Cannot SSH to VM in LAN via Internet



  • Currently I am having an issue where I cannot SSH to a machine in my LAN/VLAN network. Though if I enable SSH on pfSense, I can connect to it perfectly.
    For testing I have rules set to any/any, but still no luck. I am doing this based on IPv6.

    Here is a screenshot of the status:
    [screenshot not reproduced]

    I have followed these docs, but without any results...

    https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-due-to-asymmetric-routing.html


  • Netgate Administrator

    You are testing from somewhere external? Coming in through the WAN?

    Those logs imply there is no open state on LAN for that connection. Either that traffic is not coming out of the LAN initially or it is not opening a state when it does. The latter would require special rules to make it happen though so it's unlikely.

    Steve



  • Hello,

    Thanks for your reply. I have removed the pfSense VM now and all works fine. I think doing the firewall via Linux is the best possible way, as I think it always will be.


  • Netgate Administrator

    Ok, well, assuming the rules are all in the correct place etc, either you are hitting some obscure IPv6 bug or the routing is asymmetric in which case any firewall worth having should block it.
    If it's a bug we'd love to know about it if you can provide details.

    Steve



  • Well, I removed the pfSense VM and then connected the VM directly via a bridged interface to Proxmox, and all works very well.

    I did the same as with the pfSense VM; I had this construction:

    Proxmox (bridged interface without physical interface) -> pfSense (WAN) / pfSense (LAN, also a bridged interface without physical interface), and connected a VM to that interface, which unfortunately gave me this error... Very strange, as asymmetrical routing would not be applicable here, as there was only one way in and out.


  • Netgate Administrator

    Hmm, are you able to retest it?

    I would first run a packet capture on the LAN for port 22 to verify the traffic really leaving that way and replies are coming back.

    Then check the state table for that connection. Make sure the connection opens states on WAN and LAN.

    Steve
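One way to do the state-table check Steve describes, as an added example that is not from this thread or from Netgate: it parses a `pfctl -ss` dump and reports whether an SSH connection to a given server holds an inbound state on WAN and an outbound state on LAN. The interface names vtnet0/vtnet1, the interface-bound state layout and the sample dump are assumptions, not taken from the thread.

```python
import re
from collections import namedtuple

# pfctl prints addr:port for IPv4 and addr[port] for IPv6 endpoints.
_ENDPOINT = re.compile(r"^(?P<addr>.+?)(?::|\[)(?P<port>\d+)\]?$")
# State-table entry; direction is "in" ("<-") or "out" ("->"), server is the service side.
State = namedtuple("State", "iface proto direction server server_port peer status")

# Constructed sample in the shape of `pfctl -ss` output, not a real capture. Assumes
# interface-bound states with hypothetical names vtnet0 = WAN, vtnet1 = LAN. The
# connection to ...::50 shows both sides; the one to ...::51 only reached the WAN.
SAMPLE_DUMP = """\
vtnet0 tcp 2001:db8:10::50[22] <- 2001:db8:ffff::7[51234]   ESTABLISHED:ESTABLISHED
vtnet1 tcp 2001:db8:ffff::7[51234] -> 2001:db8:10::50[22]   ESTABLISHED:ESTABLISHED
vtnet0 tcp 2001:db8:10::51[22] <- 2001:db8:ffff::9[40000]   SYN_SENT:CLOSED
all udp 2001:db8:10::50[53] <- 2001:db8:ffff::7[5353]   MULTIPLE:SINGLE
"""

def _endpoint(text):
    m = _ENDPOINT.match(text)
    if not m:
        raise ValueError(f"unparseable endpoint {text!r}")
    return m.group("addr"), int(m.group("port"))

def parse_states(dump):
    """Parse `pfctl -ss` lines, skipping anything that is not a state entry."""
    states = []
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[3] not in ("<-", "->"):
            continue
        iface, proto, left, arrow, right, status = parts[:6]
        (l_addr, l_port), (r_addr, r_port) = _endpoint(left), _endpoint(right)
        if arrow == "<-":  # inbound: pf prints local destination, then remote source
            states.append(State(iface, proto, "in", l_addr, l_port, r_addr, status))
        else:              # outbound: source first, then destination
            states.append(State(iface, proto, "out", r_addr, r_port, l_addr, status))
    return states

def ssh_state_check(dump, server, wan_if, lan_if, port=22):
    """Per side, whether SSH to `server` holds an inbound WAN / outbound LAN state."""
    found = {"wan": False, "lan": False}
    for s in parse_states(dump):
        if s.proto != "tcp" or s.server != server or s.server_port != port:
            continue
        if s.iface == wan_if and s.direction == "in":
            found["wan"] = True
        elif s.iface == lan_if and s.direction == "out":
            found["lan"] = True
    return found
```

A result of `{"wan": True, "lan": False}` matches the symptom in the thread: the connection entered on WAN but never opened a state on LAN, so the replies (or the forwarded packets) are blocked.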



  • Well, currently I have everything up and running in my current setup. It is strange though, as the VMs themselves do have web access and have no problems with it.
    It is just when connecting via SSH to the server from outside the network that it is blocked. As I had my head on it the whole day yesterday, I was pretty annoyed by it.


  • Netgate Administrator

    I feel that pain! 😉

    If you are able to retest it at any point that would be helpful.

