Cannot SSH in from external network
I am fairly new to PFSense and I have it setup the way I want for the most part but I cannot get this one last thing working. I am running an SSH server on the internal network. I am able to SSH to it fine from any box within the network. However, when I attempt to SSH into it from outside, it doesn't even seem to try. There is nothing showing up in the logs and the SSH attempt simply times out. Just as a test, I connected my SSH server to the ISP router and I can SSH in fine if connected to that (which is what I had setup before adding PFSense) so I know I am missing a configuration inside PFSense.
- I am running the SG-2220 with the wireless functionality and all my clients are connected to the wifi bridge.
- The SSH server does have PFSense as the gateway
- The SG-2220 is connected to the ISP modem
- I have assigned a static IP to the SSH server
- I have tried connecting to the SSH from an external wireless network (I have a karma wifi device) as well as mobile 4G
- I have this rule setup on the WAN (first I setup the NAT and then it setup this rule automatically)
Protocol Source Port Destination Port Gateway Description
IPv4 TCP * * 192.168.10.16 22 (SSH) * NAT Forward to SSH Server
I am sure this is just a stupid newbie mistake on my part but I cannot for the life of me figure out where my error is. Any help would be appreciated and thank you in advance.
Do you have the SSH Server on pfSense enabled?
Check under System -> Advanced -> Admin Access at the bottom. If you have SSH Server on pfSense running on port 22 to as well there might be a conflict.
Also another suggestion is try to enable protocol TCP/UDP (both). I know shouldn't need to but test if any changes.
Thank you for the reply.
I tried your suggestion for disabling SSH on PFSense gateway and no luck. I also tried updating the rule to TCP/UDP and same problem.
Is your pfSense box connected to the ISP router in "Bridge" mode?
Check the WAN address on your pfSense box, if it's getting a 192.168.x.x address then you're double natting and wont be able to SSH in with your current setup.
Get a Bridge mode connection so your pfSense WAN gets and external address or you'll have to try a double port forward setup.
My Bridge has the following member interfaces:
The assignments are:
WAN is igb0 (The WAN port)
LAN is igb1 (The LAN port)
WIFI is ath0
BRIDGE is BRIDGE0 (the aforementioned LAN/WIFI bridge)
When I check the interface status, I do indeed see that WAN has a 192.168.0.X IP (which is the ISP network). If I understand how wifi works in PFSense, I need the bridge in order to have the wireless network work. So how would I modify this configuration to allow the wifi access point and correct this setup?
I used the following guide: https://www.servethehome.com/how-to-setup-wi-fi-with-pfsense/. I know in his guide that he has WAN as igb1 but when I looked at the documentation for this device (https://www.netgate.com/docs/sg-2220/io-ports.html) it stated it was igb0. Also when I tried igb1 for WAN I had no connectivity.
Thank you again!
0/ 192.168.0.X is an RFC1918 space. You won't be able to reach anything from Internet there. (Are you double-NATed?)
1/ You shouldn't bridge this in the first place.
2/ Set the proper tunables so that you filter the bridge and not the individual interfaces. https://doc.pfsense.org/index.php/Interface_Bridges
I am an idiot. I didn't catch what you guys meant by Double NAT until I actually sat down and thought about it. Logged into ISP router and fixed the forwarding and now it works.
Thanks again all!