Cannot SSH in from external network



  • Hello,

    I am fairly new to PFSense and I have it set up the way I want for the most part, but I cannot get this one last thing working. I am running an SSH server on the internal network. I am able to SSH to it fine from any box within the network. However, when I attempt to SSH into it from outside, it doesn't even seem to try. There is nothing showing up in the logs and the SSH attempt simply times out. Just as a test, I connected my SSH server to the ISP router and I can SSH in fine if connected to that (which is what I had set up before adding PFSense), so I know I am missing a configuration inside PFSense.

    Some notes:

    • I am running the SG-2220 with the wireless functionality and all my clients are connected to the wifi bridge.
    • The SSH server does have PFSense as the gateway
    • The SG-2220 is connected to the ISP modem
    • I have assigned a static IP to the SSH server
    • I have tried connecting to the SSH from an external wireless network (I have a karma wifi device) as well as mobile 4G
    • I have this rule set up on the WAN (first I set up the NAT and then it set up this rule automatically)

    Protocol  Source  Port  Destination    Port      Gateway  Description
    IPv4 TCP  *       *     192.168.10.16  22 (SSH)  *        NAT Forward to SSH Server

    I am sure this is just a stupid newbie mistake on my part but I cannot for the life of me figure out where my error is. Any help would be appreciated and thank you in advance.



  • Do you have the SSH Server on pfSense enabled?

    Check under System -> Advanced -> Admin Access at the bottom. If you have the SSH Server on pfSense running on port 22 as well, there might be a conflict.

    Another suggestion is to try enabling protocol TCP/UDP (both). I know you shouldn't need to, but test whether anything changes.



  • Thank you for the reply.

    I tried your suggestion for disabling SSH on PFSense gateway and no luck. I also tried updating the rule to TCP/UDP and same problem.



  • Is your pfSense box connected to the ISP router in "Bridge" mode?

    Check the WAN address on your pfSense box. If it's getting a 192.168.x.x address then you're double NATing and won't be able to SSH in with your current setup.
    Get a Bridge mode connection so your pfSense WAN gets an external address, or you'll have to try a double port forward setup.
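
The WAN-address check described in the post above, as an added example that is not part of the original thread. It generalizes slightly by also recognizing the RFC 6598 carrier-grade NAT range; the function names and the sample WAN addresses are constructed for illustration, while 192.168.10.16 and port 22 come from the rule posted earlier.

```python
import ipaddress

# RFC 1918 private ranges and the RFC 6598 carrier-grade NAT shared range.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify_wan(wan_addr):
    """Return 'rfc1918', 'cgnat' or 'public' for a firewall's WAN IPv4 address."""
    ip = ipaddress.IPv4Address(wan_addr)
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified or ip.is_multicast:
        raise ValueError(f"{wan_addr} is not a usable WAN address")
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    return "public"


def forward_plan(wan_addr, target_ip, port):
    """List the port forwards an inbound TCP connection needs to reach target_ip."""
    kind = classify_wan(wan_addr)
    inner = f"pfSense WAN:{port} -> {target_ip}:{port}"
    if kind == "public":
        # The firewall holds the external address: one forward is enough.
        return [inner]
    if kind == "rfc1918":
        # Double NAT: the upstream router must forward to the pfSense WAN first.
        return [f"ISP router WAN:{port} -> {wan_addr}:{port}", inner]
    # CGNAT: the outer translation happens in the carrier's network, so no
    # forward configured on customer equipment can make the port reachable.
    return []


if __name__ == "__main__":
    # Constructed WAN addresses: private, CGNAT, and a documentation-range "public" one.
    for wan in ("192.168.0.2", "100.72.1.1", "203.0.113.10"):
        print(wan, classify_wan(wan), forward_plan(wan, "192.168.10.16", 22))
```
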



  • My Bridge has the following member interfaces:

    • LAN
    • WIFI

    The assignments are:

    WAN is igb0 (The WAN port)
    LAN is igb1 (The LAN port)
    WIFI is ath0
    BRIDGE is BRIDGE0 (the aforementioned LAN/WIFI bridge)

    When I check the interface status, I do indeed see that WAN has a 192.168.0.X IP (which is the ISP network). If I understand how wifi works in PFSense, I need the bridge in order to have the wireless network work. So how would I modify this configuration to allow the wifi access point and correct this setup?

    I used the following guide: https://www.servethehome.com/how-to-setup-wi-fi-with-pfsense/. I know in his guide that he has WAN as igb1 but when I looked at the documentation for this device (https://www.netgate.com/docs/sg-2220/io-ports.html) it stated it was igb0. Also when I tried igb1 for WAN I had no connectivity.

    Thank you again!


  • 0/ 192.168.0.X is an RFC1918 space. You won't be able to reach anything from the Internet there. (Are you double-NATed?)
    1/ You shouldn't bridge this in the first place.
    2/ Set the proper tunables so that you filter the bridge and not the individual interfaces. https://doc.pfsense.org/index.php/Interface_Bridges



  • I am an idiot. I didn't catch what you guys meant by Double NAT until I actually sat down and thought about it. Logged into ISP router and fixed the forwarding and now it works.

    Thanks again all!

