SSH Port Forwarding from custom ports to port 22 does not work!



  • Hello folks,

    I try to config a internet access to some linux servers. My idea is from internet to port 223 forward to internal port 22.

    ssh user@<public IP> -p 223 -> this connect to <internal ip> port 22

    I know this works because I have this config in this environment with another FW (IPFire) working fine. Now I replace this fw with a pfsense and I'm not able to config this connection.

    My actual config:
    I have a new installation of a pfsense 4.4.0. I create a NAT / Port Forward Rule as the next screenshot: 0_1546445601698_Captura de pantalla 2019-01-02 a las 17.12.26.png

    I create a asociated firewall rule for this connection (attached in the next screenshot):
    0_1546445794535_Captura de pantalla 2019-01-02 a las 17.16.23.png

    I see traffic on this rule:
    0_1546447366788_Captura de pantalla 2019-01-02 a las 17.40.30.png

    In the remote Linux box i see this(sorry for the bad quality): 0_1546447397805_Captura de pantalla 2019-01-02 a las 17.39.58.png

    In my laptop i see one of this two out puts:
    0_1546447682562_Captura de pantalla 2019-01-02 a las 17.46.17.png
    or
    0_1546447690952_Captura de pantalla 2019-01-02 a las 17.47.34.png

    I setup a Wireshark in my Laptop and I see always this error (it's a diferent public IP because I try from a VPN provider with the same results):
    0_1546447782786_Captura de pantalla 2019-01-02 a las 17.49.28.png

    It seems that the FW connection (NAT and Firewall rule works) but the ssh connections fails every time with Time out.

    Can someone help me with this issue?


  • Rebel Alliance Developer Netgate

    That sort of setup works fine for me. You have some sort of other problem afoot. Are you sure the ACK is leaving the expected WAN and making it back to the client?

    It looks like the reply from the server never gets back to the client, so probably the packet is being misrouted on the way back out. The easiest way that can happen is if your WAN is not properly setup. For example, with a static IP address on WAN, if you do not have a gateway set on Interfaces > WAN, then it might not reply back properly if you have more than one WAN or a problem with your default gateway settings.



  • Thanks for your response. I have double check all the config and the problem was that this network do not have full internet connectivity. Only ICMP and DNS works. The solution turned out to be to disable hardware checksum offloads.

    Now all works fine. We can close this case.