Netgate Discussion Forum

Cannot SSH to VM in LAN via Internet

  • A
    appollonius333
    last edited by appollonius333 Feb 22, 2020, 6:44 PM Feb 22, 2020, 6:43 PM

    Currently I am having an issue where I cannot SSH to a machine in my LAN/VLAN network. Though if I enable SSH on pfSense, I can connect to it perfectly.
    For testing I have rules set on any any but still no luck. I am doing this based on IPv6.

    Here is a screenshot of the status:
    b7e88ddd-160b-4c56-9058-37315aaa9b53-afbeelding.png

    I have followed these docs, but without any results...

    https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-due-to-asymmetric-routing.html

    • S
      stephenw10 Netgate Administrator
      last edited by Feb 23, 2020, 5:52 PM

      You are testing from somewhere external? Coming in through the WAN?

      Those logs imply there is no open state on LAN for that connection. Either that traffic is not coming out of the LAN initially or it is not opening a state when it does. The latter would require special rules to make it happen though so it's unlikely.

      Steve

      • A
        appollonius333
        last edited by Feb 23, 2020, 5:58 PM

        Hello,

        Thanks for your reply. I have removed the pfSense VM now and all works fine. I think doing firewall via Linux is the best possible way, as I think it will always be.

        • S
          stephenw10 Netgate Administrator
          last edited by Feb 23, 2020, 6:12 PM

          Ok, well, assuming the rules are all in the correct place etc., either you are hitting some obscure IPv6 bug or the routing is asymmetric, in which case any firewall worth having should block it.
          If it's a bug we'd love to know about it if you can provide details.

          Steve

          • A
            appollonius333
            last edited by Feb 23, 2020, 6:16 PM

            Well, I removed the pfSense VM and then connected the VM directly via a bridged interface to Proxmox, and all works very well.

            I did the same as with the pfSense VM. I had this construction:

            Proxmox (bridged interface without physical interface) -> pfSense (WAN), pfSense (LAN, also a bridged interface without physical interface), and connected a VM to that interface, which gave me this error unfortunately... Very strange, as asymmetrical routing would not be applicable here, as there was only one way in and out.

            • S
              stephenw10 Netgate Administrator
              last edited by Feb 23, 2020, 6:20 PM

              Hmm, are you able to retest it?

              I would first run a packet capture on the LAN for port 22 to verify the traffic is really leaving that way and replies are coming back.

              Then check the state table for that connection. Make sure the connection opens states on WAN and LAN.

              Steve
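
The state-table check suggested in the post above could be scripted as follows. This is an added example, not part of the original thread and not Netgate's code. The state lines are constructed samples modelled on `pfctl -ss` output, and the interface names (vtnet0 as WAN, vtnet1 as LAN) and addresses are assumptions.

```python
import re

# Constructed sample modelled on `pfctl -ss` output (not taken from the thread).
# Assumed names: vtnet0 = WAN, vtnet1 = LAN, 2001:db8:10::22 = the VM behind LAN.
HEALTHY = """\
vtnet0 tcp 2001:db8:10::22[22] <- 2001:db8:ffff::5[50522]       ESTABLISHED:ESTABLISHED
vtnet1 tcp 2001:db8:ffff::5[50522] -> 2001:db8:10::22[22]       ESTABLISHED:ESTABLISHED
vtnet1 tcp 2001:db8:10::22[41000] -> 2001:db8:ffff::80[443]       ESTABLISHED:ESTABLISHED
"""
# Constructed failure case: the SYN created a WAN state, nothing exists on LAN.
WAN_ONLY = """\
vtnet0 tcp 2001:db8:10::22[22] <- 2001:db8:ffff::5[50522]       CLOSED:SYN_SENT
"""

def parse_endpoint(token):
    """Split 'addr[port]' (IPv6 form) or 'addr:port' (IPv4 form) into (addr, port)."""
    m = re.fullmatch(r"(.+)\[(\d+)\]", token) or re.fullmatch(r"([\d.]+):(\d+)", token)
    return (m.group(1), int(m.group(2))) if m else (token, None)

def states_for(dump, server, port):
    """Return {interface: [state, ...]} for TCP states with server:port at either end."""
    found = {}
    for line in dump.splitlines():
        tok = line.split()
        arrow = next((i for i, t in enumerate(tok) if t in ("->", "<-")), None)
        if arrow is None or len(tok) < arrow + 3 or tok[1] != "tcp":
            continue  # not a TCP state line in the expected layout
        ends = {parse_endpoint(tok[2]), parse_endpoint(tok[arrow + 1])}
        if (server, port) in ends:
            found.setdefault(tok[0], []).append(tok[-1])
    return found

def check(dump, server, port, wan, lan):
    """Name the interface(s) holding no state for the forwarded connection."""
    found = states_for(dump, server, port)
    missing = [i for i in (wan, lan) if i not in found]
    return "states on WAN and LAN" if not missing else "no state on " + ", ".join(missing)

if __name__ == "__main__":
    for name, dump in (("healthy", HEALTHY), ("wan-only", WAN_ONLY)):
        print(name, "->", check(dump, "2001:db8:10::22", 22, "vtnet0", "vtnet1"))
```

A result of "no state on vtnet1" is the condition the first reply inferred from the block logs: replies from the VM arrive on LAN without a matching state and are dropped.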

              • A
                appollonius333
                last edited by Feb 23, 2020, 6:23 PM

                Well, currently I have everything up and running in my current setup. It is strange though, as the VMs themselves do have web access and have no problems with it.
                It is just when connecting via SSH to the server from the outside of the network that is blocking it. As I had my head on it the whole day yesterday, I was pretty annoyed by it.

                • S
                  stephenw10 Netgate Administrator
                  last edited by Feb 23, 2020, 7:15 PM

                  I feel that pain! 😉

                  If you are able to retest it at any point that would be helpful.
