SSH tunnels

In the past I’ve relied on the ability to create SSH tunnels for troubleshooting remote networks. I modify my SSH config file with a block like this where <remote IP> is a device on the remote LAN and xxxx/yy are relevant ports.

Host some-modem
    HostName <modem IP> 
    User user
    Port 2332
    LocalForward xxxx <remote IP>:yy

During login I’m prompted for the user’s password and receive an “OK” once it’s connected. At this point the tunnel is active and I can use a browser to access the target port locally. It allowed me to:

  1. establish secure HTTP connections to LAN devices which lacked HTTPS support, without the overhead of creating VPNs or similar extra work, and
  2. create temporary port forward rules, without the downtime and loss of connection required by a modem reboot

It was extremely convenient and useful. However, I’ve discovered this is apparently no longer supported. When I attempt to tunnel over RV50 modems running ALEOS 4.15.0 I see the following error in my terminal:

channel 7: open failed: administratively prohibited

which (according to online resources) indicates that sshd no longer uses the default value (Yes) for


Since I can still access target devices through conventional port forwarding rules, I’m forced to agree this is the explanation (versus the second most popular explanation: the remote hostname can’t be resolved).

Looking through release notes back to 4.13.0, I found this possibly related change under the Security Enhancements section:

Prevented Reverse SSH from being used to proxy network traffic.

I also found this forum post and this article from 2016 explaining how to create a Reverse SSH connection to access the serial port. They seem to imply that tunneling was never really supported, only the modem serial port was meant to be exposed.

I’m disappointed tunneling is no longer available and would love to see that capability restored. I think it’s completely reasonable to have it disabled by default, but also think it’s a feature that has merit and there should be a way of enabling it via ACEmanager.

Hi pokeeffe,

Sorry for this inconvenience. I would say that there would be no change in the future.


Thank you jerdung for the kind reply. That is reasonable, though I still consider it a bummer. Best regards