Netgate Discussion Forum
    Mysterious block: Can’t connect to LAN ssh host from WAN

DominikHoffmann:

      I was at the headquarters of my ISP today. They have a Gigabit guest WiFi network at their facility. One of their tech people confirmed for me that there is no outbound port blocking there. Still I could not ssh into my home server.

johnpoz (LAYER 8 Global Moderator):

And did you do the 10 second test of just sniffing on your WAN while you're trying to connect? Who says your ISP is blocking? It could be blocked from where you're trying to test from, or anywhere in between, etc. etc.

You cannot troubleshoot port forwarding until you actually verify pfSense even sees the traffic. It cannot forward what it never sees.

@DominikHoffmann said: "...that there is no outbound port blocking there."

What about inbound? Which is what you're trying to do, right? Not outbound.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

DominikHoffmann @johnpoz:

@johnpoz: How do I do that? I haven't, actually. What tool would I use? Should I do a Diagnostics → Packet Capture?

          I did. Nothing shows up on the WAN interface that would have the port number 3210 or the WAN IP address of my router or the WAN IP of the network from where I made the ssh attempt. The LAN packet capture successfully showed the connections that were made from the LAN on Port 22.

DominikHoffmann @johnpoz:

            @johnpoz I meant to say that I tested trying to connect to my home server from a network that I know has no outbound port blocking of its own. I had to have their tech verify that on their network outbound traffic on Port 3210 was permitted.

Gertjan:

So back to this one:

Between your pfSense, the pfSense WAN NIC, and your ISP, there are some other 'boxes'. One of them is probably your ISP box at your place.
Is this a modem? A router?
If it's a router, did you NAT port TCP 3210 from its 'WAN' to its LAN, to the WAN IP, port 3210, of your pfSense?
Is your WAN IP RFC 1918 = 10/8, 172.16/12, 192.168/16?
What happens if you take pfSense out of the network and hook up your home server directly?

@Gertjan said in Mysterious block: Can’t connect to LAN ssh host from WAN: "Most typically your upstream ISP router. That one has to be NATed too."

Edit: and where are the logs??

No "help me" PM's please. Use the forum, the community will thank you.

johnpoz @DominikHoffmann:

@DominikHoffmann said in Mysterious block: Can’t connect to LAN ssh host from WAN: "The LAN packet capture successfully showed the connections that were made from the LAN on Port 22."

And how was that? You connected from pfSense to this server? Two devices on your LAN talking to each other would not show up on a pfSense LAN packet capture.

Per what @Gertjan is saying: is there something in front of pfSense? Another router, an ISP device? Does pfSense have a public IP on its WAN or an RFC 1918 address, i.e. the address ranges given above?

DominikHoffmann:

I just spoke with the CTO of my ISP. The support people I have talked to may not have been aware of this, but he zeroed in on the issue right away. My ISP uses NAT to dole out IPs to customers' routers. So, my LAN address space was essentially double-NATed, and connections to my network originating from the WAN were not routed to my router, because I have no control over that part of the ISP's infrastructure.

johnpoz:

Which you wouldn't have had to ask anyone about; just look on your router at what your WAN address is.

And it would have been very obvious when you sniffed as well that no packets were getting to your WAN.

DominikHoffmann @johnpoz:

@johnpoz: I guess I did not fully understand exactly what everything on the pfSense dashboard meant.

[Screenshot: Screen Shot 2020-11-18 at 5.31.45 PM.png]

If I had understood, I would have noticed that the IP on the Internet (obscured, green) was not identical to the WAN_DHCP address (circled in red).

My ISP has given me a static IP address, and everything works now, including my OpenVPN setup about which I had posted earlier. I am still trying to ascertain why it worked in the first place.

                      Thanks very much for all of you who helped shed light on the issue.

johnpoz:

Or just that 100.68 is a carrier-grade NAT IP: 100.64/10.

Well, how it worked in the first place is that when it was working you were not on a CGNAT IP.

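The two checks the thread converges on (compare the address pfSense holds on its WAN with the address the outside world sees for you, and sniff the WAN for SYNs to the forwarded port before touching any NAT rule) can be scripted. The block below is an added example, not code from the thread or from pfSense: the WAN address, the "outside view" address and the tcpdump-style capture lines are all constructed (198.51.100.0/24 and 203.0.113.0/24 documentation ranges stand in for public addresses, 100.68.1.2 for a CGNAT lease), and the function names are my own.

```python
"""Added example: is inbound traffic able to reach a pfSense WAN at all?

Check 1: classify the WAN address. RFC 1918 space or 100.64.0.0/10 (RFC 6598,
         carrier-grade NAT) means something upstream is NATing you, and a port
         forward on pfSense can never receive unsolicited inbound connections.
         A public WAN address that differs from what an external lookup returns
         means the same thing.
Check 2: look at a WAN packet capture for SYNs to the forwarded port. If none
         arrive, the problem is upstream of pfSense (or at the client side).
All addresses and capture lines below are constructed for the example.
"""
import ipaddress
import re

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip):
    """Return 'public', 'rfc1918', 'cgnat' or 'other' for an IPv4 WAN address."""
    ip = ipaddress.ip_address(wan_ip)
    if ip.version != 4:
        return "other"
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return "other"
    return "public"


def upstream_nat_verdict(wan_ip, observed_ip):
    """wan_ip: the address pfSense shows on its WAN interface (dashboard WAN_DHCP).
    observed_ip: the address an external 'what is my IP' lookup reports.
    Returns (reachable, reason)."""
    kind = classify_wan(wan_ip)
    if kind == "cgnat":
        return False, "WAN is in 100.64.0.0/10: ISP carrier-grade NAT, inbound cannot reach you"
    if kind == "rfc1918":
        return False, "WAN is RFC 1918: the router/ISP box in front of pfSense must forward the port"
    if kind != "public":
        return False, "WAN address is not a routable unicast address"
    if ipaddress.ip_address(wan_ip) != ipaddress.ip_address(observed_ip):
        return False, "WAN is public but differs from the outside view: traffic is NATed upstream"
    return True, "pfSense holds the public address; inbound forwards can work"


# Capture lines in tcpdump's default text format, as produced by
# Diagnostics > Packet Capture on the WAN interface, or on the console with:
#   tcpdump -ni <wan_if> 'tcp dst port 3210 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
_LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]"
)


def inbound_syns(capture_lines, port):
    """Return (src_ip, dst_ip) for every pure TCP SYN addressed to `port`."""
    hits = []
    for line in capture_lines:
        m = _LINE.search(line)
        if not m:
            continue
        src, _sport, dst, dport, flags = m.groups()
        # "S" is a SYN; "S." is a SYN-ACK (our reply), which is not inbound.
        if int(dport) == port and "S" in flags and "." not in flags:
            hits.append((src, dst))
    return hits


def diagnose(wan_ip, observed_ip, capture_lines, port):
    """Run the checks in the order the thread suggests and return a verdict."""
    ok, reason = upstream_nat_verdict(wan_ip, observed_ip)
    if not ok:
        return "upstream: " + reason
    if not inbound_syns(capture_lines, port):
        return "no SYN to port %d reached the WAN: blocked upstream or at the client side" % port
    return "SYNs reach the WAN: now check the pfSense NAT rule and the host's own firewall"


# Constructed capture: one inbound SYN to 3210, our SYN-ACK back, one unrelated SYN to 443.
SAMPLE_CAPTURE = [
    "12:00:00.000001 IP 198.51.100.23.40001 > 203.0.113.7.3210: Flags [S], seq 0, win 64240, length 0",
    "12:00:00.000200 IP 203.0.113.7.3210 > 198.51.100.23.40001: Flags [S.], seq 0, ack 1, length 0",
    "12:00:00.000300 IP 198.51.100.23.40002 > 203.0.113.7.443: Flags [S], seq 0, win 64240, length 0",
]

if __name__ == "__main__":
    # The thread's situation: a 100.68.x.x lease on the WAN, public address elsewhere.
    print(diagnose("100.68.1.2", "203.0.113.7", SAMPLE_CAPTURE, 3210))
    # After the ISP assigned a static public address.
    print(diagnose("203.0.113.7", "203.0.113.7", SAMPLE_CAPTURE, 3210))
```

The address comparison is done before the capture is even read, because on a CGNAT or RFC 1918 WAN the capture will always be empty for inbound SYNs and there is nothing to tune in pfSense; the only fixes are a forward on the upstream device (if you control it), a public or static address from the ISP, or an outbound tunnel from the LAN to something that does have a public address.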
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.