Unable to SSH over Internet; local SSH successful

Hi,


I have been trying to set up an SSH server on my machine this past week. Following are the steps I followed:

  1. Configured a static IP address (Using DHCP with manual address) in the Advanced Network Setting in System Preferences
  2. Enabled Remote Login under Sharing for my user
  3. Used port forwarding in my router to forward port 22 requests to the static IP address configured in Step 1.

I am able to SSH successfully from the local network. However, all attempts to access from the Internet have failed. I have tried disabling the firewall and connecting to my external router IP. Pings are transmitted successfully to the external IP and also a TraceRoute using Network Utility tool ends up finding my router local IP.


Would be grateful if someone could point me in the right direction here.


Thanks!


/F

MacBook Pro with Retina display, OS X Yosemite (10.10.2)

Posted on Mar 5, 2015 10:24 PM

Mar 6, 2015 6:05 AM in response to fr599

Do you have LittleSnitch installed?


Do you have an Anti-virus/Anti-Malware product installed?


These products have been known to block SSH connections from a non-local IP address. Just this past month someone else in the forums found that LittleSnitch was causing the exact problem you are describing.


If you do not think you have such a utility, you can try booting into Safe Mode which should NOT load any 3rd party additions and test. If that works, then some 3rd party addition is interfering. If it still does not work, then it is one thing eliminated and we look for others.

Instructions on booting into Safe Mode: <http://support.apple.com/kb/ht1564>


You can look in the Applications -> Utilities -> Console -> system.log logs for ssh connection requests and see if the Mac is logging the local and remote connection requests. Use "ssh" in the Search window in the upper right corner, then select each of the different log files in the left column to see if there are any interesting entries with ssh in them. Hopefully, if you have a utility blocking ssh connections from a non-local IP address, it logs it and you find the problem that way.


Stupid question. When you set up your static IP address, it was in the same subnet as the router? Such as 192.168.1.nnn (assuming your router is 192.168.1.1).


The most common home router IP subnet address ranges are 192.168.0.*, 192.168.1.*, 192.168.2.*, 10.0.0.*, 10.0.1.* although any 192.168.*.*, 10.*.*.*, or 172.16.*.* through 172.31.*.* are valid home LAN IP address ranges.

Mar 6, 2015 7:10 AM in response to fr599

In addition to Bob's excellent suggestions, I'd point out that whatever cable/DSL modem you have your router plugged into may be involved (assuming the modem and router are not the same device). It depends on whether that device is managing the network or acting as a "pass-through" device, and just passing on all traffic to the router to handle. If the modem is managing the network, you'll need to pass port 22 through that.


Also, this may be a stupid question, but just to head off a potential problem... when outside the local network, you are trying to ssh into the IP address of your network as the outside world sees it, and not to the internal IP address, right?

Mar 8, 2015 2:38 PM in response to fr599

Thank you gentlemen for your quick responses.


As @BobHarris suggested, I booted into Safe Mode and tested the SSH connection but I had no luck. The console logs do show activity when connecting from the local network but it is absolutely silent when I attempt to connect from an outside network. This leads me to believe that the requests are not coming through at all.


The static IP is a subnet of the router IP, though it is not one of the valid LAN ones that BobHarris suggested. I hope this isn't a problem as I had changed it for security reasons. But, yes, the static IP is a subnet address of the router IP. To address Thomas' question, yes, I am trying to access it using the IP address of the network, the ISP-provided IP address as seen by outside networks. The internal IP works like a charm and I am able to SSH into my laptop from another system connected to the same network.


Thomas, I am beginning to wonder if the modem is the culprit here as you suggested because of my earlier observations in the Console logs. I do not see any activity when trying to SSH from another network over the Internet and therefore believe the router or modem is not letting that connection through. Could you suggest any way I could check whether the modem is managing the network? It's one of those modems given to me by my ISP (Comcast 😠).


On running a port scan using the Network Utility app, I found that port 22 was detected only when I gave the static IP of my machine and NOT with the router (network) IP. Is it supposed to be so? I was under the assumption that since I have configured port forwarding on my router, port 22 should be detected on scanning with the router's IP.


Any advice would be much helpful. Thanks again gents! Cheers!


/F

Mar 8, 2015 4:15 PM in response to fr599

fr599 wrote:


Could you suggest any way I could check whether the modem is managing the network? It's one of those modems given to me by my ISP (Comcast 😠).


Most likely, that modem is managing the network, but I'm not an expert in this area. I once knew how to do this with a specific configuration, which involved a modem that was just a dumb pass-through device. It was more dumb luck on my part than anything, and at the time, if the modem had been an issue, I would likely have been stymied completely.


It sounds like you don't have an Apple router, so I can't give you specific instructions other than to say to check and see if your router is in bridged mode. If it is, the modem is managing the network and the router is just following instructions, in a manner of speaking. But how to check that, I don't know... it will vary depending on your router.

Mar 8, 2015 4:23 PM in response to fr599

On running a port scan using the Network Utility app, I found that port 22 was detected only when I gave the static IP of my machine and NOT with the router (network) IP. Is it supposed to be so? I was under the assumption that since I have configured port forwarding on my router, port 22 should be detected on scanning with the router's IP.


This is my Network Utility port scan of my public IP address:

Port Scan has started…

Port Scanning host: nn.nn.nn.nn

Open TCP Port: 22

Port Scan has completed…

So yes, you should see something if your Port 22 is open.


Is your Comcast device a modem, or a modem/router/WiFi device?

If it is a simple modem, then it should not care (until this afternoon, I had a basic Comcast modem (with VoIP phone support) that fed into my Airport Extreme WiFi router), and that basic modem did not interfere with port forwarding. Since my Airport Extreme is my router, that is where my Port Forwarding is set up.


If you have a modem/router/WiFi device from Comcast, then that is the place Port Forwarding needs to be set up _AND_ you cannot have any other active router in your home. That means if you have a 2nd WiFi router in your home, you need to make sure that device is in bridge mode.


I said that until this afternoon, I had a simple Comcast router. This afternoon, I swapped out the basic modem for the Comcast modem/router/WiFi/VoIP device. HOWEVER, as soon as it was activated, I called Comcast and asked them to put the device into "Bridge" mode. It took a few tries, as initially the WiFi radio did not shut off. But eventually they got it configured in Bridge mode and the WiFi radio turned off. So it is again a simple modem with VoIP support. _AND_ it still allows my Airport Extreme to port forward my ssh port (I did verify that I could ssh via my public IP address back into my in house system).


I think you need to focus on your router. You may want to see if <http://portforward.com/> has guidance for your specific router.

Mar 9, 2015 9:08 PM in response to fr599

Gentlemen, thank you for taking the time to help me with this. I've finally fixed it!


The culprit was the Comcast "modem" which was overstepping its boundary and acting as a router. I did not know that the "modem" was broadcasting a private WiFi network! After disabling the private network, setting the modem to bridged mode, a few power cycles on my N900 and the modem, the problem was resolved. The port is now visible from a port scan of my public IP.


Thanks again!
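
The double-NAT condition that resolved this thread can be checked directly. The following is an added example, not part of any post above: it compares the WAN address shown on the router's status page with the public address seen from outside and combines that with the two port-22 probes the posters ran by hand. The function names, result labels and sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import socket

# RFC 1918 private ranges plus RFC 6598 carrier-grade NAT space.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def behind_another_nat(router_wan_ip):
    """True if the router's own WAN address is not publicly routable."""
    addr = ipaddress.ip_address(router_wan_ip)
    return any(addr in net for net in NON_PUBLIC)

def tcp_open(host, port=22, timeout=3.0):
    """True if a TCP handshake with host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(router_wan_ip, public_ip, lan_open, public_open):
    """Map the thread's observations to the layer that is dropping SSH.

    lan_open:    result of tcp_open() against the Mac's LAN address.
    public_open: result of tcp_open() against the public address, run from
                 a host outside the LAN (many routers do not loop back).
    """
    if not lan_open:
        return "sshd_unreachable"      # Remote Login or host firewall
    if public_open:
        return "forwarding_works"
    if behind_another_nat(router_wan_ip) or router_wan_ip != public_ip:
        return "double_nat"            # bridge the modem or forward on it
    return "check_router_rule"         # router holds the public address

if __name__ == "__main__":
    # Constructed values (documentation address ranges), not from the thread.
    print(diagnose("10.0.0.2", "203.0.113.7", lan_open=True, public_open=False))
    print(diagnose("203.0.113.7", "203.0.113.7", lan_open=True, public_open=False))
```

A `double_nat` result matches the situation described in the final post: the ISP device is routing, so the forward configured on the inner router never sees inbound traffic.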
