Netgate Discussion Forum

    All external attempts to SSH or SFTP yield "connection refused"

      profse

      This used to work. My modem is set to be passthrough. I've read the troubleshooting guide and the manual.

      I can internally ssh to this box, but when I attempt to connect externally, I get "connection refused". External traffic is not hitting this box as I've checked the ssh logs, so my only guess is that my NetGate device (I just updated to the latest version of PFSense) is blocking.

      Is there an option in some other menu I'm missing?

      [Attached screenshot: nat.jpg]

        viragomann

        You are setting up a NAT rule here. You must not set the destination to "any" in a NAT rule; that won't work.
        Select "WAN address" or one of your virtual WAN addresses if applicable.

          profse

          Thank you for the response, I appreciate your time. On the PFSense Main Screen, my WAN address is 172.16.1.39, not my external IP, even though my modem is set to passthrough.

          I made the change you suggested, but nothing changed externally; my connection is still refused.

            viragomann @profse

            @profse said in All external attempts to SSH or SFTP yield "connection refused":

            On the PFSense Main Screen, my WAN address is 172.16.1.39, not my external IP, even though my modem is set to passthrough.

            Passthrough?
            You have to forward the traffic explicitly to the pfSense WAN address.

            To investigate if SSH packets arrive at the pfSense WAN interface, use Diagnostics > Packet Capture.

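One way to read the result of the WAN-side packet capture suggested above, as an added example that is not part of the original posts: it classifies whether the inbound SYN reached the WAN address at all and how it was answered. It assumes the capture text uses tcpdump's default TCP line format with flags shown; the sample lines, the function name and the verdict strings are constructed for illustration.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches tcpdump-style TCP lines (format assumed), e.g.
# 12:00:01.000001 IP 203.0.113.7.51514 > 172.16.1.39.22: Flags [S], seq 1, length 0
LINE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
)

# Constructed sample: two SYNs reach the WAN address, nothing is sent back.
SAMPLE = """\
12:00:01.000001 IP 203.0.113.7.51514 > 172.16.1.39.22: Flags [S], seq 1, win 64240, length 0
12:00:02.000001 IP 203.0.113.7.51514 > 172.16.1.39.22: Flags [S], seq 1, win 64240, length 0
"""

def diagnose(capture: str, wan_ip: str, port: int = 22) -> dict:
    """Summarise what a WAN-side capture shows for connections to wan_ip:port."""
    syn_in = synack_out = rst_out = 0
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        inbound = m["dst"] == wan_ip and int(m["dport"]) == port
        outbound = m["src"] == wan_ip and int(m["sport"]) == port
        if inbound and m["flags"] == "S":
            syn_in += 1
        elif outbound and m["flags"] == "S.":
            synack_out += 1
        elif outbound and "R" in m["flags"]:
            rst_out += 1
    if syn_in == 0:
        verdict = "no-syn-at-wan"        # nothing arrived: check the upstream modem/router
    elif synack_out:
        verdict = "handshake-answered"   # forward and firewall rule are working
    elif rst_out:
        verdict = "reset-sent-from-wan"  # packet arrived and was actively refused
    else:
        verdict = "syn-unanswered"       # packet arrived but was dropped or the target is silent
    wan = ipaddress.ip_address(wan_ip)
    return {"verdict": verdict, "syn_in": syn_in, "wan_is_rfc1918": any(wan in n for n in RFC1918)}

if __name__ == "__main__":
    print(diagnose(SAMPLE, "172.16.1.39"))
```

A `no-syn-at-wan` verdict together with `wan_is_rfc1918` being true points at the device in front of pfSense rather than at the pfSense NAT rule.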
              Rico

              You need to disable Block private networks and loopback addresses (Interfaces > WAN) if your WAN IP is RFC1918.

              -Rico

                profse

                First, thanks for the reads and comments. It seems that, upon seeing my WAN Address as 172 and not my IP, something was fishy with the modem. Either ATT or a power cycle reset the modem to block traffic and not pass it all to PFSense. I changed that setting, and we are back in action.

                I'm sorry to have wasted your time on this, as I assumed my settings on the modem were unchanged.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.