    Port forwarding SSH

    Firewalling
      Kassebasse

      Hey. I have tried to port forward my SSH server, but without luck.
      When I scan the port with nmap, it shows that it is open, and then when I scan again it is filtered.
      Let me know what information you need. I can also allow you to use TeamViewer to help me out.
      I can ping the server no problem.

        johnpoz LAYER 8 Global Moderator

        Those rules make no sense..  What is your opt1 network?  Port forwards are normally on your wan.. Is your opt1 another wan interface?

        You would not forward to a network.. you have opt1 net as a dest.

        This firewall is an alias for ALL IPs on the firewall, etc.  Not just the opt1 network… Where is the traffic coming from when you're hitting whatever this IP is on opt1.. Is it an rfc1918 address?

        Please go over troubleshooting port forwarding.

        https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

        Do you have ssh enabled on pfsense?  If so it would listen on 22 by default.. You should prob change either pfsense or your ssh server so you don't use the same port if you're trying to listen on and port forward the same port.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 23.01 | Lab VMs CE 2.6, 2.7

          Kassebasse

          OPT1 is my VPN-interface.

            johnpoz LAYER 8 Global Moderator

            Well how is that going to work.. Does your VPN port forward 22 down your tunnel?

              Kassebasse

              Yeah, that is what I am thinking. My VPN has a static IP address and has all ports open by default.

                Kassebasse

                What I get from Packet Capture:

                15:08:51.401655 AF IPv4 (2), length 56: (tos 0x20, ttl 118, id 11039, offset 0, flags [DF], proto TCP (6), length 52)
                    IncomingIP.2589 > OPT1Interface.22: Flags , cksum 0xb613 (correct), seq 631284661, win 17520, options [mss 1357,nop,wscale 8,nop,nop,sackOK], length 0
                15:08:51.418530 AF IPv4 (2), length 44: (tos 0x20, ttl 118, id 11040, offset 0, flags [DF], proto TCP (6), length 40)
                    IncomingIP.2589 > OPT1Interface.22: Flags [.], cksum 0xb731 (correct), seq 631284662, ack 3484332987, win 68, length 0
                15:08:51.419039 AF IPv4 (2), length 72: (tos 0x20, ttl 118, id 11041, offset 0, flags [DF], proto TCP (6), length 68)
                    IncomingIP.2589 > OPT1Interface.22: Flags [P.], cksum 0xc102 (correct), seq 0:28, ack 1, win 68, length 28
                15:08:51.648740 AF IPv4 (2), length 72: (tos 0x20, ttl 118, id 11042, offset 0, flags [DF], proto TCP (6), length 68)
                    IncomingIP.2589 > OPT1Interface.22: Flags [P.], cksum 0xc102 (correct), seq 0:28, ack 1, win 68, length 28
                15:08:51.964852 AF IPv4 (2), length 72: (tos 0x20, ttl 118, id 11043, offset 0, flags [DF], proto TCP (6), length 68)
                    IncomingIP.2589 > OPT1Interface.22: Flags [P.], cksum 0xc102 (correct), seq 0:28, ack 1, win 68, length 28
                15:08:52.576616 AF IPv4 (2), length 72: (tos 0x20, ttl 118, id 11044, offset 0, flags [DF], proto TCP (6), length 68)
                    IncomingIP.2589 > OPT1Interface.22: Flags [P.], cksum 0xc102 (correct), seq 0:28, ack 1, win 68, length 28
                15:08:53.773465 AF IPv4 (2), length 72: (tos 0x20, ttl 118, id 11045, offset 0, flags [DF], proto TCP (6), length 68)
                    IncomingIP.2589 > OPT1Interface.22: Flags [P.], cksum 0xc102 (correct), seq 0:28, ack 1, win 68, length 28
                15:08:56.180614 AF IPv4 (2), length 72: (tos 0x20, ttl 118, id 11046, offset 0, flags [DF], proto TCP (6), length 68)
                    IncomingIP.2589 > OPT1Interface.22: Flags [P.], cksum 0xc102 (correct), seq 0:28, ack 1, win 68, length 28
                15:09:00.996269 AF IPv4 (2), length 72: (tos 0x20, ttl 118, id 11047, offset 0, flags [DF], proto TCP (6), length 68)
                    IncomingIP.2589 > OPT1Interface.22: Flags [P.], cksum 0xc102 (correct), seq 0:28, ack 1, win 68, length 28
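
The capture above is exactly the kind of output the port-forward troubleshooting doc asks you to read, and the reply that follows turns on whether a SYN is present in it. As an added example (not code from this thread, from its posters, or from pfSense), here is a small Python parser for tcpdump-style text that classifies each TCP segment and tolerates a blank flags field: it infers a SYN from the MSS/window-scale/SACK options combined with the absence of an ack number, which is an assumption about why the first line reads `Flags ,`. The embedded sample is the thread's own client-side lines with the poster's IncomingIP/OPT1Interface placeholders kept; `parse_capture`, `classify`, `summarize` and `diagnose` are names chosen here, and the findings they produce are the generic checks from the doc (did the SYN arrive, is anything answering, is only one direction being captured).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the client-side records from the thread's capture, with the
# poster's placeholders kept. The first record's flags field is blank, exactly as
# it appears in the post, because the forum rendering swallowed the literal "[S]".
CAPTURE = """\
15:08:51.401655 AF IPv4 (2), length 56: (tos 0x20, ttl 118, id 11039, offset 0, flags [DF], proto TCP (6), length 52)
    IncomingIP.2589 > OPT1Interface.22: Flags , cksum 0xb613 (correct), seq 631284661, win 17520, options [mss 1357,nop,wscale 8,nop,nop,sackOK], length 0
15:08:51.418530 AF IPv4 (2), length 44: (tos 0x20, ttl 118, id 11040, offset 0, flags [DF], proto TCP (6), length 40)
    IncomingIP.2589 > OPT1Interface.22: Flags [.], cksum 0xb731 (correct), seq 631284662, ack 3484332987, win 68, length 0
15:08:51.419039 AF IPv4 (2), length 72: (tos 0x20, ttl 118, id 11041, offset 0, flags [DF], proto TCP (6), length 68)
    IncomingIP.2589 > OPT1Interface.22: Flags [P.], cksum 0xc102 (correct), seq 0:28, ack 1, win 68, length 28
15:08:51.648740 AF IPv4 (2), length 72: (tos 0x20, ttl 118, id 11042, offset 0, flags [DF], proto TCP (6), length 68)
    IncomingIP.2589 > OPT1Interface.22: Flags [P.], cksum 0xc102 (correct), seq 0:28, ack 1, win 68, length 28
15:08:51.964852 AF IPv4 (2), length 72: (tos 0x20, ttl 118, id 11043, offset 0, flags [DF], proto TCP (6), length 68)
    IncomingIP.2589 > OPT1Interface.22: Flags [P.], cksum 0xc102 (correct), seq 0:28, ack 1, win 68, length 28
"""


@dataclass
class TcpPacket:
    ts: str
    src: str
    dst: str
    flags: Optional[str]      # None when the "[...]" after "Flags" is missing
    seq: str
    ack: Optional[str]
    options: Optional[str]
    length: int               # TCP payload length as printed by tcpdump


# tcpdump -v prints one IP header line followed by one indented TCP line.
HEADER_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) .*proto TCP")
TCP_RE = re.compile(
    r"^\s+(?P<src>\S+) > (?P<dst>\S+): Flags (?:\[(?P<flags>[^\]]*)\])?,"
    r".*?seq (?P<seq>[\d:]+)"
    r"(?:, ack (?P<ack>\d+))?"
    r".*?win \d+"
    r"(?:, options \[(?P<opts>[^\]]*)\])?"
    r", length (?P<len>\d+)$"
)


def parse_capture(text: str) -> List[TcpPacket]:
    """Pair each IP header line with its TCP line; skip anything that does not match."""
    packets: List[TcpPacket] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines) - 1:
        h = HEADER_RE.match(lines[i])
        t = TCP_RE.match(lines[i + 1])
        if h and t:
            packets.append(TcpPacket(
                ts=h.group(1), src=t["src"], dst=t["dst"], flags=t["flags"],
                seq=t["seq"], ack=t["ack"], options=t["opts"], length=int(t["len"])))
            i += 2
        else:
            i += 1
    return packets


def classify(p: TcpPacket) -> str:
    """Label the segment's role, tolerating a flags field stripped in transit."""
    if p.flags is not None:
        if "S" in p.flags:
            return "SYN-ACK" if "." in p.flags else "SYN"
        if "R" in p.flags:
            return "RST"
        if "F" in p.flags:
            return "FIN"
        if "P" in p.flags:
            return "DATA"
        if p.flags == ".":
            return "ACK"
        return "OTHER"
    # Assumption used here: a segment carrying MSS/wscale/SACK options, with no
    # ack number and no payload, can only be a SYN whose "[S]" was lost.
    if p.ack is None and p.length == 0 and p.options and "mss" in p.options:
        return "SYN (inferred)"
    return "UNKNOWN"


def summarize(packets: List[TcpPacket]) -> Dict[str, object]:
    roles = [classify(p) for p in packets]
    data_keys = [(p.src, p.dst, p.seq) for p, r in zip(packets, roles) if r == "DATA"]
    directions = {(p.src, p.dst) for p in packets}
    return {
        "roles": roles,
        "syn_seen": any(r.startswith("SYN") for r in roles),
        "handshake_completed": "ACK" in roles,
        # identical (src, dst, seq-range) data segments are client retransmissions
        "data_retransmits": len(data_keys) - len(set(data_keys)),
        "one_way_only": len(directions) == 1,
    }


def diagnose(s: Dict[str, object]) -> List[str]:
    """Turn the summary into the checks the port-forward troubleshooting doc walks through."""
    findings = []
    if not s["syn_seen"]:
        findings.append("no SYN seen: the connection attempt never reached this interface")
    if s["handshake_completed"] and s["data_retransmits"] > 0:
        findings.append(f"client retransmitted its first data segment {s['data_retransmits']} time(s) "
                        "with no reply in the capture: sniff the inside interface and check the host answers")
    if s["one_way_only"]:
        findings.append("only one direction captured: the filter or capture point is hiding the return path")
    return findings


if __name__ == "__main__":
    summary = summarize(parse_capture(CAPTURE))
    print(summary["roles"])
    for line in diagnose(summary):
        print("-", line)
```

Run on the pasted lines it labels the first record as an inferred SYN, so the handshake is visible after all, and it flags the repeated `seq 0:28` pushes as retransmissions with nothing coming back, which is the point where the doc says to capture on the interface pfSense forwards to.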

                  johnpoz LAYER 8 Global Moderator

                  If they are sending it down the tunnel… Then just correct your forwards..

                  Your flags are P not SYN... So that would not be allowed in anyway..  I don't see a SYN packet there..  ~~or [SE] or [SEW] depending on what other options might be set like ECN or CWR, etc.  Maybe it got scratched out with how you posted it?

                  It's so much easier if you just download the capture and view it in Wireshark or something.. post up the pcap..

                  But again your forwards are wrong… Your dest should be your opt1 address.. And what firewall rules do you have on the opt1 interface?  Are you blocking rfc1918.. I would assume your tunnel would be rfc1918..

                  The doc really goes over everything you need to do to troubleshoot... If you're seeing the traffic on the interface and you're saying icmp is being forwarded through.. Which more likely than not is just the vpn public IP answering vs pushing that down the tunnel.

                  Then sniff on the interface you're sending it to - is pfsense sending it on?  Maybe the host is not answering.  Firewall - ssh not running on the host.. Wrong IP of the host..  It is all in the troubleshooting doc.~~
