
Help "no route to host"


root

Nov 3, 2015, 4:02:38 PM
I have two machines that I administer remotely via ssh.
One of these machines suffered a power outage that lasted
several hours after which the linux machine on the network
would not boot.

I traveled to the site and brought the machine back up
and came home. Now I can't ssh into that machine.

In order to refresh my memory on the port-forwarding
process I decided to enable port forwarding into one
of the machines on my local network.

On my system I am using a Linksys/Cisco E4200 router.
On the router I enabled port forwarding of port 22
(external) to port 22 (internal) to the target machine
xx.yy.zz.24 on my LAN.

While I was at it I also enabled port forwarding of
ping to that machine.

For good measure I restarted sshd on the target machine.

I can ssh into the target machine from any other machine
on my LAN, but when I try to go outside and come back
into that machine I get a "no route to host" message that
confounds me.

I spent most of this morning looking on the internet for
an answer without any luck.

Here are the particulars. From the outside, this machine
looks like XX.YY.ZZ.24 and I can ping it, or traceroute
to the machine.

ping and traceroute take two hops: 1) to my router,
2) to some address within my ISP (Charter) and then
to the target machine. ping within the LAN takes
about .25ms while ping going outside and back takes
about 20ms, confirming the traceroute.

However, when I try to ssh into the target machine
using the external address I get "no route to host".

Nothing I have tried has succeeded. Any suggestions
would be greatly appreciated. BTW, the target machines
I am trying to reach both run vanilla Slackware 14.1
32 bit.

Thanks for any suggestions.

Rich

Nov 3, 2015, 5:50:57 PM
root <NoE...@home.org> wrote:
> In order to refresh my memory on the port-forwarding
> process I decided to enable port forwarding into one
> of the machines on my local network.

> ...

> Here are the particulars. From the outside, this machine
> looks like XX.YY.ZZ.24 and I can ping it, or traceroute
> to the machine.

> However, when I try to ssh into the target machine
> using the external address I get "no route to host".

Does your network wiring look like this?

           XX.YY.ZZ.24
                |
              router
                |<-10.0.0.1
       |--------|------------|
       |                     |
    Internal             Internal
       #1                   #2
    10.0.0.2             10.0.0.3

(Note, you may not be using 10.x.x.x internally, I just made those up).

So, you can do this from Internal #1:

ssh 10.0.0.3

and it works

But if you do this from Internal #1:

ssh XX.YY.ZZ.24

you get 'no route to host'?

Then that would be because on the internal network, connecting #1, #2,
and the router, address XX.YY.ZZ.24 does not exist. So there is "no
route" on the local network to reach XX.YY.ZZ.24.

XX.YY.ZZ.24 exists on a second interface, on the other side of the
router. It is effectively invisible to the local network. And unless
your router happens to allow an internal machine to 'loop back' over
the port forward on the external interface back to another internal
machine, the above won't work. Since it does not currently work, it is
likely the router does not support this mode. There may be a config
setting to turn such on, but I rather doubt one exists in a 'boxed
router' because this is a network route mode that few 'need' to ever
use on a normal basis.

You need to try to contact #2 from another system on the XX.YY.ZZ.24
side of the router. If you have no such system, you could grab a cheap
VPS just to use as a launch point to test, then drop the cheap VPS when
you are done.

Chris Vine

Nov 3, 2015, 6:24:43 PM
That seems very odd. My guess is that although you have set up port
forwarding for ping correctly, you have not done so correctly for port
22 (ssh), or you are using a custom port for ssh and not port 22 so the
port forwarding is not working, or your firewall has new rules since
you last booted which is blocking that port from addresses
outside the local network.

Chris

root

Nov 3, 2015, 7:03:58 PM
When you try an address that is not on your local lan, the router
directs that request upstream through the cable modem into the
ISP network. In this case the ISP network recognizes that
XX.YY.ZZ.?? is within its network and directs the request back
to the corresponding cable modem (mine in this case). I can see
this happening for the ping and traceroute requests.

>
> XX.YY.ZZ.24 exists on a second interface, on the other side of the
> router. It is effectively invisible to the local network. And unless
> your router happens to allow an internal machine to 'loop back' over
> the port forward on the external interface back to another internal
> machine, the above won't work. Since it does not currently work, it is
> likely the router does not support this mode. There may be a config
> setting to turn such on, but I rather doubt one exists in a 'boxed
> router' because this is a network route mode that few 'need' to ever
> use on a normal basis.
>
> You need to try to contact #2 from another system on the XX.YY.ZZ.24
> side of the router. If you have no such system, you could grab a cheap
> VPS just to use as a launch point to test, then drop the cheap VPS when
> you are done.
>

Well your picture is pretty nearly what I have. Inside my LAN the
addresses are 10....... I would change your picture to insert
the cable modem. As far as the outside world goes the cable
modem is: XX.YY.ZZ.130. Inside my lan the target machine is
10.0.0.24. Inside my lan I can ping 10.0.0.24, or ssh into it.

I can also ping or traceroute XX.YY.XX.24. It turns out
that I can go outside and try to access. One of the two
machines I administer connects via ATT. I can ssh into
that machine and ssh XX.YY.XX.24 and I get the same
"no route to host" for port 22.

The other remote system I administer, the one which I can no
longer access, is identical to the target machine here, and
uses an equivalent Linksys router.

Thinking the problem might be the router I switched my
system to a different linksys router and the problem
persisted. So I switched to an older Netgear router
on which I installed dd-wrt. I wiped that router and
started fresh. Setting up port forwarding is about as
simple as it can be. But, even with the dd-wrt router
I get the "no route to host" message.

A common thread to my problems is the ISP Charter. I called
Tech Support at Charter and although they didn't know what
port forwarding was, or even what ssh was, they assured me
that Charter does not block any services. That assurance
doesn't make me certain.

Rich

Nov 3, 2015, 9:54:38 PM
Actually, if the router is a proper router, none of those packets ever
get any further than the router itself (i.e., they would never end up
in the ISP network at all), therefore you are likely not getting
the ISP reflecting the packet back to you.

Ping and traceroute use ICMP, which is handled differently than TCP,
which would explain why you seem to be able to ping XX.YY.ZZ.24 and
traceroute, but can't set up a TCP connect. Making the portforward you
want work over the router requires a NAT system that a boxed router
likely does not contain.

> > You need to try to contact #2 from another system on the XX.YY.ZZ.24
> > side of the router. If you have no such system, you could grab a cheap
> > VPS just to use as a launch point to test, then drop the cheap VPS when
> > you are done.

> Well your picture is pretty nearly what I have. Inside my LAN the
> addresses are 10....... I would change your picture to insert
> the cable modem. As far as the outside world goes the cable
> modem is: XX.YY.ZZ.130. Inside my lan the target machine is
> 10.0.0.24. Inside my lan I can ping 10.0.0.24, or ssh into it.

> I can also ping or traceroute XX.YY.XX.24. It turns out
> that I can go outside and try to access. One of the two
> machines I administer connects via ATT. I can ssh into
> that machine and ssh XX.YY.XX.24 and I get the same
> "no route to host" for port 22.

Implying that something is wrong somewhere with the port forward.
Either the setup is incorrect, or it is telling you it is
port forwarding, but not actually port forwarding.

> The other remote system I administer, the one which I can no
> longer access, is identical to the target machine here, and
> uses an equivalent Linksys router.

> Thinking the problem might be the router I switched my
> system to a different linksys router and the problem
> persisted. So I switched to an older Netgear router
> on which I installed dd-wrt. I wiped that router and
> started fresh. Setting up port forwarding is about as
> simple as it can be. But, even with the dd-wrt router
> I get the "no route to host" message.

Hmmm... Very odd. Is that 'no route to host' when arriving from the
10.x.x.x side, or 'no route to host' when arriving over the internet
from another location?

In any case, that swap should have removed issues of the other router
not working as advertised from the picture. Something else is up,
somewhere.

> A common thread to my problems is the ISP Charter. I called
> Tech Support at Charter and although they didn't know what
> port forwarding was, or even what ssh was, they assured me
> that Charter does not block any services. That assurance
> doesn't make me certain.

I'm not surprised that the low level techie you got on the phone didn't
know what those were. And yes, the 'assurance' has to be weighed
against the lack of technical knowledge. Their 'script' likely says
"no services are blocked" but the actual meaning may be that you can
make outbound connects, but inbound attempts to connect are blocked
(because who ever tries to "serve" data on the internet from a home
internet link........)

root

Nov 4, 2015, 1:13:01 AM
I googled for some information about the Charter user agreement. Among
a list of things Charter subscribers agree not to do is:

* Either of the following activities by a Subscriber using dedicated machines (also known as "machines"
or "dedicated servers") or virtual dedicated servers (also known as "VDS", "VPS", "virtual
machines", and/or "virtual servers"): (i) running a tunnel or proxy to a server at another host or
(ii) hosting, storing, proxy, or use of a network testing utility or denial of service (DoS/DDoS) tool in
any capacity.

It sounds as if this might be my problem.

Chris Vine

Nov 4, 2015, 4:17:15 AM
On Wed, 4 Nov 2015 06:12:59 +0000 (UTC)
However, running sshd does not amount to either of those things.

Your setup is practically identical to my own. I have often wondered
what would happen if my ISP implements carrier-grade NAT to overcome
any forthcoming or actual lack of IPv4 addresses: maybe that is what
your ISP is doing. So far I have not suffered from that problem myself.

Chris

John F. Morse

Nov 4, 2015, 9:34:04 AM
On 11/04/2015 12:12 AM, root wrote:
> I googled for some information about the Charter user agreement. Among
> a list of things Charter subscribers agree not to do is:
>
> * Either of the following activities by a Subscriber using dedicated machines (also known as "machines"
> or "dedicated servers") or virtual dedicated servers (also known as "VDS", "VPS", "virtual
> machines", and/or "virtual servers"): (i) running a tunnel or proxy to a server at another host or
> (ii) hosting, storing, proxy, or use of a network testing utility or denial of service (DoS/DDoS) tool in
> any capacity.
>
> It sounds as if this might be my problem.

Every computer is running some kind of "service" and to have such stupid
lawyer language shows how easy it would be to challenge them.

You have the money to hire a lawyer? Go for it.

Otherwise just do as you want with what you are paying for.

--
John

When a person has -- whether they knew it or not -- already
rejected the Truth, by what means do they discern a lie?

Chick Tower

Nov 5, 2015, 11:59:55 AM
On 2015-11-04, root <NoE...@home.org> wrote:
> * Either of the following activities by a Subscriber using dedicated
> machines... or virtual dedicated servers:
> (i) running a tunnel or proxy to a server at another host or
> (ii) hosting, storing, proxy, or use of a network testing utility or denial
> of service (DoS/DDoS) tool in any capacity.
>
> It sounds as if this might be my problem.

Are you trying to do things you didn't try before the power outage? If
not, then how do you explain that they worked before?
--
Chick Tower

For e-mail: aols2 DOT sent DOT towerboy AT xoxy DOT net

root

Nov 5, 2015, 1:05:27 PM
Chick Tower <c.t...@deadspam.com> wrote:
> On 2015-11-04, root <NoE...@home.org> wrote:
>> * Either of the following activities by a Subscriber using dedicated
>> machines... or virtual dedicated servers:
>> (i) running a tunnel or proxy to a server at another host or
>> (ii) hosting, storing, proxy, or use of a network testing utility or denial
>> of service (DoS/DDoS) tool in any capacity.
>>
>> It sounds as if this might be my problem.
>
> Are you trying to do things you didn't try before the power outage? If
> not, then how do you explain that they worked before?

That is a very good question. It has been some time since
I last used remote access to the machine that was down
due to a power outage. I haven't had a chance to travel
over to the machine to verify its current state. That
is why I am trying to go back over the steps to configure
remote access on my own system before I make the trip to
the subject machine.

I have made several calls to "Tech Support" at Charter
with no success. I am assured that Charter does not
block any traffic, but the symptoms seem to me to
arise not from a "block" but from a failure to
resolve a subnet address. As I have said previously
within my lan the target machine I want to open to
remote ssh access is 10.0.0.24. To the outside world
my home cable modem is addressed as XX.YY.ZZ.130.
The machine I wish to access is also on Charter but
the external world address is different (the XX,YY,ZZ)
are different. That machine used to be at
66.214.236.100, but was changed sometime recently.
Within that address the local machine was 66.214.236.32
which I set up with port forwarding port 22 into.

Similarly I set up a machine in San Diego, with ATT
as ISP and port forwarding. I can still get into the
machine in San Diego, but not the machine in Los Angeles.

It is the "no route to host" that directs my attention.
I don't get that message for PING so address resolution
within Charter is able to recognize that
XX.YY.ZZ.24 is an address within XX.YY.ZZ.130

BTW, I can ping various machines on my lan as well as
the remote machine without port forwarding port 1.

I conclude that address resolution within Charter
is different for ICMP packets from that for tcp
packets.

I have tried three different routers at my end.
The manual for my current router (Cisco E4200)
shows how to set up the router for online gaming
with an Xbox. I can't believe that Charter could
get away with locking out Xbox for their customers
so I must be missing something.

Thanks for responding.

root

Nov 5, 2015, 2:55:34 PM
root <NoE...@home.org> wrote:
>
> I have tried three different routers at my end.
> The manual for my current router (Cisco E4200)
> shows how to set up the router for online gaming
> with an Xbox. I can't believe that Charter could
> get away with locking out Xbox for their customers
> so I must be missing something.
>

I just drove over to the house that I can no longer
access via ssh. I checked the router settings and
there has been no change since the time I was able
to gain ssh access. Since I can still gain access
to another remote machine using AT&T isp, this proves
to me that the problem is with Charter.

Rich

Nov 5, 2015, 3:00:50 PM
root <NoE...@home.org> wrote:
> Chick Tower <c.t...@deadspam.com> wrote:
> > On 2015-11-04, root <NoE...@home.org> wrote:
> >> * Either of the following activities by a Subscriber using dedicated
> >> machines... or virtual dedicated servers:
> >> (i) running a tunnel or proxy to a server at another host or
> >> (ii) hosting, storing, proxy, or use of a network testing utility or denial
> >> of service (DoS/DDoS) tool in any capacity.
> >>
> >> It sounds as if this might be my problem.
> >
> > Are you trying to do things you didn't try before the power outage?
> > If not, then how do you explain that they worked before?

> I have made several calls to "Tech Support" at Charter
> with no success. I am assured that Charter does not
> block any traffic, but the symptoms seem to me to
> arise not from a "block" but from a failure to
> resolve a subnet address.

Typically (note, Charter 'could' do anything they wanted) for ISP
'blocks' one does not see "no route to host" one either gets a 'black
hole' (connection timeout) or a TCP RST return which is usually shown
as "connection refused" to the side attempting to make the connection.
It would be unusual (but not impossible) for an ISP block to return a
'no route to host' response.

> That machine used to be at 66.214.236.100, but was changed sometime
> recently. Within that address the local machine was 66.214.236.32
> which I set up with port forwarding port 22 into.

Ok, so the IP address of the machine you are trying to connect to
changed recently. Is that correct?

If correct, did you update the port forwarding rule on the router you
pass through that does forwarding to that machine to accommodate the IP
address change?

I ask because if the port forwarding at the other end is still
attempting to forward port 22 to the old IP address, and nothing is on
the old IP address, then the exact error message you would get back is
indeed "no route to host".

I.e., if you used to have this:

machine at 10.1.0.11 w/ portforward of 22 to 10.1.0.11

and the machine is now at: 10.5.4.33, but the port forward still says
22->10.1.0.11 (old IP), then you'll get back a "no route" error when
you try to reach out to the machine.
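
The three outcomes distinguished in this thread ("no route to host", a timed-out 'black hole', and "connection refused") reach the client as different socket errors, so one connect attempt is enough to tell them apart. The following is an added example, not part of any post in the thread: `probe` and `classify` are names invented here, and the demo uses constructed loopback sockets only.

```python
"""Classify a single TCP connect attempt by the way it fails (added example)."""
import errno
import socket

# errno -> (label, what it usually indicates when testing a port forward)
DIAGNOSIS = {
    0: ("open", "handshake completed: the forward reaches a listener"),
    errno.ECONNREFUSED: (
        "refused", "a TCP RST came back: path works, but nothing is "
        "listening there or a rule rejects with a reset"),
    errno.EHOSTUNREACH: (
        "no-route", "an ICMP destination-unreachable (host unreachable or "
        "administratively prohibited) came back from a router or firewall, "
        "or the next hop did not answer ARP"),
    errno.ENETUNREACH: (
        "no-route", "this machine has no usable route to that network"),
    errno.ETIMEDOUT: (
        "timeout", "no reply of any kind: packets are silently dropped "
        "somewhere on the path (black hole)"),
}


def classify(err):
    """Map an errno value to (label, explanation)."""
    return DIAGNOSIS.get(err, ("other", errno.errorcode.get(err, str(err))))


def probe(host, port, timeout=5.0):
    """Make one TCP connect attempt and return (label, explanation)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        err = 0
    except socket.timeout:          # our own timeout expired
        err = errno.ETIMEDOUT
    except OSError as exc:          # error reported by the kernel
        err = exc.errno
    finally:
        s.close()
    return classify(err)


if __name__ == "__main__":
    # Constructed demo on loopback: one listening socket, one bound but idle.
    listening = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listening.bind(("127.0.0.1", 0))
    listening.listen(1)
    idle = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    idle.bind(("127.0.0.1", 0))     # bound, never listening -> RST
    for name, sock in (("listening", listening), ("idle", idle)):
        label, why = probe("127.0.0.1", sock.getsockname()[1], 2.0)
        print(f"{name:10s} {label:8s} {why}")
    listening.close()
    idle.close()
```

Run from a host outside the NAT, a "no-route" result points at the forwarding device or a firewall answering with ICMP, while "timeout" points at a silent drop.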

root

Nov 5, 2015, 7:35:57 PM
Rich <ri...@example.invalid> wrote:
> root <NoE...@home.org> wrote:
>> Chick Tower <c.t...@deadspam.com> wrote:
>> > On 2015-11-04, root <NoE...@home.org> wrote:
>> >> * Either of the following activities by a Subscriber using dedicated
>> >> machines... or virtual dedicated servers:
>> >> (i) running a tunnel or proxy to a server at another host or
>> >> (ii) hosting, storing, proxy, or use of a network testing utility or denial
>> >> of service (DoS/DDoS) tool in any capacity.
>> >>
>> >> It sounds as if this might be my problem.
>> >
>> > Are you trying to do things you didn't try before the power outage?
>> > If not, then how do you explain that they worked before?
>
>> I have made several calls to "Tech Support" at Charter
>> with no success. I am assured that Charter does not
>> block any traffic, but the symptoms seem to me to
>> arise not from a "block" but from a failure to
>> resolve a subnet address.
>
> Typically (note, Charter 'could' do anything they wanted) for ISP
> 'blocks' one does not see "no route to host" one either gets a 'black
> hole' (connection timeout) or a TCP RST return which is usually shown
> as "connection refused" to the side attempting to make the connection.
> It would be unusual (but not impossible) for an ISP block to return a
> 'no route to host' response.

When I try to connect to the machine I had been able to I
now get the "black hole". The connection times out.
>
>> That machine used to be at 66.214.236.100, but was changed sometime
>> recently. Within that address the local machine was 66.214.236.32
>> which I set up with port forwarding port 22 into.
>
> Ok, so the IP address of the machine you are trying to connect to
> changed recently. Is that correct?

The "world" address of that machine changed from 66..... now to
75....., but the final address, 32 in this case, has not changed.
In trying to ssh into the new address I use
ssh 75.....32 instead of ssh 66....32
>
> If correct, did you update the port forwarding rule on the router you
> pass through that does forwarding to that machine to accommodate the IP
> address change?

The port forwarding rules on the router only use the user side
addresses of the ports. As it turns out that machine uses the
default 192.168.1.xx. So, in the router I need only port
forward 22 (external) to 22 (internal) for 192.168.1.32
and no matter what the outside world address of the cable
modem is, the user side of the router stays the same.

>
> I ask because if the port forwarding at the other end is still
> attempting to forward port 22 to the old IP address, and nothing is on
> the old IP address, then the exact error message you would get back is
> indeed "no route to host".
>
> I.e., if you used to have this:
>
> machine at 10.1.0.11 w/ portforward of 22 to 10.1.0.11
>
> and the machine is now at: 10.5.4.33, but the port forward still says
> 22->10.1.0.11 (old IP), then you'll get back a "no route" error when
> you try to reach out to the machine.
>

You are mixing up what I can only refer to as the internal and
external IP addresses. Internal addresses are either
192...... or 10..... These are determined by the router
settings and cannot be changed by the ISP. The external
addresses are anything other than 192.xxx or 10.xxx.
The external addresses change whenever the ISP chooses.

I just spent another hour on the phone with Charter
"technical" support and still have not talked to
a single person that knew what ssh was, and they
all insist that Charter does not block any ports.

Chick Tower

Nov 6, 2015, 12:31:43 PM
On 2015-11-05, root <NoE...@home.org> wrote:
> Chick Tower <c.t...@deadspam.com> wrote:
>> Are you trying to do things you didn't try before the power outage? If
>> not, then how do you explain that they worked before?
>
> That is a very good question....

I know very little about networking, so it was the only thing I could
ask. :)