037]  13.719 ms  13.733 ms  13.743 ms
 4  ge-3-0-0-0.cr2.th-lon.zen.net.uk (62.3.80.45) [AS13037]  54.268 ms  54.297 ms  54.797 ms
 5  gi3-0.lonth-inter-1.interoute.net (195.66.224.53) [AS10026/AS4637]  23.760 ms  23.780 ms  23.794 ms
 6  ae2-0.lon-001-score-2-re0.interoute.net (84.233.218.185) [AS8928]  46.017 ms  44.300 ms  44.304 ms
 7  ae0-0.lon-001-score-1-re0.interoute.net (84.233.218.189) [AS8928]  50.002 ms  48.331 ms  48.337 ms
 8  ae1-0.ams-koo-score-1-re0.interoute.net (84.233.190.57) [AS8928]  48.336 ms  48.183 ms  48.180 ms
 9  ae0-0.ams-koo-score-2-re0.interoute.net (84.233.190.2) [AS8928]  48.172 ms  48.223 ms  48.239 ms
10  ae1-0.fra-006-score-1-re0.interoute.net (84.233.190.50) [AS8928]  48.339 ms  48.349 ms  49.448 ms
11  ae1-0.vie-per-score-1-re0.interoute.net (212.23.43.25) [AS8928]  49.441 ms  67.759 ms  67.769 ms
12  ae0-0.vie-per-score-2-re0.interoute.net (212.23.43.50) [AS8928]  67.778 ms  46.038 ms  46.049 ms
13  ae1-0.bts-001-score-1-re0.interoute.net (84.233.147.13) [AS8928]  46.058 ms  45.813 ms  45.825 ms
14  ae0-0.bts-001-score-2-re0.interoute.net (84.233.147.2) [AS8928]  45.822 ms  44.269 ms  44.262 ms
15  84.233.184.66 (84.233.184.66) [AS8928]  44.555 ms  45.289 ms  45.283 ms
16  st-static-bckb-249.213-81-233.telecom.sk (213.81.233.249) [AS6855]  45.245 ms  44.446 ms  44.899 ms
17  * * *
```

That suggests that st-static-bckb-249.213-81-233.telecom.sk, your ISP's incoming gateway for me, is dropping ping requests.

Of course,  91.127.97.183 may no longer be your public IP.  You can't count on it only changing at router power cycle.

Feel free to attempt to ssh to 5.9.82.14.  As you don't have an account, it will go through the password prompt three times before the attempt is rejected.

Count it as successful if you get asked to validate the host key.  That means you can at least get out from your ISP and receive a response.

Try this from your friend's too.

If you don't get a response, PM me the IP address(es) you tried from, the date and time of day and I'll check the logs.

The logs are already full of bots guessing usernames and passwords, so your login attempts will just add to the noise.

----------

## apiaio

Thanks for interesting communication.

On my table is TP-LINK TD-W8960N v1 00000000. On the desk of my friend is something that was delivered by the internet provider and I am not able to detect the type at the moment. IMHO it is not important because we have the same provider and the same default GW 213.81.233.249.

Port forwarding setup on my router:

```
NAT -- Virtual Servers Setup

Server Name    External Port Start    External Port End    Protocol    Internal Port Start    Internal Port End    Server IP Address    WAN Interface    Remove
VNC    5900    5900    TCP    5900    5900    192.168.1.100    ppp0    
Secure Shell Server (SSH)    22    22    TCP    22    22    192.168.1.100    ppp0    
vnc2    5800    5800    TCP    5800    5800    192.168.1.100    ppp0
```

Swapped quote to code tags above -- NeddySeagoon

Similar setting is on the friend router (not sure about port 5800).

 *Quote:*   

> gentoo miro # ssh 5.9.82.14
> 
> The authenticity of host '5.9.82.14 (5.9.82.14)' can't be established.
> 
> ED25519 key fingerprint is SHA256:PFqHSomzpGQ86kGgGKNGZNzXHxPOx61laEo5MbkWtIk.
> ...

 

----------

## NeddySeagoon

apiaio,

I have the user manual for your router.

As long as your PC has a fixed IP of 192.168.1.100 that looks correct for sshd.

You were able to reach my server, so we know you can get to the outside world with packets that have a destination port of 22.

Go to your ISP's website and see if they block any ports.  

Less enlightened ISPs tend to make it difficult for you to run servers at home by blocking ports like 25, 80, 443 and others.  

You may need to use another port for ssh to avoid your ISP's restrictions.

To test that, edit /etc/ssh/sshd_config and add another Port entry.  Make sure it's not commented.  Restart sshd.

Now it will listen on the port you selected.  Choose a port >1023 and avoid port number clashes with other incoming services.

Fix your router to forward the new port.

You will need to give the -p option to the ssh command to connect to the new port.

Several uncommented port lines are allowed.
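
The steps in the post above (an extra uncommented `Port` line above 1023, root logins disabled) can be checked before touching the router. This is an added example, not part of the original post; the sample configuration and the port 2222 in it are constructed, and `Match` blocks are not interpreted.

```shell
#!/bin/sh
# Added example. The sample sshd_config below is constructed, not from the thread.

# Ports sshd will listen on: every uncommented "Port N" line counts,
# and sshd falls back to 22 when there is none.
sshd_ports() {
    ports=$(awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2 }' "$1")
    if [ -n "$ports" ]; then echo "$ports"; else echo 22; fi
}

# PermitRootLogin value; sshd uses the first occurrence of a keyword.
# Prints "unset" when the file does not set it (the default then depends
# on the OpenSSH version).
root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Succeeds only if an alternate port above 1023 is configured and
# root logins are disabled; prints one finding per line.
audit_sshd() {
    rc=1
    for p in $(sshd_ports "$1"); do
        if [ "$p" -gt 1023 ]; then
            echo "alternate port $p: forward it on the router, connect with ssh -p $p"
            rc=0
        else
            echo "port $p: privileged range"
        fi
    done
    if [ "$(root_login "$1")" != "no" ]; then
        echo "PermitRootLogin is not 'no'"
        rc=1
    fi
    return $rc
}

# Constructed sample: commented lines must be ignored, two Port lines are active.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#Port 22
Port 22
Port 2222
#PermitRootLogin yes
PermitRootLogin no
EOF

audit_sshd "$SAMPLE" || echo "sshd_config needs attention"
```

Point `audit_sshd` at `/etc/ssh/sshd_config` to check the real file; the port it reports is the one the router must forward.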

----------

## apiaio

Thanks for hints.

I phoned the ISP's service department. Exclusive of port 25 they don't block any other ports. Tomorrow I will try to set ssh connection as you suggest.

----------

## NeddySeagoon

apiaio,

If they really only block mail servers, it may yet be your router setup.

A TCP packet has a source and a destination port.

The source port can be anything, almost, but the destination port for ssh will default to 22.

Once ssh receives a packet (addressed to port 22) it makes a note of source port and replies to it.

I'm not sure what the 'External Port' does in your router setup but if it limits the range of permitted source ports, setting it to 22 will ensure it won't work as 22 will never be used as a source port number.  Try leaving the external port settings blank.

-- edit --

Your router's logs may have some hints for you too.

----------

## krinn

 *apiaio wrote:*   

> gentoo miro # ssh 5.9.82.14
> 
> The authenticity of host '5.9.82.14 (5.9.82.14)' can't be established.
> 
> ED25519 key fingerprint is SHA256:PFqHSomzpGQ86kGgGKNGZNzXHxPOx61laEo5MbkWtIk.
> ...

 

It doesn't mean you aren't connecting to ssh; in fact, it means YOU are connecting to it.

How do you think your ssh found the host ED25519 keyfile if it's not because the connection is working?

Your ssh problem is not a port problem, but ssh configuration.

NeddySeagoon: the external range is just to ease the life of the user. vnc increases the port range by one on each active connection; he could then define a 5800-5810 external range to allow 10 connections to his vnc in one entry instead of adding each entry.

It also allows someone connecting to a port to be matched to a host with another port, allowing someone connecting to his router from port 44 to be forwarded to a host on its port 22. A neat feature if the program cannot work on a different port or if you want to aim at a specific host on your network.

Two hosts use the default 22 for ssh, but depending on the external port that gets knocked, the router will forward the ssh query to host1 or host2.

"External port" refers to his router port, and internal to his host port. So not the source port of someone connecting to it, but the router port that gets knocked.

----------

## apiaio

 *Quote:*   

> 
> 
> It doesn't mean you aren't connecting to ssh; in fact, it means YOU are connecting to it.
> 
> How do you think your ssh found the host ED25519 keyfile if it's not because the connection is working?
> ...

 

Yes we know that connection is working. NeddySeagoon wrote:

 *Quote:*   

> You were able to reach my server, so we know you can get to the outside world with packets that have a destination port of 22. 

 

Problem is resp. was that I was not able to reach my server. Now I can reach my router via ssh. Actually I can ping on my public address after enabling ICMP option on my router. So I would say, that basic problem is solved.

Port forwarding setup on my router now:

```
NAT -- Virtual Servers Setup

Server Name    External Port Start    External Port End    Protocol    Internal Port Start    Internal Port End    Server IP Address    WAN Interface    Remove
Secure Shell Server (SSH)    2222    2222    TCP    2222    2222    192.168.1.100    ppp0    
VNC    5900    5910    TCP    5900    5910    192.168.1.100    ppp0
```

Up to now I was not able to create a connection with ssh tunneling. But this is a question for a new thread.

----------

## NeddySeagoon

apiaio,

Does it not work on port 22 too?

----------

## apiaio

 *NeddySeagoon wrote:*   

> apiaio,
> 
> Does it not work on port 22 too?

 I'm not sure. Today's test was from my friend's house to my PC. There is still enabled port 22. Next time I will try the reverse connection. Problem is, that they have Win8 installation only and I do not want to complicate their life with linux and every time I have to go there with my notebook.

Truth of the matter is that this is a testing place only. The aim is to prepare a connection to the 50 km remote place where I need to administrate MySQL server from time to time.

For completeness' sake. My PC runs under Gentoo and notebook and mentioned remote place under Sabayon.

----------

## NeddySeagoon

apiaio,

There are several free ssh clients for Windows. PuTTY comes to mind but there are others.

----------

