Netgate Discussion Forum

Can pfsense do SSH port forwarding/tunneling?

  • C
    corpengineer
    last edited by Sep 9, 2014, 10:16 PM

    Hello there.  Can pfsense do SSH port forwarding/tunneling?

    For example, can a remote user SSH to the WAN interface, then be able to connect to internal servers via SSH port forwarding/tunneling?

    Thank you.

    • K
      KOM
      last edited by Sep 9, 2014, 11:29 PM

      Yes.  A single port forward rule will do it.

      • C
        corpengineer
        last edited by Sep 10, 2014, 4:16 PM

        Is there documentation on this?  When configuring port forwarding, I don't see any options to tunnel the traffic.  Maybe I am looking in the wrong place?

        Here's what I am trying to replicate, and want to replace the SSHd w/ pfsense:

        Currently, I SSH to a server running SSHd (on a NAT'ed public IP) using Putty.  Within Putty, there are options to SSH port forward, which re-maps local ports to private address space via SSH tunnels (like 127.0.0.1:8080 tunnels to 192.168.1.100:80).  So once SSH'ed to the public IP, I can connect to internal servers via SSH port forwarding/tunneling 127.0.0.1:8080 (for example).

        Thank you.

        • S
          Stewart
          last edited by Sep 10, 2014, 4:35 PM

          I'm not sure if you really need all that.  Let the router do the port adjustments.  Have the router forward all requests from, say, port 4987 to port 22 on one of your internal IPs.  Then you can connect to your PUBLIC.IP:4987 via Putty and pfSense will forward the request on.

          • C
            corpengineer
            last edited by Sep 10, 2014, 4:42 PM

            We need SSH tunneling internally.  But thank you though.

            • K
              KOM
              last edited by Sep 10, 2014, 4:55 PM

              I misunderstood what you were looking for, sorry.

              • C
                corpengineer
                last edited by Sep 10, 2014, 5:09 PM

                It's not a problem, I appreciate you guys trying to help.

                So does this functionality not exist in pfsense?

                What about the 'SSH Conditional' package, can this be used to accomplish ssh tunneling?

                • K
                  KOM
                  last edited by Sep 10, 2014, 6:07 PM

                  No idea.

                  • K
                    kejianshi
                    last edited by Sep 10, 2014, 6:28 PM

                    If it's Linux, Unix, BSD, it can proxy however a connection can be proxied, assuming you know how.

                    I used to use proxy on mine all the time, but really with a good VPN, I don't have much use for the proxy features now.

                    It still works fine - I just don't need it.

                    So, answer to your question, assuming you know how to set up your proxy on the client end, pfsense will proxy.

                    • C
                      corpengineer
                      last edited by Sep 10, 2014, 7:58 PM

                      Thank you.

                      For this purpose solely, I was hoping for a quick/easy solution, w/o having to delve into conf files.

                      It seems to me that the 'SSH Conditional' package does what I am looking for.  I'd just like to see a working example if possible.  I've looked around, w/o any luck.

                      Thank you.

                      • C
                        corpengineer
                        last edited by Sep 11, 2014, 7:18 PM

                        Using the package 'SSH Conditions', it does seem to work thus far (though haven't tried many variations) w/o digging into conf files.

                        Of note, some options w/in SSH Conditions do not seem to work, but at least it logs errors so you know.

                        Thank you to all who tried to assist.

                        1 Reply Last reply Reply Quote 0
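Added example, not part of the original thread or of any pfSense package: an OpenSSH `sshd_config` fragment that permits only the tunnel described in the thread (127.0.0.1:8080 on the client to 192.168.1.100:80 behind the firewall) and denies every other kind of forwarding. The account name `tunnel` is hypothetical, and it is an assumption that the conditions entered in the SSH Conditions package end up as `Match` blocks like the one shown.

```conf
# --- Weak: OpenSSH defaults, shown commented out for comparison ---
# With these, every account that can log in over SSH may forward
# to any host:port the firewall itself can reach.
# AllowTcpForwarding yes
# PermitOpen any

# --- Restricted: deny forwarding globally ---
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no
GatewayPorts no

# --- Then open exactly one destination for one account ---
# "tunnel" is a hypothetical, unprivileged forwarding-only user.
Match User tunnel
    # Local (-L) forwards only; remote (-R) forwards stay denied.
    AllowTcpForwarding local
    # The only destination a forward may reach (address from the thread).
    PermitOpen 192.168.1.100:80
    # No terminal; any requested session runs a command that exits at once.
    PermitTTY no
    ForceCommand /usr/bin/false

# Client side (OpenSSH), equivalent to the PuTTY tunnel in the thread:
#   ssh -N -L 127.0.0.1:8080:192.168.1.100:80 tunnel@PUBLIC.IP
# A forward to any other host or port is refused by sshd.
```

This needs only a WAN firewall rule that allows TCP to the SSH port on the firewall itself; no NAT port forward is involved, because sshd opens the connection to the internal server on the client's behalf.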