External SSH tunnel fails with cellular modem

Failure to run an SSH tunnel through a cellular broadband modem


For years I have kept connected to my home computer, while travelling, using protocols I have documented at https://ctlow.ca/SSH-VPN_MacOSX.html. Ups and downs, but I have essentially kept it running.


Until now. For various reasons, I have switched from a cable-modem to a cellular-modem, and as far as I can tell, the ISP has it locked down pretty tight. It is not only closed but invisible to the ShieldsUp! service at grc.com.


(But the cellular modem doesn't allow port-reassignment.)


After reconfiguring SSH private/public keys from scratch, I got it to run from within my home network, but it simply times out if I try it from somewhere outside it.


On the server ("host", "remote"), I have turned on Remote Login, including "Allow full disk access for all users", just to get this far.


Should I look at my firewall? I had it working before this new modem.


I have a dynamic DNS service which has always worked seamlessly.


I'm using a very basic Terminal command, from the client, like:

ssh server.account@ddns_account.dynamic_name_server.com


And as I said, that will run from within the home network only.


Am I missing anything obvious?


Thanks to all.

Posted on Jan 6, 2026 6:57 PM

Question marked as Top-ranking reply

Posted on Jan 7, 2026 2:37 PM

ctlow wrote:

Thanks, MrHoffman,

Your assumptions are correct. I looked at the MacOS firewall, …


The built-in macOS firewall can be left at its default.

My ISP is a major cellphone-network company with a poor history of customer service, which doesn't seem to have affected its profitability, so I can try that, but I don't think I will get very far.

Major companies can serve different customers including themselves, and sometimes less so their subscribers.

They recently provided me with this brand-spanking-new cellular broadband modem, not by Ubiquiti, for a price I couldn't turn down, SSH functionality or not, so my only options I think are to return it and go back to my (expensive) cable-modem service, or live with it.


I usually use the ISP device in its bridged mode or replace it entirely where permissible and feasible, and then install gear appropriate to the tasks. ISP gear focuses on basic functions and low cost of support. Pretty much everything else is a distant third, at best.


Interestingly, to me, the modem configuration website does list "port forwarding", but it is poorly described in the documentation, and they list in their help files that it is not possible with this model. The port-forwarding page looks like this:

Here is a generic description of https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers.


WAN port is the port facing the internet, and LAN port is the port in the internal net the traffic will get forwarded to, and the internal client is which internal host is involved. Between those two sides of the box is usually NAT, network address translation. Because of some design fallout, NAT usually blocks all incoming IPv4 traffic. What happens with IPv6 varies. It may pass through, or it may be blocked.


Here is what the Ubiquiti port-forwarding equivalent looks like:


This is very similar to what you are looking at, though the grouping allows the rule to operate with groups of whatever local ports or whatever local hosts together, rather than dealing with one port or one host at a time.

I don't know what most of that means. I know what a WAN and a LAN are, but not what to do with them here. Probably irrelevant to my question.

You will need a port-forwarding WAN-side rule for TCP port 22 (or another port, if you want to use a non-default port) to the internal LAN-side TCP port 22 on whichever computer is offering the ssh server on the internal network.


Here are the ports used by Apple software: TCP and UDP ports used by Apple software products - Apple Support


Here are the reserved ports, and you will usually want to recognise or (depending on what you are doing) avoid using these, if you are (for instance) picking your own WAN-side port to forward to some LAN-side host and TCP 22 LAN-side: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers.


TCP port 8022 is not assigned, so you can conceivably “borrow” that for your external port, and set your ssh command to use (for instance) ssh -p 8022 which will then get port-forwarded to TCP 22 on whichever internal computer, once the port-forwarding rule is established. Or you can forward TCP 22 to TCP 22, but every gremlin on the internet will poke at that port. And poke lots. I usually use a VPN server and not ssh here, not the least of which is because that can forward some or all of the client app traffic using built-in tools. And I usually have firewalls with embedded VPN server capabilities.


I have more to learn about traceroute, but this command (names changed):

traceroute server.account@ddns_account.dynamic_dns_server.com

It’s usually traceroute to just the host name, without an account.


When you are making up a domain name, the domains example.org, example.com, and example.net are available, and are reserved for this and related uses.

ran for many minutes.

The first line reads (names changed):

www.company-wifi.com (192.168.x.y)  3.359 ms  2.765 ms  2.746 ms

It got up to 64 lines of:

* * *


It’s not getting anywhere, though I’d usually use traceroute yourfirewall.example.com as the parameter, using whatever host name is temporarily yours thanks to DDNS.

and then went back to the command-line.

I don't know of any firewall-embedded VPN server. I didn't see anything like that when I looked at the MacOS one in System Settings.

To determine what features this ISP-provided box supports, you’d have to check the documentation for your ISP-provided firewall / gateway / router / NAT box.


A VPN server in the firewall is usually the best spot, as it deals with NAT, one of the scourges of IPv4.


Once the VPN is connected, your client would effectively be another host on the same target internal network.


If the firewall lacks VPN server capabilities, it’s possible to run a VPN server on an internal host and set up port forwarding to access that, but that’s more effort and can meet some issues. Particularly around NAT, a scourge of IPv4.
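The reply above warns that an ssh server forwarded to a WAN-side port, TCP 22 in particular, gets poked at constantly. The following is an added example, not code from the thread or from any of the posters, showing the defender's side of that: a small parser that reads the server's sshd authentication messages, counts failed attempts per source address, flags sources that cross a threshold, and lists which logins actually succeeded and by which method. The log lines are constructed (RFC 5737 documentation addresses, invented timestamps and PIDs) in the classic OpenSSH syslog wording; on macOS those same messages come out of the unified log (`log show`) with a different line prefix, so the regexes anchor on the message text only. The `threshold` value and the `homemac` host name are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample log lines in the classic OpenSSH syslog format
# (not taken from the thread; addresses are RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Jan  7 03:12:01 homemac sshd[4012]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Jan  7 03:12:03 homemac sshd[4012]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Jan  7 03:12:05 homemac sshd[4015]: Failed password for root from 203.0.113.45 port 51031 ssh2
Jan  7 03:12:09 homemac sshd[4019]: Invalid user test from 198.51.100.7 port 40211
Jan  7 03:12:10 homemac sshd[4019]: Failed password for invalid user test from 198.51.100.7 port 40211 ssh2
Jan  7 03:14:22 homemac sshd[4030]: Accepted publickey for ctlow from 192.0.2.10 port 60044 ssh2
Jan  7 03:15:00 homemac sshd[4033]: Failed password for invalid user pi from 203.0.113.45 port 51090 ssh2
"""

# Anchor on the OpenSSH message text so the line prefix (syslog or macOS
# unified log) does not matter.  "invalid user" is an optional marker that
# sshd adds when the account does not exist at all.
FAILED_RE = re.compile(
    r"Failed (?P<method>password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def failed_logins_by_source(log_text):
    """Count failed authentication attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def attempted_usernames(log_text):
    """Count which usernames the failed attempts were aimed at."""
    names = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            names[m.group("user")] += 1
    return names


def flag_brute_force(log_text, threshold=3):
    """Return {ip: failures} for every source at or above the threshold."""
    return {ip: n for ip, n in failed_logins_by_source(log_text).items() if n >= threshold}


def accepted_logins(log_text):
    """List successful logins as (user, method, ip).

    With key-only auth configured, anything other than 'publickey' here
    means the server is not set up the way the operator believes.
    """
    out = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            out.append((m.group("user"), m.group("method"), m.group("ip")))
    return out


def report(log_text, threshold=3):
    """Build a short plain-text summary of suspects and successful logins."""
    lines = []
    suspects = sorted(flag_brute_force(log_text, threshold).items(), key=lambda kv: -kv[1])
    for ip, n in suspects:
        lines.append(f"brute-force suspect {ip}: {n} failed attempts")
    for user, method, ip in accepted_logins(log_text):
        tag = "OK" if method == "publickey" else "CHECK"
        lines.append(f"{tag}: {user} logged in via {method} from {ip}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against a real capture by replacing `SAMPLE_LOG` with the server's log text; the two counters are the ones worth watching over time, since a steady stream of guesses against `admin`, `root` and `pi` from a handful of addresses is exactly the background noise the reply describes, and a single `CHECK` line is the one that deserves attention.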

17 replies

Jan 10, 2026 9:59 AM in response to BobHarris

Thanks, Bob, and this is probably me, but, having installed Tailscale on two computers, "allowed" several things on both machines in System Settings ... I'm hanging at Tailscale's Define a Service page (which is what it says to do next). There's a little field labelled Ports, which asks "Which ports does this service listen on?", and "Learn More" takes me to a page about endpoints, which I do not understand. Lots of industry terms, and, sentence-by-sentence, I'm understanding approximately none of it.


For example, "This feature is disabled by default, meaning that endpoint data is never collected or shared between your devices unless you choose to enable endpoint collection."


That means ... I don't need it? What is endpoint data? What is the significance of someone (who?) collecting or sharing data between devices. Isn't that why I'm doing this?


Anyway, all of the default ports in that field are grayed-out, with the cheery message that "Only hosts advertising all listed ports will be eligible candidates."


Then there's another field labelled "Service tags", to do with ACL tags (something to do with advanced file permissions), "No tags assigned", and a link to "Manage tags in Access Controls", which again is in a language foreign to me.


I suppose it's because of Ports being grayed-out that the "Define Service" button at the bottom is also non-functional.


Anyway, you've both been marvellous and patient with me, but it seems that I know far less than you might think.


For illustration, I've looked at the Wikipedia page for Tailscale, and understand approximately none of that either.

Could it be as simple as: once the tailscale service is running in the background (but the app itself won't stay open, and won't open when I double-click it), then do I just fall back to using SSH through Terminal? If so, I'm sure that the commands are around there somewhere.

__


I was hoping that I could set my new (cellular broadband) modem/router to "bridge" mode (but then: "ethernet" or "cellular"?), which might enable me to use my old Wi-Fi router, because I know how to configure that for Terminal SSH access.


So, unless there's something very basic I'm missing about Tailscale, could that not work?


Thanks so very much again. I would say "sorry for being such a ...", but it grows repetitive.
