A few weeks ago I rebooted gateway hardware trying to troubleshoot a problem and I suspect I got an upgrade on the firmware for the CG3000DCR. After the reboot, I was unable to connect directly to port 22 from outside which I have mapped through to an internal server. At first the problem was that some other service was intercepting the connection (announcing itself as some type of broadcom device after I supplied a username). After a few days, that route stopped even getting to the login prompt. That's really annoying, but I shifted to an alternative port so I could continue to use the server remotely. The second problem has been really unreliable network connections that cause the SSH connection to drop every 5 minutes if I am using it interactively. I have tested from several external locations with the same results, so I am pretty sure the problem is close to the customer (i.e. my) end. It is fine from within the LAN, so not the server itself. I have run pingplot for quite a few days now and see a fair bit of packet loss from the sf19th.ca.sfba.comcast.net point onwards, though not always perfectly correlated with the connection dropping. See below. SSH is barely usable, and the port 22 interception is really annoying. The connection is mostly fine at a bandwidth level, but for anything requiring a socket stay open, it's useless. What do I need to do to fix this?
One further piece of information. This is the message I get trying to connect to my IP address. Looks like one of your routers exposing its internal access connection:
Broadcom Corporation Embedded BFC SSH Server (c) 2000-2012
WARNING: Access allowed by authorized users only.
Seems similar to problems mentioned here: http://www.broadbandreports.com/forum/remark,28263772
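To tell whether a public port reaches your own SSH server or something else in the path (as with the Broadcom banner above), here is an added Python check that is not from this thread. It assumes the forwarded host runs OpenSSH, uses the ports mentioned in the thread, and the default IP is a documentation placeholder to replace with your own.

```python
import socket
import sys

# Assumption: the internal host behind the forward runs OpenSSH; change to match your server.
EXPECTED_SOFTWARE = "OpenSSH"


def read_ssh_identification(host, port, timeout=5.0):
    """Connect to host:port and return the server's first line (the SSH
    identification string, RFC 4253 section 4.2), or None if nothing answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = b""
            while not data.endswith(b"\n") and len(data) < 512:
                chunk = sock.recv(128)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    return data.decode("ascii", errors="replace").strip() or None


def classify(ident):
    """Map the received first line to what it says about the forward."""
    if ident is None:
        return "closed"            # refused, filtered, or silent
    if not ident.startswith("SSH-"):
        return "not-ssh"           # some other service answered on this port
    if EXPECTED_SOFTWARE in ident:
        return "expected"          # your server's software string came back
    return "unexpected"            # SSH, but not your server: something in between


def check_ports(host, ports=(22, 24, 7063)):
    """Probe the ports discussed in this thread and return {port: verdict}."""
    return {p: classify(read_ssh_identification(host, p)) for p in ports}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"  # placeholder public IP
    for port, verdict in check_ports(target).items():
        print(f"{target}:{port} -> {verdict}")
```

Run it from outside your LAN; an "unexpected" or "not-ssh" verdict on a port you forwarded is the sign that the gateway, not your server, is answering.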
Not to be a nuisance, but I haven't heard a peep from your Tier 2 group and the problems continue unabated. SSH attempts to connect to port 22 hit the Broadcom device (not my hardware) again. SSH logins via alternative ports die if too much traffic in the upload direction goes through (meaning if I type for a minute). Overall my high-speed Comcast connection is behaving like a bad low-end dialup connection that drops every few minutes. This has been going on for weeks at this point.
I had a somewhat similar problem so I'll throw in my 2 cents. I could not get a response from port 22 over the internet except "Connection refused", which was odd because my server, like yours, accepted SSH connections from inside my network just fine. I called Comcast support and they said my CG3000 had port 22 forwarded correctly. When I said "That's nice but it doesn't work" they graciously offered a more expensive service plan. After dinking around a while I found that if I forward port 24 from the internet to port 22 on my server, I can connect successfully from the internet using port 24. Apparently there is something wrong with the CG3000 that is commandeering port 22 on the public side, but the private side is fine.
A couple of weeks now with no direct access to port 22, the Broadcom server getting in between and my logins via an alternative port dropping after typing for a few minutes. I also see bandwidth dropping to ~1.5 Mbit/s in the evenings, which makes the connection difficult to use for remote desktop or streaming. Given the price of the connection, I expected a lot more. When can I expect Tier 2 support to contact me?
Tier 2 did finally get back to me, and yes, the modem had been misconfigured to intercept port 22. It's fixed now and I can ssh, though. That connection is more stable and usable for extended periods, but it does drop every hour or two. Overall, I'm not very impressed with the stability of long-term connections. Bandwidth is also dropping 10x, down to 1 to at most 3 megabits, routinely every evening, making it hard to use things like remote desktop.
Well, now port 24 is not working out. nmap shows this is used for private email, on the modem I presume. I have now forwarded a high-numbered port, 7063, to port 7063 on my SSH server and configured it to use that port. All is well in ssh-land for me now.
Are you running with static IPs? If not, it is possible that you are colliding with ports that Comcast wants to use to communicate with their modem/router.
Having used many ISPs over the years, I have found the best way to keep my hair and get sleep is to:
- get 1 or more static IPs
- dump the ISP HW into bridge mode (TrueStaticIP, or whatever they call it)
- get a decent router/FW, like a SonicWall TZ series