Netgate Discussion Forum

    Access webgui from outside (public ip)?

    Firewalling
    14 Posts 5 Posters 5.3k Views

      srs

      hello guys

      If my WAN is a public IP (ISDN, T1…), can I access the webgui from the internet using that public IP? I suppose a firewall rule should be created to allow this; can I access it through SSH (ssh -l root -p 222 x.x.x.x)?

      thanks

        GruensFroeschli

        As long as you put rules on WAN that allow this –> yes it is possible.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          srs

          Is this the reason for this error, when I try to ssh my pfsense?

          ~$ ssh -l root x.x.x.x -p 222
          ssh: connect to host x.x.x.x port 222: No route to host

          Ping to that ip works fine

            jahonix

            Yep.
            First you have to create a rule on WAN to pass traffic to your gateway's SSH port.
            If ping works fine from outside you have an allow ICMP rule on WAN already. Otherwise those packets would get dropped or rejected as well.

              srs

              Where can I create these rules? Firewall -> Rules -> WAN?

              then
              proto: tcp/udp
              source: *
              port: 222
              destination: wan address
              port: 222
              gateway: *

              I tested this and it didn't work!

              thanks a lot for your help

                dotdash

                I'll assume you changed the listening port to 222 under system, advanced.
                Anyway the rule should be:
                proto: tcp source:* port:* dest:wan address port:222 gateway:*
                (ssh is tcp only. the destination port is 222, not the source)

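Why the rule with source port 222 never matched, as an added example (not from any poster and not pfSense code): a simplified model of WAN pass rules plus the default deny, run against a constructed SSH connection attempt. The addresses are documentation ranges, and `ADMIN_ONLY_RULE` is an assumption showing the same rule with the source narrowed from `*` to one network.

```python
import ipaddress
from dataclasses import dataclass

WAN_ADDRESS = "198.51.100.1"  # constructed stand-in for the thread's x.x.x.x

@dataclass
class Rule:
    """One WAN pass rule; "*" means "any", as in the thread's notation."""
    proto: tuple            # protocols covered, e.g. ("tcp",)
    src: str = "*"          # "*" or a CIDR network
    src_port: object = "*"  # "*" or a port number
    dst: str = "*"          # "*" or a single address
    dst_port: object = "*"  # "*" or a port number

    def matches(self, pkt):
        if pkt["proto"] not in self.proto:
            return False
        if self.src != "*" and (ipaddress.ip_address(pkt["src"])
                                not in ipaddress.ip_network(self.src)):
            return False
        if self.dst != "*" and pkt["dst"] != self.dst:
            return False
        return (self.src_port in ("*", pkt["src_port"])
                and self.dst_port in ("*", pkt["dst_port"]))

def evaluate(rules, pkt):
    """Every rule here is a pass rule; a packet no rule matches is blocked."""
    return "pass" if any(rule.matches(pkt) for rule in rules) else "block"

def client_syn(src, dst_port=222, src_port=51514):
    """Constructed inbound TCP packet; clients connect from an ephemeral port."""
    return {"proto": "tcp", "src": src, "src_port": src_port,
            "dst": WAN_ADDRESS, "dst_port": dst_port}

# srs's rule from the thread: tcp/udp with source port 222 AND destination port 222.
SRS_RULE = Rule(("tcp", "udp"), src_port=222, dst=WAN_ADDRESS, dst_port=222)
# dotdash's correction: tcp only, any source port, destination port 222.
DOTDASH_RULE = Rule(("tcp",), dst=WAN_ADDRESS, dst_port=222)
# Assumption, not from the thread: the same rule limited to an admin network.
ADMIN_ONLY_RULE = Rule(("tcp",), src="203.0.113.0/24", dst=WAN_ADDRESS, dst_port=222)

if __name__ == "__main__":
    for name, rule in [("srs", SRS_RULE), ("dotdash", DOTDASH_RULE),
                       ("admin-only", ADMIN_ONLY_RULE)]:
        for src in ("203.0.113.10", "192.0.2.77"):  # constructed client addresses
            print(f"{name:10} from {src:13} -> {evaluate([rule], client_syn(src))}")
```

With source `*`, the corrected rule accepts SSH attempts from any address; the narrowed variant passes only the admin network and leaves everything else to the default deny.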
                  srs

                  @dotdash:

                  I'll assume you changed the listening port to 222 under system, advanced.
                  Anyway the rule should be:
                  proto: tcp source:* port:* dest:wan address port:222 gateway:*
                  (ssh is tcp only. the destination port is 222, not the source)

                  I tested this rule with both gateway:* and gateway: x.x.x.x (this is the WAN gateway), but still have the same error:

                  ~$ ssh -l root x.x.x.x -p 222
                  ssh: connect to host x.x.x.x port 222: No route to host

                  Could this not be an error in the WAN gw (in this case my WAN router)?

                  thanks

                    dotdash

                    'No route to host' sounds like there is a problem getting to the pfsense box from where you were testing from. Double-check you can ping the address you are trying to ssh to from the box you are trying to connect from…

                      srs

                      Yes, I also think this is very strange.

                      I can ping from the host I am on to the host that my pfsense is on; but when I try to ssh to it, I get that message (no route to host); when I traceroute my pfsense box, I can see the last router before my WAN router; the strange thing is that I have another box that is in the same network, so it uses the same gw as my pfsense; in this box I can ping, ssh, everything…

                      In my opinion, even if I do not open my firewall to get in through ssh, using nmap it should at least show me what ports are blocked, etc... but nmap, from that same machine, shows me this:

                      nmap x.x.x.x (pfsense wan ip)

                      Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2007-10-10 12:54 BRT
                      Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
                      Nmap finished: 1 IP address (0 hosts up) scanned in 0.297 seconds

                      I have some free IPs from that network, so maybe later I may try another IP and see if the same happens to it; the IP I'm using in pfsense is the first in the range; the linux box (that works fine) is the 2nd; I can try setting the 3rd to see what happens, but I also think that something is (should be) wrong...

                      is there any other test to do with it??
                      thanks!!

                        dotdash

                        1. Try and ssh to the firewall from the LAN side.
                        2. Go to advanced, disable the firewall, and try again from the Internet.

                          cmb

                          @srs:

                          In my opinion, even if I do not open my firewall to get in through ssh, using nmap it should at least show me what ports are blocked, etc… but nmap, from that same machine, shows me this:

                          nmap x.x.x.x (pfsense wan ip)

                          Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2007-10-10 12:54 BRT
                          Note: Host seems down. If it is really up, but blocking our ping probes, try -P0

                          (emphasis mine)

                          It doesn't respond to pings, if you want to see results you need to use -P0.

                            srs

                            @dotdash:

                            1. Try and ssh to the firewall from the LAN side.
                            2. Go to advanced, disable the firewall, and try again from the Internet.

                            I tried to ssh to the WAN interface from the LAN side and nothing happens; it keeps trying to contact without success.

                              cmb

                              can you ssh to the LAN IP?

                                srs

                                Yes, this always worked; I never tried to ssh to the WAN because it was behind an ADSL modem; now I'm using a frame relay circuit and do not have anything between me and the internet.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.