SFTP Access



  • I switched from smoothwall to pfsense but now I'm having an issue with a specific site.

    My setup is: dual wan, squid, squidguard, HAVP antivirus.

    The particular computer having the issue is not on the proxy I haven't setup a transparent proxy.
    The site I am try to access is sftp.link2gov.com and using sftp on port 22. I don't have access to pfsense by SSH setup.

    I cannot access the site however I can access other sftp sites. I could when I was using smoothwall although smoothwall did not have the dual wan setup. I have disconnected on of the WAN links without reseting the configuration to a single WAN to see if that would fix the problem.

    Does anyone have any ideas? Should I just abandon the dual wan setup? Or could it be something about pfsense itself that is causing the problem?


  • Rebel Alliance Global Moderator

    what doesn't work – why do you think pfsense would do something to this site and not others?  I can tell you it listens on 22, and I can connect to it

    EFT Server Enterprise 6.5.0.40Enter password:

    fi you PM creds be more than happy to test connectivity using pfsense, or not pfsense, etc.


  • Netgate Administrator

    Did disconnecting the wan make any difference? Are you load-balancing the two wans?
    What happens when you try to connect?
    More info please.  ;)

    Steve



  • I am load balancing the two WAN connections.

    The error that I get using psftp command line utility from putty website is: Fatal: Network error: Connection timed out.

    I can't give you login credentials they are hashed into the software, not that I would even if I had them.

    Disconnecting one of the WAN links did not fix the problem.

    I know that it works when I bypass pfsense by connecting a computer directly to the cable modem.

    Thanks for your reply's, guys.

    Rui


  • Netgate Administrator

    Since disconnecting one WAN didn't have an effect it seems unlikely to be a load-balancing problem. Even so you might want to enable 'sticky connections' or exclude that site from the load balancing.

    Check the firewall logs after you've tried to connect.

    Steve


  • Rebel Alliance Global Moderator

    is it a simple name resolution problem?  Connection timed out could be lots of things.  Sniff on pfsense lan and validate its resolving and sending connection request to the correct IP, etc.  As stated I can connect and get a banner of sorts back.

    Unless your blocking on pfsense outbound traffic pfsense doesn't care where you go.  And could not distinguish this ip from the next IP  What are you current lan rules and or floating rules, are you using aliases in allowing traffic?



  • Stephenw10, where would I exclude that site from the load balancing?

    johnpoz: Not a name resolution problem, I've done a nslookup and it resolves fine. Will look at the sniffing on the lan to see if I can tell more of what is happening.

    Rui



  • I have attached the only floating rule I have in a jpg.

    Here is the packet capture from pfsense on the LAN port:

    10:41:57.666222 00:22:19:07:47:28 > 00:13:72:0f:57:92, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 13837, offset 0, flags , proto TCP (6), length 52)
        192.168.1.23.64669 > 66.179.147.73.22: Flags , cksum 0x9241 (correct), seq 1772273340, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    10:42:00.666022 00:22:19:07:47:28 > 00:13:72:0f:57:92, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 13840, offset 0, flags , proto TCP (6), length 52)
        192.168.1.23.64669 > 66.179.147.73.22: Flags , cksum 0x9241 (correct), seq 1772273340, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    10:42:06.666431 00:22:19:07:47:28 > 00:13:72:0f:57:92, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 128, id 13844, offset 0, flags , proto TCP (6), length 48)
        192.168.1.23.64669 > 66.179.147.73.22: Flags , cksum 0xa650 (correct), seq 1772273340, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    

    Not sure exactly what I'm looking at.



  • Rebel Alliance Global Moderator

    Well I think the way you posted it caused the lines in the text..

    But here
    192.168.1.23.64669 > 66.179.147.73.22

    that is that IP talking to that fqdn you posted sftp.link2gov.com [66.179.147.73] on port 22 or ssh/sftp port.

    And here is answer back

    192.168.1.23.64669 > 66.179.147.73.22

    So clearly pfsense is not blocking the traffic..  Load it up into wireshark and see if your seeing RST come back or something.  So I would assume syn, and then syn,ack - but then there is another answer back.. maybe RST??  what does wireshark show?



  • There isn't anything in reply in that capture snippet, only LAN outbound.

    Go to Diagnostics>States and filter on that 66.179 IP, what do the states look like?



  • Here is the States Filter results:

    tcp 66.179.147.73:22 <- 192.168.1.23:49769 CLOSED:SYN_SENT 
    tcp 192.168.1.23:49769 -> 100.1.217.93:21780 -> 66.179.147.73:22 SYN_SENT:CLOSED



  • I tried 'sticky connections' and excluded that site from the load balancing without any effect.

    Rui



  • Is your SFTP server a machine on the LAN? (maybe a dumb question)

    Is that all that machine does is SFTP?

    which version of pfsense are you using?


  • Rebel Alliance Global Moderator

    My bad - you are correct there was no answer back, the lines thru the text must of confused me ;) hehehe

    So I would suggest now sniff on the wan - do you not see an answer?



  • So here it is guys. It seems that this particular site does not like a dual WAN firewall. I setup another pfsense box without the dual WAN and I can now access the site right through the firewall.

    That's too bad I was really linking the extra bandwith. I will now try to setup CARP so that I can at least have redundancy.

    Thanks for all the suggestions and help.

    Rui



  • It's almost certainly not the fact it's dual WAN, that site isn't replying to/is blocking the source IP you're sending it out from, or maybe a general connectivity issue for that network. A traceroute might be telling. The states you showed prove it's getting sent out no problem, getting NATed as it appears it should be, but gets no reply back at all.