External access to home issue

Nebu_Retski
Beginner
Posts: 2
Joined: 26 Jan 2013, 14:27
T-2: Already have it
Package: 100/10 Mbps

External access to home issue

Post by Nebu_Retski » 26 Jan 2013, 16:03

I don't know Slovene, so sorry for the English ;)

It seems that I'm unable to access my home server (nor my Desktop) running ssh from outside my LAN network. Inside my LAN I am perfectly able to access my home server (and Desktop) and I am able to access ssh servers that are outside my network (i.e. from home to work). Previously I had a different ISP and router and back then I never had an issue.

Some details about my setup:
T2 modem: MILAN MIL-SM801G
Router: TP-LINK TL-WR741ND v1.9 (connected to the modem)
Both server and desktop are connected to my router. Both of them have static IPs configured in the router setup and that seems to be working perfectly fine.

I use a no-ip domain to have easy access to my home IP, but using the IP directly (obtained from the router status page) didn't solve anything either. I have set up a port forwarding entry in my router to the correct port that my ssh server is listening on.

Router security settings.
Basic security: DISABLED SPI firewall, ENABLED PPTP, L2TP, IPSEC passthroughs as well as FTP, TFTP, H323 ALG's, this should let my ssh connection pass through.
Advanced security: DISABLED DoS protection, FLOOD filtering (ICMP, UDP, TCP-SYN), ... Basically everything is disabled to prevent it from interfering with my ssh connection (for now).

No special routing setup in the router (aside from port forwarding).

No firewalls present on either the server or desktop.


What I have tried:
Changed to various ports to check for port filtering by T2, but I was told by the technical help desk that T2 does not filter ports/traffic.
The technical help desk was able to ping my T2 modem and supposedly also my router; however, when I try to ping/traceroute from work to home I do not get a reply (100% packet loss), and traceroute seems to be blocked before it reaches my home.

traceroute from work to home (by using IP):

traceroute to xx.xx.xx.xx (xx.xx.xx.xx), 30 hops max, 60 byte packets
1 f9gw.ijs.si (194.249.156.9) 0.586 ms 0.740 ms 0.917 ms
2 194.249.61.129 (194.249.61.129) 0.827 ms 1.295 ms 1.427 ms
3 larnes6-T1-2.arnes.si (178.172.81.136) 0.520 ms 0.732 ms 0.495 ms
4 six2.t-2.si (91.220.194.14) 0.784 ms 0.798 ms 0.851 ms
5 * * *
6 * * *
7 * * *
snipped the rest because all other hops also give * * *

traceroute by using a public service: http://ping.eu/traceroute/

traceroute to xxxxxxx.no-ip.com (xx.xx.xx.xx), 30 hops max, 60 byte packets
1 static.185.212.4.46.clients.your-server.de 46.4.212.185 de 2.599 ms 2.879 ms 2.882 ms
2 hos-tr4.juniper2.rz13.hetzner.de 213.239.224.97 de 14.997 ms
hos-tr1.juniper1.rz13.hetzner.de 213.239.224.1 de 0.140 ms
hos-tr3.juniper2.rz13.hetzner.de 213.239.224.65 de 14.991 ms
3 hos-bb2.juniper4.rz2.hetzner.de 213.239.240.138 de 2.820 ms 2.829 ms 2.815 ms
4 ae55.edge7.Frankfurt1.Level3.net 195.16.162.253 gb 12.715 ms 12.719 ms 12.715 ms
5 vlan60.csw1.Frankfurt1.Level3.net 4.69.154.62 us 26.450 ms
vlan70.csw2.Frankfurt1.Level3.net 4.69.154.126 us 25.850 ms 28.457 ms
6 ae-92-92.ebr2.Frankfurt1.Level3.net 4.69.140.29 de 25.817 ms
ae-72-72.ebr2.Frankfurt1.Level3.net 4.69.140.21 us 25.161 ms
ae-82-82.ebr2.Frankfurt1.Level3.net 4.69.140.25 de 25.687 ms
7 ae-1-10.bar1.Ljubljana1.Level3.net 4.69.151.185 us 25.657 ms 26.360 ms 26.300 ms
8 * * *
9 * * *
10 * * *
No reply for 3 hops. Assuming we reached firewall.

I also tried connecting my Desktop (also running an ssh server) directly to the T2 modem (bypassing my router) and then I tried to connect over ssh to my desktop (from work). I also tried a ping and a traceroute. Now ping still fails, but traceroute seems to end up at my Desktop (see below); however, I am not able to log in to my desktop over ssh (I always get connection timed out).

traceroute to xx.xx.xx.xx (xx.xx.xx.xx), 30 hops max, 60 byte packets
1 static.185.212.4.46.clients.your-server.de 46.4.212.185 de 1.188 ms 1.374 ms 1.432 ms
2 hos-tr1.juniper1.rz13.hetzner.de 213.239.224.1 de 0.136 ms 0.205 ms 0.201 ms
3 hos-bb2.juniper8.rz1.hetzner.de 213.239.240.139 de 2.868 ms 2.793 ms 2.854 ms
4 nbg-s1-rou-1001.DE.eurorings.net 134.222.107.20 nl 3.213 ms 3.438 ms 3.506 ms
5 ffm-s1-rou-1102.DE.eurorings.net 134.222.227.117 nl 6.883 ms 6.937 ms 6.934 ms
6 ffm-s2-rou-1041.DE.eurorings.net 134.222.229.74 nl 6.927 ms 6.831 ms 6.817 ms
7 ffm-b12-link.telia.net 213.248.86.233 7.392 ms

8 ffm-bb1-link.telia.net 213.155.132.208 7.216 ms
ffm-bb1-link.telia.net 213.155.135.106 7.305 ms
ffm-bb2-link.telia.net 213.155.135.12 44.725 ms
9 win-bb2-link.telia.net 80.91.246.143 19.648 ms
prag-bb1-link.telia.net 213.155.132.241 59.912 ms
prag-bb1-link.telia.net 213.155.131.217 25.072 ms
10 win-b4-link.telia.net 213.155.133.77 132.730 ms
win-b4-link.telia.net 213.155.132.177 94.945 ms
win-b4-link.telia.net 213.155.132.129 19.706 ms
11 t2-ic-131844-win-b4.c.telia.net 213.248.79.230 31.015 ms 25.577 ms 30.989 ms
12 84-255-250-45.core.t-2.net 84.255.250.45 si 25.877 ms 25.808 ms 25.877 ms
13 * * *
14 xx-xx-xx-xx.dynamic.t-2.net xx.xx.xx.xx si 26.045 ms 26.022 ms 31.458 ms

Currently I don't know what else to try. It doesn't look like it's an issue with my router, but I have no clue what the issue would be. I'm hoping someone is able to point me in the right direction.

magecu
Faca
Posts: 130
Joined: 3 Sep 2009, 21:06
T-2: Already have it
Package: Oranžni Diamant (VDSL)
Location: Ljubljana Tržaška

Re: External access to home issue

Post by magecu » 26 Jan 2013, 19:30

If the option FLOOD filtering (ICMP, UDP, TCP-SYN) is on then your router doesn't respond to ping requests, so ping doesn't help you in this case.

Also T-2 has a few levels of security:
HIGH Security inbound (internet -> local network) all ports closed, outbound only a few ports are left open
MEDIUM Security inbound all ports are closed, outbound most ports are left open
LOW Security inbound most ports are open, outbound most ports are open
STATIC IP all ports are open in both directions

If your connection is on anything above low security, you will have issues accessing your servers.

You can use this site to check your ports:
http://www.yougetsignal.com/tools/open-ports/

Keep in mind that on the computer to which the port is forwarded, a program that listens to this port has to be running, otherwise the computer will not respond to the request and it will look like the port is closed.
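
Added example, not part of the original thread or of any T-2 tool: a TCP connect check in Python that separates the outcomes discussed in this thread (a forwarded port with a listener, a port nobody listens on, and inbound traffic dropped before it arrives, which shows up as the "connection timed out" reported above). The names `probe`, `classify` and `HINTS` are assumptions made for this example, and the demo uses a constructed loopback socket so it runs offline.

```python
import socket

# What each outcome means for a port forward that is being tested from outside.
HINTS = {
    "open": "handshake completed: forwarding works and a server is listening",
    "closed": "connection refused (RST): packets arrive, but nothing listens "
              "on that port or the forward points at the wrong host",
    "filtered": "timed out: packets are dropped on the way in, e.g. by an "
                "ISP-side filter or a firewall",
    "error": "other network error (no route, DNS failure, ...)",
}

def classify(error):
    """Map the exception from a TCP connect attempt (None = success) to a state."""
    if error is None:
        return "open"
    if isinstance(error, ConnectionRefusedError):
        return "closed"
    if isinstance(error, socket.timeout):  # alias of TimeoutError on Python 3.10+
        return "filtered"
    return "error"

def probe(host, port, timeout=3.0):
    """Attempt one TCP connection; return 'open', 'closed', 'filtered' or 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(None)
    except OSError as exc:
        return classify(exc)

if __name__ == "__main__":
    # Constructed offline demo on loopback; for a real check, run probe() from
    # a machine outside the LAN against your own public address and SSH port.
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))          # port reserved, but nobody listening yet
    port = sock.getsockname()[1]
    for label in ("before listen()", "after listen()"):
        state = probe("127.0.0.1", port)
        print(f"{label}: {state} - {HINTS[state]}")
        sock.listen(1)                   # from now on a listener answers
    sock.close()
```

A "filtered" result from outside combined with working logins inside the LAN points at something upstream of the server dropping inbound packets, while "closed" points at the forward target or the listener.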

Nebu_Retski
Beginner
Posts: 2
Joined: 26 Jan 2013, 14:27
T-2: Already have it
Package: 100/10 Mbps

Re: External access to home issue

Post by Nebu_Retski » 27 Jan 2013, 11:38

> If the option FLOOD filtering (ICMP, UDP, TCP-SYN) is on then your router doesn't respond to ping requests, so ping doesn't help you in this case.

I know, I meant that I had it disabled or else ping definitely wouldn't work :D

> Also T-2 has a few levels of security:
> HIGH Security inbound (internet -> local network) all ports closed, outbound only a few ports are left open
> MEDIUM Security inbound all ports are closed, outbound most ports are left open
> LOW Security inbound most ports are open, outbound most ports are open
> STATIC IP all ports are open in both directions

Can I turn this security off in the T2 service webpage?

> You can use this site to check your ports:
> http://www.yougetsignal.com/tools/open-ports/

Yup, my ports seem to be closed. Yesterday I was told by a technical help desk agent that T2 doesn't close any ports, maybe he messed up with inbound vs. outbound traffic.

> Keep in mind that on the computer to which the port is forwarded, a program that listens to this port has to be running, otherwise the computer will not respond to the request and it will look like the port is closed.

Both my home server and my desktop are running an ssh server and on my home network I can log in over ssh to both (i.e. from desktop -> server and from server -> desktop) so I know they are listening. My router is set up to forward inbound traffic on my ssh port to my home server. I have run this setup successfully for nearly a decade, but it was on a different ISP. Now that I know T2 seems to be closing ports by default, I will have to take a look at disabling this T2 security, but unfortunately it might take a couple of days because my girlfriend lost the login and password and now we will need to obtain it through our landlord (whose name and tax number are on the contract).

magecu
Faca
Posts: 130
Joined: 3 Sep 2009, 21:06
T-2: Already have it
Package: Oranžni Diamant (VDSL)
Location: Ljubljana Tržaška

Re: External access to home issue

Post by magecu » 27 Jan 2013, 13:38

Try calling the technical support again.
When calling, choose the technical support; I doubt you will get it resolved quickly enough at the main desk.

And just ask them directly to set your connection to low security; don't forget to have an invoice at hand if they need any additional data from you.
From my experience, I think you should be set by today if everything goes well.
