Netgate Discussion Forum

Accessing linux box the pfsense

  • B
    Bugs78
    last edited by May 25, 2016, 9:09 PM

    Hi all,

    I'm working on a project with a virtual hosting company. I have a virtual network with a pfsense firewall which everything uses to access the internet. I have a Windows 2012 server and 2 CentOS boxes.

    I would like to be able to access the 2 Linux boxes from outside the firewall using SSH keys. I have created the keys, which work fine from inside the network; however, I can't get it working externally. I'm assuming pfsense needs to forward on the traffic from the WAN (the outside world) to my Linux box, but I can't get it working. Has anyone done this before, or know of a help document which may point me in the right direction?

    Thanks in advance

    Craig

    • J
      johnpoz LAYER 8 Global Moderator
      last edited by May 25, 2016, 9:13 PM

      https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

      Yes I would say the vast majority of users of pfsense have a port or two forwarded, so yeah like everyone has done it.

      It really is click click.  Firewall, NAT port forward.  For your ssh forward it's like 3 clicks.. Select ssh as dest, put in your IP address you want to forward to.  Save.  It defaults to wan and tcp..  So this is really like 1.3 seconds and done.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • B
        Bugs78
        last edited by May 26, 2016, 6:13 AM

        Hi, I have been playing around with it and can't seem to get it to work correctly. In the source I have tried both any and the network IP of my machine; destination I have both the network public IP and the local IP of the machine; and finally the redirect IP I have as the local IP of the machine, but I can't get it to work. I'm sure it's something daft, but I can't see it.

        • J
          johnpoz LAYER 8 Global Moderator
          last edited by May 26, 2016, 10:32 AM

          Why would you be touching anything but the dest port and IP?  See attached.

          Put in your machine IP where I have 192.168.1.100, your pfsense has a wan IP that is public right?  And your machines behind pfsense have private IPs rfc1918 right?  Then this is how you would forward ssh to one of those machines.  You don't have to mess with source.. You only have to set the dest, and the IP.  The defaults are fine for everything else, wan and tcp.

          If you're having problems: https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

          thisisit.png
          • B
            Bugs78
            last edited by May 26, 2016, 1:46 PM

            I have been playing around with it and still not had any success. I have set the following, so not sure why it's not working.

            I have attached a screenshot of my port and IP settings. I have also tried changing the default destination from WAN address to network, Alias, Any.

            Thanks

            Untitled.jpg
            • M
              muswellhillbilly
              last edited by May 26, 2016, 2:42 PM

              Have you set the default gateway on the Linux boxes to point to your pfSense? They need to route back out through the same direction as the inbound traffic.

              • J
                johnpoz LAYER 8 Global Moderator
                last edited by May 26, 2016, 3:17 PM

                Dude, give me access to your pfsense and I will take a look..  PM the info..  Should only take a few minutes to figure out what you're doing wrong.

                • B
                  Bugs78
                  last edited by May 27, 2016, 10:54 AM

                  @muswellhillbilly: Yes, I hadn't at the time of my first post, but I have since and it still doesn't work. When I'm trying to connect, the connection just times out.

                  @johnpoz: Unfortunately I can't get you access, this is my employer's network. Besides, it's turned into a mission now and I need to find out what's wrong with it.

                  • J
                    johnpoz LAYER 8 Global Moderator
                    last edited by May 27, 2016, 11:46 AM

                    What is wrong is PEBKAC plain and simple sorry dude…  This is not rocket science, and that you tried using your public IP as the redirect.. ???  How/Why are you working on such a thing for your company?

                    Let's break it down so we are all on the same page.  See attached.. Is this your setup in a nutshell?  Pfsense wan has public IP, your servers behind pfsense are on rfc1918 pointing to pfsense as gateway.  Can these servers behind pfsense get to the internet through pfsense?

                    Where exactly are you having issues when you go through the troubleshooting doc?  Did you validate that your ssh traffic is being seen on pfsense wan, did you validate that pfsense sends it to your server?  Troubleshooting this is really like 2 minutes.  Simple sniff on couple interfaces gives you the whole story..

                    yoursetupportforward.png
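
The two-interface sniff described in the post above, as an added example that is not part of the original thread: it reads `tcpdump -n` text output captured on the WAN and LAN interfaces and reports at which hop the forwarded SSH connection stops. The function names and the sample captures are constructed for illustration; 192.168.1.100 is the example server address used earlier in the thread.

```python
import re

# One tcpdump -n line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

def tcp_events(capture):
    """Yield (src, sport, dst, dport, flags) for each TCP line in tcpdump text."""
    for line in capture.splitlines():
        m = LINE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            yield src, int(sport), dst, int(dport), flags

def diagnose(wan_capture, lan_capture, server_ip, port=22):
    """Report where an inbound forward to server_ip:port stops, from two captures."""
    wan = list(tcp_events(wan_capture))
    lan = list(tcp_events(lan_capture))
    # Step 1: does the client's SYN reach the WAN interface at all?
    if not any(dport == port and flags == "S" for _, _, _, dport, flags in wan):
        return "no SYN on WAN: check the public IP and any upstream filtering"
    # Step 2: after NAT, the SYN should leave the LAN side addressed to the server.
    if not any(dst == server_ip and dport == port and flags == "S"
               for _, _, dst, dport, flags in lan):
        return "SYN on WAN but not on LAN: check the port forward and its firewall rule"
    # Step 3: the server must answer with a SYN-ACK routed back through pfSense.
    if not any(src == server_ip and sport == port and flags == "S."
               for src, sport, _, _, flags in lan):
        return "SYN reaches server, no reply: check sshd, host firewall, default gateway"
    return "handshake seen on LAN: forward is working"

# Constructed sample captures (documentation address ranges, not real hosts).
WAN_SAMPLE = """\
10:32:01.000001 IP 203.0.113.50.51514 > 198.51.100.10.22: Flags [S], seq 1000, win 64240, length 0
10:32:02.000001 IP 203.0.113.50.51514 > 198.51.100.10.22: Flags [S], seq 1000, win 64240, length 0
"""
LAN_BLOCKED = ""  # nothing appears on LAN: the SYN was dropped at the firewall
LAN_NO_REPLY = """\
10:32:01.000050 IP 203.0.113.50.51514 > 192.168.1.100.22: Flags [S], seq 1000, win 64240, length 0
"""
LAN_OK = LAN_NO_REPLY + """\
10:32:01.000300 IP 192.168.1.100.22 > 203.0.113.50.51514: Flags [S.], seq 5000, ack 1001, win 65160, length 0
"""

if __name__ == "__main__":
    for name, lan in (("blocked", LAN_BLOCKED), ("no reply", LAN_NO_REPLY), ("ok", LAN_OK)):
        print(name, "->", diagnose(WAN_SAMPLE, lan, "192.168.1.100"))
```

A client that simply times out, as reported in this thread, fits any of the first three outcomes, which is why capturing on both interfaces narrows it down quickly.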
                    • B
                      Bugs78
                      last edited by Jun 2, 2016, 1:40 PM

                      Hi All,

                      Just like to apologise for my dumbassery! As you said @johnpoz, it was very straightforward. I noticed I could add logging on the firewall rules, which I did, then found I needed to add a 'Floating rule' to allow traffic. Discovering how to enable the logs on the rules, though, is what really sorted it for me.

                      @johnpoz: I have just started a new role in a cloud hosting company and they have set us tasks to do to learn the systems they use and how they are implemented and this was one of the tasks.

                      I also have to do a project to complete my probation and I'm looking into deploying a pfSense cluster using CARP, depending on complexity (I don't want to bite off more than I can chew).
