OpenWRT, WDS and strange SSH problem

Some time ago we switched from a cabled setup to a fully wireless one, and today we found that we are unable to SSH to any machine. Here is the whole story and how to fix the problem.

The setup

An Ethernet cable (coming from the provider's coaxial-to-Ethernet converter) with a white (static, public) IP.

The main router is connected to this cable. It runs OpenWRT and acts as a WDS-enabled access point.

Some secondary routers, also running OpenWRT, connected wirelessly to the main one. Those routers:

  • relay the internet further via WDS;
  • allow wired connections via their ports.

Some end-user devices, connected to the secondary routers by wire or wirelessly.

The problem

If the end-user device is connected directly to the main router (by cable or WiFi), everything is OK.

If the end-user device is connected to one of the secondary routers, it can't SSH to any host.

ssh -v shows that it hangs waiting for the remote host's reply, but telnet to TCP port 22 shows that the reply does come.

tcpdump shows that no replies are received while ssh is running.

The solution

The solution is to switch the default firewall rules on the secondary routers to ACCEPT for all chains (i.e. input, output and forward).

It may be a lame way to do it, but since we don't need firewalling inside the network, this solution is acceptable.
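As an added example (not part of the original post), here is the same fix expressed as OpenWRT UCI commands, together with a small check that reads a firewall config file and reports whether its defaults are all ACCEPT. The function names, the stock-default stanza it compares against and the file handling are my assumptions; only the three ACCEPT policies come from the post. uci and /etc/init.d/firewall are standard OpenWRT tools.

```shell
#!/bin/sh
# Added example, not from the original post: apply and verify the
# "all ACCEPT" firewall defaults on a secondary OpenWRT/WDS router.
# Function names are assumptions; uci and /etc/init.d/firewall are
# standard OpenWRT tools.

# The `config defaults` stanza that the fix leaves in /etc/config/firewall.
render_defaults_all_accept() {
    cat <<'EOF'
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
EOF
}

# Apply the change on the router itself through UCI and reload the firewall.
# Not run automatically; call it by hand on each secondary router.
apply_defaults_all_accept() {
    uci set firewall.@defaults[0].input='ACCEPT'
    uci set firewall.@defaults[0].output='ACCEPT'
    uci set firewall.@defaults[0].forward='ACCEPT'
    uci commit firewall
    /etc/init.d/firewall restart
}

# Read a firewall config file ($1, normally /etc/config/firewall) and print
# the three default policies. Returns 0 only when all three are ACCEPT, so
# it can confirm the change or spot a router still on the stock
# forward=REJECT default.
defaults_all_accept() {
    awk '
        # Track only the "config defaults" section; zones carry their own
        # input/output/forward options that must not be mixed in.
        /^config /        { sect_defaults = ($2 == "defaults") }
        sect_defaults && $1 == "option" {
            val = $3
            gsub(/[^A-Za-z]/, "", val)          # strip the surrounding quotes
            if ($2 == "input")   pol_in  = val
            if ($2 == "output")  pol_out = val
            if ($2 == "forward") pol_fwd = val
        }
        END {
            printf "input=%s output=%s forward=%s\n", pol_in, pol_out, pol_fwd
            exit !(pol_in == "ACCEPT" && pol_out == "ACCEPT" && pol_fwd == "ACCEPT")
        }
    ' "$1"
}
```

Run apply_defaults_all_accept on each secondary router, then defaults_all_accept /etc/config/firewall to confirm. With all three defaults at ACCEPT, the secondary routers' own services (SSH, LuCI) are reachable from every zone, so this relies on the main router still firewalling the WAN side; if a secondary router ever gets an uplink of its own, the defaults should go back to the stock values.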