Can't ssh into pfsense from wan side



  • Does anyone have any idea why I wouldn't be able to ssh into the pfsense
    box from the wan side?  I am able to ssh in from the lan side and webgui
    works from either end.  I have a wan rule that looks something like:
      proto = tcp
      src = my.computer.address:anyport
      dst = pfsense.wan.address:22
    This is all I need, isn't it?  This ssh rule is derived from my https rule which
    works (only diff is the dest port).

    I tried two experiments.  First, with WinXP using SSH Corp's free ssh client:
    I try to ssh in from the wan side, it looks like a connection is set up
    because I'm prompted for my password.  But after entering my password
    it prompts me again (as if I'd entered the wrong password) and it goes on
    like this ad infinitum.

    Experiment two, ubuntu 9.04 using whatever ssh comes with it (box stock):
    Ssh-ing from the wan side, I don't even get a password prompt.  From the
    lan side, it's all good.

    I'm using pfsense 1.2.2

    TIA
    eric

    PS: anyone got an ETA on the pfsense book?



  • can you post output of:

    pfctl -s rules | grep ssh
    


  • pfctl -s rules | grep ssh

    block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
    pass in quick on xl0 reply-to (xl0 www.xxx.yy.254) inet proto tcp from <physics> to <allowssh> port = ssh flags S/SA keep state label "USER_RULE: Allow incoming ssh"
    pass in quick on xl0 reply-to (xl0 www.xxx.yy.254) inet proto tcp from www.xxx.zzz.52 to www.xxx.yy.40 port = ssh flags S/SA keep state label "USER_RULE: Allow ssh admin from deadbeat"
    block drop in quick on xl1 inet proto tcp from ! 192.168.1.199 to 192.168.1.1 label "USER_RULE: restrict ssh access to pfsense"

    My intent:
      on lanside, only private.199 can ssh into the pfsense box (private.1)
      on wanside, only public.52 can ssh into the pfsense box (public.40)
      only certain wanside machines can initiate ssh connections through the firewall and then only to select lanside machines (VIPs used here)
      nothing originating from the lan side will be allowed through to the wan side (except as above)

    Everything is still a work in progress so execution and intent may not line up exactly.

    Thanks,
    eric



  • Found it.  Screwed up port forward rule.

    eric
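    The failure mode the thread ends on, a port forward taking the WAN-side SSH traffic before the firewall's own sshd ever sees it, follows from pf applying rdr (NAT) rules before filter rules. The evaluator below is an added illustration, not the poster's configuration or pfSense code; the rule lines, RFC 5737 addresses and table members are constructed, and it parses only the fields the rules quoted above use.

```python
import re
from ipaddress import ip_address, ip_network

# Minimal first-match evaluator for the rule syntax printed by `pfctl -s nat`
# and `pfctl -s rules`; only the fields used in the rules above are parsed.
PORT_ALIASES = {"ssh": 22, "http": 80, "https": 443}
RULE_RE = re.compile(
    r"^(?P<action>rdr|pass|block)\b.*?\bfrom (?P<neg>! )?(?P<src>\S+) to (?P<dst>\S+)"
    r"(?: port = (?P<port>\S+))?(?:.*?-> (?P<rdst>\S+) port (?P<rport>\d+))?")

def _addr_match(spec, addr, tables):
    """True if addr fits a pf address spec: any, host, CIDR or a <table>."""
    if spec == "any":
        return True
    if spec.startswith("<"):  # pf table: match any member
        return any(_addr_match(m, addr, tables) for m in tables.get(spec.strip("<>"), []))
    return ip_address(addr) in ip_network(spec, strict=False)

def _match(rule, src, dst, dport, tables):
    m = RULE_RE.match(rule)
    if m is None:
        return None
    src_ok = _addr_match(m["src"], src, tables) != bool(m["neg"])  # "!" negates
    dst_ok = _addr_match(m["dst"], dst, tables)
    port_ok = m["port"] is None or int(PORT_ALIASES.get(m["port"], m["port"])) == dport
    return m if (src_ok and dst_ok and port_ok) else None

def simulate(src, dst, dport, nat_rules, filter_rules, tables=None):
    """Apply the first matching rdr (NAT runs before filtering in pf), then
    return (verdict, final_dst, final_port) from the first matching quick rule."""
    tables = tables or {}
    for rule in nat_rules:
        m = _match(rule, src, dst, dport, tables)
        if m and m["action"] == "rdr":
            dst, dport = m["rdst"], int(m["rport"])
            break
    for rule in filter_rules:
        m = _match(rule, src, dst, dport, tables)
        if m:  # every sample rule is `quick`, so the first match decides
            return m["action"], dst, dport
    return "block", dst, dport  # pfSense default deny

# Constructed sample (RFC 5737 addresses), not the poster's real config.
TABLES = {"physics": ["203.0.113.0/24"], "allowssh": ["192.168.1.50"]}
NAT = ["rdr on xl0 inet proto tcp from any to 203.0.113.40 port = ssh -> 192.168.1.50 port 22"]
FILTER = [
    'block drop in quick on xl0 inet proto tcp from ! 203.0.113.52 to 203.0.113.40 port = ssh label "restrict"',
    'pass in quick on xl0 inet proto tcp from 203.0.113.52 to 203.0.113.40 port = ssh flags S/SA keep state label "admin"',
    'pass in quick on xl0 inet proto tcp from <physics> to <allowssh> port = ssh flags S/SA keep state label "forward"',
]

if __name__ == "__main__":
    print(simulate("203.0.113.52", "203.0.113.40", 22, NAT, FILTER, TABLES))  # ('pass', '192.168.1.50', 22)
    print(simulate("203.0.113.52", "203.0.113.40", 22, [], FILTER, TABLES))   # ('pass', '203.0.113.40', 22)
```

    With the rdr in place the admin's connection is passed, but to the LAN host rather than the firewall, which is why a login can appear to work yet answer with another machine's sshd.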

