Access to internal sftp

  • I have a local file server on my lan which I can also sftp to. I wanted to access this server over the internet, to sftp stuff from by my friends. Just a note: my pfsense box is behind a dsl modem, router and gets an ip from the dsl router.

    In achieving this, I configured port forwarding in firewall - nat - port forward, where from the wan interface, any ip, ssh as protocol to the internal lan server protocol ssh, and I checked generate the firewall rule. On the dsl modem, I also entered a forward to the pfsense box.

    Subsequently sftp from the internet proved unsuccessful. In an effort to fully understand what the problem was and eliminating the appropriate device, I put a switch between the dsl modem and pfsense wan interface and connected another computer to the switch. This was done to connect using sftp directly to the wan interface ip, hoping the request would have been forwarded internally to the lan. This proved to be unsuccessful.

    I could truly do with some guidance as I am new to these aspects and reading the monowall manual, which has inbound natting not port forwarding - though the instructions seem similar, has not solved my little problem.

    I am on release 1.2.1-RC1 built on Wed Aug 13 04:23:51 EDT 2008

  • You have to disable FTP Helper everywhere in pfSense … sftp is encrypted FTP command and data so the FTP Helper can't listen to the command flow and adjust the connection track and firewall rules so it breaks everything ... You'll have to configure manually everything and also use passive mode.

  • I have disabled ftp helper, manually entered the port forward rule and firewall rule shown below
    Port forward
    WAN  TCP  22 (SSH) any) 22 (SSH) sftp access

    Firewall rule
    TCP  *  22 (SSH)  22 (SSH)  *      sftp access

    Tried from a machine in the same subnet and ip range as the wan address, and was unable to connect to the internal server. I tried to ssh and also sftp, neither were successful.

    Just to clarify my logic here, the wan address is while the other machine is, entering ssh/sftp from to, should get me connected to the forwarded server.

  • On the nat rule you should have the interface address as the external address, not any. Also uncheck block private networks in the options of interfaces->WAN.
    Also change the source port in the firewall rule to any. on LAN? That's not a proper RFC1918 private network address

    Edit: ftp helper does not have any effect in this case since this is ssh, not ftp with ssl or tls encryption

  • Hi All,

    Ok I opened up vmware and recreated the whole system, and new install of pfsense, with its internal ip being and external being, which was from my existing lan network. I unchecked in this new test environment, the block for private networks.

    I then proceeded to set up the port forward rules and firewall rules. I noted for the wan interface there is only interface address and any, which subsequently led me to choose the interface address.

    These are my rules:

    Nat port forward

    WAN  TCP  22 (SSH) (ext.:  22 (SSH)

    Firewall rule

    TCP  WAN address  22 (SSH)  22 (SSH)  *

    I then tried an ssh connection to the wan address from another machine which ip is, which was unsuccessful, the tcpdump output is shown below, from initiating the request to when the ssh connection timed out. I used tcpdump -i le0 - wan interface

    11:11:06.462964 IP > S 2639032271:2639032271(0) win 8192 <mss 1260,nop,wscale 2,nop,nop,sackOK>
    11:11:09.471189 IP > S 2639032271:2639032271(0) win 8192
    11:11:10.704885 IP > ICMP echo request, id 61457, seq 0, length 64
    11:11:10.706240 IP > ICMP echo reply, id 61457, seq 0, length 64
    11:11:11.176800 arp who-has (00:1b:77:d9:21:9d (oui Unknown)) tell
    11:11:11.715546 IP > ICMP echo request, id 61457, seq 1, length 64
    11:11:11.716687 IP > ICMP echo reply, id 61457, seq 1, length 64
    11:11:12.164858 arp who-has (00:1b:77:d9:21:9d (oui Unknown)) tell
    11:11:12.726106 IP > ICMP echo request, id 61457, seq 2, length 64
    11:11:12.727148 IP > ICMP echo reply, id 61457, seq 2, length 64
    11:11:13.206422 arp who-has (00:1b:77:d9:21:9d (oui Unknown)) tell
    11:11:13.736111 IP > ICMP echo request, id 61457, seq 3, length 64
    11:11:13.737318 IP > ICMP echo reply, id 61457, seq 3, length 64
    11:11:14.746119 IP > ICMP echo request, id 61457, seq 4, length 64
    11:11:14.747211 IP > ICMP echo reply, id 61457, seq 4, length 64
    11:11:15.457102 arp who-has tell
    11:11:15.457129 arp reply is-at 00:0c:29:16:23:34 (oui Unknown)
    11:11:15.457226 IP > S 2639032271:2639032271(0) win 8192 I

    The ip I ssh from is to to get to

    I posted the output from start to error without removing the other request between, in order to show what is happening for me.


  • In an effort to obtain a solution.

    I have changed the firewall rule in the mentioned test environment to

    TCP  *  22 (SSH)  *

    and can now ssh and sftp to the internal server.

    My question, does this leave me unsecure because I am saying in essence, from the ip on any port accept to port 22?

    In my real environment would be the dsl router internal ip

  • You leave the source address to any unless you know in advance where the incoming connection originates and you want to limit the connections to just that address.
    Now your rule allows the connection only from ip, nowhere else.

  • I am still a little confused as to why the port had to be set to any, as opposed to specifying port 22 externally for the connection to be made? Is this an issue with the windows sftp client, maybe not using the standard ssh port to initiate the connection?

  • The source port is a random port chosen by the operating system in range 1024-65536 unless specified by the client.
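
Added example (not part of the thread): a Python script that finds SYNs retransmitted with no SYN-ACK in old-style tcpdump text, the pattern in the trace posted above, and then checks each such flow against a ports-only pass rule with source port 22 versus any, as in the last replies. The addresses, ports and the `rule_passes` model are constructed for illustration and are not pfSense code.

```python
import re
from collections import Counter

# Old-style tcpdump TCP line: time, src.port > dst.port:, flags, seq range, optional ack.
LINE = re.compile(
    r"^\S+ IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>\S+) (?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))?"
)

# Constructed capture (RFC 5737 addresses, made-up ports), shaped like the posted trace.
SAMPLE = """\
11:11:06.462964 IP 198.51.100.20.51515 > 198.51.100.10.22: S 2639032271:2639032271(0) win 8192 <mss 1260,nop,wscale 2,nop,nop,sackOK>
11:11:09.471189 IP 198.51.100.20.51515 > 198.51.100.10.22: S 2639032271:2639032271(0) win 8192 <mss 1260,nop,wscale 2,nop,nop,sackOK>
11:11:10.704885 IP 198.51.100.20 > 198.51.100.10: ICMP echo request, id 61457, seq 0, length 64
11:11:10.706240 IP 198.51.100.10 > 198.51.100.20: ICMP echo reply, id 61457, seq 0, length 64
11:11:15.457226 IP 198.51.100.20.51515 > 198.51.100.10.22: S 2639032271:2639032271(0) win 8192 <mss 1260,nop,wscale 2,nop,nop,sackOK>
11:12:01.000100 IP 198.51.100.20.51600 > 198.51.100.10.443: S 1000:1000(0) win 8192 <mss 1260>
11:12:01.000900 IP 198.51.100.10.443 > 198.51.100.20.51600: S 7000:7000(0) ack 1001 win 65535 <mss 1460>
"""

def unanswered_syns(capture):
    """Map (src, sport, dst, dport) -> SYN count for flows that never got a SYN-ACK."""
    syns, seqs, answered = Counter(), {}, set()
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m or m["flags"] != "S":
            continue                      # ICMP, ARP and non-SYN segments are skipped
        flow = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        if m["ack"] is None:              # bare SYN from the client
            syns[flow] += 1
            seqs[flow] = int(m["seq"])
        else:                             # SYN-ACK: credit the reverse flow if ack = seq+1
            rev = (flow[2], flow[3], flow[0], flow[1])
            if rev in seqs and int(m["ack"]) == (seqs[rev] + 1) % 2**32:
                answered.add(rev)
    return {f: n for f, n in syns.items() if f not in answered}

def rule_passes(flow, src_port, dst_port):
    """Simplified pass rule on ports only; None stands for 'any' (the * in the rule)."""
    return src_port in (None, flow[1]) and dst_port in (None, flow[3])

if __name__ == "__main__":
    for flow, count in unanswered_syns(SAMPLE).items():
        print(flow, "SYNs:", count,
              "| rule src 22 -> dst 22 passes:", rule_passes(flow, 22, 22),
              "| rule src * -> dst 22 passes:", rule_passes(flow, None, 22))
```

A flow reported here with several SYNs while pings on the same path are answered points at filtering on that TCP port rather than at routing.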
