Netgate Discussion Forum

    Ssh from external source to dmz address is not connecting

    samsco:

      I have tried to set up ssh access to a server for tech support but cannot get the port forward set correctly to hit the server in the dmz

      I have WAN, LAN, DMZ.

      my email server is on the dmz

      I set up a NAT port forward and a rule, with which I want to restrict SSH access to the email server to a specific IP address.
      This is how I set it up:

      NAT
      If    Proto   Ext. port range   NAT IP          Int. port range
      WAN   TCP     5678              192.168.8.10    22 (SSH)
                                      (ext.: mystaticip)

      RULE
      Proto   Source             Port   Destination     Port       Gateway
      TCP     xxx.xxx.xxx.xxx    5678   192.168.8.10    22 (SSH)   *

      When the techie tries to log in from xxx  he says it will not connect

      Should I change the RULE  so that the Destination is DMZ address or DMZ subnet?  If so how would the techie actually get to the specific address of the server

      I can ssh to machines on my lan and then ssh to the server on the dmz  but I would prefer to have tech support people able to ssh directly to the machine I need help on.

      any suggestions are appreciated

      Thank you
      walter

      " most problems with a computer can be traced to the loose nut between the chair and the keyboard"

      jimp (Rebel Alliance Developer, Netgate):

        Why are you specifying a source port on the firewall rule? Remove that and it should work.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        samsco:

          The thought was to use a non standard port to come in on to add a layer to the security of my network

          I use a non standard port to access my accounting information and my company documents on the lan and was trying to do the
          same with accessing the email server.

          We will give your suggestion a try and see if that is where the problem is

          thank you

          wsams  :)


          jimp (Rebel Alliance Developer, Netgate):

            The source port on the firewall rule isn't the same as the external port on the NAT rule.

            The NAT rule reads (in plain language):

            Port forward from anyone on any port to the WAN IP on port 5678 into 192.168.8.10 on port 22.

            The firewall rule reads:

            Allow from anyone with a source port of 5678 to reach 192.168.8.10 on port 22.

            The "external port" on the NAT rule is not the same as the source port on a firewall rule. NAT happens before firewall rules are processed, so the external port is never seen or used in firewall rules. So you can leave the NAT rule alone and just edit the firewall rule, and it will be working on your non-standard port.


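As an added illustration of jimp's explanation (this is example code written for this page, not code from the thread or from pfSense itself), here is a small Python model of the order pfSense applies a port forward and then evaluates the firewall rule. The WAN address, the technician's IP and the client's ephemeral source port are constructed placeholders standing in for "mystaticip", "xxx.xxx.xxx.xxx" and whatever port the SSH client picks; the email server address and ports are the ones from the thread.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed placeholder addresses standing in for the thread's "mystaticip"
# and "xxx.xxx.xxx.xxx"; the email server address is the one from the thread.
WAN_IP = "198.51.100.1"
TECH_IP = "203.0.113.5"
EMAIL_SERVER = "192.168.8.10"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class PortForward:
    """NAT port forward: WAN_IP:ext_port -> nat_ip:int_port (pf 'rdr')."""
    ext_port: int
    nat_ip: str
    int_port: int

    def apply(self, pkt: Packet) -> Packet:
        # Only the destination is rewritten; source IP and source port are untouched.
        if pkt.dst_ip == WAN_IP and pkt.dst_port == self.ext_port:
            return replace(pkt, dst_ip=self.nat_ip, dst_port=self.int_port)
        return pkt


@dataclass(frozen=True)
class FirewallRule:
    """Pass rule; None means 'any' for that field."""
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        wanted = (self.src_ip, self.src_port, self.dst_ip, self.dst_port)
        actual = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return all(w is None or w == a for w, a in zip(wanted, actual))


NAT_RULE = PortForward(ext_port=5678, nat_ip=EMAIL_SERVER, int_port=22)

# The rule as posted in the thread: it requires a *source* port of 5678,
# which the technician's SSH client will essentially never use.
RULE_AS_POSTED = FirewallRule(TECH_IP, 5678, EMAIL_SERVER, 22)

# The rule as jimp suggests: source port any, still restricted to TECH_IP.
RULE_FIXED = FirewallRule(TECH_IP, None, EMAIL_SERVER, 22)


def tech_connection(src_ip: str = TECH_IP, src_port: int = 51514) -> Packet:
    """SYN from the technician to the WAN IP on the non-standard port 5678.
    51514 is a constructed ephemeral source port chosen by the client OS."""
    return Packet(src_ip, src_port, WAN_IP, 5678)


def inbound_allowed(rule: FirewallRule, pkt: Optional[Packet] = None) -> bool:
    """Model pfSense's order: port forward first, then the firewall rule sees
    the translated packet (dst 192.168.8.10:22; external port 5678 is gone)."""
    pkt = pkt if pkt is not None else tech_connection()
    after_nat = NAT_RULE.apply(pkt)
    return rule.matches(after_nat)


if __name__ == "__main__":
    print("after NAT:", NAT_RULE.apply(tech_connection()))
    print("rule as posted allows:", inbound_allowed(RULE_AS_POSTED))  # False
    print("fixed rule allows:", inbound_allowed(RULE_FIXED))          # True
    # A different source IP is still blocked by the fixed rule.
    print("other host allowed:", inbound_allowed(RULE_FIXED, tech_connection("192.0.2.9")))  # False
```

Running it shows the point of the thread: after the port forward the packet is addressed to 192.168.8.10:22 with the client's random source port, so the rule keyed on source port 5678 never matches, while the rule with source port "any" matches and still limits access to the technician's address. In pf terms the NAT entry is an rdr rule and the firewall rule is a pass rule evaluated against the already-rewritten packet.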
            samsco:

              jimp

              thank you for the instruction, you correctly interpreted my misunderstanding of how the firewall works,

              I will implement your suggestion and post results

              wsams


              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.