Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Simple way to open up SSH port from LAN to DMZ

    Scheduled Pinned Locked Moved Firewalling
    36 Posts 5 Posters 1.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • JonathanLeeJ
      JonathanLee @johnpoz
      last edited by

      @johnpoz ntp is a nat rule

      Make sure to upvote

      1 Reply Last reply Reply Quote 0
      • JonathanLeeJ
        JonathanLee @johnpoz
        last edited by JonathanLee

        @johnpoz thanks I forgot about the dns, that was created before I had the block all http https, I use to have a on system wpad and moved it to a raspberry pi zero wpad, after I moved it I just made a block rule and moved on. It looks like I still have some cleaning up to do. Thanks for the recommendations again..

        Make sure to upvote

        1 Reply Last reply Reply Quote 0
        • JonathanLeeJ
          JonathanLee @johnpoz
          last edited by

          @johnpoz

          Thanks for the recommendations, done I forgot about that before I had to have the ports open for WPAD so after I moved my wpad out of the system I just added a block and didn't look at the other rules. I do not need them anymore. Thanks

          Screenshot 2025-03-29 at 11.58.07.png

          Make sure to upvote

          johnpozJ 1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator @JonathanLee
            last edited by

            @JonathanLee how does allowing ntp to 192.168.1.1 fix ntp???

            how is allowing 192.168.1.2 to talk to 192.168.1.1 have anything to do with nat syslog?? If your source is 192.168.1.2 - have to assume your wlan is 192.168.1/something - why would you need or want to nat syslog? Or ntp?

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            JonathanLeeJ 1 Reply Last reply Reply Quote 0
            • JonathanLeeJ
              JonathanLee @johnpoz
              last edited by JonathanLee

              @johnpoz
              I have a fixed destination on the AP it only sends to 514 and won't use the package port 5140 so I nat it to it. Wireless AP to Firewall.

              For Syslog I have to nat it because the AP uses a different port that is fixed for sending syslogs that way I can view them only on the firewall and not have to log into the AP each time I want to see who is on the NAS. The device uses destination 514 but the package is 5140 so I had to make a nat rule. I got sick of logging in to view logs. After it is saved on my NVMe drive and not the SSD.

              Screenshot 2025-03-29 at 12.13.07.png

              For NTP yes this works I have to NAT it for things and it functions forces everything to use the firewall and with the firewall it goes to the authenticated NTP with nist.gov Screenshot 2025-03-29 at 12.16.20.png

              Screenshot 2025-03-29 at 12.14.30.png

              It works but you have to add the loopbacks into the nat rule also with it negated it would not work with only the firewall address. So it has to be not ! firewall/loopbacks and it works.

              Something was messing with time on our network moving it 15-20 mins during tests and stuff, mean people. But this fixed it, NTP is an old protocol, with it authenticated and forced to be used I have not had a time jump issue in a long time.

              Make sure to upvote

              johnpozJ 1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator @JonathanLee
                last edited by johnpoz

                @JonathanLee said in Simple way to open up SSH port from LAN to DMZ:

                The device uses destination 514 but the package is 5140

                You can change that

                port.jpg

                If you want to redirect things trying to use other ntp - then just do a redirect to localhost (127.0.0.1).. I have no idea what your talking about where ntp was jumping 15-20 minutes.. Ntp doesn't work like that..

                What are you calling loopbacks - pfsense address on an interface?

                Simpler solution for devices that use some other fqdn for dns is a simple host override so it resolves to the ntp server you want to point them too.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                JonathanLeeJ 2 Replies Last reply Reply Quote 1
                • JonathanLeeJ
                  JonathanLee @johnpoz
                  last edited by

                  @johnpoz I can't use port 514 on the firewall it is already in use

                  ba4f73a0-eefe-4c63-99ea-5a310fb12564-image.png

                  08d5ee84-5d91-43fd-ba2a-1a1376b5d374-image.png

                  And I can't set the ap to use a different port..

                  I think the loopback or pfsense itself uses port 514 for something already

                  Make sure to upvote

                  1 Reply Last reply Reply Quote 0
                  • JonathanLeeJ
                    JonathanLee @johnpoz
                    last edited by

                    @johnpoz The time would move 15 mins..

                    Example your taking a timed test and all the sudden 15 mins is gone, there was something going on with it during cyber security classes. With it secure like this the time is correct and does not shift on the devices. Who knows maybe the professor was trying to teach us to use authenticated time services like auth NTP.

                    Make sure to upvote

                    johnpozJ 1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator @JonathanLee
                      last edited by

                      @JonathanLee well that 514 sure seems like a bug to me.. I can set syslog to not listen on all interfaces. So its only bound to localhost.

                      syslog.jpg

                      But then yeah your right still get the error even if I set syslog-ng to listen on different interface

                      bug.jpg

                      There is no way that should be an issue... Something wrong in the parsing of port in use in that package.

                      As to your ntp - have no idea what your going on about.. As to using authenticated ntp - sure ok, go for it.. But on your secure local network.. Seems pretty freaking tin foil hat to me.. Who and the F is going to mess with your ntp on your own local secure network, from a client talking to to your own firewall.. Come on - someone is watching too much mister robot..

                      So you were taking a test, and you lost 15 minutes.. Yeah that happens - you lost track of time, it wasn't your ntp server being hacked and time altered by 15 minutes ;)

                      Still don't get how natting ntp fixes that??

                      If your concerned about ntp being messed with on your own local network between a client and your firewall - you got bigger fish to fry if you ask me.. That is some paranoid level shit right there... Maybe lay off the recreational herb ;)

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      JonathanLeeJ 1 Reply Last reply Reply Quote 0
                      • JonathanLeeJ
                        JonathanLee @johnpoz
                        last edited by JonathanLee

                        @johnpoz I saw it wouldn’t let me set it to the port I needed so I improvised. That time thing only occurred when I was doing my AA in cyber security we had so many labs and also a red blue team exercise so I would not be surprised if an instructor wanted to expand our knowledge and see if someone went to authenticated NTP. Who knows. It was cool to be part of the nist.gov stuff. I know the latest software revision now includes the ntp stuff. I wonder if others had concerns also.

                        The reason I NAT ntp is because not everything uses the firewall but it will use it when requests are NAT to it. Example Windows 11, Raspberry PI they request some specific sites yes I could add a dns override for them but I just NAT any requests to the firewall and it uses the nist.gov encrypted time system. So it gets secure time. The systems get the right time and it works. It seems tinfoil hat, but no issues with time jumps ever again.

                        Make sure to upvote

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.