Netgate Discussion Forum

Port forwarding SSH

    Kassebasse
    last edited by Oct 19, 2017, 2:38 PM

    Hey. I have tried to port forward my SSH server, but without luck.
    When I scan the port with nmap, it shows that it is open, and then when I scan again it is filtered.
    Let me know what information you need. I can also allow you to use TeamViewer to help me out.
    I can ping the server no problem.
    10.png

      johnpoz LAYER 8 Global Moderator
      last edited by Oct 19, 2017, 2:49 PM

      Those rules make no sense..  What is your opt1 network?  Port forwards are normally on your wan.. Is your opt1 another wan interface?

      You would not forward to a network.. you have opt1 net as a dest.

      This firewall is an alias for ALL IPs on the firewall, etc.  Not just the opt1 network… Where is the traffic coming from when you're hitting whatever this IP is on opt1.. Is it an rfc1918 address?

      Please go over troubleshooting port forwarding.

      https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

      Do you have ssh enabled on pfsense?  If so it would listen on 22 by default.. You should prob change either pfsense or your ssh server so you don't use the same port if you're trying to listen on and port forward the same port.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        Kassebasse
        last edited by Oct 19, 2017, 2:50 PM

        OPT1 is my VPN-interface.

          johnpoz LAYER 8 Global Moderator
          last edited by Oct 19, 2017, 2:54 PM

          Well how is that going to work.. Does your VPN port forward 22 down your tunnel?

            Kassebasse
            last edited by Oct 19, 2017, 2:55 PM

            Yeah, that is what I am thinking. My VPN has a static IP address and has all ports open by default.

              Kassebasse
              last edited by Oct 19, 2017, 3:13 PM

              What I get from Packet Capture

              15:08:51.401655 AF IPv4 (2), length 56: (tos 0x20, ttl 118, id 11039, offset 0, flags [DF], proto TCP (6), length 52)
                  IncomingIP.2589 > OPT1Interface.22: Flags , cksum 0xb613 (correct), seq 631284661, win 17520, options [mss 1357,nop,wscale 8,nop,nop,sackOK], length 0
              15:08:51.418530 AF IPv4 (2), length 44: (tos 0x20, ttl 118, id 11040, offset 0, flags [DF], proto TCP (6), length 40)
                  IncomingIP.2589 > OPT1Interface.22: Flags [.], cksum 0xb731 (correct), seq 631284662, ack 3484332987, win 68, length 0
              15:08:51.419039 AF IPv4 (2), length 72: (tos 0x20, ttl 118, id 11041, offset 0, flags [DF], proto TCP (6), length 68)
                  IncomingIP.2589 > OPT1Interface.22: Flags [P.], cksum 0xc102 (correct), seq 0:28, ack 1, win 68, length 28
              15:08:51.648740 AF IPv4 (2), length 72: (tos 0x20, ttl 118, id 11042, offset 0, flags [DF], proto TCP (6), length 68)
                  IncomingIP.2589 > OPT1Interface.22: Flags [P.], cksum 0xc102 (correct), seq 0:28, ack 1, win 68, length 28
              15:08:51.964852 AF IPv4 (2), length 72: (tos 0x20, ttl 118, id 11043, offset 0, flags [DF], proto TCP (6), length 68)
                  IncomingIP.2589 > OPT1Interface.22: Flags [P.], cksum 0xc102 (correct), seq 0:28, ack 1, win 68, length 28
              15:08:52.576616 AF IPv4 (2), length 72: (tos 0x20, ttl 118, id 11044, offset 0, flags [DF], proto TCP (6), length 68)
                  IncomingIP.2589 > OPT1Interface.22: Flags [P.], cksum 0xc102 (correct), seq 0:28, ack 1, win 68, length 28
              15:08:53.773465 AF IPv4 (2), length 72: (tos 0x20, ttl 118, id 11045, offset 0, flags [DF], proto TCP (6), length 68)
                  IncomingIP.2589 > OPT1Interface.22: Flags [P.], cksum 0xc102 (correct), seq 0:28, ack 1, win 68, length 28
              15:08:56.180614 AF IPv4 (2), length 72: (tos 0x20, ttl 118, id 11046, offset 0, flags [DF], proto TCP (6), length 68)
                  IncomingIP.2589 > OPT1Interface.22: Flags [P.], cksum 0xc102 (correct), seq 0:28, ack 1, win 68, length 28
              15:09:00.996269 AF IPv4 (2), length 72: (tos 0x20, ttl 118, id 11047, offset 0, flags [DF], proto TCP (6), length 68)
                  IncomingIP.2589 > OPT1Interface.22: Flags [P.], cksum 0xc102 (correct), seq 0:28, ack 1, win 68, length 28

                johnpoz LAYER 8 Global Moderator
                last edited by Oct 19, 2017, 3:43 PM

                If they are sending it down the tunnel… Then just correct your forwards..

                Your flags are P not SYN... So that would not be allowed in anyway..  I don't see a SYN packet there..  [S] or [SE] or [SEW] depending on what other options might be set like ECN or CWR, etc.  Maybe it got scratched out with how you posted it?

                It's so much easier if you just downloaded the capture and viewed in wireshark or something.. post up the pcap..

                But again your forwards are wrong… Your dest should be your opt1 address.. And what firewall rules do you have on the opt1 interface?  Are you blocking rfc1918.. I would assume your tunnel would be rfc1918..

                The doc really goes over everything you need to do to troubleshoot... If you're seeing the traffic on the interface and you're saying icmp is being forwarded through.. Which more likely than not it's just the vpn public IP answering vs pushing that down the tunnel.

                Then sniff on your interface you're sending it to - is pfsense sending it on?  Maybe the host is not answering.  Firewall - ssh not running on the host.. Wrong IP of the host..  It is all in the troubleshooting doc.

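
An added example, not code from the thread or from pfSense: a short Python script that reads verbose tcpdump text in the format posted above and reports whether a SYN is present, and whether the same data segment keeps being resent. The function names are this example's own, and treating a packet that carries an MSS option but no flags token as a SYN is this example's inference (MSS is only sent in SYN segments).

```python
import re
from collections import Counter

# First five packets of the capture posted above, copied as posted (flags field of packet 1 is empty).
CAPTURE = """\
15:08:51.401655 AF IPv4 (2), length 56: (tos 0x20, ttl 118, id 11039, offset 0, flags [DF], proto TCP (6), length 52)
    IncomingIP.2589 > OPT1Interface.22: Flags , cksum 0xb613 (correct), seq 631284661, win 17520, options [mss 1357,nop,wscale 8,nop,nop,sackOK], length 0
15:08:51.418530 AF IPv4 (2), length 44: (tos 0x20, ttl 118, id 11040, offset 0, flags [DF], proto TCP (6), length 40)
    IncomingIP.2589 > OPT1Interface.22: Flags [.], cksum 0xb731 (correct), seq 631284662, ack 3484332987, win 68, length 0
15:08:51.419039 AF IPv4 (2), length 72: (tos 0x20, ttl 118, id 11041, offset 0, flags [DF], proto TCP (6), length 68)
    IncomingIP.2589 > OPT1Interface.22: Flags [P.], cksum 0xc102 (correct), seq 0:28, ack 1, win 68, length 28
15:08:51.648740 AF IPv4 (2), length 72: (tos 0x20, ttl 118, id 11042, offset 0, flags [DF], proto TCP (6), length 68)
    IncomingIP.2589 > OPT1Interface.22: Flags [P.], cksum 0xc102 (correct), seq 0:28, ack 1, win 68, length 28
15:08:51.964852 AF IPv4 (2), length 72: (tos 0x20, ttl 118, id 11043, offset 0, flags [DF], proto TCP (6), length 68)
    IncomingIP.2589 > OPT1Interface.22: Flags [P.], cksum 0xc102 (correct), seq 0:28, ack 1, win 68, length 28
"""

TIME = re.compile(r"^(\d+):(\d+):(\d+\.\d+) ")
DETAIL = re.compile(r"^\s+(?P<src>\S+) > (?P<dst>\S+): Flags (?:\[(?P<flags>[^\]]*)\])?,"
                    r".*?seq (?P<seq>\d+(?::\d+)?),.*?length (?P<len>\d+)$")

def parse(text):
    """Turn tcpdump -v text (header line + indented detail line) into packet dicts."""
    pkts, t = [], None
    for line in text.splitlines():
        if (m := TIME.match(line)):
            h, mi, s = m.groups()
            t = int(h) * 3600 + int(mi) * 60 + float(s)
        elif (m := DETAIL.match(line)):
            pkts.append({"t": t, "flags": m["flags"], "seq": m["seq"],
                         "len": int(m["len"]), "syn_opts": "mss " in line})
    return pkts

def analyse(pkts):
    """Summarise what the one captured direction of the flow shows."""
    syn_flag = any(p["flags"] and "S" in p["flags"] for p in pkts)
    # MSS option with no flags token: a SYN whose flags were lost in the paste.
    syn_inferred = any(p["flags"] is None and p["syn_opts"] for p in pkts)
    data = [p for p in pkts if p["len"] > 0]
    seq, copies = Counter(p["seq"] for p in data).most_common(1)[0] if data else (None, 0)
    times = [p["t"] for p in data if p["seq"] == seq]
    gaps = [round(b - a, 2) for a, b in zip(times, times[1:])]
    # Same segment resent at growing intervals: the sender never saw an ACK for it.
    unacked = len(gaps) >= 2 and all(b > a for a, b in zip(gaps, gaps[1:]))
    return {"syn_flag": syn_flag, "syn_inferred": syn_inferred,
            "retransmits": max(copies - 1, 0), "gaps": gaps, "unacked_data": unacked}

if __name__ == "__main__":
    print(analyse(parse(CAPTURE)))
```

The capture only contains the client-to-firewall direction, so a result of `unacked_data` being true says the client's data is not being acknowledged, not which hop is dropping the replies.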
