I was a little reluctant to post that error message from SSH, as I think perhaps it could be misleading. I don't believe it's indicting a key exchange error per se, I think it's from the code in SSH that deals with key exchange as the first part of establishing a SSH session. I think they key part of the error is "Connection closed by remote host" meaning "the Draytek sent us a FIN packet" and this is indeed what I see in TCPdump. After the client sends the first data packet, the Draytek sends a FIN. I don't believe this is connected. I suspect what is happening is that after the client receieves the ACK at the end of the three-way handsake, it repies with the client banner. At the same time, the SSHd checks the ACL and sees that the host is not allowed and so ends the connection. The three-way handshake is done in kernel space, so SSH won't be able to check the ACL until that is complete.

I did not try to connect to 192.168.0.0/24 first. I tried on another subnet and then moved to 192.168.0.0/24, to test a theroy that access was possible only from the subnet the router's LAN port was in. I have also attempted connection from my desktop, also outside 192.168.0.0/24 and that fails too. I believe that changing IPs only cause keyex issues when the server changes IP and not the client. Indeed, I've moved around the work on my laptop and always been able to reach my SSH server.

I should probably also mention that the laptop and desktop both run Debian Linux and not Windows.

I didn't know about Inter-LAN, I shall have to take a look at that.

Are you hosting any VLAN subnets on your Vigor 2620, or are all other subnets hosted by the other router(s)? Are you using any VLAN-ing for the separated subnets at all?

If you have only one subnet hosted on the Vigor router (i.e. VLAN disabled), then the Inter-LAN won't be applicable. And sorry, yes, you're right, I was thinking about the server changing IP and not the client, so ignore that suggestion, apologies my mistake.

I do feel that there is some sort of routing complexity, like you say, that is causing the Vigor to refuse your external subnet connection, possibly because the vigor isn't hosting that external subnet and so refuses to allow the connection for a subnet it is not the router authority for.

If you were to enable the VLAN feature on the Vigor (if it isn't already) and create a brand new subnet, then assign that to one of the SSID's on the Vigor, then connect to that SSID from your Linux laptop, can you then SSH in from that brand new subnet?