Ssh from external source to dmz address is not connecting



  • I have tried to set up ssh access to a server for tech support but cannot get the port forward set correctly to hit the server in the dmz

    I have WAN, LAN, DMZ.

    My email server is on the DMZ.

    I set up a NAT port forward and a rule with which I want to restrict SSH access to the email server from a specific IP address.
    This is how I set it up:

    NAT
    If   Proto  Ext. port range  NAT IP        Int. port range
    WAN  TCP    5678             192.168.8.10  22 (SSH)
                (ext.: mystaticip)

    RULE
    Proto  Source           Port  Destination   Port      Gateway
    TCP    xxx.xxx.xxx.xxx  5678  192.168.8.10  22 (SSH)  *

    When the techie tries to log in from xxx, he says it will not connect.

    Should I change the RULE so that the Destination is the DMZ address or the DMZ subnet? If so, how would the techie actually get to the specific address of the server?

    I can SSH to machines on my LAN and then SSH to the server on the DMZ, but I would prefer to have tech support people able to SSH directly to the machine I need help on.

    Any suggestions are appreciated.

    Thank you
    walter

    " most problems with a computer can be traced to the loose nut between the chair and the keyboard"


  • Rebel Alliance Developer Netgate

    Why are you specifying a source port on the firewall rule? Remove that and it should work.



  • The thought was to use a non-standard port to come in on, to add a layer to the security of my network.

    I use a non-standard port to access my accounting information and my company documents on the LAN and was trying to do the same with accessing the email server.

    We will give your suggestion a try and see if that is where the problem is.

    thank you

    wsams  :)

    " most problems with a computer can be traced to the loose nut between the chair and the keyboard"


  • Rebel Alliance Developer Netgate

    The source port on the firewall rule isn't the same as the external port on the NAT rule.

    The NAT rule reads (in plain language)

    Port forward from anyone on any port to the WAN IP on port 5678 into 192.168.8.10 on port 22.

    The firewall rule reads:

    Allow from anyone with a source port of 5678 to reach 192.168.8.10 on port 22.

    The "external port" on the NAT rule is not the same as the source port on a firewall rule. NAT happens before firewall rules are processed, so the external port is never seen or used in firewall rules. So you can leave the NAT rule alone and just edit the firewall rule, and it will be working on your non-standard port.
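As an added illustration of the order jimp describes (not code from the thread or from pfSense), here is a small Python model of an inbound packet passing first through the NAT port forward and then through the firewall rule. The WAN address 203.0.113.10 and the tech-support address 198.51.100.25 are constructed stand-ins for "mystaticip" and "xxx.xxx.xxx.xxx"; the client's source port 51234 is an assumed ephemeral port. The model shows why a rule pinned to source port 5678 blocks the connection, while the same rule with source port "any" passes it to 192.168.8.10:22 and still rejects other source addresses and direct attempts on port 22.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed sample addresses (RFC 5737 documentation ranges) standing in
# for the thread's "mystaticip" and "xxx.xxx.xxx.xxx". Hypothetical values.
WAN_IP = "203.0.113.10"       # the firewall's public (WAN) address
TECH_IP = "198.51.100.25"     # the tech-support host allowed to connect
MAIL_SERVER = "192.168.8.10"  # the email server in the DMZ (from the thread)


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class PortForward:
    """NAT port forward: rewrite traffic aimed at wan_ip:ext_port to nat_ip:int_port."""
    proto: str
    wan_ip: str
    ext_port: int
    nat_ip: str
    int_port: int

    def apply(self, pkt: Packet) -> Packet:
        if (pkt.proto, pkt.dst_ip, pkt.dst_port) == (self.proto, self.wan_ip, self.ext_port):
            return replace(pkt, dst_ip=self.nat_ip, dst_port=self.int_port)
        return pkt


@dataclass(frozen=True)
class FirewallRule:
    """Pass rule. src_port=None means 'any', which is what you normally want:
    the client's source port is an ephemeral one chosen by its OS."""
    proto: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: int

    def matches(self, pkt: Packet) -> bool:
        return (
            pkt.proto == self.proto
            and pkt.src_ip == self.src_ip
            and (self.src_port is None or pkt.src_port == self.src_port)
            and pkt.dst_ip == self.dst_ip
            and pkt.dst_port == self.dst_port
        )


def process_inbound(pkt: Packet, forwards: List[PortForward],
                    rules: List[FirewallRule]) -> Tuple[str, Packet]:
    """Inbound order: NAT translates first, then the firewall rules are
    evaluated against the already-translated packet. Default deny."""
    for fwd in forwards:
        pkt = fwd.apply(pkt)
    for rule in rules:
        if rule.matches(pkt):
            return "pass", pkt
    return "block", pkt


# The NAT rule from the thread: WAN TCP 5678 -> 192.168.8.10:22
FORWARDS = [PortForward("TCP", WAN_IP, 5678, MAIL_SERVER, 22)]

# The rule as originally written: source port pinned to 5678 (the mistake).
RULE_WITH_SOURCE_PORT = FirewallRule("TCP", TECH_IP, 5678, MAIL_SERVER, 22)
# The corrected rule: source port any, destination still the DMZ host on 22.
RULE_FIXED = FirewallRule("TCP", TECH_IP, None, MAIL_SERVER, 22)


def tech_support_ssh(src_ip: str = TECH_IP, ext_port: int = 5678,
                     src_port: int = 51234) -> Packet:
    """A SYN from the support host to the WAN address on the non-standard port.
    src_port is an ephemeral port picked by the client, not 5678."""
    return Packet("TCP", src_ip, src_port, WAN_IP, ext_port)


def verdict(rule: FirewallRule, pkt: Packet) -> str:
    """Run one packet through the forward list and a single firewall rule."""
    return process_inbound(pkt, FORWARDS, [rule])[0]


if __name__ == "__main__":
    pkt = tech_support_ssh()
    print("pinned source port:", verdict(RULE_WITH_SOURCE_PORT, pkt))                     # block
    print("source port any:   ", verdict(RULE_FIXED, pkt))                                # pass
    print("other source IP:   ", verdict(RULE_FIXED, tech_support_ssh(src_ip="192.0.2.77")))  # block
    print("direct to port 22: ", verdict(RULE_FIXED, tech_support_ssh(ext_port=22)))      # block
```

The last two lines of the demo are the checks worth keeping in mind: with the corrected rule, a connection from any address other than the allowed one is still dropped, and a connection aimed straight at port 22 on the WAN address never matches the forward, so the non-standard external port remains the only way in.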



  • jimp

    Thank you for the instruction; you correctly interpreted my misunderstanding of how the firewall works.

    I will implement your suggestion and post results.

    wsams

    " most problems with a computer can be traced to the loose nut between the chair and the keyboard"

