using ssh to connect to netgate?
-
I have an XG-7100-1U here. I've set it up with a Mac, though there are still a few issues. But I wanted to look into how to connect to this remotely via ssh, since I really really really loathe going down into the machine room to manually stick a laptop onto this thing in order to connect/configure it. Is there a good way to do this? I can accept having to set up the dhcp config initially (or in emergencies), but afterwards? I've been browsing and searching through documents but not finding good info on ssh offhand. Thanks for any pointers!
-
System - Advanced - Admin Access - Secure Shell - Secure Shell Server - Enable Secure Shell
pfSense is meant to be configured via WebGUI. Shell access will give you a menu after you connect, and from there you can get to the real shell. Console Options down below allows you to secure the shell with a login.
-
Are you in fact on a different network (over the internet as an example) than this XG-7100 box, or are you on the same LAN? I'm asking because you said "really loathe going down into the machine room".
If you're out on the internet, trying to connect, you can simply open a port forward. However, you should secure it by at least restricting the source IP address (where on the internet you are coming from) that the traffic is allowed to come from. Or, you can do better than that and VPN into the box itself.
If you're on the same internal LAN network, or another internal network, you can make firewall rules, and/or turn on SSH connections on the XG-7100 itself.
https://docs.netgate.com/pfsense/en/latest/usermanager/granting-users-access-to-ssh.html
Jeff
-
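Jeff's point about restricting the source address is the one most often skipped when a WAN rule is added "just for now". The following is an added example, not code from the thread or from Netgate: a small audit over a pfSense `config.xml` that lists every enabled WAN pass rule reaching SSH or the WebGUI on the firewall's own address and flags the ones whose source is `any`. It assumes the `config.xml` layout `<pfsense><filter><rule>...</rule></filter></pfsense>`, with `<source>`/`<destination>` holding `<any/>`, `<address>` or `<network>` and an optional `<port>`; the sample document, the `203.0.113.0/24` management subnet and the rule descriptions are constructed for the example.

```python
"""Audit pfSense filter rules for unrestricted SSH/WebGUI access from WAN.

Added example, not from the original thread or from Netgate. It assumes
config.xml looks like <pfsense><filter><rule>...</rule></filter></pfsense>,
where each rule has <type>, <interface>, <source>, <destination> (each
holding <any/>, <address> or <network>, plus an optional <port>) and an
optional empty <disabled/> marker. SAMPLE_CONFIG below is constructed.
Port aliases and port ranges are not expanded; they are reported as-is.
"""
import xml.etree.ElementTree as ET

MGMT_PORTS = {"22", "80", "443"}          # SSH and WebGUI (http/https)
SELF_TARGETS = {"wanip", "any"}           # destinations that include the firewall itself

SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <filter>
    <rule>
      <type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <protocol>tcp</protocol>
      <source><any/></source>
      <destination><network>wanip</network><port>22</port></destination>
      <descr>quick and dirty: ssh from anywhere (constructed)</descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <protocol>tcp</protocol>
      <source><address>203.0.113.0/24</address></source>
      <destination><network>wanip</network><port>443</port></destination>
      <descr>WebGUI from the campus management subnet (constructed)</descr>
    </rule>
    <rule>
      <disabled/>
      <type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <protocol>tcp</protocol>
      <source><any/></source>
      <destination><network>wanip</network><port>80</port></destination>
      <descr>old http rule, disabled (constructed)</descr>
    </rule>
    <rule>
      <type>pass</type><interface>lan</interface><ipprotocol>inet</ipprotocol>
      <protocol>any</protocol>
      <source><network>lan</network></source>
      <destination><any/></destination>
      <descr>Default allow LAN to any rule</descr>
    </rule>
  </filter>
</pfsense>
"""


def _endpoint(elem):
    """Render a <source> or <destination> element as a short string."""
    if elem is None or elem.find("any") is not None:
        return "any"
    for tag in ("address", "network"):
        node = elem.find(tag)
        if node is not None and node.text:
            return node.text.strip()
    return "any"


def _port(elem):
    """Destination port text, or 'any' when the rule has no port."""
    node = elem.find("port") if elem is not None else None
    return node.text.strip() if node is not None and node.text else "any"


def audit_wan_admin_rules(config_xml):
    """Return [(descr, source, port, verdict)] for every enabled WAN pass
    rule that can reach a management port on the firewall's own address."""
    root = ET.fromstring(config_xml)
    findings = []
    for rule in root.iterfind("./filter/rule"):
        if rule.find("disabled") is not None:
            continue                                  # disabled rules do not load into pf
        if (rule.findtext("type") or "").strip() != "pass":
            continue
        if (rule.findtext("interface") or "").strip() != "wan":
            continue
        dst = rule.find("destination")
        port = _port(dst)
        if port != "any" and port not in MGMT_PORTS:
            continue
        if _endpoint(dst) not in SELF_TARGETS:
            continue                                  # a port forward to a LAN host, not the firewall
        src = _endpoint(rule.find("source"))
        verdict = ("EXPOSED: reachable from the whole internet" if src == "any"
                   else "ok: source restricted")
        findings.append(((rule.findtext("descr") or "").strip(), src, port, verdict))
    return findings


if __name__ == "__main__":
    for descr, src, port, verdict in audit_wan_admin_rules(SAMPLE_CONFIG):
        print(f"[{verdict}] port {port} from {src}: {descr}")
```

Run it against a backup taken from Diagnostics - Backup & Restore; a rule whose destination is a LAN host (a real port forward) is deliberately skipped, since only rules that terminate on the firewall itself expose its sshd or WebGUI.
-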
I often connect to pfSense with ssh. Works well. However, this is from my local LAN. If needed, I can ssh to my desktop system and from there to pfSense. SSH after connecting via VPN also works.
-
Awesome, thanks for all the replies. Sorry, I see that section of the docs now... it wasn't coming up on the initial set of searches I tried.
So, once I set up users on the WebGUI/User Management portion, those people should be able to ssh in?
-
Yes, but you have to give them the System: Shell account access user privilege. Once you have created a user, go back and edit that user, and there is an Effective Privileges section near the bottom. Once they log in, they get a proper shell. The 'admin' user gets the action menu with an option for shell.
Note that this gives that user administrator-level access, as per the warning on the screen.
-
@ctmoore said in using ssh to connect to netgate?:
those people should be able to ssh in?
pfSense is a router.
It's not comparable to something known as a server. IMHO: one or some people that trust each other and know what they are doing can all share the same admin login: no real need to create several users to 'manage' the router.
Normally, once set up, the console or SSH isn't needed. On the vast majority of the pfSense installs these (console or SSH afterwards) are never used again.
The SSH access - or console, in certain ways - is even more important than the GUI access. It should be set up, especially if your pfSense router isn't in front of you on your desk.
The SSH access - or console access - is important when things go bad, because one of the first things that can go down is the GUI.
-
@Gertjan said in using ssh to connect to netgate?:
The SSH access - or console, in certain ways - is even more important than the GUI access. It should be set up, especially if your pfSense router isn't in front of you on your desk.
And for that reason, many routers also have serial ports that can be connected to a modem, for access when there's a problem blocking access via the Internet.
-
Thanks everyone for these replies. To give a bit of background, this pfsense appliance is being used for research, so the students who are setting things up need remote access for the various configurations they are going to try out. I have set up accounts for them, and have turned on ssh for each of their accounts. I also set up the wan port on the appliance to our network, and arpwatch confirmed a dhcp assignment. The webgui shows the wan as active, etc.
My current issue is that I still don't seem to be able to ssh into the appliance for remote management and config (yes, I know it is not a server; I am thinking in terms of other switches I can manage remotely through ssh and their own cli). ssh to admin@<dhcp assigned IP address> isn't working; it doesn't show on ping or anything (though as a firewall maybe it's lying low?). But how on earth do I ssh into this thing with an ssh-enabled (as noted above) account? I haven't even gotten to the console issue yet, since this puppy has a mini usb port (?!) for console access instead of an rj45 port....
Apologies for the length of time in replying, I have been traveling but can now sit down and hash this thing out.
-
I'm assuming you're trying to get in from the WAN side? WAN allows no inbound access by default. If you want to ssh in from WAN side, you need to add a firewall rule to the WAN rules to allow it.
-
@ctmoore said in using ssh to connect to netgate?:
since this puppy has a mini usb port (?!) for console access instead of an rj45 port....
That's common these days. There should be a USB - serial port adapter connected to that USB port. Just plug in the cable and use a serial terminal app to use it.
-
@KOM said in using ssh to connect to netgate?:
I'm assuming you're trying to get in from the WAN side? WAN allows no inbound access by default. If you want to ssh in from WAN side, you need to add a firewall rule to the WAN rules to allow it.
What I have often done is ssh to a computer behind the firewall and ssh from there. Of course, you should be able to ssh directly to the LAN side interface. This is assuming you have public addresses on the LAN.
-
@KOM Well the WAN must be allowing DHCP replies in?
@JKnott the lan side is a private testing area, such that whatever they do in there is contained within the lan by the pfsense appliance. Besides, if you were using ssh to get into a LAN-side server, wouldn't you have to go through the firewall to get to it? Maybe my mental map of this is all wrong. I see this as my normal, functional network having one appliance (the netgate) newly added to it. Behind the netgate is some whizbang experimental cluster I personally care nothing at all about other than that it stays behind the netgate. The students on the WAN side that are playing with it do not have physical access to the cluster (or the netgate).
So I'd need to set up the firewall for ssh access to the netgate as well as through it to get to any of the servers on the other side of it...
-
I thought you were trying to get in from the WAN side. Yes, you would have to go through the firewall and configure the rules accordingly. So, if you were to allow any address on the LAN, so that the students can reach their systems, then you should be able to access the LAN side address, without opening access to the WAN side address.
-
@JKnott I am confused :)
I see this as follows:
WAN: my established network, in which I control DHCP, etc; has outside/internet contact, etc
netgate: <magic>
LAN: <mysterious black box cluster of stuff>
Everyone is on the WAN. I want to give a specific set of students, whose project is in the LAN side and quarantined behind the netgate, access to the netgate so they can configure their research cluster however they want, as far as I am concerned, so long as their network and traffic is otherwise quarantined on their side of the netgate. But their access comes from my side of the network.
Is that how I should look at it? I did double check whether I could access the netgate by an URL on the WAN ip address (eg maybe I'm fixating on ssh for no good reason) but that doesn't respond.
Is this an appropriate starting point?
https://docs.netgate.com/pfsense/en/latest/firewall/remote-firewall-administration.html
-
@ctmoore said in using ssh to connect to netgate?:
Is that how I should look at it? I did double check whether I could access the netgate by an URL on the WAN ip address (eg maybe I'm fixating on ssh for no good reason)
I have already told you, if you have the firewall configured to allow access to the LAN, then the LAN side address should be reachable. As someone else mentioned, if you want WAN side access, then it has to be enabled. Then there is also a serial port connection, using a USB cable and serial terminal app. Those are your 3 choices, take your pick.
-
All I have managed to do is put a laptop onto the LAN directly (eth2) for the default 169 webgui and no other config besides setting the WAN and a couple of users. So if I config the firewall with that laptop to allow WAN incoming for http/s, then in theory they would get this same webgui interface when navigating to the wan-side dhcp assigned address?
Sorry, I deal much more with the likes of arista and mellanox switches rather than this kind of box and that's all straight up terminal, cli and good old fashioned rj45 serial ports hooked up to a CAS for when network goes bupkus.
-
What's a 169 webgui? Are you using addresses in the 169.254 range???
As I mentioned, that USB connected serial port should work fine. Have you tried it?
-
You're probably going to have to post up some screens of your config so we can see what's going on. We're just guessing at this point, and that isn't an effective way of solving your problem.