Netgate Discussion Forum
    Port forwarding problem

    General pfSense Questions
jerwiles

      I wasn't sure if I should post this in the NAT or Firewall forum, so that's why it's here in general.

      I have a Ubuntu server behind my pfsense firewall that I need to ssh to from the outside. I have assigned the server a static internal IP, and I have forwarded port 22 to that IP, but it is not working. When I attempt to ssh to the wan IP on port 22 it hangs for a while then times out. I have also tried setting up a custom port 2222 for ssh but that is not working either, same problem. This is on pfSense 1.2.3. Maybe I have the port forwarding wrong?

      My pfSense lan IP is 10.1.2.254, and the Ubuntu server's IP is 10.1.2.232. I made a NAT port forward to point incoming traffic on port 22 to port 22 on 10.1.2.232, and also made a NAT port forward pointing incoming traffic on port 2222 to port 22 on 10.1.2.232. Both rules are in place at this exact moment, but I have tried having only one rule in place at a time (both ways).

      Any ideas?


johnpoz (LAYER 8 Global Moderator)

And have you tried it from the outside? Sounds like you're trying it from a box on the 10.1.2 network; that would be NAT reflection, or loopback forwarding. For that to work you have to enable it.

If you're on the same LAN as your SSH server, why not just hit the 10.1.2.232 address directly? Why are you hitting your pfSense WAN IP just to be forwarded back in?

Have someone try it from the WAN side of your network. Also, is your WAN IP actually a public IP, or is it behind a NAT as well? Does your pfSense WAN IP start with 10.x.x.x, 192.168.x.x or 172.16-31.x.x? If so then you're behind a double NAT. And for forwarding to work from the OUTSIDE you will need to make sure the device in front of pfSense doing NAT is forwarding that port to your pfSense WAN IP.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

jerwiles

No, I am trying it from the WAN. I have an SSH app on my phone, so I've been trying to SSH in from a 3G connection. I have also tried doing it tethering my laptop to my phone for internet. The actual owner of the server is currently overseas and also cannot access it.

If I want to SSH to the server from within the LAN, yeah, I just use 10.1.2.232, and that works fine. That's not the problem.

Also, my WAN IP is the public IP. I am using a block of static IPs from Windstream. The modem/gateway is x.x.x.1 and the public IP for the pfSense box is x.x.x.2. Pardon the x's, but security, y'know? Publicly, x.x.x.2 is the IP that's shown.

johnpoz (LAYER 8 Global Moderator)

And does your pfSense WAN IP NOT start with 10.x, 192.168.x.x or 172.16-31? Quite often when users have issues with port forwarding it's because they are behind a double NAT and didn't know it. Is your WAN IP an actual PUBLIC IP address? Or is it behind some other NAT device?

What does your pfSense plug into? What is the model number of the device pfSense is connected to?

Port forwarding should take all of 2 seconds to set up. Create the NAT, and let it auto-create the firewall WAN rule for you; shazam, forwarding is done. It's not rocket science. If you're on a public IP on your pfSense WAN, do you have any host firewall running on your server that could be blocking traffic that is not coming from its LAN network?

jerwiles

              Ha, I edited my post to answer that question at the same time you posted.

              Anyway, yes, the only device between the pfsense box and the internet is windstream's equipment. We're on a T1.

johnpoz (LAYER 8 Global Moderator)

So then verify the traffic is hitting pfSense with a tcpdump or from the diag screen packet capture. Then, doing a sniff on the LAN interface of the pfSense, make sure it's being sent to your server.

So I access an Ubuntu box behind my pfSense on 192.168.1.7, with a public IP of 24.13.x.x.

So as you can see, here are my NAT and firewall LAN rules that send 22 to my server on 192.168.1.7.

You can see my WAN IP, and LAN and WAN interfaces in the pfSense screen. Then, doing a tcpdump on both my LAN and WAN interfaces, you can see the traffic come in to 22 from a public IP to my 24.13 public IP, and then it goes out on the LAN interface from the public IP to my private IP on 22.

And you can see the return traffic.

First step in troubleshooting is to make sure the traffic is hitting your firewall. Maybe you have the wrong IP, maybe your ISP blocks 22, etc. You need to verify it's hitting your pfSense WAN, and then that pfSense is sending it out. You could then sniff on your server: is it seeing the traffic? If it is seeing the traffic then there must be a host firewall on that server that is not allowing it from that source IP.

                Another common mistake users make is putting something in that source PORT, like 22 when you have no idea what the source port of the traffic is going to be.  999/1000 times source port should be any in common rules.

[Attachments: wanlanint.jpg, natrule22.jpg, firewallrule.jpg, tcpdump.jpg]

wallabybob

                  It is my recollection that some SSH servers need to be configured to specify which IP addresses are allowed access.

                  I suggest you check your SSH configuration. SSH log might record failed access attempts.

                  As johnpoz suggested, tcpdump is a useful tool to verify your access attempt passes various points along its path.

                  Have you reset firewall states after setting up your port forward? See Diagnostics -> States, click on Reset States tab.

marvosa

                    Post your port forward and firewall rules.  Also… on the linux server... make sure it's actually listening on port 22... and that the software firewall is either off... or has 22 allowed.  I would turn it off for testing.

jerwiles

                      Here's my NAT rule

                      Interface - WAN
                      External address - any
                      Protocol - TCP
                      External port range - from: SSH   to:(other)
                      NAT IP - 10.1.2.232
                      Local port - SSH
                      No XMLRPC Sync - Not Checked

                      And my Firewall Rule

                      Action - Pass
                      Disabled - not checked
                      Interface - WAN
                      Protocol - TCP
                      Source - "not" not checked   Type: Any   Address: Blank
                       Advanced / Source port range - from: any   to: any
                      Source OS - any
                      Destination - "not" not checked
                       Type: Single host or alias
                       Address: 10.1.2.232
                      Destination port range - from: SSH   to: SSH
                      Log - checked
                      Advanced Options - all empty
                      State type - keep state
                      No XMLRPC Sync - not checked
                      Schedule - none
                      Gateway - default

                      I deleted the rules regarding port 2222, since they weren't working anyway.

                      I tried doing screenshots but the forum says my image files are too large and I don't wanna mess with that.

                      To answer other questions - yes I have reset the states - And I also did a packet capture on port 22 while making an attempt to connect, and this was the result:

                      11:00:28.624981 IP 66.87.74.16.17597 > x.x.x.2.22: tcp 0
                      11:00:31.614608 IP 66.87.74.16.17597 > x.x.x.2.22: tcp 0
                      11:00:37.626820 IP 66.87.74.16.17597 > x.x.x.2.22: tcp 0

                      x's for privacy

jerwiles

                        Also worth mentioning, tcpdump isn't logging anything at all when I do "tcpdump port 22" and attempt to connect to the server. Just for testing's sake, I also enabled ssh on the pfsense box and established a connection to it from the LAN side, and ran the same command "tcpdump port 22" and it logged my connection to the pfsense box.
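
johnpoz's troubleshooting order above (confirm the SYN arrives on the WAN, confirm pfSense sends it out on the LAN, then confirm the server answers) together with the two captures jerwiles reports (repeated SYNs on the WAN, nothing at all on the LAN) can be turned into a small classifier over tcpdump output. The following is an added example, not code from the thread or from pfSense. The capture lines are constructed in tcpdump's default format, which prints the TCP flags the classifier keys on (the thread's capture used the quiet `tcp 0` form, which omits them), and 203.0.113.2 stands in for the public address the thread masks as x.x.x.2.

```python
"""Classify where a port-forwarded TCP connection dies, from tcpdump output
taken on the firewall's WAN and LAN interfaces (added example)."""
import re

# Default tcpdump line: "HH:MM:SS.usec IP a.b.c.d.sport > e.f.g.h.dport: Flags [S], ..."
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def parse(lines):
    """Yield (src, sport, dst, dport, flags) for each TCP line tcpdump printed."""
    for line in lines:
        m = TCPDUMP_RE.match(line.strip())
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def count_handshake(lines, server, port):
    """Count SYNs sent to server:port and SYN-ACKs ("S.") sent back from it."""
    syn = synack = 0
    for src, sport, dst, dport, flags in parse(lines):
        if dst == server and dport == port and flags == "S":
            syn += 1
        elif src == server and sport == port and flags == "S.":
            synack += 1
    return syn, synack


def diagnose(wan_lines, lan_lines, wan_ip, server_ip, port=22):
    """Return a verdict in johnpoz's order: WAN in, LAN out, server reply, reply out."""
    wan_syn, wan_synack = count_handshake(wan_lines, wan_ip, port)
    lan_syn, lan_synack = count_handshake(lan_lines, server_ip, port)
    if wan_syn == 0:
        return "no SYN reached the WAN: wrong public IP, upstream NAT, or ISP filtering"
    if lan_syn == 0:
        return "SYN hit the WAN but was never sent to the LAN: the NAT rule or WAN rule is not matching"
    if lan_synack == 0:
        return "SYN was forwarded to the server but it did not answer: nothing listening or a host firewall"
    if wan_synack == 0:
        return "server answered but the reply never left the WAN: return path or state problem"
    return "handshake completed through the firewall"


# Constructed captures modelled on the thread: three SYN retransmits on the WAN
# with the same spacing as the posted capture, and an empty LAN capture.
WAN_CAPTURE = [
    "11:00:28.624981 IP 66.87.74.16.17597 > 203.0.113.2.22: Flags [S], seq 1, win 65535, length 0",
    "11:00:31.614608 IP 66.87.74.16.17597 > 203.0.113.2.22: Flags [S], seq 1, win 65535, length 0",
    "11:00:37.626820 IP 66.87.74.16.17597 > 203.0.113.2.22: Flags [S], seq 1, win 65535, length 0",
]
LAN_CAPTURE = []

# What a working forward looks like: the SYN appears on both interfaces and the
# server's SYN-ACK comes back, re-sourced to the WAN address on the WAN side.
WAN_OK = WAN_CAPTURE[:1] + [
    "11:00:28.625400 IP 203.0.113.2.22 > 66.87.74.16.17597: Flags [S.], seq 9, ack 2, win 65535, length 0",
]
LAN_OK = [
    "11:00:28.625100 IP 66.87.74.16.17597 > 10.1.2.232.22: Flags [S], seq 1, win 65535, length 0",
    "11:00:28.625300 IP 10.1.2.232.22 > 66.87.74.16.17597: Flags [S.], seq 9, ack 2, win 65535, length 0",
]

if __name__ == "__main__":
    print(diagnose(WAN_CAPTURE, LAN_CAPTURE, "203.0.113.2", "10.1.2.232"))
    print(diagnose(WAN_OK, LAN_OK, "203.0.113.2", "10.1.2.232"))
```

Feed it the output of `tcpdump -ni <wan_if> port 22` and `tcpdump -ni <lan_if> port 22` taken during one connection attempt; the thread's symptom (SYNs on the WAN, silence on the LAN) lands on the "never sent to the LAN" verdict, which points at the NAT rule rather than at the server or the ISP.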

marvosa

                          You can use a service like photobucket.com, which will export the html image code… allowing you to post screenshots.

stephenw10 (Netgate Administrator)

                            You haven't told us the 'source address' and 'destination address' fields in your NAT rule. Only 'external address' which isn't one of the fields. Confusing!  ;)

                            Steve

johnpoz (LAYER 8 Global Moderator)

^ Exactly. There is no external address field in NAT; do you mean src is set to any? Then what is your dst address in the NAT? It should be WAN address. If you put in the IP address of your server then no, it would never work, because the WAN would never see traffic with a dst of your private IP address. All traffic on your WAN interface would have a dst of your WAN address.

Once your WAN rule allows the traffic in, then the NAT would NAT and forward that traffic to where you want it to go.

Nor did you list what the source port in your NAT rule is set to in your above. Just post a screenshot. As to it being too large, what the hell are you using to take it, print screen? That is going to be a BMP file. Use one of the 1000's of free tools out there to take your screenshot and save it in a format that makes sense, jpg, png, etc. They also allow you to reduce size and quality to make for a very small size.

Windows 7 has the built-in Snipping Tool, for example.

By default your firewall WAN rule should be auto-created when you set up the NAT/forward.

jerwiles

                                @stephenw10:

                                You haven't told us the 'source address' and 'destination address' fields in your NAT rule. Only 'external address' which isn't one of the fields. Confusing!  ;)

                                Steve

                                I told you everything that's in the rule…

                                Anyway, the problem with posting screenshots was that I was trying to post all of my screenshots in one post... thus why the forum was saying too large. Anyway, here's screenshots... broken up over multiple posts

                                Attached here is my NAT settings

![SSH Rule NAT.jpg](/public/imported_attachments/1/SSH Rule NAT.jpg)
![NAT Rules.jpg](/public/imported_attachments/1/NAT Rules.jpg)

jerwiles

                                  And firewall settings

![Firewall Rules.jpg](/public/imported_attachments/1/Firewall Rules.jpg)

jerwiles

                                    Firewall rule page 1

![Firewall SSH Rule pt1.jpg](/public/imported_attachments/1/Firewall SSH Rule pt1.jpg)

jerwiles

                                      Firewall rule page 2

![Firewall SSH Rule pt2.jpg](/public/imported_attachments/1/Firewall SSH Rule pt2.jpg)

jerwiles

                                        Firewall rule page 3

![Firewall SSH Rule pt3.jpg](/public/imported_attachments/1/Firewall SSH Rule pt3.jpg)

johnpoz (LAYER 8 Global Moderator)

What version of pfSense are you running? I don't see interface on the NAT rule.

It's on the edit page but not the rule listing.

Are you using the old 1.x line?

stephenw10 (Netgate Administrator)

                                            Hmm, looks like 1.2.3 or earlier. You should update when you have an opportunity to so safely.
                                            Anyway you should have 'external address' set to 'interface address'.

                                            Steve
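
The reasoning johnpoz gives above (a packet on the WAN always carries the WAN address as its destination, so a forward whose external address is the server itself can never match, and the WAN pass rule is checked only after the redirect has rewritten the destination) and Steve's fix (external address set to the interface address) can be modelled in a few lines. This is an added example, not pfSense or pf code: it is a simplified model of pf's rdr-then-filter order, the public IP 203.0.113.2 is assumed in place of the thread's masked x.x.x.2, and the client address is the one in the posted capture.

```python
"""Simplified model of a pfSense 1.2.x port forward: pf applies the 'rdr'
translation first, then evaluates the WAN filter rules against the rewritten
packet. Added example; not pfSense's implementation."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Forward:
    """Port forward as entered on the 1.2.x NAT page (a pf 'rdr' rule)."""
    iface: str
    proto: str
    external_addr: str   # 'External address': what the packet's dst must equal
    external_port: int
    nat_ip: str          # 'NAT IP': the internal host to forward to
    local_port: int


@dataclass(frozen=True)
class PassRule:
    """WAN firewall rule; pfSense auto-creates one with dst = NAT IP."""
    iface: str
    proto: str
    dst: str
    dport: int
    sport: Optional[int] = None   # None = any; a fixed value is the mistake johnpoz warns about


def translate(pkt, forwards):
    """Apply the first matching rdr rule: rewrite dst/dport, else leave the packet alone."""
    for f in forwards:
        if (pkt.iface == f.iface and pkt.proto == f.proto
                and pkt.dst == f.external_addr and pkt.dport == f.external_port):
            return replace(pkt, dst=f.nat_ip, dport=f.local_port)
    return pkt


def filter_passes(pkt, rules):
    """First matching pass rule wins; nothing matching means pfSense's default deny on WAN."""
    for r in rules:
        if (pkt.iface == r.iface and pkt.proto == r.proto
                and pkt.dst == r.dst and pkt.dport == r.dport
                and (r.sport is None or r.sport == pkt.sport)):
            return True
    return False


def deliver(pkt, forwards, rules):
    """Run rdr then filter, in pf's order; return ((final dst, final port), passed)."""
    translated = translate(pkt, forwards)
    return (translated.dst, translated.dport), filter_passes(translated, rules)


WAN_IP, SERVER = "203.0.113.2", "10.1.2.232"   # assumed public IP; thread masks it as x.x.x.2
SYN = Packet("wan", "tcp", "66.87.74.16", 17597, WAN_IP, 22)   # what the WAN actually sees
PASS_SSH = [PassRule("wan", "tcp", SERVER, 22)]                  # auto-created WAN rule, dst = NAT IP
GOOD = [Forward("wan", "tcp", WAN_IP, 22, SERVER, 22)]   # external address = interface address
BAD = [Forward("wan", "tcp", SERVER, 22, SERVER, 22)]    # external address = the server's own IP
BAD_SPORT = [PassRule("wan", "tcp", SERVER, 22, sport=22)]   # source port pinned to 22

if __name__ == "__main__":
    print(deliver(SYN, GOOD, PASS_SSH))       # (('10.1.2.232', 22), True)
    print(deliver(SYN, BAD, PASS_SSH))        # (('203.0.113.2', 22), False): never rewritten, so denied
    print(deliver(SYN, GOOD, BAD_SPORT))      # (('10.1.2.232', 22), False): client used port 17597
```

The second case is the one johnpoz describes: with the server's private address as the external address the redirect never fires, the WAN rule (which expects a destination of 10.1.2.232) then has nothing to match, and the SYN is silently dropped, which is exactly a capture showing SYNs on the WAN and nothing on the LAN. The third case shows why the source port in both the NAT and the firewall rule should stay "any".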

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.