Nat & ssh problem

danswartz

Is the LAN subnet 192.168.0.0/24? If not, this is more complicated. If it is, are you sure the ssh server has a default route pointing at the pfsense?

spazio

Yes, the lan config is 192.168.0.1/24

And yes the ssh server has a default route, here is the config:
root@server:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 * 255.255.255.0 U 0 0 0 eth0
default pfsense.box 0.0.0.0 UG 100 0 0 eth0

I also tested it with 2 other ssh server i have on the lan segment and got the same time out from the external.

danswartz

Hmmm, can you post interface info, nat and rules?

spazio

The wan
pppoe with isp and is always connected
FTP Helper disable
Block private networks enable
Block bogon networks enable

The lan
IP configuration
Bridge with none
IP address 192.168.0.1 / 24
FTP Helper enable

NAT:
If Proto Ext. port range NAT IP Int. port range Description
WAN TCP 22 (SSH) 192.168.0.10 ssh server
(ext.: interface ip) 22 (SSH)

Rules:WAN
Proto Source Port Destination Port Gateway Schedule Description
* RFC 1918 networks * * * * * Block private
* Reserved * * * * * Block bogon
TCP * * 192.168.0.10 22 (SSH) * * ssh server

Rules:LAN
Proto Source Port Destination Port Gateway Schedule Description
* LAN net * * * * Default LAN -> any

Everything is pretty much iso. There is nothing special about the network.

danswartz

Odd, looks okay, as far as I can see. Curious, if you change the port number (on the outside) to some non-standard port (a good idea anyway) like 2222, does it work?

spazio

This is weird, just tested with port 2500 and here is the raw firewall log entry:

Mar 17 09:22:52 pf: 586569 rule 71/0(match): block in on ng0: (tos 0x0, ttl 59, id 2421, offset 0, flags [DF], proto TCP (6), length 60) 72.55.39.133.38982 > 74.10.205.142.22: S, cksum 0x5057 (correct), 1651357223:1651357223(0) win 5840 <mss 2="" 3328663370="" 1366,sackok,timestamp="" 0,nop,wscale="">The default deny rule apply and the packet is rejected here it is:
@71 block drop in log quick all label "Default deny rule"</mss>

danswartz

did you change the rule too, or just the nat entry? note that the rule applies to the post-nat, so that would stay port 22.

spazio

First i deleted the nat and rule on port 22 and then created a new nat on port 2500 that created automaticly the rule.

danswartz

it shouldn't have blocked it then :(

thafener

Spazio,

Did you find a solution for this meanwhile as I have the same problem with NAT over here.
I have solved it once in a absolutely strange way. I have delted all FW and NAT rules, made
a backup of the box and made a fresh install. Then I have created the rules manually again.
Then I have made the rules created by NAT the first ones and it worked for some 10 days
but it has stopped working again. :-[

cheers thafener

spazio

Nop, still have the same problem and it gets worst. I took another machine, did a completly new install from dist cd and the same problem occurs. The default deny rule block everything. I can't even get the packet to go tru once in a while like my other network.

Here is my understanding of the problem, the packet are discarded on a first come first served. It like if the default deny rule is the first, the packet is discarted so the other added rule do not apply.

This is weird, nat is usually pretty much strait forward, is there somebody that does technical incident call service?

danswartz

can you post your /tmp/rules.debug?

thafener

hi danswartz

here's mine as a example… renamed it to rules.txt

Thx thafener

rules.txt

danswartz

In a couple of places, you have rules saying {tcp udp} for a tcp service - get rid of the udp it just confuses things. Also, your post refers to 192.168.0.10, but the rules are referencing 192.168.1.2 - is this an error, or did you change the IPs and not post that? Anyway, this all looks correct - the only thing I can see as a possible issue (that might explain the inbound SSH request not getting through and not being blocked by PF) is snort. I have stopped using snort myself, due to false positives that resulted in good hosts being blacklisted. Could that be it?

thafener

Hi danswartz

Sorry I did not mean to confuse you, it was not the logfile of the threat starter but I have
exactly the same problem, I cannot access 192.168.1.2 in the LAN segment and found no lasting
solution so far.
Well I am not using snort but I will check the rest

Thx thafener

danswartz

Oh, sigh. This is confusing. I hadn't noticed I was dealing with two different posters :( So, thafener, when you try to connect to ssh from outside, is it blocked by the default rule or it just goes nowhere?

thafener

Sorry for all that mess danswartz I do not think that the ssh packages are blocked by the default rule as I can see
them pass in the firewall log but I cannot connect to the ssh host which is possible of course from the LAN side.
It is really confusing that I already "solved" this by making the SSH NAT rule the first one and it has been working
fine for a while but unfortunately the problem occured again.
I have a second PFsense system running in a different location and here it is the same with natting FTP.
I cannot access both boxes from here but I'' get back to this with a little more detailed log output tomorrow morning.

cheers thafener

thafener

Ok here's some output and some screenshots of this phenomenon…first of
all a packet capture of the WAN interface on Port 22...

08:09:08.760774 IP 217.71.243.136.1651 > 83.79.5.14.22: tcp 0
08:09:11.726431 IP 217.71.243.136.1651 > 83.79.5.14.22: tcp 0
08:09:17.742044 IP 217.71.243.136.1651 > 83.79.5.14.22: tcp 0

Please find the screenshots of the NAT rule and the Log viewer attached
below…

fwlog1.jpg_thumb

fwrule1.jpg_thumb

danswartz

Are you absolutely 100% positive there is no trace of the connection on LAN side? Can you run a capture there too?

thafener

I have made a captore in full detail but could not find packets on port 22 for host 192.168.1.2 :-\