Replies: 2 comments
-
I observed that if I ssh into ha from my qemu host, connects ok, using the original ha default routes and metrics.

```
-netdev user,id=vnet,hostfwd=tcp::8123-:8123,hostfwd=tcp::2223-:2223 -device virtio-net-pci,netdev=vnet
```

All is now good: Webterminal, HA UI and external putty / winscp all working. May want to document this "somewhere" for qemu hassio VM users. Still unsure what HA / ssh +wt changes resulted in breaking external access (via HA IP address).

Thanks;
-
Same port forward solution for samba share: ports 137, 138, 139, 445
-
After updating to latest hassio / ssh+web terminal I can no longer access hassio using external ssh apps. Ssh web terminal works.
I traced the problem to replies going to wrong interface due to interface metrics.
Config:
```
username: admin
password: redacted
authorized_keys: []
sftp: false
compatibility_mode: false
allow_agent_forwarding: false
allow_remote_port_forwarding: false
allow_tcp_forwarding: false
```

ssh port 2323
Network Interfaces:
```
~ # ifconfig enp0s3
enp0s3 Link encap:Ethernet HWaddr 52:54:00:12:34:56
inet addr:10.0.2.15 Bcast:10.0.2.255 Mask:255.255.255.0
inet6 addr: fe80::a6bb:83cb:c467:abce/64 Scope:Link
inet6 addr: fec0::76d7:53c0:97ed:878/64 Scope:Site
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:110642 errors:0 dropped:0 overruns:0 frame:0
TX packets:76387 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:27680946 (26.3 MiB) TX bytes:20794510 (19.8 MiB)
~ # ifconfig enp0s4
enp0s4 Link encap:Ethernet HWaddr 52:54:00:12:34:57
inet addr:192.168.10.180 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::6ff8:48e7:d687:41a6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:44833 errors:0 dropped:0 overruns:0 frame:0
TX packets:35400 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5406704 (5.1 MiB) TX bytes:5161221 (4.9 MiB)
```
Original routing table:
```
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.0.2.2        0.0.0.0         UG    100    0        0 enp0s3
default         192.168.10.1    0.0.0.0         UG    101    0        0 enp0s4
10.0.2.0        *               255.255.255.0   U     100    0        0 enp0s3
172.30.32.0     *               255.255.254.0   U     0      0        0 hassio
172.30.232.0    *               255.255.254.0   U     0      0        0 docker0
192.168.10.0    *               255.255.255.0   U     101    0        0 enp0s4
```

External client requests come in on enp0s4 and are answered using enp0s3, causing the connection to fail. So, I altered the interface metrics to favor enp0s4.
command: "ip route del default via 10.0.2.2; ip route add default via 10.0.2.2 metric 1234"
Altered routing table:
```
# Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.0.2.2        0.0.0.0         UG    100    0        0 enp0s3
default         192.168.10.1    0.0.0.0         UG    101    0        0 enp0s4
10.0.2.0        *               255.255.255.0   U     100    0        0 enp0s3
172.30.32.0     *               255.255.254.0   U     0      0        0 hassio
172.30.232.0    *               255.255.254.0   U     0      0        0 docker0
192.168.10.0    *               255.255.255.0   U     101    0        0 enp0s4
```

This allows external ssh clients to connect, but breaks web terminal access and many other HA UI features.

I attempted policy-based routing by installing the iproute2 package, then:

```
echo 200 isp2 >> /etc/iproute2/rt_tables
ip rule add from 192.168.10.180 table isp2 prio 1
ip route add default via 192.168.10.1 dev enp0s4 table isp2
```

The first ip rule add command results in "not supported", for unknown reasons (kernel config?)
So, how can I have external ssh access, webterminal and rest of HA UI working?
Thanks;
Bill
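
The asymmetric reply path described in the post above, modelled as an added example (not code from the thread or from the add-on): it applies longest-prefix, lowest-metric route selection to the posted routing table and shows what a source-based rule like the attempted `isp2` table would change. The client addresses are constructed, and the `POLICY` dict is a hypothetical stand-in for `ip rule`, not a real API.

```python
import ipaddress

# Main routing table from the post: (destination, gateway, genmask, metric, iface).
ROUTES = [
    ("0.0.0.0", "10.0.2.2", "0.0.0.0", 100, "enp0s3"),
    ("0.0.0.0", "192.168.10.1", "0.0.0.0", 101, "enp0s4"),
    ("10.0.2.0", None, "255.255.255.0", 100, "enp0s3"),
    ("172.30.32.0", None, "255.255.254.0", 0, "hassio"),
    ("172.30.232.0", None, "255.255.254.0", 0, "docker0"),
    ("192.168.10.0", None, "255.255.255.0", 101, "enp0s4"),
]
# Interface addresses from the ifconfig output in the post.
LOCAL_ADDR = {"10.0.2.15": "enp0s3", "192.168.10.180": "enp0s4"}
# Hypothetical model of the "isp2" table: selected by the reply's source address.
POLICY = {"192.168.10.180": [("0.0.0.0", "192.168.10.1", "0.0.0.0", 0, "enp0s4")]}


def lookup(dst, routes=ROUTES):
    """Select a route: longest matching prefix first, then lowest metric."""
    dst = ipaddress.ip_address(dst)
    best = None
    for dest, gw, mask, metric, iface in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}")
        if dst in net:
            key = (-net.prefixlen, metric)
            if best is None or key < best[0]:
                best = (key, iface, gw)
    return (best[1], best[2]) if best else None


def reply_path(client, local_ip, use_policy=False):
    """Return (ingress iface, egress iface, symmetric?) for a reply to client."""
    ingress = LOCAL_ADDR[local_ip]
    routes = POLICY.get(local_ip, ROUTES) if use_policy else ROUTES
    egress, _gw = lookup(client, routes)
    return ingress, egress, ingress == egress


if __name__ == "__main__":
    # Constructed clients: one off-subnet (TEST-NET-3), one on the enp0s4 LAN.
    for client in ("203.0.113.7", "192.168.10.50"):
        print(client, "main table:", reply_path(client, "192.168.10.180"))
        print(client, "with rule :", reply_path(client, "192.168.10.180", True))
```

With the main table alone, only clients outside 192.168.10.0/24 get their replies sent out the wrong interface; the source-based table keeps replies from 192.168.10.180 on enp0s4 without touching the default route that the rest of the system uses.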