Netgate Discussion Forum

    autossh on pfsense

    16 Posts 3 Posters 1.6k Views
    _sKo_

      Hi all,

      I'm trying to establish a reverse ssh tunnel from a pfsense firewall to a MySql server in the WAN.
      This is needed because the MySql server accepts only local connections.

      I found this guide about FreeBSD (https://project.altservice.com/issues/834) but in the pkg pfsense's repository the autossh package is not available.

      Any advice?

      johnpoz LAYER 8 Global Moderator @_sKo_

        @ltrivellizzi said in autossh on pfsense:

        a MySql server in the WAN.

        You mean on the wan net on pfsense, or do you mean the internet or some remote network that is not actually your "wan net" but that you access through your wan net?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        _sKo_ @johnpoz

          @johnpoz the server is on the WAN net of the firewall and still in a LAN. No internet, no remote network.

          stephenw10 Netgate Administrator

            That link fails for me so I'm not sure exactly what you're trying to achieve here. Is this a one time thing? What are you connecting to the server with?
            There are many ways you could do this. A VPN would work.

            Steve

            johnpoz LAYER 8 Global Moderator @_sKo_

              @ltrivellizzi well, if it was actually on your pfsense "wan net" then to it the connection would be coming from the pfsense wan IP (unless you turned off nat on pfsense). So to it the connection would be from its local network.


              stephenw10 Netgate Administrator

                Ah, I assumed he was trying to use pfSense as a proxy so he could connect to the server from some external location.

                johnpoz LAYER 8 Global Moderator @stephenw10

                  @stephenw10 that is not how I took it.

                  But if he has this

                  mysql -- wan net -- pfsense -- lan net -- client

                  And the client wants to talk to mysql: unless he turned off nat on pfsense to mysql, the connection would be coming from the pfsense wan net IP. So to mysql that would be its local network.

                  You sure it's a "wan" to pfsense? Out of the box pfsense would nat the lan side network to the wan net IP. But if that is not really a wan to pfsense, ie no internet or other networks accessed through that network, then it would not be natting.

                  If that is the case, to make it look like the local network to mysql you would need to do an outbound nat from your lan net to the wan net IP. This is done by default when pfsense actually has a wan, ie a connection it uses to get to other networks - a gateway set on the interface.


                    stephenw10 Netgate Administrator

                    Mmm, hence my assumption it was for external access. Also that's what that guide describes.

                    However in that setup autossh needs to be installed on the mysql server not pfSense.

                    Use a VPN!

                    Steve

                      _sKo_

                      Hi all,

                      the schema is like mysql -- wan net -- pfsense -- lan net -- client, like @johnpoz stated, and the client needs to talk to mysql, but mysql does not accept connections from the local network, only from localhost.

                      I've routers built up with ubuntu and iptables that have an ssh tunnel to the MySql server configured like 3306:localhost:3306.
                      These tunnels are established via autossh to make them permanent.
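The persistent forward this post describes (router listens on 3306, ssh carries it to the MySQL host's loopback), written up as an added example that is not code from the thread. The host name, account, key path and log/pid paths are assumptions; the `AUTOSSH_*` variables are the ones the usage text later in the thread documents.

```shell
#!/bin/sh
# Added example, not from the thread: a POSIX sh wrapper for the persistent
# local forward the post describes (router:3306 -> ssh -> mysql host -> 127.0.0.1:3306).
# Hostnames, the account name, the key path and the log/pid paths are assumptions.

MYSQL_HOST="${MYSQL_HOST:-mysql.example.lan}"                 # assumed SSH endpoint
MYSQL_SSH_USER="${MYSQL_SSH_USER:-tunnel}"                    # assumed unprivileged account
TUNNEL_KEY="${TUNNEL_KEY:-/root/.ssh/mysql_tunnel_ed25519}"   # assumed key path
LOCAL_BIND="${LOCAL_BIND:-127.0.0.1}"   # where the router listens; loopback unless LAN clients must reach it
LOCAL_PORT="${LOCAL_PORT:-3306}"
TUNNEL_PIDFILE="${TUNNEL_PIDFILE:-/var/run/mysql_tunnel.pid}"
TUNNEL_LOG="${TUNNEL_LOG:-/var/log/mysql_tunnel.log}"

# Build the autossh command line. Returning it as a string lets an operator
# review it (and lets a test check it) before anything is launched.
#   -M 0                  : no monitor port; liveness comes from ServerAlive* below
#   -N                    : no remote command, port forwarding only
#   ExitOnForwardFailure  : ssh exits if the local port cannot be bound, so autossh retries
#   BatchMode             : never prompt, so a passphrase prompt cannot hang the restart loop
#   StrictHostKeyChecking : fail closed if the server's host key changes instead of asking
tunnel_cmd() {
    printf '%s' "autossh -M 0 -f -N" \
        " -o ServerAliveInterval=30 -o ServerAliveCountMax=3" \
        " -o ExitOnForwardFailure=yes -o BatchMode=yes" \
        " -o StrictHostKeyChecking=yes -o IdentitiesOnly=yes" \
        " -i $TUNNEL_KEY" \
        " -L ${LOCAL_BIND}:${LOCAL_PORT}:127.0.0.1:3306" \
        " ${MYSQL_SSH_USER}@${MYSQL_HOST}"
}

# Launch under autossh with a pid file and its own log file so the restarts
# are visible. -f already sets AUTOSSH_GATETIME to 0 (see the usage text).
start_tunnel() {
    [ -r "$TUNNEL_KEY" ] || { echo "key $TUNNEL_KEY not readable" >&2; return 1; }
    AUTOSSH_PIDFILE="$TUNNEL_PIDFILE" AUTOSSH_LOGFILE="$TUNNEL_LOG" \
        AUTOSSH_POLL=60 AUTOSSH_FIRST_POLL=30 \
        eval "$(tunnel_cmd)"
}

# True if something is listening on the forwarded port: sockstat on
# FreeBSD/pfSense, ss on Linux routers like the Ubuntu ones in the post.
tunnel_listening() {
    if command -v sockstat >/dev/null 2>&1; then
        sockstat -4 -l | grep -q ":${LOCAL_PORT} "
    else
        ss -Hltn 2>/dev/null | grep -q ":${LOCAL_PORT} "
    fi
}

# Usage from an rc script or cron: ". ./mysql_tunnel.sh; tunnel_listening || start_tunnel"
```

Binding the listener to `127.0.0.1` means only processes on the router itself can use the forward; if LAN clients must reach it, set `LOCAL_BIND` to the router's LAN address and pair it with a firewall rule, since every client that can reach that port is, from MySQL's point of view, "localhost".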

                        stephenw10 Netgate Administrator

                        You can just install it from the FreeBSD repo and since it appears to have no dependencies it's relatively low risk:

                        [22.01-RELEASE][admin@cedev-4.stevew.lan]/root: pkg add http://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/autossh-1.4g.pkg
                        Fetching autossh-1.4g.pkg: 100%   23 KiB  23.5kB/s    00:01    
                        Installing autossh-1.4g...
                        Extracting autossh-1.4g: 100%
                        [22.01-RELEASE][admin@cedev-4.stevew.lan]/root: rehash
                        [22.01-RELEASE][admin@cedev-4.stevew.lan]/root: autossh
                        usage: autossh [-V] [-M monitor_port[:echo_port]] [-f] [SSH_OPTIONS]
                        
                            -M specifies monitor port. May be overridden by environment
                               variable AUTOSSH_PORT. 0 turns monitoring loop off.
                               Alternatively, a port for an echo service on the remote
                               machine may be specified. (Normally port 7.)
                            -f run in background (autossh handles this, and does not
                               pass it to ssh.)
                            -V print autossh version and exit.
                        
                        Environment variables are:
                            AUTOSSH_GATETIME    - how long must an ssh session be established
                                                  before we decide it really was established
                                                  (in seconds). Default is 30 seconds; use of -f
                                                  flag sets this to 0.
                            AUTOSSH_LOGFILE     - file to log to (default is to use the syslog
                                                  facility)
                            AUTOSSH_LOGLEVEL    - level of log verbosity
                            AUTOSSH_MAXLIFETIME - set the maximum time to live (seconds)
                            AUTOSSH_MAXSTART    - max times to restart (default is no limit)
                            AUTOSSH_MESSAGE     - message to append to echo string (max 64 bytes)
                            AUTOSSH_PATH        - path to ssh if not default
                            AUTOSSH_PIDFILE     - write pid to this file
                            AUTOSSH_POLL        - how often to check the connection (seconds)
                            AUTOSSH_FIRST_POLL  - time before first connection check (seconds)
                            AUTOSSH_PORT        - port to use for monitor connection
                            AUTOSSH_DEBUG       - turn logging to maximum verbosity and log to
                                                  stderr
                        

                        But be aware of the risks:
                        https://docs.netgate.com/pfsense/en/latest/recipes/freebsd-pkg-repo.html

                        Steve

                          johnpoz LAYER 8 Global Moderator @_sKo_

                          @ltrivellizzi said in autossh on pfsense:

                          but only from localhost.

                          Why don't you just allow network connections? That would be a way easier solution. It's not like you're opening up to the public internet; you're allowing access from your own local IPs.

                          edit:
                          Doesn't mysql just default to binding to 127.0.0.1? In the mysqld.cnf, changing that to actually bind to the box's IP, or all zeros, should allow you access from your clients.


                            _sKo_

                            @johnpoz I'm just trying to stick as much as possible to the "as is" situation.

                              johnpoz LAYER 8 Global Moderator @_sKo_

                              @_sko_ said in autossh on pfsense:

                              "as is" situation.

                              But its a horrible solution..

                              You want/need to access something from your network, but that thing defaults to only listening on loopback. So you set up an ssh connection and trick it into thinking you're local. So you have created complexity for no reason, and it's going to be a performance hit: running traffic through any sort of tunnel adds overhead and requires resources to perform the encryption and decryption of the traffic.

                              Vs just changing 127.0.0.1 in the conf file to 0.0.0.0 ?

                              Occam’s Razor vs Rube Goldberg

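The two `bind-address` values argued over in this post and the earlier one about mysqld.cnf (`127.0.0.1` versus `0.0.0.0`), with a third, narrower option beside them, as an added example that is not part of the thread. It reads the effective setting the way the server does (last assignment in `[mysqld]` wins) and classifies what it exposes; the three config files are constructed in temp files and `192.0.2.10` is an assumed LAN address for the MySQL host.

```shell
#!/bin/sh
# Added example, not from the thread: read the effective bind-address from the
# [mysqld] section of a MySQL/MariaDB config and classify what it exposes.
# The three config files below are constructed in temp files; 192.0.2.10 is an
# assumed server LAN address (documentation range), not anyone's real host.

# Print the effective bind-address (the last one in [mysqld] wins, as the
# server itself reads it). Empty output means it is unset, which MySQL treats
# as "*" (listen on all interfaces).
mysql_bind_address() {
    awk -F= '
        /^[[:space:]]*\[/ { in_mysqld = ($0 ~ /^[[:space:]]*\[mysqld\][[:space:]]*$/); next }
        in_mysqld && $1 ~ /^[[:space:]]*bind[-_]address[[:space:]]*$/ {
            v = $2
            sub(/[[:space:]]*#.*$/, "", v)             # strip trailing comment
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)  # trim
            last = v
        }
        END { print last }
    ' "$1"
}

# loopback : only local clients (and tunnels/rinetd terminating on the host)
# specific : one interface; pair it with a pfSense rule and host-limited grants
# wildcard : every interface, which is what 0.0.0.0, "*" or an unset value give
mysql_bind_class() {
    case "$(mysql_bind_address "$1")" in
        ''|'*'|0.0.0.0|::)       echo wildcard ;;
        127.0.0.1|localhost|::1) echo loopback ;;
        *)                       echo specific ;;
    esac
}

TMPD=$(mktemp -d)

# Distribution default: loopback only (the situation the thread starts from).
CFG_LOOPBACK="$TMPD/default.cnf"
cat > "$CFG_LOOPBACK" <<'EOF'
[mysqld]
bind-address = 127.0.0.1
EOF

# The quick fix proposed in the post: every interface the host has.
CFG_WILDCARD="$TMPD/wildcard.cnf"
cat > "$CFG_WILDCARD" <<'EOF'
[mysqld]
bind-address = 0.0.0.0   # reachable from any network the host sits on
EOF

# Narrower alternative: only the interface facing pfSense. Filter the rest at
# the firewall and in the account grants ('app'@'192.0.2.%' rather than '%').
CFG_SPECIFIC="$TMPD/lan.cnf"
cat > "$CFG_SPECIFIC" <<'EOF'
[client]
port = 3306

[mysqld]
bind_address = 192.0.2.10
EOF

# Usage: for f in "$CFG_LOOPBACK" "$CFG_WILDCARD" "$CFG_SPECIFIC"; do
#            echo "$f: $(mysql_bind_class "$f")"; done
```

The classifier treats both spellings MySQL accepts (`bind-address` and `bind_address`) and ignores the same key under other sections such as `[client]`, which is the usual way a setting "doesn't take".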

                                _sKo_ @johnpoz

                                @johnpoz I see your point, but the tunnel lets the MySql server be configured in a more secure way. But @stephenw10 just made me stop thinking about this solution because of the warnings in the linked page.

                                Thanks for the support and the help!

                                  johnpoz LAYER 8 Global Moderator @_sKo_

                                  @_sko_ said in autossh on pfsense:

                                  tunnel let the MySql server to be configured in a more secure way

                                  So you have hackers or botware running on your local network?

                                  You stated that this "wan" is not connected to the internet. So who has access to this "network" where this mysql box sits? Your devices, your users? Are your own devices and users considered hostile?

                                  And these devices need to go through pfsense to get to the mysql box, do they not? So the simple, non Rube Goldberg setup to secure access to this device is a rule on pfsense to limit who can talk to it and on what port.

                                  If you're routing traffic through pfsense via this ssh tunnel, how is it any different than allowing access just via a firewall rule?

                                  The only way this becomes more secure is that stuff on the same network as the mysql box wouldn't be able to access it. So again, going with the Occam's razor approach, which is simpler: isolate this box from others on its own network via a firewall on the host, or a private vlan, or just putting it in its own limited network where the bad guys don't sit, etc.

                                  You do you - but your approach, as you have described your setup, seems over complicated and is more likely to cause performance issues and connectivity issues than any added security.


                                    _sKo_ @johnpoz

                                    @johnpoz said in autossh on pfsense:

                                    @_sko_ said in autossh on pfsense:

                                    tunnel let the MySql server to be configured in a more secure way

                                    So you have hackers or botware running on your local network?

                                    You stated that this "wan" is not connected to the internet. So who has access to this "network" where this mysql box sits? Your devices, your users? Are you own devices and users considered hostile?

                                    I stated it wrong. Sorry, but my English is a little bit rusty. The local network has a gateway and is connected to the internet, but you are right, it's just a too complicated solution for the problem.

                                    I just enabled a rinetd rule for the pfsense firewall in the MySql server et voilà.

                                    Thanks!
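The rinetd arrangement the poster settled on, as an added example that is not code from the thread: rinetd on the MySQL host accepts on the LAN-facing address, hands the connection to the loopback listener, and an `allow` rule limits accepted sources to the pfSense address that NATed LAN clients arrive from. `192.0.2.10` (MySQL host) and `192.0.2.1` (pfSense WAN address) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the rinetd approach the poster settled on,
# expressed as a config generator plus a checker for its allow rules.
# Addresses are assumptions: 192.0.2.10 = MySQL host, 192.0.2.1 = pfSense WAN
# address (what LAN clients appear as after outbound NAT).

MYSQL_HOST_IP="${MYSQL_HOST_IP:-192.0.2.10}"
PFSENSE_WAN_IP="${PFSENSE_WAN_IP:-192.0.2.1}"

# Emit rinetd.conf: one forward from the LAN-facing address to the loopback
# listener, followed by the allow rule that applies to that forward. Once any
# allow rule exists, rinetd rejects every source that matches none of them.
rinetd_conf() {
    cat <<EOF
# bindaddress bindport connectaddress connectport
$MYSQL_HOST_IP 3306 127.0.0.1 3306
allow $PFSENSE_WAN_IP
EOF
}

# rinetd matches allow/deny patterns with '*' (any run of characters) and
# '?' (one character), the same wildcards as shell globs, so an unquoted
# case pattern evaluates them directly. Returns 0 when source address $1
# would be accepted by the allow lines of the config read from stdin.
rinetd_allowed() {
    ip=$1
    while read -r kw pattern _; do
        [ "$kw" = allow ] || continue
        case "$ip" in $pattern) return 0 ;; esac
    done
    return 1
}

# Check a source address against the generated config.
check_source() {
    rinetd_conf | rinetd_allowed "$1"
}

# Usage: rinetd_conf > /etc/rinetd.conf; check_source 192.0.2.1 && echo accepted
```

One consequence worth keeping in mind: MySQL sees every forwarded connection as coming from 127.0.0.1, so `'user'@'localhost'` grants apply to all of them and MySQL's own host-based grants can no longer tell clients apart. The `allow` line and the pfSense rule are the only source filters left, which is why the allow pattern should name the firewall address rather than a wildcard.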

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.