Step 1 Unlocking SSH
Follow the article below. Note that only the older developer ("dev") firmware builds accept the SSH unlock tool; the latest developer firmware does not. Xiaomi does not document this anywhere, which is a real trap: a lot of time was wasted trying to follow the official instructions without ever succeeding. https://gist.github.com/rambolee/468ee988d2cf80224a6ac4675c141b4f
Step 2 Setting up WAN port forwarding
a) The Mi Router 3 firmware is derived from OpenWrt, so after logging in over SSH as root, WAN port forwarding was configured the OpenWrt way:
https://wiki.openwrt.org/doc/howto/port.forwarding
Test from outside the home network: failed
b) Configure port forwarding in the Mi Router 3 web UI
Test from outside the home network: failed
Repeated analysis did not reveal the cause; SSH login via the public IP still did not work. The initial suspicion was that Xiaomi's own firmware is locked down conservatively, so the next step was to try a third-party open-source firmware.
Step 3 Flashing the third-party open-source firmware Padavan
Following the Reddit guides below, flash Padavan, the open-source firmware developed by the Russian developer Andy Padavan.
Xiaomi Mi WiFi Router 3 alternative Firmware
https://www.reddit.com/r/openwrt/comments/4iunp9/xiaomi_mi_wifi_router_3_alternative_firmware/
[Guide] How to install Padavan custom firmware on the Xiaomi Mi Router 3: https://www.reddit.com/r/Xiaomi/comments/5d0wmx/guide_how_to_install_padavan_custom_firmware_on/
Step 4 Setting up port forwarding
WAN -> Port Forwarding
Test from outside the home network: failed
ssh: connect to host xxx.xxx.xxx.xxx port 22: Connection refused
Step 5 Investigating the cause
Troubleshooting followed this thread:
https://ubuntuforums.org/archive/index.php/t-906252.html
Findings (verbose client output, which ends at the connect call):
yangyong@vultr:~$ ssh -vvv yongyang@PUBLIC_IP -p 443
OpenSSH_7.5p1 Ubuntu-10ubuntu0.1, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving PUBLIC_IP port 443
debug2: ssh_connect_direct: needpriv 0
Then I found the issue below and began to suspect that the ISP does not hand out a public IP at all, but shares one public IP among many subscribers, with many ports blocked on top of that.
https://bitbucket.org/padavan/rt-n56u/issues/31/port-forwarding-not-working
Andy Padavan writes in that issue:
"
I see:
Pure PPPoE (w/o MAN). eth3 is not obtained IPv4 address. Goto "WAN - Internet Connection", set "PPPoE & MAN access:" No
Port forwarding via 443 is done, NAT completed, FORWARD completed. FORWARD drop 0 packets (except INVALID state).
"
The network state on my Mi Router 3 at the time was as follows:
/home # iptables -L -nv -t nat
Chain PREROUTING (policy ACCEPT 421 packets, 51876 bytes)
pkts bytes target prot opt in out source destination
0 0 vserver all -- * * 0.0.0.0/0 192.168.1.3
Chain INPUT (policy ACCEPT 197 packets, 12158 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 43 packets, 3339 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 42 packets, 2743 bytes)
pkts bytes target prot opt in out source destination
126 7560 SNAT all -- * eth2.2 192.168.31.0/24 0.0.0.0/0 to:192.168.1.3
1 596 SNAT all -- * br0 192.168.31.0/24 192.168.31.0/24 to:192.168.31.1
Chain upnp (0 references)
pkts bytes target prot opt in out source destination
Chain upnp-post (0 references)
pkts bytes target prot opt in out source destination
Chain vserver (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:192.168.31.33:22
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.31.33
/home # iptables -L -nv
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
974 167K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
238 14642 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723
0 0 ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 vpnlist all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:33434:33534
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 TCPMSS tcp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
3902 1352K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
213 12780 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 vpnlist all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
Chain OUTPUT (policy ACCEPT 1194 packets, 376K bytes)
pkts bytes target prot opt in out source destination
Chain bfplimit (0 references)
pkts bytes target prot opt in out source destination
Chain upnp (0 references)
pkts bytes target prot opt in out source destination
Chain vpnlist (2 references)
pkts bytes target prot opt in out source destination
Two things stand out in this dump: the DNAT rules in the vserver chain for ports 443 and 80 have counters of 0, so no packet from outside has ever matched them, and the address that LAN traffic is SNATed to on the WAN interface eth2.2 is 192.168.1.3, an RFC 1918 private address rather than a public one. The forwarding rules themselves are fine; inbound traffic simply never reaches this router. Then, following the post, I went to "WAN - Internet Connection" and set "PPPoE & MAN access:" to No.
Result: no Internet access at all.
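The script below is an added example, not code from the original post, from Xiaomi, OpenWrt or Padavan. It automates the two checks that a saved iptables NAT dump such as the one above allows: whether the DNAT (vserver) rules exist and have ever matched a packet, and whether the address the router SNATs LAN traffic to on its WAN side is public, private (RFC 1918) or carrier-grade NAT (RFC 6598). The sample dump embedded in it is constructed from the counters shown above; the function names are this example's own.

```shell
#!/bin/sh
# Added example: not code from the original post, Xiaomi, OpenWrt or Padavan.
# Splits "port forwarding does not work" into two questions that a saved
# `iptables -L -nv -t nat` dump from the router can answer offline:
#   1. do the DNAT (vserver) rules exist, and have they ever matched a packet?
#   2. is the address the router SNATs LAN traffic to on its WAN interface
#      a public one, or a private/CGNAT one handed out by an upstream NAT?
# The sample dump below is constructed from the counters shown in the post;
# the function names are this example's own.

# Classify an IPv4 address: private (RFC 1918), cgnat (RFC 6598, 100.64/10),
# public, or invalid. Always exits 0 so it is safe inside $(...).
ip_class() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    if [ $# -ne 4 ]; then echo invalid; return 0; fi
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) echo invalid; return 0 ;; esac
        if [ "$octet" -gt 255 ]; then echo invalid; return 0; fi
    done
    if [ "$1" -eq 10 ]; then echo private
    elif [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then echo private
    elif [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then echo private
    elif [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then echo cgnat
    else echo public
    fi
}

# Summarise DNAT (port-forward) rules from an `iptables -L -nv -t nat` dump on
# stdin, one line per rule: "<dport> <pkts> <target>". Columns are
# pkts bytes target prot opt in out source destination [extras].
dnat_summary() {
    awk '$3 == "DNAT" {
        dport = ""; to = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^dpt:/) dport = substr($i, 5)
            if ($i ~ /^to:/)  to = substr($i, 4)
        }
        print dport, $1, to
    }'
}

# The address LAN traffic is SNATed to on the non-LAN out interface (anything
# but the br0 bridge) with destination 0.0.0.0/0 is the router's WAN address.
wan_ip_from_nat() {
    awk '$3 == "SNAT" && $7 != "br0" && $9 == "0.0.0.0/0" {
        for (i = 1; i <= NF; i++) if ($i ~ /^to:/) { print substr($i, 4); exit }
    }'
}

# Read a dump on stdin, print one verdict line, and exit 0 only when the WAN
# address is public, i.e. when a port forward on this router can work at all.
diagnose_nat_dump() {
    dump=$(cat)
    wan=$(printf '%s\n' "$dump" | wan_ip_from_nat)
    cls=$(ip_class "${wan:-none}")
    rules=$(printf '%s\n' "$dump" | dnat_summary | awk 'END { print NR }')
    hits=$(printf '%s\n' "$dump" | dnat_summary | awk '{ s += $2 } END { print s + 0 }')
    echo "wan=${wan:-none} class=$cls dnat_rules=$rules dnat_hits=$hits"
    [ "$cls" = public ]
}

# Constructed sample: the NAT table from the post as `iptables -L -nv -t nat`
# printed it (same chains, interfaces, addresses and zero counters).
sample_nat_table() {
    cat <<'EOF'
Chain PREROUTING (policy ACCEPT 421 packets, 51876 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 vserver    all  --  *      *       0.0.0.0/0            192.168.1.3
Chain POSTROUTING (policy ACCEPT 42 packets, 2743 bytes)
 pkts bytes target     prot opt in     out     source               destination
  126  7560 SNAT       all  --  *      eth2.2  192.168.31.0/24      0.0.0.0/0            to:192.168.1.3
    1   596 SNAT       all  --  *      br0     192.168.31.0/24      192.168.31.0/24      to:192.168.31.1
Chain vserver (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:192.168.31.33:22
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.31.33
EOF
}

# Demo on the constructed sample: both forwards exist but have never matched a
# packet, and the WAN address is RFC 1918, so the problem sits upstream of
# this router, not in its rules.
sample_nat_table | dnat_summary
sample_nat_table | diagnose_nat_dump \
    || echo "not reachable from the Internet: upstream NAT (ISP CGNAT or a modem in router mode)"
```

On the dump above the verdict line is "wan=192.168.1.3 class=private dnat_rules=2 dnat_hits=0". On a real router, replace sample_nat_table with iptables -L -nv -t nat run over SSH. A "public" verdict only means the forward can work in principle; the ISP may still filter inbound ports, which is the restriction the next step asks China Telecom about.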
Step 6 Confirming the public IP question with the ISP, China Telecom
China Telecom's answer: reaching the home network from outside requires a static public IP, static public IPs are only allocated on business broadband plans, ordinary residential broadband gets no public IP at all, and many inbound ports are blocked on top of that.
Zhihu discussions on public IP allocation for home broadband:
https://www.zhihu.com/question/27443119
https://www.zhihu.com/question/24043585
I asked China Telecom staff whether customers on ordinary residential plans can at least be given a dynamic (DHCP) public IP; awaiting their reply, to be updated.
Update
China Telecom customer service confirmed that individual and household customers are not given public IP addresses.