Port Forwarding to RPi Fails

This port forwarding issue has me stumped. I’m hoping some of you with far more networking experience would be able to give me some direction to diagnose the cause.

I have identical Raspberry Pis, one running on my home network and one running on my work network. I have a web server running on both and OpenSSH since they are both headless.

  • Home network is Comcast Cable with a Netgear N300 Wi-Fi Router (WNR2000) connected to the cable modem.
  • Work network is Comcast Cable with a Netgear WNDR4500v2 connected to the Comcast Business Cable modem/router, I think in bridge mode (it is not assigning any IPs; this is all being done by the Netgear, something I’m thinking of changing by eliminating the Netgear and just using the Comcast modem/router).

I have port forwarded 80 and the ssh port on both Netgear routers to forward to the RPi on each of their networks.

What Works:

  • Locally ssh and browse to the default webpage and other services on the RPis like Gitea, which runs its own webserver on its own port.
  • Outside of home network I can view the default webpage coming over port 80 from the home RPi.

What Doesn’t Work:

  • No ssh access to either RPi from outside of their network even though ssh port is being forwarded.
  • Outside of work network I can’t see the default web page running on the “Work” RPi (perhaps this is related to the fact that the “Work” Netgear is attached to the Comcast Business modem/router).
  • Outside of home network I can’t view Gitea even though its port is forwarded on the N300.

I would like to use these two RPis as a simple backup server that would give me local and remote copies of my files, but I need ssh to work between them in order to accomplish this goal.

I’m not running another firewall on either of the networks. I’ve tried using Duck DNS to give my networks, which have dynamically assigned public IPs from Comcast, a web address. Duck DNS is working properly and I verified my WAN IP with http://www.canyouseeme.org/. Besides using “mysitename.duckdns.org:4000orwhateverportI’mforwarding” I have used the actual numbered WAN IP, all with the same results described above.

Any ideas you can give to trace the source of the issue would be appreciated.
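One way to gather the evidence this post is asking for, as an added example that is not part of the thread: probe each forwarded port from outside the network (a phone hotspot, for instance) and record whether the connection was accepted, refused, or silently timed out, since a refusal means something answered while a timeout is what an ISP block or a missing forward rule looks like. It assumes Python 3 on the probing machine; the host name mysitename.duckdns.org and the ports 80, 22 and 5022 are the ones mentioned in the thread, and the loopback helpers are constructed fixtures for running it offline.

```python
import socket
import threading


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify one TCP port as 'open', 'refused', 'filtered', 'unresolved' or 'error'.
    refused  = an RST came back: the forward reached a host but nothing listens there.
    filtered = silence until the timeout: the SYN was dropped (ISP block or bad rule).
    """
    try:
        addr = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)[0][4]
    except socket.gaierror:
        return "unresolved"          # the DuckDNS name (or any name) did not resolve
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(addr)
            return "open"            # handshake completed; a listener answered
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "filtered"
        except OSError:
            return "error"           # e.g. network unreachable from the probing host


def diagnose(host: str, ports: list) -> dict:
    """Probe each port from outside the LAN and return {port: state}.
    Real use: diagnose("mysitename.duckdns.org", [80, 22, 5022]) from a hotspot."""
    results = {port: probe_tcp(host, port) for port in ports}
    for port, state in results.items():
        print(f"{host}:{port} -> {state}")
    return results


def _loopback_listener() -> int:
    """Constructed fixture: a socket listening on a free loopback port ('open')."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=srv.accept, daemon=True).start()
    return srv.getsockname()[1]


def _loopback_closed_port() -> int:
    """Constructed fixture: a loopback port with nothing listening ('refused')."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Run it once from inside the LAN against the RPi's LAN address and once from outside against the WAN address; a port that is open inside but filtered outside points at the router or ISP rather than the RPi.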

What are your internal IPs?

The ones assigned by the Netgear routers 192.###.#.###

Comcast is known to block ports like port 80 and other common ports, especially on a residential connection.

Host on home system should have a different internal IP. Why not a site 2 site VPN?

Your ISP may block connections to port 22. We have run into this a few times. Try a higher port number.

I had heard that, but port 80 is the one that works. 22 doesn’t work, but I’ve also tried 3000 and that doesn’t work either. I’m not sure how high I need to go to find ports that aren’t blocked.

I’m not sure what you mean. On the home network every computer has a unique LAN IP assigned to it by the Netgear N300. They are all in the pattern of 192.168.#.###. These LAN IPs are different from the WAN IP or public IP assigned to me by Comcast.

You mention a site 2 site VPN. I have no experience with a VPN, but perhaps that is the solution. Do I need to forward ports for a site to site VPN? If you have a link to share on setting up VPNs that would be great; otherwise, I will just Google it and do some research on that. Thanks for the suggestion.

I will try a higher port on the “home” network tonight to see if I can get that to work, since I have port 80 forwarding working on that network. On the work network nothing that has been forwarded works.

Well, I tried using other ports. I found this support page on Xfinity’s support site that lists the ports they block and why. https://www.xfinity.com/support/articles/list-of-blocked-ports

However, port 22 is not one of the blocked ports, and neither is port 80 (as mentioned previously I can view static html pages served up from the RPi, but I can’t ssh into it). I also tried setting up port 5022 as my ssh port, which is not one of the blocked ports either, but I still can’t ssh into the RPi from outside of the home network.

One thing I haven’t tried: I noticed that there is a section for Port Triggering. I have not set up Port Triggering, only Port Forwarding. Do I need to perhaps set up both Port Triggering and Port Forwarding on the N300 Netgear router in order to get it to open the ssh port to outside of the network?

I’m also still researching a site to site VPN.

Any other thoughts?

So I set up Port Triggering on 22 on the Netgear N300. Then when I tried to set up Port Forwarding for 22 (the one that had failed to work), the Netgear N300 threw an error complaining that the port was already configured somewhere else. So I changed the Port Forwarding to a different external port for ssh that resolves to the internal port of 22, and that was allowed in the configuration screen. Now when I connect from outside the network I can ssh into the Home RPi. I still don’t have any outside connections working on the Work RPi, so I will have to explore that further. I’m not sure why the change I made in Port Triggering caused a change in behavior, but that is the only thing I did differently this time.