To avoid confusion I'll call:
- x.x.x.20 -> local1
- x.x.x.30 -> local2
- Apple device outside your home network -> remote1
You say:
"I've setup NAT on the AP to forward external ports 22 to the x.x.x.20 and 10022 to x.x.x.30."
which I interpret like this:
                ________                +-----------------+        +-----------+
               /        \ - port 22 ----|-----------------|------> | local1:22 |
+---------+   (          )              |                 |        +-----------+
| remote1 | - ( Internet )              | Airport Express |
+---------+   (          )              |                 |        +--------------+
               \________/ - port 10022 -|-----------------|------> | local2:10022 |
                                        +-----------------+        +--------------+
That is, local2 is reachable on [public IP address of Airport Extreme]:10022. However, the ssh commands you run in your question use the default SSH port (that is, 22/tcp), and connect to local1:22 (more exactly: they connect to [public IP address of Airport Extreme]:22, which forwards the connection to local1:22).
You must modify the ssh command you run on remote1 like this (notice option -p 10022):
remote1$ ssh -p 10022 -f -N -R 2222:localhost:22 [username at local2]@[public IP address of Airport Extreme]
-p 10022 tells ssh which port to connect to, while 2222:localhost:10022 tells ssh to allocate a socket on local2 to listen to port 2222 and forward any packet sent to that port to port 22 on remote1:
+------------+                        +----------------------+
|            |                        |                      |
| remote1:xx | -- SSH (port 10022)--> | local2:10022 (SSH)   |
|            |                        |                      |
| remote1:22 | <--- SSH tunnel ------ | local2:2222 (alloc'd |
|            |                        |              by ssh) |
+------------+                        +----------------------+
Now you can access remote1 from local2 as follows:
local2$ ssh -p 2222 remoteuser@localhost
(You use -f in your command which sends ssh to the background. The sshd process that binds to port 2222 and runs on local2 will continue to execute even if you stop Remote Login in System Preferences:
To stop it, list it:
local2$ lsof -i | grep 2222
local2$ sshd 855 jaume 14u IPv6 0x4857f 0t0 TCP localhost:2222 (LISTEN)
and kill it with kill <PID>:
local2$ kill 855
where PID is the second value in lsof's output line.)
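An added example, not part of the original answer: a plain `grep 2222` over `lsof` output also matches PIDs and other ports that contain those digits, so this sketch reports only sshd processes listening on exactly the forwarded port. The function names `sample_lsof` and `tunnel_pids` are hypothetical, and every sample line except the one quoted in the answer is constructed.

```sh
#!/bin/sh
# Added example (not from the original answer). Function names are hypothetical.

# sample_lsof: constructed `lsof -nP -iTCP`-style output. The first sshd line is
# the one quoted in the answer; the remaining lines are constructed decoys.
sample_lsof() {
    cat <<'EOF'
COMMAND  PID USER   FD  TYPE DEVICE  SIZE/OFF NODE NAME
sshd     855 jaume  14u IPv6 0x4857f 0t0      TCP  localhost:2222 (LISTEN)
sshd     855 jaume  15u IPv4 0x4858a 0t0      TCP  127.0.0.1:2222 (LISTEN)
sshd    2222 root    4u IPv4 0x48590 0t0      TCP  *:22 (LISTEN)
python   901 jaume   3u IPv4 0x485a1 0t0      TCP  127.0.0.1:22222 (LISTEN)
sshd     860 jaume   5u IPv4 0x485b2 0t0      TCP  127.0.0.1:22->127.0.0.1:52222 (ESTABLISHED)
EOF
}

# tunnel_pids PORT: read lsof lines on stdin and print the PID of every sshd
# process that is LISTENing on exactly PORT (IPv4/IPv6 duplicates collapsed).
tunnel_pids() {
    awk -v port="$1" '
        $1 == "sshd" && $NF == "(LISTEN)" {
            n = split($(NF - 1), part, ":")   # "host:port" or "[::1]:port"
            if (part[n] == port) print $2     # $2 is the PID column
        }' | sort -un
}

# A plain `grep 2222` matches all five sample lines (PID 2222, ports 22222 and
# 52222); the filter below reports only the forwarded listener.
echo "grep matches: $(sample_lsof | grep -c 2222)"
echo "sshd listening on 2222: $(sample_lsof | tunnel_pids 2222)"

# On a live host, feed real output instead and review the PIDs before killing:
#   lsof -nP -iTCP -sTCP:LISTEN | tunnel_pids 2222
```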
First of all, I would suggest setting this up with the Time Capsule first (unplug the AirPort Express). Then, once you have it working on the Time Capsule, you can duplicate it with the AirPort Express.
Option 1
If you want to lock things down as much as possible, then "No Access" should be the default:
And then create a new entry for the cell phone for when you do want to allow access:
However, that will mean that you have to create entries for all of your other devices as well.
Option 2
So your alternative is to make the default "Everyone is welcome":
But then specify when the cell phone is allowed to access:
Which to try?
I would use Option 1 unless you have so many other devices connecting that it would be impractical.
Option 2 seems like it would be easier to set up, but I have to admit I have not tried it myself.
Time Zone
Time Zone information is set here:
Note that I am still using AirPort Utility 5.6.1 because I find it a lot easier to use than AirPort Utility 6.
You can use 5.6.1 on Mountain Lion, despite what the installer will tell you.
See http://www.tuaw.com/2013/01/22/use-automator-to-get-the-airport-utility-5-6-1-working-on-os-x-1/ and http://www.macworld.com/article/1167965/mountain_lion_and_the_ancient_airport_base_station.html for details on how to install it.
Best Answer
You're asking a lot of different stuff here.
Here's the question I am going to try to answer:
"How can I bring my Airport devices into my Nagios monitoring more closely?"
OK so first of all, Nagios supports SNMP and (most?) Airport devices support SNMP. So "all" you have to do is configure the Airport SNMP settings and then set up Nagios to ingest the data.
Unfortunately the current version of Apple's Airport Utility (6.3.1) removed the interfaces to the SNMP settings in the Airport. You can still download the old version (5.6.1) from Apple but the installer for the old version of the Airport Utility refuses to run on Mountain Lion! However it turns out that it is only the installer that is broken in ML!
Some crazy genius has written and made available an Automator workflow that works around this and allows you to install the old version of Airport Utility. I just tried it and it worked. Was then able to use it to set the SNMP settings of my Airport devices.
If this ends up working for you and you accept my answer, you should consider rewriting the question so that the question and the answer match.