SSH hangs



  • Hi all:

    Total newbie here. I just set up my xubuntu server with the ssh daemon running. When I try to do local ssh access, it works fine. I tried it on both pfSense 2.0.2 and 2.0.3.

    $ ssh -vvv 192.168.1.2
    OpenSSH_5.9p1, OpenSSL 0.9.8r 8 Feb 2011
    debug1: Reading configuration data /Users/username/.ssh/config
    debug1: Reading configuration data /etc/ssh_config
    debug1: /etc/ssh_config line 20: Applying options for *
    debug1: /etc/ssh_config line 53: Applying options for *
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to 192.168.1.2 [192.168.1.2] port 22.
    debug1: Connection established.
    ….

    Then I set up a NAT port forward from WAN:22 to 192.168.1.2:22. Since I also have DDNS set up, I tried to ssh from outside, and it works fine as well. (Suppose it is home.dyndns.org.)

    user@somewhereelse $ ssh -vvv home.dyndns.org
    debug1: Reading configuration data /home/…/.ssh/config
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to home.dyndns.org [1.2.3.4] port 22.
    debug1: Connection established.

    Then I tried to ssh from the LAN, with the DDNS address. It hangs until timeout…

    $ ssh -vvv home.dyndns.org
    debug1: Reading configuration data /Users/username/.ssh/config
    debug1: /Users/username/.ssh/config line 9: Applying options for home
    debug1: Reading configuration data /etc/ssh_config
    debug1: /etc/ssh_config line 20: Applying options for *
    debug1: /etc/ssh_config line 53: Applying options for *
    debug1: Connecting to home.dyndns.org [1.2.3.4] port 22.
    debug1: connect to address 1.2.3.4 port 22: Operation timed out
    ssh: connect to host home.dyndns.org port 22: Operation timed out

    I have checked my sshd log; this time sshd has not received any packet from the pfSense box.

    I suppose I did not set my pfSense properly. Any help would be appreciated!

    Thanks!

    EDIT: SOLVED
    Make sure system->advance->firewall/nat->Disable NAT reflection for port forwards is not enabled.

    Thanks for all your help!



  • Your ssh access to home.dyndns.org from the LAN resolves to the public IP address. That SSH attempt does not arrive on the WAN interface, hence your port forward on the WAN interface doesn't apply.

    If your pfSense has the DNS forwarder enabled, you could fix this problem by using a host override in the DNS forwarder so LAN clients resolve home.dyndns.org to the private IP address.
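    A small check for the situation described in this reply, added here as an example and not part of the thread: it looks up what a LAN client actually gets for the DDNS name and tells you whether split DNS (the host override) is in effect, whether the client is hairpinning to the WAN address (where only NAT reflection can help), or whether the record is simply wrong. The subnet, WAN address and hostname are constructed to match the thread and are assumptions.

```python
import ipaddress
import socket

# Constructed sample values matching the thread's layout (assumptions, not real addresses).
LAN_CIDR = "192.168.1.0/24"
WAN_PUBLIC_IP = "1.2.3.4"
DDNS_NAME = "home.dyndns.org"


def classify(lan_resolved_ip, lan_cidr=LAN_CIDR, wan_ip=WAN_PUBLIC_IP):
    """Given the address a LAN client gets for the DDNS name, say what will happen.

    - address inside the LAN subnet  -> host override (split DNS) is working;
      the SSH connection goes straight to the server on the LAN
    - address equal to the WAN IP    -> the client talks to pfSense's LAN side,
      where the WAN port forward does not match; this only works with NAT
      reflection enabled for the port forward
    - anything else                  -> stale DDNS record or the wrong resolver
    """
    ip = ipaddress.ip_address(lan_resolved_ip)
    if ip in ipaddress.ip_network(lan_cidr):
        return "split-dns"
    if ip == ipaddress.ip_address(wan_ip):
        return "hairpin-needs-nat-reflection"
    return "unexpected-address"


def resolve_from_lan(name=DDNS_NAME):
    """Live lookup through this host's configured resolver (the pfSense forwarder, on a LAN client)."""
    return socket.gethostbyname(name)


if __name__ == "__main__":
    try:
        answer = resolve_from_lan()
    except socket.gaierror as err:
        raise SystemExit(f"cannot resolve {DDNS_NAME}: {err}")
    print(f"{DDNS_NAME} -> {answer}: {classify(answer)}")
```

    Run it on a LAN client after adding the host override; if it still reports the hairpin case, the client is not using the pfSense forwarder (or is caching the old answer).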



  • Hi:

    I tried adding an entry in the Host Overrides, with Domain: home.dyndns.org, IP: 192.168.1.2, and rebooted, but it does not seem to work. Can you point me in some direction so that I can further research this problem?

    On a side note, when I type

    $ ping home.dyndns.org
    PING home.dyndns.org (1.2.3.4): 56 data bytes
    64 bytes from 1.2.3.4: icmp_seq=0 ttl=64 time=1.054 ms
    64 bytes from 1.2.3.4: icmp_seq=1 ttl=64 time=2.826 ms

    as normal, however, when I try to resolve locally:

    $ whois home.dyndns.org
    NOT FOUND

    Is this the same issue? I'm not very experienced in this area.

    Thanks for your help.



  • Make sure the NAT Reflection rules are not disabled in the pfSense config (System --> Advanced --> Firewall/NAT, then the bottom section of the page).



  • That does the trick. Thanks for helping!