AP 121 SSH on Watchguard

  • Question
  • Updated 4 years ago
  • Answered

I can't reach any AP121 access points over SSH behind any WatchGuard firewall. The APs are connected to the HiveManager over UDP port 12222, but when I try to access the access points with the SSH client I can't reach them. I've got port 22 open from the inside to the outside of the WatchGuard. Does someone know what the problem could be?
The error I get is: The selected device has rejected setting up an SSH connection to HiveManager.

Joost Jansen


Posted 4 years ago


Andrew MacTaggart, Champ

Depends on your setup; there are so many scenarios.

Internal HIVE or Online HIVE?

With an online HIVE you would have to open the FW from HM[IP] to AP-NAT[IP], any source port to destination port 22. I doubt that your APs have their own dedicated internet IP.

If you are onsite with the AP, just use PuTTY and enter the internal AP IP.

---Stop reading--- if the above is the case

You would have to give a bit more info about the topology.

Assuming an internal HIVE and an internal firewall:

You say you have port 22 open from inside to outside.

22 would be the destination port from the HM's perspective of the AP; the return traffic would need to be allowed from AP source port 22 to whatever port the HM used as its source. A stateful firewall would handle this for you; otherwise you would have to have some rules for the return traffic.

For example, my firewall builds a return connection for traffic initiated from the inside to the outside [stateful]:

TCP outside inside, idle 0:00:14, bytes 1723, flags UIO

And here is a typical SSH exchange:

13:29:59.198815 IP[My random Port] > mgmt.mydomain.ssh[tcp 22]: Flags [.], ack 13744, win 2641, options [nop,nop,TS val 473159848 ecr 1174521690], length 0
13:29:59.198979 IP mgmt.mydomain.com.ssh[tcp22] >[my random port]: Flags [P.], ack 1, win 8326, options [nop,nop,TS val 1174521690 ecr 473159848], length 112
If your APs are at a remote location, you are better off using a VPN session to the remote location and then using SSH to the APs, but that would be my personal choice. If this is an internal firewall, ignore this.

Scanning for SSH ports is all the rage now.

So, that warning being said, and assuming an internal firewall (so no NAT involved):

From HM [inside] to AP [outside]:
FW rule would be allow HM[source] to AP121[destination], source port any, destination port 22.

If the firewall is stateful, you should be good to go, assuming NAT is not involved.

If not, you have to allow the return traffic:

From AP [outside] to HM [inside]:
allow AP IP to HM IP, source port 22, destination port any.
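The difference between the two rule sets in the answer above (one outbound rule on a stateful firewall versus an explicit return rule on a stateless one) is easy to check by replaying a capture. The following is an added example, not code from the thread or from WatchGuard or Aerohive: it parses constructed tcpdump-style lines in the same shape as the exchange quoted above, then evaluates each packet against the HM-to-AP rule both statelessly and with a flow table. The hosts (10.0.0.5 as HM, 192.168.1.10 as AP), ports and timestamps are invented for illustration.

```python
import re

# Constructed sample capture in tcpdump's text format (not a real trace):
# HM 10.0.0.5 opens SSH to AP 192.168.1.10; the AP replies from port 22.
HM, AP = "10.0.0.5", "192.168.1.10"
CAPTURE = """\
13:29:58.000001 IP 10.0.0.5.51234 > 192.168.1.10.ssh: Flags [S], seq 1, win 65535, length 0
13:29:58.000452 IP 192.168.1.10.ssh > 10.0.0.5.51234: Flags [S.], seq 100, ack 2, win 8326, length 0
13:29:58.000900 IP 10.0.0.5.51234 > 192.168.1.10.ssh: Flags [.], ack 101, win 2641, length 0
13:29:59.198979 IP 192.168.1.10.ssh > 10.0.0.5.51234: Flags [P.], ack 1, win 8326, length 112
"""

SERVICE_PORTS = {"ssh": 22}  # tcpdump prints well-known ports by name

# Line shape: "HH:MM:SS.usec IP src.port > dst.port: Flags [..], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
)


def split_endpoint(endpoint):
    """'10.0.0.5.51234' -> ('10.0.0.5', 51234); '192.168.1.10.ssh' -> ('192.168.1.10', 22)."""
    host, _, port = endpoint.rpartition(".")
    if port.isdigit():
        return host, int(port)
    return host, SERVICE_PORTS[port]


def parse_line(line):
    """Return a packet dict for a tcpdump TCP line, or None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": split_endpoint(m["src"]),
        "dst": split_endpoint(m["dst"]),
        "flags": m["flags"],
    }


def rule_matches(rule, pkt):
    """A rule names src/dst host and optional src/dst port (None = any)."""
    return (
        pkt["src"][0] == rule["src"]
        and pkt["dst"][0] == rule["dst"]
        and (rule["src_port"] is None or pkt["src"][1] == rule["src_port"])
        and (rule["dst_port"] is None or pkt["dst"][1] == rule["dst_port"])
    )


def stateless_verdicts(packets, rules):
    """Stateless: every packet must match a rule on its own, replies included."""
    return ["allow" if any(rule_matches(r, p) for r in rules) else "drop" for p in packets]


def stateful_verdicts(packets, rules):
    """Stateful: only the first packet of a flow is checked against the rules;
    later packets in either direction are allowed because the flow exists."""
    flows = set()
    verdicts = []
    for p in packets:
        fwd, rev = (p["src"], p["dst"]), (p["dst"], p["src"])
        if fwd in flows or rev in flows:
            verdicts.append("allow")
        elif any(rule_matches(r, p) for r in rules):
            flows.add(fwd)
            verdicts.append("allow")
        else:
            verdicts.append("drop")
    return verdicts


# The answer's outbound rule: HM -> AP121, source port any, destination port 22.
OUTBOUND_ONLY = [{"src": HM, "dst": AP, "src_port": None, "dst_port": 22}]
# Plus the answer's return rule: AP -> HM, source port 22, destination port any.
WITH_RETURN = OUTBOUND_ONLY + [{"src": AP, "dst": HM, "src_port": 22, "dst_port": None}]


def run_example():
    packets = [p for p in (parse_line(l) for l in CAPTURE.splitlines()) if p]
    return {
        "stateless_outbound_only": stateless_verdicts(packets, OUTBOUND_ONLY),
        "stateless_with_return": stateless_verdicts(packets, WITH_RETURN),
        "stateful_outbound_only": stateful_verdicts(packets, OUTBOUND_ONLY),
    }


if __name__ == "__main__":
    for name, verdicts in run_example().items():
        print(f"{name}: {verdicts}")
```

With only the outbound rule, the stateless evaluation drops both packets coming back from port 22 (the SYN-ACK and the data push), which is exactly the symptom of a one-way rule; adding the return rule or switching to flow tracking lets the whole exchange through. The same replay is a quick way to verify a rule set against a real capture before touching the firewall.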