
Can't forward some ports


 
Grant 10 post(s)

My Metroflex MM2211 (in route mode—I can’t get bridge mode
to work, even though that’s what I really want) won’t allow me
to forward outside ports 22, 80, and 443. It claims it’s using
them for the management interface. However, all tests I’ve
done from outside indicate that there’s nothing listening on
those ports. It is listening on those ports on the LAN side,
and that’s OK, since I can secure access to the LAN side of the
modem.

How do I make sure my Metroflex isn’t listening on any
outside ports? I consider any such listening ports to be a
serious security problem.

If it’s not listening on those ports, why won’t it let me
forward them? I consider being able to ssh into my system from
outside to be an absolute necessity.

 
BigDog Administrator 118 post(s)

Grant, I’m assuming you are using the 2211-NG (running 4.3.x firmware). To simplify things, I connected a 2211-NG to a 3rd party access point in my lab and ran a port scan to the WAN port of the 2211-NG and found ports 22, 80 and 443 in listening mode. From a computer connected to the 3rd party AP I was able to use SSH and/or HTTPS to manage the 2211 using its WAN IP address (be aware the 2211 will automatically change to HTTPS (port 443) when being accessed using HTTP (port 80)). The LAN IP address is ‘protected’ by NAT if the 2211 is in Route mode, so the LAN IP address is by default not reachable from the outside.

Port Forwarding is used to make computers on the LAN side available to computers on the WAN side (read: Internet). If you want to access your private computer from the Internet using SSH (port 22), you need to configure a Port Forwarding rule like this:

Start port: 2222, End port: 2222, Protocol: TCP, Server IP address 192.168.30.123, Server port 22, Enable

With the above rule you are telling the 2211 to accept traffic from the WAN port on TCP port 2222, forward that to your private computer with IP address 192.168.30.123 using TCP port 22 on the LAN side.

When you’re on the Internet instruct your SSH client to use port 2222 to the WAN IP address of the 2211 and you will be forwarded to your private computer. If you want to use SSH to connect to the 2211 from anywhere on the Internet, instruct your SSH client to use port 22 to the WAN IP address of the 2211 and you will be connected to the management interface of the 2211 (which is username/password protected).

Ruckus Support
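
An added example, not part of the thread and not Ruckus tooling: one way to repeat the WAN-side check described above from a host outside the modem. It classifies each TCP port as open, closed or filtered, and for open ports reads any SSH banner so the port 22 management listener can be told apart from the LAN host behind the 2222 forward. The names `probe` and `survey` are hypothetical and the address 203.0.113.10 is a constructed placeholder.

```python
import socket

# Ports from the thread: 22/80/443 (management interface) and 2222 (the forward).
PORTS = (22, 80, 443, 2222)

def probe(host, port, timeout=3.0):
    """Return (state, banner) for one TCP port as seen from this host.

    state is "open" (handshake completed), "closed" (connection refused,
    i.e. a RST came back) or "filtered" (no answer or unreachable).
    banner is the first line the service sends unprompted, if any:
    SSH servers send one, HTTP(S) servers wait for the client and send none.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
    except ConnectionRefusedError:
        return "closed", ""
    except (socket.timeout, OSError):
        return "filtered", ""
    else:
        try:
            first = sock.recv(256).split(b"\n", 1)[0]
            banner = first.decode("ascii", "replace").strip()
        except (socket.timeout, OSError):
            banner = ""  # open, but the service did not speak first
        return "open", banner
    finally:
        sock.close()

def survey(host, ports=PORTS, timeout=3.0):
    """Probe every port and return {port: (state, banner)}."""
    return {port: probe(host, port, timeout) for port in ports}

if __name__ == "__main__":
    import sys
    # Constructed placeholder address; pass your own WAN IP as the argument.
    wan_ip = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    for port, (state, banner) in survey(wan_ip).items():
        print(f"{port:>5}/tcp  {state:<8}  {banner}")
```

Run it from a network outside the modem's WAN port; a check from the LAN side reaches the LAN-side listeners and says nothing about what is exposed outside.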

 
Grant 10 post(s)

> I’m assuming you are using the 2211-NG

The model number is MM2211-EXT, but the web pages appear to
match the NG docs.

[I just checked, and it’s running 4.3.0.0.110]

> I connected a 2211-NG to a 3rd party access point in my lab and
> ran a port scan to the WAN port of the 2211-NG and found ports
> 22, 80 and 443 in listening mode.

That’s not acceptable from a security standpoint. How do
I close outside ports?

> Port Forwarding is

Thanks, I know what port forwarding is.

> With the above rule you are telling the 2211

Thanks, I know how port forwarding works.

> When you’re on the Internet instruct your SSH client to use port 2222

Some places that I work from firewall outbound TCP connections
and only allow connections to specific ports (e.g. port 22 for
ssh).

Could you please tell me how to configure the MM2211-EXT so
that it’s not listening on any outside ports?

 
BigDog Administrator 118 post(s)

Grant, please send an email with subject “Can’t forward some ports” to support@ruckuswireless.com so we can discuss this further in private.

Ruckus Support
