    Can't ssh into pfsense from wan side

      anothereric

      Does anyone have any idea why I wouldn't be able to ssh into the pfsense
      box from the wan side?  I am able to ssh in from the lan side and webgui
      works from either end.  I have a wan rule that looks something like:
        proto = tcp
        src = my.computer.address:anyport
        dst = pfsense.wan.address:22
      This is all I need, isn't it?  This ssh rule is derived from my https rule which
      works (only diff is the dest port).

      I tried two experiments.  First, with WinXP using SSH Corp's free ssh client:
      I try to ssh in from the wan side, it looks like a connection is set up
      because I'm prompted for my password.  But after entering my password
      it prompts me again (as if I'd entered the wrong password) and it goes on
      like this ad infinitum.

      Experiment two, ubuntu 9.04 using whatever ssh comes with it (box stock):
      Ssh-ing from the wan side, I don't even get a password prompt.  From the
      lan side, it's all good.

      I'm using pfsense 1.2.2

      TIA
      eric

      PS: anyone got an ETA on the pfsense book?

        danswartz

        can you post output of:

        pfctl -s rules | grep ssh
        
          anothereric

          pfctl -s rules | grep ssh

          block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
          pass in quick on xl0 reply-to (xl0 www.xxx.yy.254) inet proto tcp from <physics> to <allowssh> port = ssh flags S/SA keep state label "USER_RULE: Allow incoming ssh"
          pass in quick on xl0 reply-to (xl0 www.xxx.yy.254) inet proto tcp from www.xxx.zzz.52 to www.xxx.yy.40 port = ssh flags S/SA keep state label "USER_RULE: Allow ssh admin from deadbeat"
          block drop in quick on xl1 inet proto tcp from ! 192.168.1.199 to 192.168.1.1 label "USER_RULE: restrict ssh access to pfsense"

          My intent:
            on lanside, only private.199 can ssh into the pfsense box (private.1)
            on wanside, only public.52 can ssh into the pfsense box (public.40)
            only certain wanside machines can initiate ssh connections through the firewall and then only to select lanside machines (VIPs used here)
            nothing originating from the lan side will be allowed through to the wan side (except as above)

          Everything is still a work in progress so execution and intent may not line up exactly.

          Thanks,
          eric

            anothereric

            Found it.  Screwed up port forward rule.

            eric

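The thread ends with a misconfigured port forward as the cause: pf applies rdr (translation) rules before the filter rules that `pfctl -s rules` shows, so a forward that captures the firewall's own WAN address on port 22 hands the SSH session to a LAN host no matter how correct the pass rules look. The following is an added example, not code from the thread or from pfSense, that checks `pfctl -s nat` output for exactly that mistake; the addresses, the LAN targets and the sample rdr lines are constructed, and the line format assumed is the classic pf `rdr on ... -> target` form used by pfSense 1.2.x.

```python
import re

# Constructed sample `pfctl -s nat` output for a pfSense 1.2.x box with two
# port forwards.  The second rdr line is the kind of mistake described in the
# thread: it redirects port 22 on the firewall's own WAN address to a LAN host,
# so a WAN-side ssh client talks to 192.168.1.50's sshd instead of the firewall.
SAMPLE_NAT = """\
rdr on xl0 inet proto tcp from any to 203.0.113.40 port = 25 -> 192.168.1.20
rdr on xl0 inet proto tcp from any to 203.0.113.40 port = 22 -> 192.168.1.50
"""

# Classic pf rdr syntax; pfctl may print the port numerically or by service name.
RDR_RE = re.compile(
    r"^rdr on (?P<iface>\S+) inet proto (?P<proto>\S+) from (?P<src>\S+) "
    r"to (?P<dst>\S+) port = (?P<port>\S+) -> (?P<target>\S+)"
)


def parse_rdr(text):
    """Return one dict per rdr rule; lines that do not match are ignored."""
    rules = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def hijacked_admin_ports(nat_text, wan_addr,
                         admin_ports=("22", "ssh", "443", "https")):
    """Port forwards that capture traffic aimed at the firewall's own admin
    services.  Because rdr runs before the filter, such a forward silently
    overrides any 'pass ... to <wan_addr> port = ssh' rule in `pfctl -s rules`.
    Returns (port, lan_target) pairs to review."""
    hits = []
    for r in parse_rdr(nat_text):
        # 'any' as destination also matches the firewall's own address.
        if r["dst"] in (wan_addr, "any") and r["port"] in admin_ports:
            hits.append((r["port"], r["target"]))
    return hits


if __name__ == "__main__":
    for port, target in hijacked_admin_ports(SAMPLE_NAT, "203.0.113.40"):
        print(f"port {port} on the WAN address is forwarded to {target}; "
              f"admin access on that port never reaches the firewall")
```

On a live box, feed the function the real `pfctl -s nat` output and the WAN address from `pfctl -s rules`; an empty result means the filter rules, not the translation table, are where to look next.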
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.