SSH Problem

Draikkari · Jan 5, 2024, 10:46 AM

I'm not sure what would be right place to ask. I try from here.

Pfsense is somehow blocking ssh connection to outside from network. I don't have any explanation why is that.

I have my home network behind pfsense. For share one movie for my friend I did set raspi outside of pfsense. Idea was let him download that with sftp and not compromise my home network.

After moving that raspi out from pfsense ssh is not working anymore. No any good explanation for that. I thought that rasbian lite was not working as expected and move to dietpi. Traffic somehow stop between my home network and raspi. As ssh client I have tried Ubuntu openssh and windows builtin client. As sshd there has been dropbear and openssh server.

Ssh is working with phone as expected and I did ask friend of my to test that also.

Connection fail to timeout at end. Debug from ubuntu ssh client:
farmari1:~$ ssh root@89.27.76.10 -vvv
OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
....
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-256,ssh-rsa,ssh-dss>
Connection closed by 89.27.76.10 port 22

Does this sound familiar to anyone?

hecsa · Jan 5, 2024, 11:52 AM

@Draikkari
Hi,
I hope you are doing great.
I think I don't fully understood your configuration. You have your network behind pfSense, and only one node, the Rasppibefore the pfSense WAN interface?
Thanks, and best regards,
HeCSa.

Draikkari · Jan 5, 2024, 1:04 PM

@hecsa
Hello and thank you for your reply.

Sorry for uncomplete description. I'm connected to internet with cable modem what is set to bridge all connections. After that cable modem I have pfsense. And behind pfsense is my home network (NAS, Printer, desktops, home automation etc) Usually all devices are behind of pfsense but to avoid giving access to home network and avoid opening ports I did connect that raspi to same cable modem where pfsense is connected. Raspi has it own public ip address as well as pfsense.

I can connect to raspi with my phone from mobile network but when I turn off mobile data and try to connect with wifi behind pfsense connection will time out. My friend has connected successfully from his computer to that same raspi. I have tried to connect from my home network with two different computers. Another running with ubuntu and another with Windows. And with phone using android and JuiceSSH. So I can say for sure that reason is pfsense why that connection is not working.

As I'm just using pfsense mostly just for nat, there are no complex rules or anything else. I have not needed to connect any ssh-server outside of my home network since 2010 school times. At that time it was working but it was like pfsense-1.2 or similar. I'm unable to say when it broke.

Best diagram what I can do with paint within 2 minutes. But I hope that it explain. Just samsung connection outside of pfsense is working

johnpoz · Jan 5, 2024, 1:04 PM

@Draikkari your isp provides you multiple public IPs?

Cable modems don't normally have mulitiple ethernet connections, some of the new ones do with 1g and 2.5ge interfaces..

What specific "modem" do you have?

So your saying you have this..

Where pfsense has some public IP, and your pi also has some pubic IP on the same network? Or is a different network? What is the mask on these devices? They are on the same network, or do you have like 2 different IPs on different networks?

You can get to 1.2.3.5 in my example, and also you can get to pfsense 1.2.3.4 from the internet.. But pfsense can not talk to your pi..

Does pfsense see the mac address of your pi, if on pfsense ping its IP, do you get a response, if you look in your arp table on pfsense have trying to ping your pi IP do you see its mac address? If your directly connected to interfaces on your "modem" its quite possible they are isolated from each other. Even if they are on the same network, etc.

If you can not see the mac of your pi from your pfsense, or even if you do but can not ping the pi, you could try putting in a switch.

Draikkari · Jan 5, 2024, 2:36 PM

@johnpoz

Thank you for your reply. Configuration is as first diagram. Cable modem is Sagemcom F@st 3890V3 it has 4 ethernet ports and all have been set to bridge. My ISP gives me 5 public IP address assigned by dhcp but almost never change.

Interface configuration:

And raspi has

Ping is working behind pfsense but ssh just hang. Feel free to test with ip 89.27.76.10

Also ssh is working outside of my home network. From log I don't find anything related. There are open states when I try to get ssh connection.

But some packets just don't find their destination. Finally after few minutes of waiting ssh connection is closed by server.

johnpoz · Jan 5, 2024, 2:59 PM

@Draikkari those are different networks.

That traffic would be routed through your ISP.. If you can not get to each other - that points to a ISP restriction or routing problem.

That first network would include 40-47 for the 3rd octet, while your pi would be 72-79...

edit: btw as just a side note, that is not a "modem" that is a gateway, a modem/router combo..

https://support.sagemcom.com/en/gateways/fst-3890-v3-bbn?language_content_entity=en

Draikkari · Jan 5, 2024, 3:16 PM

@johnpoz

That's good point. And in fact it is reason why it is not working. I did connect my phone to cable modem directly bypassing pfsense.

Thank you for your help. I don't keep myself as a total novice so this was driving me crazy. But it didn't even come to my mind that ISP has misconfigured something. Especially because my friend is using same ISP (very common here in Finland) and he was able to get connection.

johnpoz · Jan 5, 2024, 3:27 PM

@Draikkari said in SSH Problem:

ISP has misconfigured something

Not sure I would use/jump to the word misconfigured.. It could be on purpose, isolating their customers netblocks.. You could reach out to your isp for explanation, or a change so your devices can talk to each other - maybe make sure they are on the same network, etc.

But those are 2 different networks - so you would need to route between them.. be that happening farther upstream in the isp network, or if could be done at your gateway (isp device)..

You "might" be able to work around the problem with creating static arp entries on each device for the other devices mac.. So that they don't route to get to each other, but just talk directly..

Might have to create another IP on each device and use that other IP range to talk to the other device, etc.. This could be say 172.16.0.0/30 interface where one is .1 and the other is .2, etc.

But the static arp on each might work - but lots of years since played with doing anything like that.

Draikkari · Jan 5, 2024, 4:27 PM

@johnpoz
I agree that it has been done with purpose. Main point for me is that I know the reason why it is not working. It is nothing wrong with my network.

Everything was set for file transfer (Vietnam war documentary) and I move that raspi outside from my firewall. Then test that connection is working and it wasn't :D Didn't come to my mind that there is limitation for some reason. And really strange limitation. Because ssh client connect and sshd reply and then before authentication connection just time out. I'm able to complete my task even not able to connect for that raspi from my home network.

But thank you for your help. Without you I would start to drink soon Haha

johnpoz · Jan 5, 2024, 4:52 PM

@Draikkari said in SSH Problem:

Without you I would start to drink

hahaha - I don't see that a problem either, hehe Whats the old saying.. Can't drink all day if you don't start in the morning..