Access to internal sftp
I have a local file server on my lan which I can also sftp to. I wanted to access this server over the internet, to sftp stuff from by my friends. Just a note my pfsense box is behind a dsl modem, router and get an ip from the dsl router.
In achieving this, I configured port forwarding in firewall - nat - port forward, where from the wan interface, any ip, ssh as protocol to the internal lan server 188.8.131.52 protocol ssh, and I checked generate the firewall rule.On the dsl modem, I also entered a forward to the pfsense box.
Subsequently sftp from the internet proved unsuccessful. In an effort to fully understand what the problem was and eliminating the appropriate device, I put a switch between the dsl modem and pfsense wan interface and connected another computer to the switch. This was done to connect using sftp directly to the wan interface ip, hoping the request would have been forwarded internally to the lan. This proved to be unsuccesful.
I could truly do with some guidance as I am new to these aspects and reading the monowall manual, which has inbound natting not port forwarding - though the instructions seem similar, has not solved my little problem.
I am on release 1.2.1-RC1 built on Wed Aug 13 04:23:51 EDT 2008
You have to disable FTP Helper everywhere in pfSense … sftp is encrypted FTP command and data so the FTP Helper can't listen to the command flow and adjust the connection track and firewall rules so it breaks everything ... You'll have to configure manually everything and also use passive mode.
I have disabled ftp helper, manually entered the port forward rule and firewall rule shown below
WAN TCP 22 (SSH) 184.108.40.206(ext.: any) 22 (SSH) sftp access
TCP * 22 (SSH) 220.127.116.11 22 (SSH) * sftp access
Tried from a machine in the same subnet and ip range as the wan address, and was unable to connect to the internal server. I tried to ssh and also sftp, neither were successful.
Just to clarify my logic here, the wan address is 192.168.1.3/24 while the other machine is 192.168.1.5, entering ssh/sftp from 192.168.1.5 to 192.168.1.3, should get me connected to the forwarded server.
On the nat rule you should have the interface address as the external address, not any. Also uncheck block private networks in the options of interfaces->WAN.
Also change the source port in the firewall rule to any.
18.104.22.168 on LAN? That's not a proper RFC1918 private network address
Edit: ftp helper does not have any effect in this case since this is ssh, not ftp with ssl or tls encryption
Ok I opened up vmware and rec.reated the whole system, and new install of pfsense, with its internal ip being 10.4.1.1 and external being 22.214.171.124, which was from my existing lan network. I unchecked in this new test environment, the block for private networks.
I then proceeded to set up the port forward rules and firewall rules. I noted for the wan interface there is only interface address and any, which subsequently led me to choose the interface address.
These are my rules:
Nat port forward
WAN TCP 22 (SSH) 10.4.1.245 (ext.: 126.96.36.199) 22 (SSH)
TCP WAN address 22 (SSH) 10.4.1.245 22 (SSH) *
I then tried and ssh connection to the wan address from another machine which ip is 188.8.131.52, which was unsuccessful, the tcpdump output is shown below, from initiating the request to when the ssh connection timed out. I used tcpdump -i le0 - wan interface
11:11:06.462964 IP 184.108.40.206.49646 > 220.127.116.11.ssh: S 2639032271:2639032271(0) win 8192 <mss 1260,nop,wscale="" 2,nop,nop,sackok="">11:11:09.471189 IP 18.104.22.168.49646 > 22.214.171.124.ssh: S 2639032271:2639032271(0) win 8192</mss>
11:11:10.704885 IP 126.96.36.199 > bar.klan.com: ICMP echo request, id 61457, seq 0, length 64
11:11:10.706240 IP bar.klan.com > 188.8.131.52: ICMP echo reply, id 61457, seq 0, length 64
11:11:11.176800 arp who-has 184.108.40.206 (00:1b:77:d9:21:9d (oui Unknown)) tell 220.127.116.11
11:11:11.715546 IP 18.104.22.168 > bar.klan.com: ICMP echo request, id 61457, seq 1, length 64
11:11:11.716687 IP bar.klan.com > 22.214.171.124: ICMP echo reply, id 61457, seq 1, length 64
11:11:12.164858 arp who-has 126.96.36.199 (00:1b:77:d9:21:9d (oui Unknown)) tell 188.8.131.52
11:11:12.726106 IP 184.108.40.206 > bar.klan.com: ICMP echo request, id 61457, seq 2, length 64
11:11:12.727148 IP bar.klan.com > 220.127.116.11: ICMP echo reply, id 61457, seq 2, length 64
11:11:13.206422 arp who-has 18.104.22.168 (00:1b:77:d9:21:9d (oui Unknown)) tell 22.214.171.124
11:11:13.736111 IP 126.96.36.199 > bar.klan.com: ICMP echo request, id 61457, seq 3, length 64
11:11:13.737318 IP bar.klan.com > 188.8.131.52: ICMP echo reply, id 61457, seq 3, length 64
11:11:14.746119 IP 184.108.40.206 > bar.klan.com: ICMP echo request, id 61457, seq 4, length 64
11:11:14.747211 IP bar.klan.com > 220.127.116.11: ICMP echo reply, id 61457, seq 4, length 64
11:11:15.457102 arp who-has 18.104.22.168 tell 22.214.171.124
11:11:15.457129 arp reply 126.96.36.199 is-at 00:0c:29:16:23:34 (oui Unknown)
11:11:15.457226 IP 188.8.131.52.49646 > 184.108.40.206.ssh: S 2639032271:2639032271(0) win 8192 I
The ip I ssh from is 220.127.116.11 to 18.104.22.168 to get to 10.4.1.245
I posted the output from start to error without removing the other request between, in order to show what is happening for me.
In an effort to obtain a solution.
I have changed the firewall rule in the mentioned test environment to
**TCP 22.214.171.124 * 10.4.1.245 22 (SSH) ***
and can now ssh and sftp to the internal server.
My question, does this leave me unsecure because I am saying in essence, from the ip 126.96.36.199 on any port accept to 10.4.1.245 port 22?
In my real environment 188.8.131.52 would be the dsl router internal ip
You leave the source address to any unless you know in advance where the incoming connection originates and you want to limit the connections to just that address.
Now your rule allows the connection only from ip 184.108.40.206, nowhere else.
I am a still a little confused as to why, the port had to be set to any, as apposed to specifying port 22 externally for the connection to be made? Is this a issue with the windows sftp client, maybe not using the standard ssh port to initiate the connection.
The source port is a random port chosen by the operating system in range 1024-65536 unless specified by the client.