Netgate Discussion Forum

    Mysterious block: Can’t connect to LAN ssh host from WAN

    Firewalling
    15 Posts 4 Posters 1.2k Views
    • DominikHoffmann

      I set up a NAT rule like so:

      Screen Shot 2020-11-15 at 6.45.13 PM.png

      It has a corresponding Firewall rule:

      Screen Shot 2020-11-15 at 6.48.29 PM.png

      When I am on the LAN I can telnet into that host (on Port 22) like so:

      Screen Shot 2020-11-15 at 6.56.45 PM copy.png

      However, when I am outside of my home, I cannot get in:

      Screen Shot 2020-11-15 at 7.28.07 PM.png

      Crickets!

      Where else might there be a block? My ISP is not blocking anything, which I verified today.

      • Gertjan

        Hi,

        You mentioned ssh access, but are using telnet.
        What happens when you use 'ssh'?

        Why do you hide LAN IP addresses?

        Is your firewall rule on WAN?
        Then this:

        2b2c38ed-d9ba-4c60-aba4-f8723d1202bf-image.png

        says a lot: nothing comes into the pfSense WAN port.
        This means: traffic is blocked upstream. Most typically your upstream ISP router. That one has to be NATted to.

        Edit: the pfSense manual contains a complete rundown on how to look for NAT and port forward issues.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • kiokoman (LAYER 8)

          State is 0/0, so that rule never matches.
          Check the order of your rules on the WAN interface; maybe you have a block before the NAT rule.

          Rulesets on the Interface tabs are evaluated on a first match basis by pfSense. This means that reading the ruleset for an interface from top to bottom, the first rule that matches will be the one used by the firewall. Evaluation stops after reaching this match and then the firewall takes the action specified by that rule.

          ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
          Please do not use chat/PM to ask for help
          we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
          Don't forget to Upvote with the 👍 button for any post you find to be helpful.

          • DominikHoffmann
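The first-match evaluation that the quoted manual text describes is easy to model. The following is an added example (not code from the thread or from pfSense) that simulates a WAN ruleset in the shape this thread describes: the two auto-generated block rules, then the pass rule for the forwarded port. The WAN address, the packets and the two sample bogon entries are constructed values, and the model ignores pf details such as state tracking and the NAT rewrite, so it only illustrates rule ordering and why a misplaced block above the pass rule leaves the pass rule at zero hits.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed WAN address (documentation range), not the poster's real one.
WAN_IP = "198.51.100.10"


@dataclass
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp" or "any"
    src: list              # source networks in CIDR notation, or ["any"]
    dst: str               # destination host/network in CIDR, or "any"
    dport: Optional[int]   # destination port, None = any port
    descr: str
    hits: int = 0          # times this rule was the first match


def _in_any(nets, addr: str) -> bool:
    a = ip_address(addr)
    return any(n == "any" or a in ip_network(n) for n in nets)


def rule_matches(rule: Rule, pkt: dict) -> bool:
    """Do this rule's criteria cover the packet? (No ordering logic here.)"""
    return (rule.proto in ("any", pkt["proto"])
            and _in_any(rule.src, pkt["src"])
            and _in_any([rule.dst], pkt["dst"])
            and rule.dport in (None, pkt["dport"]))


def evaluate(rules, pkt: dict):
    """First match wins, as on a pfSense interface tab: the first rule whose
    criteria match decides and later rules are never consulted.
    Returns (action, rule); ("block", None) is the implicit default deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            rule.hits += 1
            return rule.action, rule
    return "block", None


def build_wan_rules(misplaced_block: bool = False):
    """WAN ruleset: block private, block bogons, then the pass rule for the
    forwarded port. With misplaced_block a broad block sits above the pass."""
    rules = [
        Rule("block", "any", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
             "any", None, "Block private networks"),
        # Two sample bogon entries; the real bogon list is much longer.
        Rule("block", "any", ["0.0.0.0/8", "240.0.0.0/4"], "any", None,
             "Block bogon networks"),
    ]
    if misplaced_block:
        rules.append(Rule("block", "tcp", ["any"], "any", None,
                          "Block all TCP (misplaced)"))
    rules.append(Rule("pass", "tcp", ["any"], f"{WAN_IP}/32", 3210,
                      "NAT SSH host"))
    return rules


# Constructed packets: one from the Internet, one with a private source.
PKT_FROM_INTERNET = {"proto": "tcp", "src": "203.0.113.5", "dst": WAN_IP, "dport": 3210}
PKT_FROM_RFC1918 = {"proto": "tcp", "src": "192.168.1.5", "dst": WAN_IP, "dport": 3210}


def hit_counts(rules) -> dict:
    """Per-rule match counters, the idea behind the States column."""
    return {r.descr: r.hits for r in rules}


if __name__ == "__main__":
    for shadowed in (False, True):
        rules = build_wan_rules(misplaced_block=shadowed)
        for pkt in (PKT_FROM_INTERNET, PKT_FROM_RFC1918):
            action, rule = evaluate(rules, pkt)
            print(f"{pkt['src']} -> {action} ({rule.descr if rule else 'default deny'})")
        print(hit_counts(rules))
```

With the misplaced block present, the pass rule's counter stays at 0 for every packet, which is the "0/0" symptom kiokoman points at; without it, the Internet packet is passed and only the private-source packet is caught by the earlier block.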

            These are the only preceding firewall rules:

            Screen Shot 2020-11-16 at 12.22.59 PM.png

            I will get back in touch with my ISP. My ISP doesn’t provide its own router. Their hand-off is the Ethernet port of their ONT (optical network terminal).

            • johnpoz (LAYER 8 Global Moderator)

              And those rules are seeing quite a few hits.. 585MB to bogon??? WTF??

              I am also curious why you're using a telnet client to test ssh access ;)

              But in general, just like when testing any port forwarding: I don't care what the ISP says they don't block or do or whatever. Validate that the traffic you're trying to forward actually hits your WAN..

              A simple 10 second sniff on your WAN interface will give you proof of whether the traffic got there or not.

              Now sniff on the LAN side interface: do you see pfSense send the traffic on?

              It's quite possible the client you're sshing to locally has a firewall that does not allow access from sources other than its local network. Does this ssh host you're trying to hit even use pfSense as its gateway? etc..

              https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat.html

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

                • DominikHoffmann

                I was at the headquarters of my ISP today. They have a Gigabit guest WiFi network at their facility. One of their tech people confirmed for me that there is no outbound port blocking there. Still I could not ssh into my home server.

                  • johnpoz (LAYER 8 Global Moderator)

                  And did you do the 10 second test of just sniffing on your WAN while you're trying to connect? Who says your ISP is blocking? It could be blocked from where you're trying to test from, or anywhere between, etc. etc..

                  You cannot troubleshoot port forwarding until you actually verify pfSense even sees the traffic.. It cannot forward what it never sees.

                  that there is no outbound port blocking there.

                  What about inbound? Which is what you're trying to do, right.. Not outbound..

                    • DominikHoffmann @johnpoz

                    @johnpoz: How do I do that? I haven’t, actually. What tool would I use? Should I do a Diagnostics→Packet Capture?

                    I did. Nothing shows up on the WAN interface that would have the port number 3210 or the WAN IP address of my router or the WAN IP of the network from where I made the ssh attempt. The LAN packet capture successfully showed the connections that were made from the LAN on Port 22.

                      • DominikHoffmann @johnpoz

                      @johnpoz I meant to say that I tested trying to connect to my home server from a network that I know has no outbound port blocking of its own. I had to have their tech verify that on their network outbound traffic on Port 3210 was permitted.

                        • Gertjan @Gertjan

                        So back to this one:

                        Between your pfSense, the pfSense WAN NIC, and your ISP, are some other 'boxes'. One of them is probably your ISP box at your place.
                        Is this a modem? A router?
                        If it's a router, did you NAT port TCP 3210 from its 'WAN' to its LAN, to the WAN IP, port 3210 of your pfSense?
                        Is your WAN IP RFC 1918 = 10/8, 172.16/12, 192.168/16?
                        What happens if you take pfSense out of the network, and hook up your home server directly?
                        @Gertjan said in Mysterious block: Can’t connect to LAN ssh host from WAN:

                        Most typically your upstream ISP router. That one has to be natted to.

                          • johnpoz (LAYER 8 Global Moderator) @DominikHoffmann

                          @DominikHoffmann said in Mysterious block: Can’t connect to LAN ssh host from WAN:

                          The LAN packet capture successfully showed the connections that were made from the LAN on Port 22.

                          And how was that? You connected from pfSense to this server? 2 devices on your LAN, talking to each other, would not show up on a pfSense LAN packet capture.

                          Per what @Gertjan is saying.. Is there something in front of pfSense? Another router, an ISP device? Does pfSense have a public IP on its WAN or an RFC 1918 address? I.e. the address ranges given above.

                            • DominikHoffmann

                            I just spoke with the CTO of my ISP. The support people I have talked to may not have been aware of this, but he zeroed in on the issue right away. My ISP uses NAT to dole out IPs to customers’ routers. So, my LAN address space was essentially double-NATted, and connections to my network originating from the WAN were not routed to my router, because I have no control over that part of the ISP’s infrastructure.

                              • johnpoz (LAYER 8 Global Moderator)

                              Which you wouldn't have had to ask anyone about; just look on your router at what your WAN address is.

                              And it would have been very obvious when you sniffed as well that no packets were getting to your WAN..

                                • DominikHoffmann @johnpoz

                                @johnpoz: I guess I was not familiar with, and did not fully understand, exactly what everything on the pfSense dashboard meant.

                                Screen Shot 2020-11-18 at 5.31.45 PM.png

                                If I had understood, I would have noticed that the IP on the Internet (obscured, green) was not identical to the WAN_DHCP address (circled in red).

                                My ISP has given me a static IP address, and everything works now, including my OpenVPN setup about which I had posted earlier. I am still trying to ascertain why it worked in the first place.

                                Thanks very much to all of you who helped shed light on the issue.

                                  • johnpoz (LAYER 8 Global Moderator)

                                  Or just that 100.68 is a Carrier grade nat IP.. 10.64/10

                                  Well, how it worked in the first place: when it was working you were not on a CGNAT IP..

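The check johnpoz describes (look at what address the WAN interface actually holds, and compare it with the address the outside world sees for you) can be done in a few lines. The following is an added example, not code from the thread or from pfSense. The 100.64.0.0/10 range is the RFC 6598 shared address space used for carrier-grade NAT, and the RFC 1918 ranges are those Gertjan lists; the diagnosis strings and the sample addresses are constructed for illustration, with 100.68.x.x chosen because that is the kind of address the thread ends on.

```python
from ipaddress import ip_address, ip_network
from typing import Optional

# RFC 1918 private ranges, as listed earlier in the thread.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared address space: what an ISP hands out behind carrier-grade NAT.
CGNAT = ip_network("100.64.0.0/10")


def classify_wan_address(addr: str) -> str:
    """Label the kind of address sitting on the WAN interface."""
    a = ip_address(addr)
    if a.version != 4:
        return "ipv6"                  # out of scope for this check
    if a.is_loopback or a.is_link_local:
        return "local"                 # 127/8 or 169.254/16: no usable lease
    if a in CGNAT:
        return "cgnat"
    if any(a in n for n in RFC1918):
        return "rfc1918"
    return "public"


def port_forward_diagnosis(wan_ip: str, external_ip: Optional[str] = None) -> str:
    """Explain why inbound port forwards may never reach pfSense.

    external_ip is the address the Internet sees for you (the dashboard's
    'IP on the Internet' value or any what-is-my-ip service), if known.
    The returned string starts with a short code followed by the reasoning."""
    kind = classify_wan_address(wan_ip)
    if kind == "cgnat":
        return ("cgnat: WAN holds RFC 6598 space, so the ISP NATs upstream; "
                "inbound forwards cannot reach pfSense without a public IP")
    if kind == "rfc1918":
        return ("rfc1918: WAN holds a private address; an upstream router must "
                "forward the port to the pfSense WAN address")
    if kind == "local":
        return "local: WAN has no usable lease; fix connectivity first"
    if kind == "ipv6":
        return "ipv6: not covered by this check"
    if external_ip and ip_address(external_ip) != ip_address(wan_ip):
        return ("mismatch: WAN address differs from the address seen from "
                "outside; some NAT or proxy sits upstream")
    return ("public: pfSense holds the public address; if a WAN sniff shows "
            "nothing, the block is upstream of pfSense or at the client side")


if __name__ == "__main__":
    # Constructed sample values; the second pair mirrors the thread's outcome.
    for wan, seen in (("203.0.113.7", "203.0.113.7"),
                      ("100.68.12.34", "203.0.113.7"),
                      ("192.168.1.2", None)):
        print(wan, "->", port_forward_diagnosis(wan, seen))
```

Note that the standard library's `is_private` flag is not used on purpose: the CGNAT range is neither private nor global in the registry sense, so an explicit membership test is the reliable way to spot it.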
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.