Cannot SSH in from external network

jsmith020 · Apr 29, 2017, 6:25 PM

Hello,

I am fairly new to PFSense and I have it setup the way I want for the most part but I cannot get this one last thing working. I am running an SSH server on the internal network. I am able to SSH to it fine from any box within the network. However, when I attempt to SSH into it from outside, it doesn't even seem to try. There is nothing showing up in the logs and the SSH attempt simply times out. Just as a test, I connected my SSH server to the ISP router and I can SSH in fine if connected to that (which is what I had setup before adding PFSense) so I know I am missing a configuration inside PFSense.

Some notes:

I am running the SG-2220 with the wireless functionality and all my clients are connected to the wifi bridge.
The SSH server does have PFSense as the gateway
The SG-2220 is connected to the ISP modem
I have assigned a static IP to the SSH server
I have tried connecting to the SSH from an external wireless network (I have a karma wifi device) as well as mobile 4G
I have this rule setup on the WAN (first I setup the NAT and then it setup this rule automatically)

Protocol Source Port Destination Port Gateway Description
IPv4 TCP * * 192.168.10.16 22 (SSH) * NAT Forward to SSH Server

I am sure this is just a stupid newbie mistake on my part but I cannot for the life of me figure out where my error is. Any help would be appreciated and thank you in advance.

andyschmid · Apr 30, 2017, 3:26 AM

Do you have the SSH Server on pfSense enabled?

Check under System -> Advanced -> Admin Access at the bottom. If you have SSH Server on pfSense running on port 22 to as well there might be a conflict.

Also another suggestion is try to enable protocol TCP/UDP (both). I know shouldn't need to but test if any changes.

jsmith020 · Apr 30, 2017, 3:04 PM

Thank you for the reply.

I tried your suggestion for disabling SSH on PFSense gateway and no luck. I also tried updating the rule to TCP/UDP and same problem.

divsys · May 1, 2017, 5:45 AM

Is your pfSense box connected to the ISP router in "Bridge" mode?

Check the WAN address on your pfSense box, if it's getting a 192.168.x.x address then you're double natting and wont be able to SSH in with your current setup.
Get a Bridge mode connection so your pfSense WAN gets and external address or you'll have to try a double port forward setup.

jsmith020 · May 2, 2017, 9:43 PM

My Bridge has the following member interfaces:

LAN
WIFI

The assignments are:

WAN is igb0 (The WAN port)
LAN is igb1 (The LAN port)
WIFI is ath0
BRIDGE is BRIDGE0 (the aforementioned LAN/WIFI bridge)

When I check the interface status, I do indeed see that WAN has a 192.168.0.X IP (which is the ISP network). If I understand how wifi works in PFSense, I need the bridge in order to have the wireless network work. So how would I modify this configuration to allow the wifi access point and correct this setup?

I used the following guide: https://www.servethehome.com/how-to-setup-wi-fi-with-pfsense/. I know in his guide that he has WAN as igb1 but when I looked at the documentation for this device (https://www.netgate.com/docs/sg-2220/io-ports.html) it stated it was igb0. Also when I tried igb1 for WAN I had no connectivity.

Thank you again!

doktornotor · May 3, 2017, 6:12 PM

0/ 192.168.0.X is an RFC1918 space. You won't be able to reach anything from Internet there. (Are you double-NATed?)
1/ You shouldn't bridge this in the first place.
2/ Set the proper tunables so that you filter the bridge and not the individual interfaces. https://doc.pfsense.org/index.php/Interface_Bridges

jsmith020 · May 6, 2017, 1:50 PM

I am an idiot. I didn't catch what you guys meant by Double NAT until I actually sat down and thought about it. Logged into ISP router and fixed the forwarding and now it works.

Thanks again all!