Access webgui from outside (public ip)?



  • hello guys

    If my WAN is a public ip (isdn, t1…), can I access webgui from internet using that public ip? I supose a firewall rule should be created to allow this; can I acess trought SSH (ssh -l root -p 222 x.x.x.x)??

    thanks



  • As long as you put rules on WAN that allow this –> yes it is possible.



  • Is this the reason for this error, when I try to ssh my pfsense?

    ~$ ssh -l root x.x.x.x -p 222
    ssh: connect to host x.x.x.x port 222: No route to host

    ??? ??? ??? ???

    Ping to that ip works fine



  • Yep.
    First you have to create a rule on WAN to pass traffic to your gateway's SSH port.
    If ping works fine from outside you have an allow ICMP rule on WAN already. Otherwise those packets would get dropped or rejected as well.



  • where can I create this rules? firewall -> rules -> wan????

    then
    proto: tcp/udp
    source: *
    port: 222
    destination: wan address
    port: 222
    gateway: *

    I tested this and didnt work!

    thanks a lot for your help



  • I'll assume you changed the listening port to 222 under system, advanced.
    Anyway the rule should be:
    proto: tcp source:* port:* dest:wan address port:222 gateway:*
    (ssh is tcp only. the destination port is 222, not the source)



  • @dotdash:

    I'll assume you changed the listening port to 222 under system, advanced.
    Anyway the rule should be:
    proto: tcp source:* port:* dest:wan address port:222 gateway:*
    (ssh is tcp only. the destination port is 222, not the source)

    I tested this rule with both gateway:* and gateway: x.x.x.x (this is the WAN gateway), but still have the same error:

    ~$ ssh -l root x.x.x.x -p 222
    ssh: connect to host x.x.x.x port 222: No route to host

    Could not this be a error in the Wan gw (in this case my wan router)??

    thanks



  • 'No route to host' sounds like there is a problem getting to the pfsense box from where you were testing from. Double-check you can ping the address you are trying to ssh to from the box you are trying to connect from…



  • Yes, I also think this is very strange.

    I can ping from the host I am to the host that my pfsense is; but when I try to ssh it, I get that message (no route to host); when I traceroute my pfsense box, I can see the last router before my wan router; the strange is that I have another box that is in the same network, so it uses the same gw that my pfsense; in this box I can ping, ssh, everything…

    in my opinion, even if I donot open my firewall to get in throught ssh, using nmap it should at least show me what ports are blocked, etc... but nmap, from that same machine, shows me this:

    nmap x.x.x.x (pfsense wan ip)

    Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2007-10-10 12:54 BRT
    Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
    Nmap finished: 1 IP address (0 hosts up) scanned in 0.297 seconds

    I have some free ips from that network, so maybe later I may try another IP and see if the same happens to it; the ip I'm using in pfsense is the first in the range; the linux box (that works fine) is the 2nd; I can try set the 3rd to see what happens, but I also thinks that something is (should be) wrong...

    is there any other test to do with it??
    thanks!!



  • 1. Try and ssh to the firewall from the LAN side.
    2. Go to advanced, disable the firewall, and try again from the Internet.



  • @srs:

    in my opinion, even if I donot open my firewall to get in throught ssh, using nmap it should at least show me what ports are blocked, etc… but nmap, from that same machine, shows me this:

    nmap x.x.x.x (pfsense wan ip)

    Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2007-10-10 12:54 BRT
    Note: Host seems down. If it is really up, but blocking our ping probes, try -P0

    (emphasis mine)

    It doesn't respond to pings, if you want to see results you need to use -P0.



  • @dotdash:

    1. Try and ssh to the firewall from the LAN side.
    2. Go to advanced, disable the firewall, and try again from the Internet.

    I tryied ssh the wan interface, from the lan side and nothing happens, it keeps trying to contact without success.



  • can you ssh to the LAN IP?



  • yes, this always worked; I never tryied ssh the wan because it was behind an adsl modem; now I'm using a frame relay circuit and do not have anything between me and internet.


Log in to reply