I'm  using what I believe is the Blue Curve modem. A tall blue-gray cube, nicely decorative, with a single light on the lower right corner of the sloped top?

Yes.The admin site at 10.0.0.1. The Advanced menu/ Port Forwarding.

The settings show as active and are saved between admin sessions. 

I've tried setting the IPv6 addresses of the forward target hosts but still not working. Firewall is off. 

Do you know of anyway of testing from within the LAN? I had a friend attempt from their LAN while I tried different targets but that was a lot of bother for them. 

Good suggestion but that's not the issue. I've discovered that I can connect via the standard ssh port but not via a custom port. 

Ah ha. I can test  via my phone. If I disconnect my phone from my wifi then I can get a SSH connect through the forward -- only through the standard SSH port though. I'll keep looking into it. 

Thanks for the response. 

> but not via a custom port. 

What port-number, or range of port-numbers?  I think that Shaw blocks 25/TCP "incoming" to every cable-modem.

Can you "allow" a range of ports to get "through" your Shaw device, and try each port, and then check the "firewall-log" on your computer that is running the SSH-server, to see if the Windows (Linux?) firewall is blocking-and-logging?

The port that's failing is 2423

There might be another wrinkle in that access is through key only on that machine. The one that is succeeding is on 22 and only password protected. So there are some more combinations to try. 

The firewall doesn't seem to be at issue. Behavior is same with firewall off. I tried tinkering with the *router* firewall by setting it to 'custom'. Made no difference either. 

@sboston your ask is quite outside our scope of support and I personally haven't tested these features before. @mdk is vastly knowledgable. Others in the Community may chime in as well. 

> The port that's failing is 2423.

That is a "non-standard" port, i.e., not listed in "C:\Windows\System32\Drivers\etc\services" as being a port-number that Windows would expect to be active.  So, that port-number should be "available" for your SSH-server.

Another possibility is that your computer has changed its IP-address, e.g., from "192.168.0.12" to "192.168.0.34", because the computer was powered-off for a while. When you rebooted it, it would issue a DHCP-request, and the DHCP-server "inside" the Shaw router would have responded with a different IP-address than before.  So, your "port-forwarding" rule -- "forward incoming 2423/TCP to "192.168.0.12" -- needs to be updated to target "192.168.0.34".