6100 unreachable from WAN
-
Hi All.
I have about 30 6100's out there with no issue.
Ive installed a new one at a property, and I can only reach the GUI, or SSH once in a blue moon. Most of the time it is timing out.
The Hotel is running perfectly, and internet traffic is running great, it just seems to be an issue with remote access.
It is currently running version 23.01, and has a very basic config, but changing the access port from 443 to 50443.
Wondering if a firmware update will fix it, or if this is an issue others have faced?
-
I wouldn't expect a firmware update to make any difference but you should do it anyway because 23.01 is old.
Are you connecting by IP address? Is the firewall using a static IP on it's WAN?
If you're connecting by fqdn is it resolving correctly? If it's dyndns is that updating?
Also I recommend always using a VPN for remote access whenever possible.
Steve
-
@stephenw10 thanks for your reply.
In the very small window, I was able to access the logs.
The Netgate was blocking because of SSH attacks.
Adding an ACL to the WAN fixed the problem.
-
Because you were trying to login with the wrong credentials? SSHguard will block the source IP of failed connection attempts. So even if the WAN is open to any address (it shouldn't be) it shouldn't block you.
-
@stephenw10 using the right credentials. But the logs were showing many, many attempts with all sorted of credentials and ports.
-
Hmm, well that sounds like you have the WAN open to the world on those ports which is almost always a bad idea!
You should use a VPN.
If you can't use a VPN for some reason you should have any pass rules on WAN restricted to known source IPs only.
-
@stephenw10 yep, hence introducing the ACL...
-
We contain this by creating NAT rules on an off port from a specific IP/network that point to an internal interface (such as the LAN or Mgmt VLAN). That way there is no external attack surface. Alternatively, use a VPN when possible.
