DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

SSH cannot connect to Vigor 2620LN from outside local broadcast segment

06 Dec 2024 15:29 #104280 by Mike
I have a Vigor 2620LN running firmware 3.9.9.1_BT.  Behind the LAN interface are a number of subnets.  It seems to be only possible to SSH to the router from the local subnet, otherwise the connection will fail.  I have tried the connection from my laptop, plugged into the various subnets on the local network, and it only works in the same subnet as the router LAN port.  Other services, such as HTTPS and telnet, are accessible from anywhere on the local networks.  Looking at Wireshark, I see the three-way handshake complete and then the client sends a packet containing the client banner, then the Draytek closes the connection.  It seems to suggest to me that there is some kind of host-based ACL in the SSH config.  I have searched the web interface and CLI and I cannot find any way to configure it.  Can anyone offer any advice, please?


07 Dec 2024 11:42 #104283 by ianfretwell
I think on 2865/2866/2927 series you'd allow this from:-

System Maintenance / Management / LAN Access Setup / Apply To Subnet

2620 might be different though since it's that bit older.


07 Dec 2024 13:01 #104284 by Mike
Thanks. That option is indeed there and I've tried it but sadly, it didn't help.


14 Dec 2024 13:20 - 14 Dec 2024 13:26 #104321 by HodgesanDY
Hi Mike

I have tried the connection from my laptop, plugged into the various subnets on the local network and it only works in the same subnet as the router LAN port.

Your router only has two LAN ports, so do you mean you can only SSH into the router when directly connected to one of these two ports?

If that is correct, do you therefore have another VLAN capable switch connected to one of those ports as well, which isn't allowing connection to the SSH service on the router (even when you're on the same VLAN subnet via that external switch) or are you using Wireless VLANs as well?

Do you have Inter-LAN enabled, I imagine you do, and are you trying to access the router via the default LAN's gateway address or via the VLAN subnet's gateway address?


Personally, I am able to SSH into a 2862 (FW 3.9.9.8) from a VLAN'd subnet which isn't the default LAN1 subnet, and is via an external switch; all permissions permitted of course, as mentioned by ianfretwell earlier.

 
Last edit: 14 Dec 2024 13:26 by HodgesanDY.


14 Dec 2024 13:28 #104322 by Mike
There's quite a complex network plugged into the router's LAN port. The LAN port is IP'd as 192.168.0.1/24. There are other routers in the 192.168.0.0/24 subnet and they have their own subnets (192.168.1.0/24, 192.168.2.0/24, etc.)

Provided that I am connected to 192.168.0.0/24, then I can SSH to the router. If I am connected to any of the other subnets, then SSH does not work. It failed to connect with "kex_exchange_identification: Connection closed by remote host".

Other services ARE accessible from the other subnets including HTTP, HTTPS and telnet to the router.

Looking at tcpdump, I see the three-way handshake and then the client sends a data packet and the router replies by closing the connection.

I suspect it's some kind of "hosts allow 192.168.0.0/24" on the router but as far as I can tell, one can't get arbitrary command line access to a Draytek (please correct me if I'm wrong, as I'd love to do this).


14 Dec 2024 14:05 #104323 by HodgesanDY
Ok, so it's a key exchange problem, most likely because your first ever connection from your laptop happened when you were on the 192.168.0.0 network. Once you jump onto another network and get given a different IP address, the key exchange will fail.

See this post:
https://www.draytek.co.uk/forum/routers-and-firewalls/25289-ssh-to-2862-from-linux

But seeing as you are on a Windows laptop, this string won't work for you... let me work out the correct string to connect. Alternatively, you may also have a local cached key list on your laptop that you could simply delete the 192.168.0.0 entry from, and try to connect again - from the non-192.168.0.0 subnet(s).

