Netgate Discussion Forum
    Port forwarding problem

    General pfSense Questions
wallabybob

      It is my recollection that some SSH servers need to be configured to specify which IP addresses are allowed access.

      I suggest you check your SSH configuration. SSH log might record failed access attempts.

      As johnpoz suggested, tcpdump is a useful tool to verify your access attempt passes various points along its path.

      Have you reset firewall states after setting up your port forward? See Diagnostics -> States, click on Reset States tab.

marvosa

        Post your port forward and firewall rules.  Also… on the linux server... make sure it's actually listening on port 22... and that the software firewall is either off... or has 22 allowed.  I would turn it off for testing.

jerwiles

          Here's my NAT rule

          Interface - WAN
          External address - any
          Protocol - TCP
          External port range - from: SSH   to:(other)
          NAT IP - 10.1.2.232
          Local port - SSH
          No XMLRPC Sync - Not Checked

          And my Firewall Rule

          Action - Pass
          Disabled - not checked
          Interface - WAN
          Protocol - TCP
          Source - "not" not checked   Type: Any   Address: Blank
           Advanced / Source port range - from: any   to: any
          Source OS - any
          Destination - "not" not checked
           Type: Single host or alias
           Address: 10.1.2.232
          Destination port range - from: SSH   to: SSH
          Log - checked
          Advanced Options - all empty
          State type - keep state
          No XMLRPC Sync - not checked
          Schedule - none
          Gateway - default

          I deleted the rules regarding port 2222, since they weren't working anyway.

          I tried doing screenshots but the forum says my image files are too large and I don't wanna mess with that.

To answer other questions - yes, I have reset the states. I also did a packet capture on port 22 while making an attempt to connect, and this was the result:

          11:00:28.624981 IP 66.87.74.16.17597 > x.x.x.2.22: tcp 0
          11:00:31.614608 IP 66.87.74.16.17597 > x.x.x.2.22: tcp 0
          11:00:37.626820 IP 66.87.74.16.17597 > x.x.x.2.22: tcp 0

          x's for privacy

jerwiles
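The capture above shows the same source port hitting x.x.x.2:22 three times with nothing coming back, which is what a TCP client retransmitting its SYN looks like when the forwarded port never answers. The following is an added example, not code from the thread or from pfSense: it parses tcpdump summary lines of that shape and flags flows that only ever carry packets in one direction. The sample capture is constructed from the three lines posted above plus an invented LAN-side exchange that does get answered, for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: the three WAN-side lines from the thread (inbound SYNs,
# no reply) plus a constructed LAN exchange where the server replies.
SAMPLE_CAPTURE = """\
11:00:28.624981 IP 66.87.74.16.17597 > x.x.x.2.22: tcp 0
11:00:31.614608 IP 66.87.74.16.17597 > x.x.x.2.22: tcp 0
11:00:37.626820 IP 66.87.74.16.17597 > x.x.x.2.22: tcp 0
11:05:02.000000 IP 10.1.2.50.51000 > 10.1.2.1.22: tcp 0
11:05:02.000512 IP 10.1.2.1.22 > 10.1.2.50.51000: tcp 0
"""

# tcpdump summary line: "<hh:mm:ss.usec> IP <src>.<sport> > <dst>.<dport>: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+):"
)

def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def unanswered_flows(capture, min_attempts=2):
    """Return flows with at least min_attempts packets and no reply traffic.

    Repeated packets from one source port toward the forwarded port with
    nothing coming back means the attempt reached the capture point but was
    never answered: wrong NAT target, host not listening, or something in
    between (such as the captive portal in this thread) dropping it.
    """
    forward = defaultdict(list)  # (src, sport, dst, dport) -> timestamps
    reverse = defaultdict(int)   # same key -> packets seen the other way
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        forward[key].append(_seconds(m["ts"]))
        reverse[(key[2], key[3], key[0], key[1])] += 1
    result = []
    for key, times in forward.items():
        if reverse[key] == 0 and len(times) >= min_attempts:
            gaps = [round(b - a, 3) for a, b in zip(times, times[1:])]
            result.append({"src": f"{key[0]}:{key[1]}", "dst": f"{key[2]}:{key[3]}",
                           "attempts": len(times), "gaps_s": gaps})
    return result

if __name__ == "__main__":
    for f in unanswered_flows(SAMPLE_CAPTURE):
        print(f"{f['src']} -> {f['dst']}: {f['attempts']} attempts, no reply, "
              f"retry gaps {f['gaps_s']}")
```

Run the same check against a capture taken on the LAN interface: if the flow also appears there and is still unanswered, the forward itself works and the problem is on the server side.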

            Also worth mentioning, tcpdump isn't logging anything at all when I do "tcpdump port 22" and attempt to connect to the server. Just for testing's sake, I also enabled ssh on the pfsense box and established a connection to it from the LAN side, and ran the same command "tcpdump port 22" and it logged my connection to the pfsense box.

marvosa

              You can use a service like photobucket.com, which will export the html image code… allowing you to post screenshots.

stephenw10 (Netgate Administrator)

                You haven't told us the 'source address' and 'destination address' fields in your NAT rule. Only 'external address' which isn't one of the fields. Confusing!  ;)

                Steve

johnpoz (LAYER 8 Global Moderator)

^ exactly.  There is no external address field in NAT. Do you mean src is set to any?  Then what is your dst address in the NAT? It should be WAN address.  If you put in the IP address of your server then no, it would never work, because the WAN would never see traffic with a dest of your private IP address.  All traffic on your WAN interface would have a dst of your WAN address.

                  Once your wan rule allows the traffic in, then the nat would nat and forward that traffic to where you want it to go.

Nor did you list what the source port in your NAT rule is set to in your above.  Just post a screenshot. As to it being too large - what the hell are you using to take it? Print screen, that is going to be a BMP file?  Use one of the 1000s of free tools out there to take your screenshot and save it in a format that makes sense, jpg, png, etc.  They also allow you to reduce size and quality to make for a very small file.

                  Windows 7 has the built in snipping tool for example.

                  By default your firewall wan rule should be autocreated when you setup the nat/forward.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11

jerwiles

                    @stephenw10:

                    You haven't told us the 'source address' and 'destination address' fields in your NAT rule. Only 'external address' which isn't one of the fields. Confusing!  ;)

                    Steve

                    I told you everything that's in the rule…

Anyway, the problem with posting screenshots was that I was trying to post all of my screenshots in one post... which is why the forum was saying too large. Anyway, here are the screenshots... broken up over multiple posts.

Attached here are my NAT settings

                    ![SSH Rule NAT.jpg](/public/imported_attachments/1/SSH Rule NAT.jpg)
                    ![NAT Rules.jpg](/public/imported_attachments/1/NAT Rules.jpg)

jerwiles

                      And firewall settings

                      ![Firewall Rules.jpg](/public/imported_attachments/1/Firewall Rules.jpg)

jerwiles

                        Firewall rule page 1

                        ![Firewall SSH Rule pt1.jpg](/public/imported_attachments/1/Firewall SSH Rule pt1.jpg)

jerwiles

                          Firewall rule page 2

                          ![Firewall SSH Rule pt2.jpg](/public/imported_attachments/1/Firewall SSH Rule pt2.jpg)

jerwiles

                            Firewall rule page 3

                            ![Firewall SSH Rule pt3.jpg](/public/imported_attachments/1/Firewall SSH Rule pt3.jpg)

johnpoz (LAYER 8 Global Moderator)

What version of pfSense are you running?  I don't see interface on the NAT rule.

                              It's on the edit page but not the rule listing.

                              Are you using old 1.x line?

stephenw10 (Netgate Administrator)

Hmm, looks like 1.2.3 or earlier. You should update when you have an opportunity to do so safely.
                                Anyway you should have 'external address' set to 'interface address'.

                                Steve

jerwiles

I'm using 1.2.3. I have a captive portal with user self registration, which is why the old version. There was a php script posted here on the forums by another user for user self registration that I am using (modified of course), but it does not work on 2.0+, just older versions of pfSense.

johnpoz (LAYER 8 Global Moderator)

Well, couple things – again, not seeing WAN as interface on the actual listing of the rules, only in your edit. Did it get unselected somehow?

Also, is that other NAT working? And I agree with stephenw10: the external should be set to WAN interface address, not any.  Also in your edit, along with interface, why would your external port be 22-any? You don't want to forward 23 to 22, do you?  Your dst is ssh-ssh, so your external should match that: ssh-ssh.

jerwiles

                                      I FOUND THE PROBLEM!  ;D

                                      It actually has to do with the captive portal. I had to add to and from rules in the allowed IP addresses list. I already had added the server's MAC to the MAC Pass-Through list, and thought that was all I needed to do, but I was wrong. Now that I have added the IP address of the server to the "allowed IP addresses" list in Captive Portal section it is working as it should be.

                                      Thank you guys for helping me troubleshoot. :)  You all have been quite helpful!
