Netgate Discussion Forum

SSH works on pfSense but fails to Linux server.

General pfSense Questions
14 Posts 4 Posters 1.3k Views
  • F
    F1Fish
    last edited by Sep 3, 2020, 3:18 AM

    The problem is that I can't log in to the Linux game server via ssh or via the game.
    I can log in to pfSense through the web or ssh.

    Here is my network config:

    pfSense is set up as firewall only: 192.168.0.1/24
    Game server is a VM: 192.168.0.30/24
    The rest of my network resides behind a Cisco SG500: 192.168.0.5/24
    The Cisco handles all routing on the 10.0.0.0/17 network

    I have a gateway route set up for LAN to the Cisco switch.
    Static routes are set up for all VLANs on the Cisco switch.
    There are firewall rules to support the static routes.

    Here’s what works.
    I have full access to pfSense through web or ssh via a client behind the Cisco switch. pfSense can check for updates and set the time from an NTP server on a Cisco-routed VLAN. My PC clients can reach the internet and inter-VLAN routing works as it should. I can ping the game server. From an ESXi console window I can ping google.com and update the Linux server. The Cisco switch is reachable through 192.168.0.5 and through its address on the 10.0.0.0 network.

    What does not work is the game server through 192.168.0.30.

    • S
      stephenw10 Netgate Administrator
      last edited by Sep 3, 2020, 9:32 PM

      Where are you trying to connect to it from?

      Sounds like it might be an asymmetric routing issue.
      Do you see TCP-flagged traffic blocked?

      Steve

      • B
        bingo600
        last edited by bingo600 Sep 6, 2020, 7:16 AM

        @F1Fish said in SSH works on pfSense but fails to Linux server.:

        192.168.0.1

        Not optimal description.
        I assume the pfSense is your def-gw to the internet.

        Have you routed the 10.0.0.0/17 network on the game machine to 192.168.0.5, in order to enable return packets?

        From your description, the ssh packets do not even pass the pfSense fw, in a functional setup.

        If you find my answer useful - Please give the post a 👍 - "thumbs up"

        pfSense+ 23.05.1 (ZFS)

        QOTOM-Q355G4 Quad Lan.
        CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
        LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

        • F
          F1Fish @bingo600
          last edited by Sep 7, 2020, 9:29 PM

          I assume the pfSense is your def-gw to the internet.

          You are right.

          Have you routed the 10.0.0.0/17 network on the game machine to 192.168.0.5, in order to enable return packets?

          This statement I'm having a hard time achieving.
          I've followed this article to add the firewall to my network.
          https://engineerworkshop.com/blog/how-to-set-up-vlans-on-an-l3-switch-hp-1910-with-pfsense/

          • S
            stephenw10 Netgate Administrator
            last edited by Sep 7, 2020, 11:01 PM

            Can we get a basic diagram of how these systems are connected?

            • F
              F1Fish
              last edited by Sep 7, 2020, 11:32 PM

              [image: network diagram.png]

              • F
                F1Fish @bingo600
                last edited by Sep 10, 2020, 3:27 AM

                Have you routed the 10.0.0.0/17 network on the game machine to 192.168.0.5, in order to enable return packets?

                If I'm understanding this correctly, a static route on the game server will only give me LAN access and no WAN access.

                From your description, the ssh packets do not even pass the pfSense fw, in a functional setup.

                I can't ssh the game server. I see nothing in firewall log file for a failed attempt. But I can login to pfSense using ssh.

                • J
                  johnpoz LAYER 8 Global Moderator
                  last edited by johnpoz Sep 10, 2020, 5:13 AM

                  So your transit network is this 192.168.0.0/24? You do not put hosts on a transit network.. This comes up like every day it seems..

                  And you're trying to access the game server from some downstream network..

                  This is asymmetrical.. So no its not going to work without routes on the game server.

                  [image: asymettrical.png]

                  And take you don't even have default route on this game server, so it can not even send the syn,ack back??? Even with default route to 192.168.0.1 - pfsense would not allow it because it would be out of state.

                  You need a route on the gameserver saying hey to get to 10.0/17 talk to 192.168.0.5

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  • F
                    F1Fish @johnpoz
                    last edited by Sep 17, 2020, 1:24 PM

                    johnpoz thank you for your help

                    The solution I used on the game server was:
                        up /sbin/route add -net 10.0.0.0 netmask 255.255.128.0 gw 192.168.0.5
                        down /sbin/route del -net 10.0.0.0 netmask 255.255.128.0
                    added to the /etc/network/interfaces file.

                    The DSL router (CenturyLink C1900A) I use did this automatically.
                    So I’m still looking for a solution I can implement on the firewall.

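The asymmetric flow johnpoz describes above, and the static route F1Fish then added on the game server, as an added example that is not part of this thread and not code from any of its participants: a small Python model of the three devices with their routing tables and a pf-style state table enforced only on the pfSense hop. The addresses and prefixes come from the thread; the client address 10.0.1.10, the client source port 40000, the "internet" placeholder hop and the simplified state check (a SYN that a pass rule matches creates state, any other segment must match existing state) are assumptions of the model, not pfSense internals. Tracing one SSH handshake shows why the SYN reaches the server directly through the switch, why the SYN/ACK sent to the default gateway arrives at pfSense with no matching state and is dropped, and why the route to 192.168.0.5 makes the reply take the same path back and never touch pfSense.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the thread's topology (an assumption of this example):
# pfSense 192.168.0.1 is the edge router, the Cisco SG500 at 192.168.0.5 routes
# 10.0.0.0/17, and the game server 192.168.0.30 sits on the same /24, which
# therefore acts as a transit network between two routers.
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
TRANSIT = ipaddress.ip_network("192.168.0.0/24")
DOWNSTREAM = ipaddress.ip_network("10.0.0.0/17")

PFSENSE, SWITCH, GAME = "192.168.0.1", "192.168.0.5", "192.168.0.30"
CLIENT = "10.0.1.10"      # constructed client on a switch-routed VLAN
INTERNET = "internet"     # placeholder for pfSense's upstream hop

# Routing tables as (prefix, next hop); a next hop of None means "directly connected".
BASE_TABLES = {
    PFSENSE: [(TRANSIT, None), (DOWNSTREAM, SWITCH), (DEFAULT, INTERNET)],
    SWITCH: [(TRANSIT, None), (DOWNSTREAM, None), (DEFAULT, PFSENSE)],
    CLIENT: [(DOWNSTREAM, None), (DEFAULT, SWITCH)],
}
# The two game-server configurations discussed in the thread.
GAME_DEFAULT_ONLY = [(TRANSIT, None), (DEFAULT, PFSENSE)]
GAME_WITH_STATIC = [(TRANSIT, None), (DOWNSTREAM, SWITCH), (DEFAULT, PFSENSE)]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def next_hop(table, dst):
    """Longest-prefix match over a routing table; None means deliver directly."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, nh) for net, nh in table if addr in net]
    if not matches:
        raise ValueError(f"no route to {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def stateful_filter(pkt, state):
    """Simplified pf-style check for traffic transiting pfSense: (allowed, reason)."""
    key = frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})
    if pkt.flags == "SYN":
        state.add(key)  # a matching pass rule creates state when it sees the SYN
        return True, "new state created"
    if key in state:
        return True, "matches existing state"
    return False, "out of state: pfSense never saw the SYN for this flow"


def forward(pkt, tables, state):
    """Walk the packet hop by hop; returns (path, delivered, reason)."""
    hop, path = pkt.src, [pkt.src]
    while hop != pkt.dst:
        if hop == PFSENSE:  # only the firewall enforces state
            ok, reason = stateful_filter(pkt, state)
            if not ok:
                return path, False, reason
        nh = next_hop(tables[hop], pkt.dst)
        hop = pkt.dst if nh is None else nh
        path.append(hop)
        if hop == INTERNET:
            return path, False, "sent upstream; never reaches the client"
    return path, True, "delivered"


def ssh_attempt(game_server_routes):
    """A client behind the switch opens TCP/22 to the game server; trace SYN and SYN/ACK."""
    tables = {**BASE_TABLES, GAME: game_server_routes}
    state = set()  # pfSense's state table, empty at the start of the attempt
    syn = Packet(CLIENT, 40000, GAME, 22, "SYN")
    syn_path, syn_ok, _ = forward(syn, tables, state)
    synack = Packet(GAME, 22, CLIENT, 40000, "SYN/ACK")
    reply_path, reply_ok, reason = forward(synack, tables, state)
    return {"syn_path": syn_path, "reply_path": reply_path,
            "connected": syn_ok and reply_ok, "reason": reason}


if __name__ == "__main__":
    for label, routes in (("default route only", GAME_DEFAULT_ONLY),
                          ("static route to the switch", GAME_WITH_STATIC)):
        print(label, ssh_attempt(routes))
```

Run it directly to print both cases. The iproute2 form of the route the thread adds is `ip route add 10.0.0.0/17 via 192.168.0.5`. The model also makes johnpoz's later point concrete: once the route is in place, traffic between the downstream VLANs and the game server never crosses pfSense at all, so it cannot be firewalled there either, which is why moving the server off the transit network is the cleaner fix.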
                    • S
                      stephenw10 Netgate Administrator
                      last edited by Sep 17, 2020, 1:38 PM

                      If it was setup exactly like that then it probably did it 'automatically' by being a bad stateful firewall. 😉

                      If it did not track TCP states for example that traffic would be allowed.

                      You can try setting Bypass firewall rules for traffic on the same interface in System > Adv > Firewall&NAT. Or you can force the traffic to be passed by allowing out of state TCP traffic.
                      https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-due-to-asymmetric-routing.html#manual-fix

                      Steve

                      • J
                        johnpoz LAYER 8 Global Moderator
                        last edited by Sep 17, 2020, 2:25 PM

                        Or the actual correct solution which would be to remove asymmetrical traffic flow! ;)

                        While allowing out of state traffic can be a life saver in say an enterprise where something is broken, and we can get it working like this - until a proper fix/redesign can be done.

                        The correct solution is to not setup asymmetrical networks.. Just no point to it, other than lack of basic networking skills.


                        • S
                          stephenw10 Netgate Administrator
                          last edited by Sep 17, 2020, 3:52 PM

                          Yup. That.

                          If you add workarounds to allow the traffic it will probably come back to bite you at some point.

                          • F
                            F1Fish @johnpoz
                            last edited by Sep 17, 2020, 6:05 PM

                            @johnpoz

                            So you're saying I should go with a router on a stick, or move the game server to a VLAN routed by the switch, to clear up the asymmetrical network.

                            • J
                              johnpoz LAYER 8 Global Moderator
                              last edited by Sep 17, 2020, 6:14 PM

                              You need to take your server off the transit network... Be it that you want it to be a VLAN hanging off your downstream router, or a VLAN off of your edge router (pfSense)..

                              But currently that network is a transit network (a network between 2 routers); putting hosts on it that need to talk, or get talked to, from a network via one of the routers leads to asymmetrical traffic flow.

                              Throw another vlan on your pfsense and put your game server there, now you can actually firewall between your downstream networks and the server..

