Netgate Discussion Forum

    using ssh to connect to netgate?

    General pfSense Questions
      Gertjan @ctmoore

      @ctmoore said in using ssh to connect to netgate?:

      those people should be able to ssh in?

      pfSense is a router.
      It's not comparable to something known as a server.

      IMHO : one or some people that trust each other and know what they are doing can all share the same admin login : no real need to create several users to 'manage' the router.

      Normally, once set up, the console or SSH isn't needed. On the vast majority of the pfSense installs these (console or SSH afterwards) are never used again.

      The SSH access - or console, in certain ways, is even more important than the GUI access. It should be set up, especially if your pfSense router isn't in front of you on your desk.
      The SSH access - or console access, is important when things go bad because one of the first things that can go down is the GUI.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

        JKnott @Gertjan

        @Gertjan said in using ssh to connect to netgate?:

        The SSH access - or console, in certain ways, is even more important than the GUI access. It should be set up, especially if your pfSense router isn't in front of you on your desk.

        And for that reason, many routers also have serial ports that can be connected to a modem, for access when there's a problem blocking access via the Internet.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

          ctmoore

          Thanks everyone for these replies. To give a bit of background, this pfsense appliance is being used for research, so the students who are setting things up need remote access for the various configurations they are going to try out. I have set up accounts for them, and have turned on ssh for each of their accounts. I also set up the wan port on the appliance to our network, and arpwatch confirmed a dhcp assignment. The webgui shows the wan as active, etc.

          My current issue is that I still don't seem to be able to ssh into the appliance for remote management and config (yes I know it is not a server; I am thinking in terms of other switches I can manage remotely through ssh and their own cli). ssh to admin@<dhcp assigned IP address> isn't working; it doesn't show on ping or anything (though as a firewall maybe it's lying low?). But how on earth do I ssh into this thing with an ssh-enabled (as noted above) account? I haven't even gotten to the console issue yet, since this puppy has a mini usb port (?!) for console access instead of an rj45 port....

          Apologies for the length of time in replying, I have been traveling but can now sit down and hash this thing out.

            KOM

            I'm assuming you're trying to get in from the WAN side? WAN allows no inbound access by default. If you want to ssh in from WAN side, you need to add a firewall rule to the WAN rules to allow it.

              JKnott @ctmoore

              @ctmoore said in using ssh to connect to netgate?:

              since this puppy has a mini usb port (?!) for console access instead of an rj45 port....

              That's common these days. There should be a USB - serial port adapter connected to that USB port. Just plug in the cable and use a serial terminal app to use it.

                JKnott @KOM

                @KOM said in using ssh to connect to netgate?:

                I'm assuming you're trying to get in from the WAN side? WAN allows no inbound access by default. If you want to ssh in from WAN side, you need to add a firewall rule to the WAN rules to allow it.

                What I have often done is ssh to a computer behind the firewall and ssh from there. Of course, you should be able to ssh directly to the LAN side interface. This is assuming you have public addresses on the LAN.

                  ctmoore @KOM

                  @KOM Well the WAN must be allowing DHCP replies in?

                  @JKnott the lan side is a private testing area, such that whatever they do in there is contained within the lan by the pfsense appliance. Besides, if you were using ssh to get into a LAN-side server, wouldn't you have to go through the firewall to get to it? Maybe my mental map of this is all wrong. I see this as my normal, functional network having one appliance (the netgate) newly added to it. Behind the netgate is some whizbang experimental cluster I personally care nothing at all about other than that it stays behind the netgate. The students on the WAN side that are playing with it do not have physical access to the cluster (or the netgate).

                  So I'd need to set up the firewall for ssh access to the netgate as well as through it to get to any of the servers on the other side of it...

                    JKnott @ctmoore

                    @ctmoore

                    I thought you were trying to get in from the WAN side. Yes, you would have to go through the firewall and configure the rules accordingly. So, if you were to allow any address on the LAN, so that the students can reach their systems, then you should be able to access the LAN side address, without opening access to the WAN side address.

                      ctmoore @JKnott

                      @JKnott I am confused :)

                      I see this as follows:

                      WAN                                netgate                             LAN
                      (my established network,             <magic>          <mysterious black box cluster of stuff>
                      in which I control DHCP,
                      etc)
                      Has outside/internet contact, etc
                      

                      Everyone is on the WAN. I want to give a specific set of students, whose project is in the LAN side and quarantined behind the netgate, access to the netgate so they can configure their research cluster however they want, as far as I am concerned, so long as their network and traffic is otherwise quarantined on their side of the netgate. But their access comes from my side of the network.

                      Is that how I should look at it? I did double check whether I could access the netgate by a URL on the WAN ip address (e.g. maybe I'm fixating on ssh for no good reason) but that doesn't respond.

                      Is this an appropriate starting point?
                      https://docs.netgate.com/pfsense/en/latest/firewall/remote-firewall-administration.html

                          JKnott @ctmoore

                          @ctmoore said in using ssh to connect to netgate?:

                          Is that how I should look at it? I did double check whether I could access the netgate by a URL on the WAN ip address (e.g. maybe I'm fixating on ssh for no good reason)

                          I have already told you, if you have the firewall configured to allow access to the LAN, then the LAN side address should be reachable. As someone else mentioned, if you want WAN side access, then it has to be enabled. Then there is also a serial port connection, using a USB cable and serial terminal app. Those are your 3 choices, take your pick.

                            ctmoore

                            All I have managed to do is put a laptop onto the LAN directly (eth2) for the default 169 webgui and no other config besides setting the WAN and a couple of users. So if I config the firewall with that laptop to allow WAN incoming for http/s, then in theory they would get this same webgui interface when navigating to the wan-side dhcp assigned address?

                            Sorry, I deal much more with the likes of arista and mellanox switches rather than this kind of box and that's all straight up terminal, cli and good old fashioned rj45 serial ports hooked up to a CAS for when network goes bupkus.

                              JKnott @ctmoore

                              @ctmoore

                              What's a 169 webgui? Are you using addresses in the 169.254 range???

                              As I mentioned, that USB connected serial port should work fine. Have you tried it?

                                KOM

                                You're probably going to have to post up some screens of your config so we can see what's going on. We're just guessing at this point, and that isn't an effective way of solving your problem.

                                  ctmoore @JKnott

                                  @JKnott I am talking about taking a laptop, running cat6 from its eth port to netgate's eth2 port, and opening the browser to 192.168.1.1. That's all I've managed to do configuration wise and is not how I want the students getting to it. I used that WebGUI to set up the WAN on ix0, to ensure it's getting DHCP (which I confirmed on my end with arpwatch). I set up two admin user accounts (and made sure that ssh was enabled for them both). At this point, I apparently need to use this same approach to get the firewall opened up for ssh and/or http/s (probably both) through the WAN. And then at THAT point, navigate to the dhcp-acquired address from the WAN in order to either ssh in or bring up the WebGUI on that side? Right now the netgate box is unresponsive to ssh, ping, or http on the WAN side.

                                  I'll worry about any kind of console access later.

                                    KOM

                                    @ctmoore said in using ssh to connect to netgate?:

                                    At this point, I apparently need to use this same approach to get the firewall opened up for ssh and/or http/s (probably both) through the WAN.

                                    Not if you're trying to get at it from LAN. When we said that, we weren't sure how you were trying to get at it.

                                    If you can get to WebGUI then you should have no problems sshing into pfSense, assuming you've enabled that feature.

                                      ctmoore @KOM

                                      @KOM No; I can get to it from the LAN through the straight-out-of-the-box-unconfigured method of physically clomping a laptop to the netgate's eth2 port. But I want to be able to get to the netgate and set it up from the WAN side so the researchers can do it themselves (and heck, so I don't have to lug this damn thing downstairs every time). They most assuredly are not going to clomp down to the machine room and set up camp next to the rack it's installed into. I need them to access the webgui from the wan.

                                      (Maybe it's not clear; the only way to the lan is through the netgate, so until then...)

                                      Anyway, I could not agree more. Which screenshots would be the most helpful for you to see?

                                        KOM

                                        OK now I get it.

                                        You need one rule on WAN that allows tcp/22. Is the WAN on the Internet or is it on a private network?

                                          Derelict LAYER 8 Netgate

                                          If this is not a public WAN-type environment then all you have to run is this:

                                          pfSsh.php playback enableallowallwan

                                          That is all I do when I make a new lab VM.

                                          Standard disclaimer about not doing that on an actual public interface yadda yadda yadda applies.

                                          Chattanooga, Tennessee, USA
                                          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                          Do Not Chat For Help! NO_WAN_EGRESS(TM)
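An added audit example, mine rather than anything from this thread or from pfSense itself, covering the point KOM makes (one tcp/22 rule on WAN) and Derelict's lab-only playback: it parses a constructed pfSense-style config.xml fragment and flags WAN pass rules that let tcp/22 in from any source, while a rule scoped to a source network passes. The element names follow config.xml as I understand it; the rules, descriptions and the 10.20.30.0/24 network are made up.

```python
"""Audit pfSense-style firewall rules for SSH exposed on WAN (constructed example:
the XML mimics the <filter><rule> layout of config.xml as I understand it; the
rules, descriptions and the 10.20.30.0/24 network are made up for this demo)."""
import xml.etree.ElementTree as ET

SSH_PORT = 22

SAMPLE_CONFIG = """<pfsense><filter>
  <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
    <source><any/></source><destination><network>wanip</network><port>22</port></destination>
    <descr>ssh from anywhere</descr></rule>
  <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
    <source><network>10.20.30.0/24</network></source>
    <destination><network>wanip</network><port>22</port></destination>
    <descr>ssh from the research VLAN only</descr></rule>
  <rule><type>pass</type><interface>wan</interface>
    <source><any/></source><destination><any/></destination>
    <descr>allow all on WAN (lab only)</descr></rule>
  <rule><type>pass</type><interface>lan</interface>
    <source><any/></source><destination><any/></destination>
    <descr>default LAN rule</descr></rule>
</filter></pfsense>"""

def port_matches(port_text, wanted):
    """A port is stored as '22', a range '22-23', or absent (= any port); an alias
    name cannot be resolved here, so it counts as a match (conservative)."""
    if not port_text:
        return True
    lo, _, hi = port_text.partition("-")
    try:
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
    except ValueError:
        return True
    return lo_i <= wanted <= hi_i

def audit_wan_ssh(xml_text, iface="wan"):
    """Return (descr, reason) for each enabled pass rule on `iface` that can carry
    tcp/22 from any source; rules limited to a source network are not reported."""
    findings = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        if rule.findtext("type") != "pass" or rule.findtext("interface") != iface:
            continue
        if rule.find("disabled") is not None:  # element present only when disabled
            continue
        proto = rule.findtext("protocol")  # absent element means "any" protocol
        if proto not in (None, "tcp", "tcp/udp"):
            continue
        dst = rule.find("destination")
        port = dst.findtext("port") if dst is not None else None
        if not port_matches(port, SSH_PORT):
            continue
        src = rule.find("source")
        if src is not None and src.find("any") is not None:
            reason = "any protocol, any source" if proto is None else f"{proto}/{SSH_PORT} from any source"
            findings.append((rule.findtext("descr", ""), reason))
    return findings

if __name__ == "__main__":
    for descr, reason in audit_wan_ssh(SAMPLE_CONFIG):
        print(f"WAN exposure: {descr!r}: {reason}")
```

Run against the sample it reports the "ssh from anywhere" rule and the lab-only allow-all rule, and stays quiet about the rule restricted to the research VLAN.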

                                            ctmoore @KOM

                                            @KOM the WAN is from our VLAN which is a mix (I know I know, remember research/experimental environment here) of public/private IP addresses. Right now, it's getting one of our private IP addresses.

                                            I just put in a firewall rule for allowing ssh on the WAN, and I'm almost there!

                                            root@wan:~# ssh admin@dyn21
                                            The authenticity of host 'dyn21 (172.x.x.x)' can't be established.
                                            ED25519 key fingerprint is <blah blah>.
                                            Are you sure you want to continue connecting (yes/no)? yes
                                            Warning: Permanently added 'dyn21,172.x.x.x' (ED25519) to the list of known hosts.
                                            Password for admin@cluster.wan.com:
                                            Connection to dyn21 closed by remote host.
                                            Connection to dyn21 closed.
                                            root@wan:~#
                                            

                                            (previously the ssh would just time out.)

                                            Just for kicks/more info, I tried one of the accounts I added via the LAN-side webGUI:

                                            root@sysnet:~# ssh mgr@dyn21
                                            Password for mgr@cluster.wan:
                                            Password for mgr@cluster.wan:
                                            Password for mgr@cluster.wan:
                                            mgr@dyn21's password: 
                                            
                                            
                                            
                                            
                                            
                                            ^C
                                            root@sysnet:~#
                                            

                                            Now that seems kind of odd. I'm wondering if that's because the "name" from the dhcp (dyn21) doesn't match the self name I gave it in the webGUI (cluster)? It did seem to try both.

                                            What exactly kind of prompt or response would I get with a successful ssh to the NetGate box? I'm not sure what sort of platform it is running at that point. I did hit return a couple of times before ^C out.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.