To avoid confusion I'll call:
- x.x.x.20 -> local1
- x.x.x.30 -> local2
- Apple device outside your home network -> remote1
You say:
I've setup NAT on the AP to forward external ports 22 to the x.x.x.20
and 10022 to x.x.x.30.
which I interpret like this:
                 ________                 +-----------------+         +-----------+
                /        \  - port 22 ----|-----------------|-------> | local1:22 |
 +---------+   (          )               |                 |         +-----------+
 | remote1 | - ( Internet )               | Airport Express |
 +---------+   (          )               |                 |         +--------------+
                \________/  - port 10022 -|-----------------|-------> | local2:10022 |
                                          +-----------------+         +--------------+
That is, local2 is reachable on [public IP address of Airport Extreme]:10022.
However, the ssh commands you run in your question use the default SSH port (that is, 22/tcp), and connect to local1:22 (more exactly: they connect to [public IP address of Airport Extreme]:22, which forwards the connection to local1:22).
You must modify the ssh command you run on remote1 like this (notice option -p 10022):
remote1$ ssh -p 10022 -f -N -R 2222:localhost:22 [username at local2]@[public IP address of Airport Extreme]
-p 10022 tells ssh which port to connect to, while 2222:localhost:22 tells ssh to allocate a socket on local2 to listen to port 2222 and forward any packet sent to that port to port 22 on remote1:
+------------+                          +----------------------+
|            |                          |                      |
| remote1:xx | -- SSH (port 10022) -->  | local2:10022 (SSH)   |
|            |                          |                      |
| remote1:22 | <--- SSH tunnel -------  | local2:2222 (alloc'd |
|            |                          |         by ssh)      |
+------------+                          +----------------------+
Now you can access remote1 from local2 as follows:
local2$ ssh -p 2222 remoteuser@localhost
(You use -f in your command, which sends ssh to the background. The sshd process that binds to port 2222 and runs on local2 will continue to execute even if you stop Remote Login in System Preferences.
To stop it, list it:
local2$ lsof -i | grep 2222
sshd 855 jaume 14u IPv6 0x4857f 0t0 TCP localhost:2222 (LISTEN)
and kill it with kill <PID>:
local2$ kill 855
where PID is the second value in lsof's output line.)
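The commands in the answer above, as an added example that is not part of the original answer: it composes the corrected reverse-tunnel command for remote1 and, from the kind of lsof output the answer shows, finds the sshd listener that -R leaves on local2 and checks that it is bound to loopback only (with sshd's default GatewayPorts=no it is; a listener on *:2222 would expose remote1's sshd to every host on local2's LAN). The user jaume, the hosts and the ports 10022/2222/22 come from the answer; the public address 203.0.113.5, the lsof sample and the function names are assumptions made here so the example runs offline.

```python
"""Added example; not code from the answer above.  It composes the corrected
reverse-tunnel command that remote1 must run and, from the lsof output the
answer shows, finds the sshd listener that -R leaves behind on local2.  The
user 'jaume', the hosts and the ports 10022/2222/22 come from the answer; the
public address 203.0.113.5, the lsof sample and the function names are
assumptions made here so the example runs offline."""
import shlex

# Constructed sample of `lsof -i -n -P` on local2 (not a real capture).
SAMPLE_LSOF = """\
COMMAND  PID  USER  FD  TYPE  DEVICE  SIZE/OFF NODE NAME
sshd     855 jaume 14u  IPv6 0x4857f      0t0  TCP 127.0.0.1:2222 (LISTEN)
sshd     855 jaume 15u  IPv4 0x4858a      0t0  TCP 127.0.0.1:2222 (LISTEN)
ssh      901 jaume  3u  IPv4 0x4860b      0t0  TCP 192.168.1.30:49152->203.0.113.5:10022 (ESTABLISHED)
"""


def reverse_tunnel_argv(user, gateway, gateway_port=10022,
                        listen_port=2222, target_port=22):
    """argv of the command remote1 runs.  -p selects the router port that is
    forwarded to local2; -R asks sshd on local2 to listen on listen_port and
    relay each connection to target_port on remote1 ('localhost' is resolved
    on remote1's side).  ExitOnForwardFailure stops ssh from backgrounding
    (-f) a session whose listener could not be bound, and the keepalive lets
    a dead tunnel be noticed and restarted."""
    for p in (gateway_port, listen_port, target_port):
        if not 0 < p < 65536:
            raise ValueError(f"port out of range: {p}")
    return ["ssh", "-p", str(gateway_port), "-f", "-N",
            "-o", "ExitOnForwardFailure=yes",
            "-o", "ServerAliveInterval=30",
            "-R", f"{listen_port}:localhost:{target_port}",
            f"{user}@{gateway}"]


def _listeners(lsof_output, port):
    """(pid, bind address) of every LISTEN socket on `port` in `lsof -i`
    output: PID is column 2, the NAME column ends with ':port'."""
    found = []
    for line in lsof_output.splitlines()[1:]:          # skip the header
        cols = line.split()
        if len(cols) >= 10 and cols[-1] == "(LISTEN)" and cols[-2].endswith(f":{port}"):
            found.append((int(cols[1]), cols[-2].rsplit(":", 1)[0]))
    return found


def listener_pids(lsof_output, port):
    """PIDs to hand to kill(1) to tear the tunnel's listener down."""
    return sorted({pid for pid, _ in _listeners(lsof_output, port)})


def loopback_only(lsof_output, port):
    """True when every listener on `port` is bound to loopback.  With sshd's
    default GatewayPorts=no the -R listener is loopback-only; a listener on
    *:2222 would expose remote1's sshd to every host on local2's LAN."""
    binds = [addr for _, addr in _listeners(lsof_output, port)]
    return bool(binds) and all(a in ("127.0.0.1", "localhost", "[::1]") for a in binds)


if __name__ == "__main__":
    print(shlex.join(reverse_tunnel_argv("jaume", "203.0.113.5")))
    print("sshd listener(s) on 2222:", listener_pids(SAMPLE_LSOF, 2222),
          "loopback only:", loopback_only(SAMPLE_LSOF, 2222))
```

On local2, feed real `lsof -i -n -P` output to listener_pids instead of the constructed sample; the answer's own `lsof -i | grep 2222` output (host shown as localhost rather than 127.0.0.1) parses the same way.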
Best Answer
The article currently titled "AirPort Utility 6.x: Set NAT options for your base station or AirPort Time Capsule" and currently available at http://support.apple.com/kb/PH5103 has:
To set NAT options, your base station or AirPort Time Capsule must be set up to share its Internet connection using DHCP and NAT.
Open AirPort Utility, located in the Utilities folder in the Applications folder. Select the base station you want to set up, then click Edit. Enter the password if necessary.
Click Network and then choose DHCP and NAT from the Router Mode pop-up menu.
Select Enable NAT Port Mapping Protocol.
NAT Port Mapping Protocol (NAT-PMP) is an Internet Engineering Task Force Internet Draft, an alternative to the more common
Universal Plug and Play (UPnP) protocol implemented in many NAT routers. NAT-PMP allows a computer in a private network (behind a NAT router) to automatically configure the router to allow clients outside the private network to contact this computer.
Included in the protocol is a method for retrieving the public IP address of a NAT gateway, which allows a client to make this public IP address and port number known to peers that may wish to communicate with it. This protocol is implemented in current Apple products, including Mac OS X 10.4 or later, AirPort Extreme and AirPort Express networking products, AirPort Time Capsule, and Bonjour for Windows.
Select “Enable default host,” and enter the IP address of the host.
A default host is a computer on your network that is exposed to the Internet and receives all inbound traffic. A default host may be useful if you use a computer on your AirPort network to play network games, or want to route all Internet traffic through a single computer.
You can also set up port mapping to direct network traffic to a specific computer on your network.
The article currently titled "AirPort Utility software and firmware downloads" and currently available at http://support.apple.com/kb/ht1998 tells you where to get AirPort Utility.
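The NAT-PMP exchange the quoted note describes, as an added example that is not part of the Apple article or of any answer on this page: it encodes the external-address request and a port-mapping request exactly as RFC 6886 lays them out, decodes the base station's replies, and includes a small in-process stand-in for the base station so both sides of the exchange run offline. The thing to notice is what the protocol lacks: there is no authentication, so once "Enable NAT Port Mapping Protocol" is on, any host on the LAN (including malware on it) can open an inbound port to itself. The external address 203.0.113.5, the uptime value and all function and class names are assumptions made here.

```python
"""Added example; not code from the Apple article quoted above.  It implements
the two NAT-PMP messages the article's note describes (RFC 6886): the
external-address request and a port-mapping request, with a small in-process
stand-in for the base station so both sides of the exchange run offline.
The external address 203.0.113.5, the uptime value and all function and
class names are assumptions made here."""
import socket
import struct

NATPMP_PORT = 5351                       # UDP; the gateway is the default route
OP_EXTERNAL_ADDRESS, OP_MAP_UDP, OP_MAP_TCP = 0, 1, 2
RESULT = {0: "success", 1: "unsupported version", 2: "not authorized/refused",
          3: "network failure", 4: "out of resources", 5: "unsupported opcode"}


def external_address_request():
    """2 bytes: version 0, opcode 0."""
    return struct.pack("!BB", 0, OP_EXTERNAL_ADDRESS)


def map_request(opcode, internal_port, external_port=0, lifetime=7200):
    """12 bytes: version, opcode (1 UDP / 2 TCP), reserved, internal port,
    suggested external port (0 = any), requested lifetime in seconds.
    A lifetime of 0 deletes the mapping."""
    return struct.pack("!BBHHHI", 0, opcode, 0, internal_port, external_port, lifetime)


def parse_response(data, expected_opcode):
    """Decode a reply.  Every reply carries an 8-byte header (version,
    opcode+128, result code, seconds since the gateway's mapping table was
    last reset); the external-address reply appends 4 bytes of IPv4 address,
    a mapping reply appends internal port, granted external port, lifetime.
    A jump backwards in the seconds counter tells a client the gateway
    rebooted and its mappings are gone."""
    if len(data) < 8:
        raise ValueError("short NAT-PMP reply")
    ver, op, result, epoch = struct.unpack("!BBHI", data[:8])
    if ver != 0 or op != 128 + expected_opcode:
        raise ValueError(f"reply does not match request opcode {expected_opcode}")
    out = {"result": RESULT.get(result, result), "epoch": epoch}
    if result != 0:
        return out
    if expected_opcode == OP_EXTERNAL_ADDRESS:
        out["external_ip"] = ".".join(str(b) for b in data[8:12])
    else:
        out["internal_port"], out["external_port"], out["lifetime"] = struct.unpack("!HHI", data[8:16])
    return out


class FakeGateway:
    """Stand-in for the base station with 'Enable NAT Port Mapping Protocol'
    on.  Note what is absent: no authentication at all.  Any host on the LAN,
    including malware on it, can open an inbound port to itself this way."""

    def __init__(self, external_ip, uptime=1000):
        self.external_ip, self.uptime = external_ip, uptime
        self.mappings = {}                            # (opcode, internal port) -> external port

    def handle(self, pkt):
        ver, op = pkt[0], pkt[1]
        if ver != 0:
            return struct.pack("!BBHI", 0, 128 + op, 1, self.uptime)
        if op == OP_EXTERNAL_ADDRESS:
            return struct.pack("!BBHI4s", 0, 128 + op, 0, self.uptime,
                               bytes(int(x) for x in self.external_ip.split(".")))
        if op in (OP_MAP_UDP, OP_MAP_TCP):
            _, _, _, iport, eport, life = struct.unpack("!BBHHHI", pkt[:12])
            if life == 0:                             # delete request
                self.mappings.pop((op, iport), None)
                return struct.pack("!BBHIHHI", 0, 128 + op, 0, self.uptime, iport, 0, 0)
            eport = eport or iport
            taken = {p for (o, i), p in self.mappings.items() if o == op and i != iport}
            while eport in taken:                     # suggested port busy: assign another
                eport += 1
            self.mappings[(op, iport)] = eport
            return struct.pack("!BBHIHHI", 0, 128 + op, 0, self.uptime, iport, eport, life)
        return struct.pack("!BBHI", 0, 128 + op, 5, self.uptime)


def query_gateway(gateway_ip, request, timeout=1.0):
    """Send one request to a real gateway (not called offline).  RFC 6886 has
    the client retry with doubling timeouts; a single attempt is shown."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (gateway_ip, NATPMP_PORT))
        return s.recvfrom(1500)[0]


if __name__ == "__main__":
    gw = FakeGateway("203.0.113.5", uptime=42)
    print(parse_response(gw.handle(external_address_request()), OP_EXTERNAL_ADDRESS))
    print(parse_response(gw.handle(map_request(OP_MAP_TCP, 22, 10022, 3600)), OP_MAP_TCP))
```

Against a real base station, replace gw.handle with query_gateway(gateway_ip, ...) where gateway_ip is the default route; the decoding is the same. The stand-in mirrors the RFC's behaviour of granting a different external port when the suggested one is already mapped to another internal host, which is how two LAN machines can both ask for "port 22" without either being refused.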