pfSense - Enable ssh (port 22) access through the WAN using terminal/console/shell
-
@eduardolucioac It depends on your OS. Use whatever tool/utility you can get and take a screen. On Windows you can do a shift-PrtScn and then paste it into Paint or whatever. To post it, use the icon that's second from the far right (Upload Image).
Also, is your WAN using a private (RFC1918) IP address? Are you trying to access it from the Internet or another LAN? What is the description of the block in the log, eg. Default deny rule IPv4 (1000000103)?
-
Also, is your WAN using a private (RFC1918) IP address?
Yes.
Are you trying to access it from the Internet or another LAN?
From another LAN.
For...
It depends on your OS. Use whatever tool/utility you can get and take a screen.[...]
... and...
What is the description of the block in the log, eg. Default deny rule IPv4 (1000000103)?
... here is a complete set of information...
- PF RULESET
- Generated Rules
cat /tmp/rules.debug
cat /etc/inc/filter.inc
- Interpreted Rules
. Show firewall rules...
pfctl -sr
. NAT rules
pfctl -sn
. All rules
pfctl -sa
. More verbose output including rule counters, ID numbers, and so on...
pfctl -vvsr
. Additional rules in anchors from packages or features such as UPnP...
pfSsh.php playback pfanchordrill
pfSsh_php_playback_pfanchordrill.txt
- FIREWALL LOG
- Parsed log...
cat /var/log/filter.log | filterparser.php
cat_var_log_filter_log_x_filterparser_php.txt
- Raw log...
cat /var/log/filter.log
Thanks! =D
[Ref(s).: Viewing the pf ruleset, Viewing the Firewall Log]
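To answer the "what is the description of the block in the log" question without the GUI, the raw /var/log/filter.log lines above can be parsed directly. The following is an added example (not from this thread or from pfSense itself) that splits pfSense's filterlog CSV fields for IPv4 TCP/UDP entries and picks out inbound port-22 blocks on the WAN interface; the field layout is assumed from the pfSense filterlog format, and the log lines, interface name em0 and the pass-rule tracker 1617900000 are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Tracker id the thread names for the IPv4 default deny rule.
DEFAULT_DENY_IPV4_TRACKER = "1000000103"

# Assumed filterlog CSV layout (IPv4 + TCP/UDP), after the syslog prefix:
# common: rulenr, subrulenr, anchor, tracker, iface, reason, action, dir, ipver
# ipv4:   tos, ecn, ttl, id, offset, flags, proto_id, proto, length, src, dst
# tcp/udp: sport, dport, ...
SYSLOG_PREFIX = re.compile(r"^.*filterlog(?:\[\d+\])?:\s*")

@dataclass
class LogEvent:
    tracker: str
    iface: str
    action: str
    direction: str
    proto: str
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]

def parse_filterlog_line(line: str) -> Optional[LogEvent]:
    """Parse one filter.log line; returns None for non-IPv4 or malformed lines."""
    f = SYSLOG_PREFIX.sub("", line.strip()).split(",")
    if len(f) < 20 or f[8] != "4":   # only the IPv4 layout is handled here
        return None
    sport = dport = None
    if f[16] in ("tcp", "udp") and len(f) >= 22:
        sport, dport = int(f[20]), int(f[21])
    return LogEvent(f[3], f[4], f[6], f[7], f[16], f[18], f[19], sport, dport)

def describe_rule(ev: LogEvent) -> str:
    """Human-readable rule description, matching the GUI's wording for the default deny."""
    if ev.tracker == DEFAULT_DENY_IPV4_TRACKER:
        return f"Default deny rule IPv4 ({ev.tracker})"
    return f"rule tracker {ev.tracker}"

def blocked_ssh_on_wan(lines: List[str], wan_iface: str, port: int = 22) -> List[LogEvent]:
    """Return inbound TCP blocks on the WAN interface for the given port."""
    events = (parse_filterlog_line(l) for l in lines)
    return [ev for ev in events if ev and ev.action == "block" and ev.direction == "in"
            and ev.iface == wan_iface and ev.proto == "tcp" and ev.dport == port]

# Constructed sample log: one default-deny block of SSH, one pass, one unrelated UDP block.
SAMPLE_LOG = """\
Jun  5 10:15:01 pfSense filterlog[51234]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,31337,0,DF,6,tcp,60,192.168.1.50,10.0.0.1,51234,22,0,S,1234567890,,65535,,mss;sackOK;TS;nop;wscale
Jun  5 10:15:02 pfSense filterlog[51234]: 9,,,1617900000,em0,match,pass,in,4,0x0,,64,31338,0,DF,6,tcp,60,192.168.1.50,10.0.0.1,51235,22,0,S,1234567891,,65535,,mss;sackOK;TS;nop;wscale
Jun  5 10:15:03 pfSense filterlog[51234]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,31339,0,DF,17,udp,78,192.168.1.50,10.0.0.1,5353,5353,58
""".splitlines()
```

Running `blocked_ssh_on_wan(SAMPLE_LOG, "em0")` and passing the result to `describe_rule` reports the same "Default deny rule IPv4 (1000000103)" text that kom asked about.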
-
[...] I just went back to factory defaults and configured it again and again it works for me.[...]
What version of pfSense are you using? I am using 2.5.1.
-
@eduardolucioac 21.05
If your WAN is private, did you set the interface to not automatically block all rfc1918 traffic (Interfaces - WAN - Reserved Networks)?
-
If your WAN is private, did you set the interface to not automatically block all rfc1918 traffic (Interfaces - WAN - Reserved Networks)?
I believe it is not blocking. But how can I confirm this?
-
@eduardolucioac I told you already. Go to Interfaces - WAN. Scroll down to Reserved Networks at the bottom. Uncheck Block private networks and loopback addresses. You want this checked if your WAN is public, unchecked if WAN is private and you want to allow inbound connections from other LANs.
-
I told you already. Go to Interfaces - WAN. Scroll down to Reserved Networks at the bottom. Uncheck Block private networks and loopback addresses. You want this checked if your WAN is public, unchecked if WAN is private and you want to allow inbound connections from other LANs.
It is true. You already said that. I didn't understand. Sorry!
This is the option noted in this post: Block private networks and loopback addresses.
However I have a question... How can I do this using pfSense's terminal/console/shell?
Thanks!
-
@eduardolucioac Duh, sorry I forgot you were limited to console only.
Try:
$config['interfaces']['wan']['blockpriv'] = "";
I'm not sure how to set this though. "" may work, or there may be some other way to null the value. If you uncheck from GUI, save then check the config file, the <blockpriv>on</blockpriv> line is missing entirely. I don't know how to delete a line from config.
-
@kom said in pfSense - Enable ssh (port 22) access through the WAN using terminal/console/shell:
I'm not sure how to set this though. "" may work, or there may be some other way to null the value. If you uncheck from GUI, save then check the config file, the <blockpriv>on</blockpriv> line is missing entirely. I don't know how to delete a line from config.
unset($config['interfaces']['wan']['blockpriv']);
-
Below is the complete process to enable access to the pfSense server's sshd (ssh, port 22) from a private network...
Using option 8 ("8) Shell"), turn off the firewall with the command...
pfctl -d
... and access pfSense server through the ssh (port 22)...
ssh root@<PFSENSE_SRV_IP>
... using the initial password "pfsense".
TIP: We recommend changing the initial password.
Using option 12 ("12) PHP shell + pfSense tools") perform the commands...
unset($config['interfaces']['wan']['blockpriv']); write_config(); exec;
... and exit...
exit
Using option 8 ("8) Shell") again, add a rule to allow access through port 22 on the wan interface...
easyrule pass wan tcp any any 22
TIP: The "any any" parameters allow you to restrict the source IP and destination IP respectively.
NOTE: The above command will turn on the firewall (same as
pfctl -e
) and this will drop the ssh connection (port 22), but the ssh connection will be allowed.
PLUS: For more explanations about why private networks and loopback addresses are blocked by default on WAN, see here: Block private networks - What does that do, what is it used for? and here: Address Allocation for Private Internets.