Cannot SSH in from external network
-
Hello,
I am fairly new to PFSense and I have it set up the way I want for the most part, but I cannot get this one last thing working. I am running an SSH server on the internal network. I am able to SSH to it fine from any box within the network. However, when I attempt to SSH into it from outside, it doesn't even seem to try. There is nothing showing up in the logs and the SSH attempt simply times out. Just as a test, I connected my SSH server to the ISP router and I can SSH in fine if connected to that (which is what I had set up before adding PFSense), so I know I am missing a configuration inside PFSense.
Some notes:
- I am running the SG-2220 with the wireless functionality and all my clients are connected to the wifi bridge.
- The SSH server does have PFSense as the gateway
- The SG-2220 is connected to the ISP modem
- I have assigned a static IP to the SSH server
- I have tried connecting to the SSH from an external wireless network (I have a karma wifi device) as well as mobile 4G
- I have this rule set up on the WAN (first I set up the NAT and then it set up this rule automatically)

| Protocol | Source | Port | Destination | Port | Gateway | Description |
| --- | --- | --- | --- | --- | --- | --- |
| IPv4 TCP | * | * | 192.168.10.16 | 22 (SSH) | * | NAT Forward to SSH Server |

I am sure this is just a stupid newbie mistake on my part but I cannot for the life of me figure out where my error is. Any help would be appreciated and thank you in advance.
-
Do you have the SSH Server on pfSense enabled?
Check under System -> Advanced -> Admin Access at the bottom. If you have the SSH Server on pfSense running on port 22 as well, there might be a conflict.
Another suggestion is to try enabling protocol TCP/UDP (both). I know you shouldn't need to, but test whether anything changes.
-
Thank you for the reply.
I tried your suggestion for disabling SSH on PFSense gateway and no luck. I also tried updating the rule to TCP/UDP and same problem.
-
Is your pfSense box connected to the ISP router in "Bridge" mode?
Check the WAN address on your pfSense box. If it's getting a 192.168.x.x address then you're double natting and won't be able to SSH in with your current setup.
Get a Bridge mode connection so your pfSense WAN gets an external address, or you'll have to try a double port forward setup.
-
My Bridge has the following member interfaces:
- LAN
- WIFI
The assignments are:
WAN is igb0 (The WAN port)
LAN is igb1 (The LAN port)
WIFI is ath0
BRIDGE is BRIDGE0 (the aforementioned LAN/WIFI bridge)

When I check the interface status, I do indeed see that WAN has a 192.168.0.X IP (which is the ISP network). If I understand how wifi works in PFSense, I need the bridge in order to have the wireless network work. So how would I modify this configuration to allow the wifi access point and correct this setup?
I used the following guide: https://www.servethehome.com/how-to-setup-wi-fi-with-pfsense/. I know in his guide that he has WAN as igb1 but when I looked at the documentation for this device (https://www.netgate.com/docs/sg-2220/io-ports.html) it stated it was igb0. Also when I tried igb1 for WAN I had no connectivity.
Thank you again!
-
0/ 192.168.0.X is an RFC1918 space. You won't be able to reach anything from Internet there. (Are you double-NATed?)
1/ You shouldn't bridge this in the first place.
2/ Set the proper tunables so that you filter the bridge and not the individual interfaces. https://doc.pfsense.org/index.php/Interface_Bridges
-
I am an idiot. I didn't catch what you guys meant by Double NAT until I actually sat down and thought about it. Logged into ISP router and fixed the forwarding and now it works.
Thanks again all!
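-
Added example, not part of the original thread: a small Python check for the double-NAT condition diagnosed above, which classifies the firewall's WAN address and lists every port forward needed for an inbound connection to reach the internal host. The function names and the WAN address 192.168.0.50 are assumptions made for illustration (the thread only gives 192.168.0.X); 192.168.10.16 and port 22 come from the rule posted above.

```python
import ipaddress

# Ranges that cannot be reached directly from the Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 carrier-grade NAT


def classify_wan(addr):
    """Return 'rfc1918', 'cgnat', 'unusable' or 'public' for a WAN address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return "unusable"
    return "public"


def forwards_needed(wan_addr, target, port):
    """List the (device, forward-to address, port) hops an inbound
    connection must traverse, outermost device first."""
    kind = classify_wan(wan_addr)
    inner = ("pfSense", target, port)
    if kind == "public":
        return [inner]
    if kind == "rfc1918":
        # Double NAT: the upstream (ISP) router must forward the port to
        # the pfSense WAN address before the pfSense rule is ever hit.
        return [("upstream router", wan_addr, port), inner]
    # CGNAT or an unusable address: no forward on equipment you own helps.
    raise ValueError(f"WAN address {wan_addr} is {kind}; "
                     "inbound forwarding is not possible from here")


if __name__ == "__main__":
    # Constructed WAN address standing in for the thread's 192.168.0.X.
    for hop in forwards_needed("192.168.0.50", "192.168.10.16", 22):
        print("%s: forward TCP %d -> %s" % (hop[0], hop[2], hop[1]))
```

If the upstream hop is missing, the SYN never reaches the pfSense WAN interface, which matches the symptom of a timeout with nothing in the firewall logs.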