Can't ssh into pfsense from wan side
Does anyone have any idea why I wouldn't be able to ssh into the pfsense
box from the wan side? I am able to ssh in from the lan side and webgui
works from either end. I have a wan rule that looks something like:
proto = tcp
src = my.computer.address:anyport
dst = pfsense.wan.address:22
This is all I need, isn't it? This ssh rule is derived from my https rule which
works (only diff is the dest port).
I tried two experiments. First, with WinXP using SSH Corp's free ssh client:
I try to ssh in from the wan side, it looks like a connection is set up
because I'm prompted for my password. But after entering my password
it prompts me again (as if I'd entered the wrong password) and it goes on
like this ad infinitum.
Experiment two, ubuntu 9.04 using whatever ssh comes with it (box stock):
Ssh-ing from the wan side, I don't even get a password prompt. From the
lan side, it's all good.
I'm using pfsense 1.2.2
PS: anyone got an ETA on the pfsense book?
danswartz
can you post output of:
pfctl -s rules | grep ssh
block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
pass in quick on xl0 reply-to (xl0 www.xxx.yy.254) inet proto tcp from <physics> to <allowssh> port = ssh flags S/SA keep state label "USER_RULE: Allow incoming ssh"
pass in quick on xl0 reply-to (xl0 www.xxx.yy.254) inet proto tcp from www.xxx.zzz.52 to www.xxx.yy.40 port = ssh flags S/SA keep state label "USER_RULE: Allow ssh admin from deadbeat"
block drop in quick on xl1 inet proto tcp from ! 192.168.1.199 to 192.168.1.1 label "USER_RULE: restrict ssh access to pfsense"
on lanside, only private.199 can ssh into the pfsense box (private.1)
on wanside, only public.52 can ssh into the pfsense box (public.40)
only certain wanside machines can initiate ssh connections through the firewall and then only to select lanside machines (VIPs used here)
nothing originating from the lan side will be allowed through to the wan side (except as above)
Everything is still a work in progress so execution and intent may not line up exactly.
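An added illustration, not code from the thread or from pfSense itself: a small Python model that walks the pfctl lines above the way pf does (top to bottom, last match wins, a matching "quick" rule ends the walk), so one can see which listed rule decides a given packet. The members of the <sshlockout>, <physics> and <allowssh> tables and the xl0 = WAN, xl1 = LAN mapping are assumptions.

```python
import re

# Constructed sample: the four "pfctl -s rules | grep ssh" lines from the
# thread. Table members are assumed; the thread never shows them.
TABLES = {
    "sshlockout": set(),            # assumed empty: nobody locked out yet
    "physics": {"www.xxx.zzz.52"},  # assumed members of <physics>
    "allowssh": {"www.xxx.yy.40"},  # assumed members of <allowssh>
}
PORTS = {"ssh": "22", "https": "443"}  # service names as pfctl prints them
RULES = """\
block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
pass in quick on xl0 reply-to (xl0 www.xxx.yy.254) inet proto tcp from <physics> to <allowssh> port = ssh flags S/SA keep state label "USER_RULE: Allow incoming ssh"
pass in quick on xl0 reply-to (xl0 www.xxx.yy.254) inet proto tcp from www.xxx.zzz.52 to www.xxx.yy.40 port = ssh flags S/SA keep state label "USER_RULE: Allow ssh admin from deadbeat"
block drop in quick on xl1 inet proto tcp from ! 192.168.1.199 to 192.168.1.1 label "USER_RULE: restrict ssh access to pfsense"
"""
# Fields the model needs; options such as reply-to and flags are skipped over.
RULE_RE = re.compile(
    r'^(?P<action>pass|block)(?: drop)?(?: in| out)?(?: log)?(?P<quick> quick)?'
    r'(?: on (?P<iface>\S+))?.*?\bfrom (?P<neg>! )?(?P<src>\S+) to (?P<dst>\S+)'
    r'(?: port = (?P<port>\S+))?.*?label "(?P<label>[^"]*)"')

def addr_matches(spec, addr, negate=False):
    """Match one address against 'any', a <table>, or a literal address."""
    if spec == "any":
        hit = True
    elif spec.startswith("<"):
        hit = addr in TABLES[spec.strip("<>")]
    else:
        hit = spec == addr
    return not hit if negate else hit

def evaluate(rules_text, iface, src, dst, dport):
    """pf semantics: last matching rule wins, but a matching 'quick' rule ends
    the walk at once. Returns (action, label); ('none', '') if nothing matched."""
    decision = ("none", "")
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m or (m["iface"] and m["iface"] != iface):  # other interface
            continue
        if not (addr_matches(m["src"], src, bool(m["neg"]))
                and addr_matches(m["dst"], dst)):
            continue
        if m["port"] and PORTS.get(m["port"], m["port"]) != str(dport):
            continue
        decision = (m["action"], m["label"])
        if m["quick"]:
            break
    return decision
```

Because the listing was filtered through grep ssh, a packet that none of the listed rules match comes back as "none" rather than as a verdict; the real ruleset has further rules that would decide it.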
Found it. Screwed up port forward rule.