Netgate Discussion Forum

using ssh to connect to netgate?

General pfSense Questions
    ctmoore @ctmoore
    last edited by Sep 18, 2019, 8:49 PM

    This post is deleted!
      JKnott @ctmoore
      last edited by Sep 18, 2019, 8:53 PM

      @ctmoore said in using ssh to connect to netgate?:

      Is that how I should look at it? I did double check whether I could access the netgate by a URL on the WAN ip address (eg maybe I'm fixating on ssh for no good reason).

      I have already told you, if you have the firewall configured to allow access to the LAN, then the LAN side address should be reachable. As someone else mentioned, if you want WAN side access, then it has to be enabled. Then there is also a serial port connection, using a USB cable and serial terminal app. Those are your 3 choices, take your pick.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

        ctmoore
        last edited by Sep 18, 2019, 9:26 PM

        All I have managed to do is put a laptop onto the LAN directly (eth2) for the default 169 webgui and no other config besides setting the WAN and a couple of users. So if I config the firewall with that laptop to allow WAN incoming for http/s, then in theory they would get this same webgui interface when navigating to the wan-side dhcp assigned address?

        Sorry, I deal much more with the likes of arista and mellanox switches rather than this kind of box and that's all straight up terminal, cli and good old fashioned rj45 serial ports hooked up to a CAS for when network goes bupkus.

          JKnott @ctmoore
          last edited by Sep 18, 2019, 9:43 PM

          @ctmoore

          What's a 169 webgui? Are you using addresses in the 169.254 range???

          As I mentioned, that USB connected serial port should work fine. Have you tried it?

            KOM
            last edited by Sep 18, 2019, 9:57 PM

            You're probably going to have to post up some screens of your config so we can see what's going on. We're just guessing at this point, and that isn't an effective way of solving your problem.

              ctmoore @JKnott
              last edited by Sep 18, 2019, 10:03 PM

              @JKnott I am talking about taking a laptop, running cat6 from its eth port to netgate's eth2 port, and opening the browser to 192.168.1.1. That's all I've managed to do configuration wise and is not how I want the students getting to it. I used that WebGUI to set up the WAN on ix0, to ensure it's getting DHCP (which I confirmed on my end with arpwatch). I set up two admin user accounts (and made sure that ssh was enabled for them both). At this point, I apparently need to use this same approach to get the firewall opened up for ssh and/or http/s (probably both) through the WAN. And then at THAT point, navigate to the dhcp-acquired address from the WAN in order to either ssh in or bring up the WebGUI on that side? Right now the netgate box is unresponsive to ssh, ping, or http on the WAN side.

              I'll worry about any kind of console access later.

                KOM
                last edited by Sep 18, 2019, 10:12 PM

                @ctmoore said in using ssh to connect to netgate?:

                At this point, I apparently need to use this same approach to get the firewall opened up for ssh and/or http/s (probably both) through the WAN.

                Not if you're trying to get at it from LAN. When we said that, we weren't sure how you were trying to get at it.

                If you can get to WebGUI then you should have no problems sshing into pfSense, assuming you've enabled that feature.

                  ctmoore @KOM
                  last edited by Sep 18, 2019, 10:24 PM

                  @KOM No; I can get to it from the LAN through the straight-out-of-the-box-unconfigured method of physically clomping a laptop to the netgate's eth2 port. But I want to be able to get to the netgate and set it up from the WAN side so the researchers can do it themselves (and heck, so I don't have to lug this damn thing downstairs every time). They most assuredly are not going to clomp down to the machine room and set up camp next to the rack it's installed into. I need them to access the webgui from the wan.

                  (Maybe it's not clear; the only way to the lan is through the netgate, so until then...)

                  Anyway, I could not agree more. Which screenshots would be the most helpful for you to see?

                    KOM
                    last edited by Sep 19, 2019, 12:54 AM

                    OK now I get it.

                    You need one rule on WAN that allows tcp/22. Is the WAN on the Internet or is it on a private network?

                      Derelict LAYER 8 Netgate
                      last edited by Sep 19, 2019, 4:36 AM

                      If this is not a public WAN-type environment then all you have to run is this:

                      pfSsh.php playback enableallowallwan

                      That is all I do when I make a new lab VM.

                      Standard disclaimer about not doing that on an actual public interface yadda yadda yadda applies.

                      Chattanooga, Tennessee, USA
                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                        ctmoore @KOM
                        last edited by Sep 20, 2019, 7:53 PM

                        @KOM the WAN is from our VLAN which is a mix (I know I know, remember research/experimental environment here) of public/private IP addresses. Right now, it's getting one of our private IP addresses.

                        I just put in a firewall rule for allowing ssh on the WAN, and I'm almost there!

                        root@wan:~# ssh admin@dyn21
                        The authenticity of host 'dyn21 (172.x.x.x)' can't be established.
                        ED25519 key fingerprint is <blah blah>.
                        Are you sure you want to continue connecting (yes/no)? yes
                        Warning: Permanently added 'dyn21,172.x.x.x' (ED25519) to the list of known hosts.
                        Password for admin@cluster.wan.com:
                        Connection to dyn21 closed by remote host.
                        Connection to dyn21 closed.
                        root@wan:~#
                        

                        (previously the ssh would just time out.)

                        Just for kicks/more info, I tried one of the accounts I added via the LAN-side webGUI:

                        root@sysnet:~# ssh mgr@dyn21
                        Password for mgr@cluster.wan:
                        Password for mgr@cluster.wan:
                        Password for mgr@cluster.wan:
                        mgr@dyn21's password: 
                        
                        
                        
                        
                        
                        ^C
                        root@sysnet:~#
                        

                        Now that seems kind of odd. I'm wondering if that's because the "name" from the dhcp (dyn21) doesn't match the self name I gave it in the webGUI (cluster)? It did seem to try both.

                        What exactly kind of prompt or response would I get with a successful ssh to the NetGate box? I'm not sure what sort of platform it is running at that point. I did hit return a couple of times before ^C out.

                          stephenw10 Netgate Administrator
                          last edited by Sep 21, 2019, 4:25 PM

                          It's FreeBSD. If you login as admin or root you should see the console menu:

                          steve@steve-MMLP7AP-00 ~ $ ssh admin@fw321.stevew.lan
                          Password for admin@fw321.stevew.lan:
                          pfSense - Netgate Device ID: f4341e45555574780446
                          
                          *** Welcome to pfSense 2.5.0-DEVELOPMENT (amd64) on fw321 ***
                          
                           WAN (wan)       -> igb0       -> v4/DHCP4: 172.21.16.140/24
                           LAN (lan)       -> igb1       -> v4: 192.168.140.1/24
                           OPT1 (opt1)     -> igb2.500   -> v4: 10.0.25.68/25
                          
                           0) Logout (SSH only)                  9) pfTop
                           1) Assign Interfaces                 10) Filter Logs
                           2) Set interface(s) IP address       11) Restart webConfigurator
                           3) Reset webConfigurator password    12) PHP shell + pfSense tools
                           4) Reset to factory defaults         13) Update from console
                           5) Reboot system                     14) Disable Secure Shell (sshd)
                           6) Halt system                       15) Restore recent configuration
                           7) Ping host                         16) Restart PHP-FPM
                           8) Shell
                          
                          Enter an option: 
                          

                          Other users just reach a prompt:

                          steve@steve-MMLP7AP-00 ~ $ ssh steve@fw321.stevew.lan
                          Password for steve@fw321.stevew.lan:
                          [2.5.0-DEVELOPMENT][steve@fw321.stevew.lan]/home/steve: 
                          

                          Is 'cluster.wan' what you named the firewall?

                          Steve

                            ctmoore @stephenw10
                            last edited by Sep 23, 2019, 8:09 PM

                            @stephenw10 Yes, I'm not getting any response when I ssh in (I hit return a few times).

                            Correct, "cluster" is the name I gave the netgate box (on the default lan webgui, which I can access by directly eth to the netgate box), and "wan" is the name of the domain I administer and which gives the netgate its dhcp address (that part has worked).

                            OK, now I just tried it again and I get the menu. Without having changed a thing from my last post. (Argh.) Maybe it needed time to become effective??

                            Thanks for all your help everyone!

                              stephenw10 Netgate Administrator
                              last edited by Sep 23, 2019, 10:05 PM

                              Hmm, well glad you got connected. It certainly shouldn't take any time.

                              The console output looks like it was just refusing the login for the mgr user. Perhaps the user had been edited and changes not applied? They would then be applied when you made some other change which can look like this.

                              Steve
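
The three symptoms seen in this thread (ssh timing out before the WAN rule existed, a connection that is accepted, and a login that is then refused) can be told apart from the client side before touching the firewall. The following is an added example, not code from the thread or from pfSense; the function names and the hint texts are hypothetical and reflect one reading of the posts above.

```python
import socket
import sys

# Suggested next check per outcome (an editor's reading of the thread,
# not pfSense documentation).
NEXT_CHECK = {
    "filtered": "no reply at all (dropped on the way, or host down): "
                "look for a missing pass rule for tcp/22 on the arriving interface",
    "refused": "host answers but nothing accepts on the port: "
               "check that Secure Shell is enabled",
    "no-banner": "TCP connects but no SSH identification string arrives: "
                 "something other than sshd answered",
    "ssh": "firewall and sshd are fine: "
           "a failing login is an account or password problem",
    "unreachable": "routing or addressing problem before the firewall matters",
}

def probe_ssh(host, port=22, timeout=3.0):
    """Return (state, detail) describing how a TCP connection to host:port ends."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ("filtered", "")        # SYN was silently dropped
    except ConnectionRefusedError:
        return ("refused", "")         # a RST came back
    except OSError as exc:
        return ("unreachable", str(exc))
    with sock:
        try:
            data = sock.recv(255)      # in SSH the server speaks first
        except OSError:                # includes a read timeout
            return ("no-banner", "")
    # RFC 4253 allows other lines before the "SSH-" identification string.
    for line in data.splitlines():
        if line.startswith(b"SSH-"):
            return ("ssh", line.strip().decode("ascii", "replace"))
    return ("no-banner", "")

def diagnose(host, port=22, timeout=3.0):
    """One-line summary: observed state plus the suggested next check."""
    state, detail = probe_ssh(host, port, timeout)
    return f"{host}:{port} {state} {detail}".rstrip() + " -> " + NEXT_CHECK[state]

if __name__ == "__main__":
    # 127.0.0.1 is only a placeholder default; pass the firewall's address.
    print(diagnose(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it from a host on the WAN side, passing the firewall's WAN address as the first argument.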

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.