autossh on pfsense
-
Hi all,
I'm trying to establish a reverse ssh tunnel from a pfsense firewall to a MySql server in the WAN.
This is needed because the MySql server accepts only local connections. I found this guide about FreeBSD (https://project.altservice.com/issues/834) but in the pfsense pkg repository the autossh package is not available.
Any advice?
-
@ltrivellizzi said in autossh on pfsense:
a MySql server in the WAN.
You mean on the wan net on pfsense, or you mean the internet or some remote network that is not actually your "wan net" that you access through your wan net.
-
@johnpoz the server is on the WAN net of the firewall and still in a LAN. No internet, no remote network.
-
That link fails for me so I'm not sure exactly what you're trying to achieve here. Is this a one time thing? What are you connecting to the server with?
There are many ways you could do this. A VPN would work.
Steve
-
@ltrivellizzi well if it was actually on your pfsense "wan net" then to it the connection would be coming from pfsense wan IP (unless you turned off nat on pfsense).. So to it the connection would be from its local network.
-
Ah, I assumed he was trying to use pfSense as a proxy so he could connect to the server from some external location.
-
@stephenw10 that is not how I took it.
But if he has this
mysql -- wan net -- pfsense -- lan net -- client
And client wants to talk to mysql, unless he turned off nat on pfsense to mysql the connection would be coming from pfsense wan net IP. So to mysql that would be its local network.
You sure it's a "wan" to pfsense - out of the box pfsense would nat lan side network to wan net IP. But if that is not really a wan to pfsense, ie no internet or other network access through that network, then it would not be natting.
If that is the case, to make it look like local network to mysql you would need to do an outbound nat from your lan net to the wan net IP. This is done by default when pfsense actually has a wan, ie a connection it uses to get to other networks - a gateway set on the interface.
-
Mmm, hence my assumption it was for external access. Also that's what that guide describes.
However in that setup autossh needs to be installed on the mysql server not pfSense.
Use a VPN!
Steve
-
Hi all,
the schema is like mysql -- wan net -- pfsense -- lan net -- client, like @johnpoz stated, and the client needs to talk to mysql but mysql does not accept connections from the local network, only from localhost.
I have routers built with ubuntu and iptables that have an ssh tunnel to the MySql server configured like 3306:localhost:3306.
These tunnels are established via autossh to make them permanent.
-
You can just install it from the FreeBSD repo and since it appears to have no dependencies it's relatively low risk:

    [22.01-RELEASE][admin@cedev-4.stevew.lan]/root: pkg add http://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/autossh-1.4g.pkg
    Fetching autossh-1.4g.pkg: 100%   23 KiB  23.5kB/s    00:01
    Installing autossh-1.4g...
    Extracting autossh-1.4g: 100%
    [22.01-RELEASE][admin@cedev-4.stevew.lan]/root: rehash
    [22.01-RELEASE][admin@cedev-4.stevew.lan]/root: autossh
    usage: autossh [-V] [-M monitor_port[:echo_port]] [-f] [SSH_OPTIONS]

        -M specifies monitor port. May be overridden by environment
           variable AUTOSSH_PORT. 0 turns monitoring loop off.
           Alternatively, a port for an echo service on the remote
           machine may be specified. (Normally port 7.)
        -f run in background (autossh handles this, and does not
           pass it to ssh.)
        -V print autossh version and exit.

    Environment variables are:
        AUTOSSH_GATETIME    - how long must an ssh session be established
                              before we decide it really was established
                              (in seconds). Default is 30 seconds; use of -f
                              flag sets this to 0.
        AUTOSSH_LOGFILE     - file to log to (default is to use the syslog
                              facility)
        AUTOSSH_LOGLEVEL    - level of log verbosity
        AUTOSSH_MAXLIFETIME - set the maximum time to live (seconds)
        AUTOSSH_MAXSTART    - max times to restart (default is no limit)
        AUTOSSH_MESSAGE     - message to append to echo string (max 64 bytes)
        AUTOSSH_PATH        - path to ssh if not default
        AUTOSSH_PIDFILE     - write pid to this file
        AUTOSSH_POLL        - how often to check the connection (seconds)
        AUTOSSH_FIRST_POLL  - time before first connection check (seconds)
        AUTOSSH_PORT        - port to use for monitor connection
        AUTOSSH_DEBUG       - turn logging to maximum verbosity and log to
                              stderr
But be aware of the risks:
https://docs.netgate.com/pfsense/en/latest/recipes/freebsd-pkg-repo.html
Steve
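As an added example (not code from the thread, from autossh or from the pfSense project), this script assembles the autossh invocation for the forward the thread describes, 3306:localhost:3306 from the pfSense box to the MySQL host, using the options from the usage text above. The host name, ssh user, key path and listener address are assumed placeholders. It also refuses a wildcard listener address, because an unauthenticated tunnel entry point bound on 0.0.0.0 would be reachable on every pfSense interface, not just the one the clients sit on.

```shell
#!/bin/sh
# Added example: build and sanity-check the autossh command for the
# 3306:localhost:3306 forward from pfSense to the MySQL host.
# All four values below are placeholders, not from the thread.
MYSQL_HOST="mysql.example.internal"        # MySQL host on the wan net
SSH_USER="tunnel"                          # unprivileged, key-only account
SSH_KEY="/root/.ssh/id_ed25519_tunnel"     # key used only for this tunnel
LOCAL_BIND="127.0.0.1"                     # pfSense-side listener address

# Return 0 for an acceptable listener address (loopback or one specific
# interface IP), 1 for a wildcard that would listen on all interfaces.
check_bind_addr() {
    case "$1" in
        ''|'*'|0.0.0.0|::|'[::]') return 1 ;;
        *) return 0 ;;
    esac
}

# Print the autossh invocation for the given listener address.
#  -M 0                   no autossh echo-port monitor; ssh keepalives detect
#                         a dead session instead, so no extra port is opened
#  ServerAliveInterval=30 / CountMax=3   give up after ~90 s without a reply
#  ExitOnForwardFailure   make ssh exit (and autossh reconnect) if local
#                         port 3306 cannot be bound
#  BatchMode / StrictHostKeyChecking     never prompt, never accept an
#                         unknown host key for an unattended tunnel
#  -N                     forwarding only, no remote shell
#  AUTOSSH_GATETIME=0     treat any connect as real, matching the -f note
#                         in the usage text above
autossh_tunnel_cmd() {
    bind="$1"
    check_bind_addr "$bind" || return 1
    cmd="AUTOSSH_GATETIME=0 autossh -M 0 -f -N"
    cmd="$cmd -o ServerAliveInterval=30 -o ServerAliveCountMax=3"
    cmd="$cmd -o ExitOnForwardFailure=yes -o BatchMode=yes"
    cmd="$cmd -o StrictHostKeyChecking=yes -i $SSH_KEY"
    cmd="$cmd -L $bind:3306:127.0.0.1:3306 $SSH_USER@$MYSQL_HOST"
    printf '%s\n' "$cmd"
}

# Print the command; run it only on a box where autossh is installed.
autossh_tunnel_cmd "$LOCAL_BIND" \
    || echo "refusing wildcard listener address: $LOCAL_BIND" >&2
```

With LOCAL_BIND left at 127.0.0.1 only processes on the pfSense box itself can reach the tunnel; to serve clients on the lan net, set it to the pfSense lan interface address and restrict who may reach that port with a pfSense firewall rule, as suggested later in the thread.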
-
@ltrivellizzi said in autossh on pfsense:
but only from localhost.
Why don't you just allow network connections? That would be a way easier solution. Not like you're opening up to the public internet, allow access from your own local IPs.
edit:
Doesn't mysql just default to binding to 127.0.0.1? In the mysqld.cnf, changing that to actually bind to the box's IP, or all zeros, should allow you access from your clients.
-
@johnpoz I'm just trying to stick as much as possible to the "as is" situation.
-
@_sko_ said in autossh on pfsense:
"as is" situation.
But its a horrible solution..
You want/need to access something from your network, but that thing defaults to only listening on loopback.. So you set up an ssh connection and trick it into thinking you're local.. So you have created complexity for no reason, and it's going to be a performance hit, running traffic through any sort of tunnel adds overhead, requires resources to perform the encryption and decryption of the traffic..
Vs just changing 127.0.0.1 in the conf file to 0.0.0.0 ?
Occam’s Razor vs Rube Goldberg
-
@johnpoz I see your point but the tunnel lets the MySql server be configured in a more secure way. But @stephenw10 just made me stop thinking about this solution because of the warnings in the linked page.
Thanks for the support and the help!
-
@_sko_ said in autossh on pfsense:
tunnel let the MySql server to be configured in a more secure way
So you have hackers or botware running on your local network?
You stated that this "wan" is not connected to the internet. So who has access to this "network" where this mysql box sits? Your devices, your users? Are your own devices and users considered hostile?
And these devices need to go through pfsense to get to the mysql box, do they not. So the simple non rube goldberg setup to secure access to this device is a rule on pfsense to limit who can talk to it and on what port.
If you're routing traffic through pfsense via this ssh tunnel.. How is it any different than allowing access just via a firewall rule?
The only way this becomes more secure is stuff on the same network as the mysql box wouldn't be able to access it. So again going with the occams razor approach which is simpler.. isolate this box from others on its own network via firewall on the host, or private vlan, or just putting it in its own limited network where the bad guys don't sit, etc.
You do you - but your approach as you have described your setup seems over complicated and is more likely to cause performance issues and connectivity issues than any added security.
-
@johnpoz said in autossh on pfsense:
@_sko_ said in autossh on pfsense:
tunnel let the MySql server to be configured in a more secure way
So you have hackers or botware running on your local network?
You stated that this "wan" is not connected to the internet. So who has access to this "network" where this mysql box sits? Your devices, your users? Are you own devices and users considered hostile?
I stated it wrong. Sorry but my English is a little bit rusty. The local network has a gateway and is connected to the internet, but you are right, it is just a too complicated solution for the problem.
I just enabled a rinetd rule for the pfsense firewall in the MySql server et voilà.
Thanks!