Netgate Discussion Forum
pfSense - Enable ssh (port 22) access through the WAN using terminal/console/shell

General pfSense Questions
17 Posts 4 Posters 4.6k Views
  eduardolucioac (Jun 11, 2021, 12:24 AM)

    We need to enable pfSense ssh (port 22) access through the WAN interface to perform certain configurations using pfSense's terminal/console/shell.

    Actions already taken...

    • "Secure Shell (sshd)" has already been enabled via pfSense console option 14 ("14) Enable Secure Shell (sshd)");
    • We ran the command easyrule pass wan tcp any any 22 to allow access to ssh (port 22);
    • Using option 12 ("12) PHP shell + pfSense tools") we executed the commands...

        $config['system']['ssh']['enable'] = "enabled";
        write_config();
        exec

    ... and...

        $config['system']['enablesshd'] = "true";
        write_config();
        exec

    ... and...

        playback enablesshd

    Situation...

    • Using the option "Filter Logs" (10) we observed that calls to ssh (port 22) are being blocked;
    • Turning off the firewall with the command pfctl -d we can access ssh (port 22) normally.

    IMPORTANT: We need to enable access to sshd (port 22) through pfSense's terminal/console/shell.

    PLUS: We know that access can be allowed through the GUI (http/web GUI), but we need this initial access to be allowed through the pfSense terminal/console/shell.

    NOTE: We know that allowing access via ssh (port 22) on the WAN interface is not recommended, but initially it is necessary for us.

    Thanks! =D

    JKnott (Jun 11, 2021, 12:58 AM)

      Did you create a rule to allow ssh?

      BTW, use shared keys to connect, not passwords. Instead of allowing ssh directly, I allow only OpenVPN to connect.

      KOM @eduardolucioac (Jun 11, 2021, 12:59 AM, edited 1:01 AM)

        @eduardolucioac It works for me. Do you have tcp/22 NAT'd to some other address perhaps? I mention this because my lab test initially failed because I already had tcp/22 NAT'd to an internal server that wasn't powered on. Do you have multi-WAN?

        eduardolucioac @JKnott (Jun 11, 2021, 1:12 AM)

          @jknott

          You talk about this...

              easyrule pass wan tcp any any 22

          ... ?

          If not... What command should I use to create the necessary rule using pfSense's terminal/console/shell?

          Thanks! =D

          eduardolucioac @KOM (Jun 11, 2021, 1:19 AM)

            @kom

            Do you have tcp/22 NAT'd to some other address perhaps?

            I didn't quite understand your question, but I don't think so. Anyway, pfSense does not initially have any kind of configuration and I can also say that if we turn off the firewall with the pfctl -d command we can access ssh (port 22) normally.

            Do you have multi-WAN?

            No. I have only one network interface serving as a WAN.

            Thanks! =D

            KOM @eduardolucioac (Jun 11, 2021, 1:20 AM, edited 1:21 AM)

              @eduardolucioac OK, I just went back to factory defaults and configured it again and again it works for me. Post a screenshot of your WAN rules with any public details obscured. Let's see what's going on.

              Edit: In your example, you don't have a ; after your exec. I don't know if that makes a difference or not but the docs show exec;

              eduardolucioac @KOM (Jun 11, 2021, 1:28 AM)

                @kom

                Post a screenshot of your WAN rules with any public details obscured. Let's see what's going on.

                What command can I perform to provide the information you need?

                In your example, you don't have a ; after your exec.[...]

                No. The lack of ";" does not cause any problem.

                KOM @eduardolucioac (Jun 11, 2021, 1:49 AM)

                  @eduardolucioac It depends on your OS. Use whatever tool/utility you can get and take a screen. On Windows you can do a shift-PrtScn and then paste it into Paint or whatever. To post it, use the icon that's second from the far right (Upload Image).

                  Also, is your WAN using a private (RFC1918) IP address? Are you trying to access it from the Internet or another LAN? What is the description of the block in the log, eg. Default deny rule IPv4 (1000000103)?

                  eduardolucioac @KOM (Jun 11, 2021, 5:15 PM)

                    @kom

                    Also, is your WAN using a private (RFC1918) IP address?

                    Yes.

                    Are you trying to access it from the Internet or another LAN?

                    From another LAN.

                    For...

                    It depends on your OS. Use whatever tool/utility you can get and take a screen.[...]

                    ... and...

                    What is the description of the block in the log, eg. Default deny rule IPv4 (1000000103)?

                    ... here is a complete set of information...

                    • PF RULESET
                      • Generated rules (attachments: cat_tmp_rules_debug.txt, cat_etc_inc_filter_inc.txt):

                          cat /tmp/rules.debug
                          cat /etc/inc/filter.inc

                      • Interpreted rules:

                        . Show firewall rules (attachment: pfctl_-sr.txt)...

                            pfctl -sr

                        . NAT rules (attachment: pfctl_-sn.txt)...

                            pfctl -sn

                        . All rules (attachment: pfctl_-sa.txt)...

                            pfctl -sa

                        . More verbose output including rule counters, ID numbers, and so on (attachment: pfctl_-vvsr.txt)...

                            pfctl -vvsr

                        . Additional rules in anchors from packages or features such as UPnP (attachment: pfSsh_php_playback_pfanchordrill.txt)...

                            pfSsh.php playback pfanchordrill

                    • FIREWALL LOG
                      • Parsed log (attachment: cat_var_log_filter_log_x_filterparser_php.txt)...

                          cat /var/log/filter.log | filterparser.php

                      • Raw log (attachment: cat_var_log_filter_log.txt)...

                          cat /var/log/filter.log

                    Thanks! =D

                    [Ref(s).: Viewing the pf ruleset, Viewing the Firewall Log]

                    eduardolucioac @KOM (Jun 11, 2021, 5:17 PM)

                      @kom

                      [...] I just went back to factory defaults and configured it again and again it works for me.[...]

                      What version of pfSense are you using? I am using 2.5.1.

                      KOM @eduardolucioac (Jun 11, 2021, 5:27 PM)

                        @eduardolucioac 21.05

                        If your WAN is private, did you set the interface to not automatically block all rfc1918 traffic (Interfaces - WAN - Reserved Networks)?

                        eduardolucioac @KOM (Jun 11, 2021, 5:34 PM)

                          @kom

                          If your WAN is private, did you set the interface to not automatically block all rfc1918 traffic (Interfaces - WAN - Reserved Networks)?

                          I believe it is not blocking. But how can I confirm this?

                          KOM @eduardolucioac (Jun 11, 2021, 5:37 PM)

                            @eduardolucioac I told you already. Go to Interfaces - WAN. Scroll down to Reserved Networks at the bottom. Uncheck Block private networks and loopback addresses. You want this checked if your WAN is public, unchecked if WAN is private and you want to allow inbound connections from other LANs.

                            eduardolucioac @KOM (Jun 11, 2021, 5:53 PM)

                              @kom

                              I told you already. Go to Interfaces - WAN. Scroll down to Reserved Networks at the bottom. Uncheck Block private networks and loopback addresses. You want this checked if your WAN is public, unchecked if WAN is private and you want to allow inbound connections from other LANs.

                              It is true. You already said that. I didn't understand. Sorry! 😀

                              This is the option noted in this post Block private networks and loopback addresses .

                              However I have a question... How can I do this using pfSense's terminal/console/shell?

                              Thanks! 😊

                              KOM @eduardolucioac (Jun 11, 2021, 6:17 PM)

                                @eduardolucioac Duh, sorry I forgot you were limited to console only.

                                Try:

                                $config['interfaces']['wan']['blockpriv'] = "";
                                

                                I'm not sure how to set this though. "" may work, or there may be some other way to null the value. If you uncheck from GUI, save then check the config file, the <blockpriv>on</blockpriv> line is missing entirely. I don't know how to delete a line from config.

                                jimp, Netgate developer, @KOM (Jun 11, 2021, 6:23 PM)

                                  @kom said in pfSense - Enable ssh (port 22) access through the WAN using terminal/console/shell:

                                  I'm not sure how to set this though. "" may work, or there may be some other way to null the value. If you uncheck from GUI, save then check the config file, the <blockpriv>on</blockpriv> line is missing entirely. I don't know how to delete a line from config.

                                  unset($config['interfaces']['wan']['blockpriv']);
                                  

                                  eduardolucioac (Jun 11, 2021, 7:35 PM)

                                    Below is the complete process to enable access to the pfSense server's sshd (ssh, port 22) from a private network...

                                    Using option 8 ("8) Shell"), turn off the firewall with the command...

                                        pfctl -d

                                    ... and access the pfSense server through ssh (port 22)...

                                        ssh root@<PFSENSE_SRV_IP>

                                    ... using the initial password "pfsense".

                                    TIP: We recommend changing the initial password.

                                    Using option 12 ("12) PHP shell + pfSense tools"), perform the commands...

                                        unset($config['interfaces']['wan']['blockpriv']);
                                        write_config();
                                        exec;

                                    ... and exit...

                                        exit

                                    Using option 8 ("8) Shell") again, add a rule to allow access through port 22 on the WAN interface...

                                        easyrule pass wan tcp any any 22

                                    TIP: The "any any" parameters allow you to restrict the source IP and destination IP respectively.

                                    NOTE: The above command will turn on the firewall (same as pfctl -e) and this will drop the current ssh connection (port 22), but subsequent ssh connections will be allowed.

                                    PLUS: For more explanation about why private networks and loopback addresses are blocked by default on WAN, see Block private networks - What does that do, what is it used for ? and Address Allocation for Private Internets.

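The procedure above can be verified without the GUI by reading the saved configuration back, which also answers the "how can I confirm this?" question from earlier in the thread. The script below is an added example written for this page, not code from the thread or from pfSense. It parses a config.xml and reports whether the three things the thread ended on are all in place: sshd enabled (the 2.5.x key system/ssh/enable or the older system/enablesshd), no <blockpriv> element on the WAN (pfSense treats the element as set whenever it exists, which is why jimp's unset() is needed rather than assigning ""), and an enabled WAN pass rule for tcp/22. It also flags a pass rule whose source is "any", which is the exposure JKnott's key-only or VPN advice addresses. The embedded config is constructed for the example, not a real export; on a real box the file is /cf/conf/config.xml, and the script assumes a python3 interpreter (pfSense 2.5.x includes one; otherwise run it against a copy of the file on another host).

```python
#!/usr/bin/env python3
"""Audit a pfSense config.xml for console-only SSH-on-WAN enablement.

Added example for this thread, not pfSense code. It checks:
  1. sshd is enabled (2.5.x key system/ssh/enable or older system/enablesshd),
  2. the WAN interface does NOT carry <blockpriv> (pfSense treats the element
     as set whenever it exists, hence unset() rather than assigning ""),
  3. an enabled 'pass' rule on WAN for tcp to the sshd port exists.
Usage on the box (assumes python3 is present):  python3 audit_ssh_wan.py /cf/conf/config.xml
"""
import sys
import xml.etree.ElementTree as ET


def _source_of(rule):
    """Render a rule's <source> the way a reviewer reads it: 'any' or an address/network."""
    src = rule.find("source")
    if src is None or src.find("any") is not None:
        return "any"
    return src.findtext("address") or src.findtext("network") or "?"


def audit_ssh_wan(xml_text, wan="wan", port="22"):
    root = ET.fromstring(xml_text)
    system = root.find("system")
    new_key = system.find("ssh/enable") if system is not None else None
    old_key = system.find("enablesshd") if system is not None else None
    sshd_enabled = bool(
        (new_key is not None and (new_key.text or "").strip())
        or old_key is not None
    )

    # Presence of <blockpriv>, even empty, means "Block private networks" is on.
    wan_node = root.find("interfaces/" + wan)
    blockpriv = wan_node is not None and wan_node.find("blockpriv") is not None

    pass_rules = []
    for rule in root.findall("filter/rule"):
        if rule.find("disabled") is not None:
            continue
        if (rule.findtext("interface") == wan
                and rule.findtext("type") == "pass"
                and rule.findtext("protocol") == "tcp"
                and rule.findtext("destination/port") == port):
            pass_rules.append({"descr": rule.findtext("descr") or "",
                               "source": _source_of(rule)})

    problems = []
    if not sshd_enabled:
        problems.append("sshd is not enabled in <system>")
    if blockpriv:
        problems.append("<blockpriv> present on %s: RFC1918 sources are dropped "
                        "before any pass rule is evaluated" % wan)
    if not pass_rules:
        problems.append("no enabled pass rule on %s for tcp/%s" % (wan, port))
    warnings = ["pass rule '%s' allows source any; restrict it or put SSH behind a VPN"
                % r["descr"] for r in pass_rules if r["source"] == "any"]
    return {"sshd_enabled": sshd_enabled, "blockpriv": blockpriv,
            "pass_rules": pass_rules, "problems": problems,
            "warnings": warnings, "reachable": not problems}


# Constructed sample config (not a real pfSense export): sshd on, the easyrule
# from the thread present, and <blockpriv> toggled between the two states.
_TEMPLATE = """<pfsense>
  <system>
    <hostname>pfSense</hostname>
    <ssh><enable>enabled</enable></ssh>
  </system>
  <interfaces>
    <wan><if>em0</if>{blockpriv}</wan>
    <lan><if>em1</if></lan>
  </interfaces>
  <filter>
    <rule>
      <type>pass</type><interface>wan</interface>
      <ipprotocol>inet</ipprotocol><protocol>tcp</protocol>
      <source><any></any></source>
      <destination><any></any><port>22</port></destination>
      <descr>Easy Rule: Passed from Firewall Log View</descr>
    </rule>
  </filter>
</pfsense>
"""
SAMPLE_BEFORE = _TEMPLATE.format(blockpriv="<blockpriv></blockpriv>")  # OP's stuck state
SAMPLE_AFTER = _TEMPLATE.format(blockpriv="")  # after unset() + write_config()


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_BEFORE
    result = audit_ssh_wan(text)
    for line in result["problems"]:
        print("PROBLEM:", line)
    for line in result["warnings"]:
        print("WARNING:", line)
    print("ssh on WAN reachable:", result["reachable"])
    return 0 if result["reachable"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no argument to see the two constructed states; with a path it reads that file. The presence test for <blockpriv> mirrors what the thread discovered: KOM's `= ""` leaves the element in place and the block stays active, while jimp's `unset()` removes it.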
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.