
    SFTP Access

General pfSense Questions
16 Posts 5 Posters 3.1k Views

ehanover

      I switched from smoothwall to pfsense but now I'm having an issue with a specific site.

      My setup is: dual wan, squid, squidguard, HAVP antivirus.

The particular computer having the issue is not on the proxy; I haven't set up a transparent proxy.
The site I am trying to access is sftp.link2gov.com, using sftp on port 22. I don't have SSH access to pfsense set up.

I cannot access the site; however, I can access other sftp sites. I could when I was using smoothwall, although smoothwall did not have the dual wan setup. I have disconnected one of the WAN links without resetting the configuration to a single WAN to see if that would fix the problem.

      Does anyone have any ideas? Should I just abandon the dual wan setup? Or could it be something about pfsense itself that is causing the problem?

johnpoz LAYER 8 Global Moderator

What doesn't work – why do you think pfsense would do something to this site and not others?  I can tell you it listens on 22, and I can connect to it:

EFT Server Enterprise 6.5.0.40
Enter password:

If you PM creds I'd be more than happy to test connectivity using pfsense, or not pfsense, etc.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

stephenw10 Netgate Administrator

          Did disconnecting the wan make any difference? Are you load-balancing the two wans?
          What happens when you try to connect?
          More info please.  ;)

          Steve

ehanover

            I am load balancing the two WAN connections.

The error that I get using the psftp command line utility from the PuTTY website is: Fatal: Network error: Connection timed out.

I can't give you login credentials; they are hashed into the software, not that I would even if I had them.

Disconnecting one of the WAN links did not fix the problem.

I know that it works when I bypass pfsense by connecting a computer directly to the cable modem.

Thanks for your replies, guys.

            Rui

stephenw10 Netgate Administrator

              Since disconnecting one WAN didn't have an effect it seems unlikely to be a load-balancing problem. Even so you might want to enable 'sticky connections' or exclude that site from the load balancing.

              Check the firewall logs after you've tried to connect.

              Steve

johnpoz LAYER 8 Global Moderator

Is it a simple name resolution problem?  Connection timed out could be lots of things.  Sniff on the pfsense LAN and validate it's resolving and sending the connection request to the correct IP, etc.  As stated, I can connect and get a banner of sorts back.

Unless you're blocking outbound traffic on pfsense, pfsense doesn't care where you go, and could not distinguish this IP from the next IP.  What are your current LAN rules and/or floating rules? Are you using aliases in allowing traffic?

ehanover

                  Stephenw10, where would I exclude that site from the load balancing?

                  johnpoz: Not a name resolution problem, I've done a nslookup and it resolves fine. Will look at the sniffing on the lan to see if I can tell more of what is happening.

                  Rui

ehanover

                    I have attached the only floating rule I have in a jpg.

                    Here is the packet capture from pfsense on the LAN port:

                    10:41:57.666222 00:22:19:07:47:28 > 00:13:72:0f:57:92, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 13837, offset 0, flags , proto TCP (6), length 52)
                        192.168.1.23.64669 > 66.179.147.73.22: Flags , cksum 0x9241 (correct), seq 1772273340, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
                    10:42:00.666022 00:22:19:07:47:28 > 00:13:72:0f:57:92, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 13840, offset 0, flags , proto TCP (6), length 52)
                        192.168.1.23.64669 > 66.179.147.73.22: Flags , cksum 0x9241 (correct), seq 1772273340, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
                    10:42:06.666431 00:22:19:07:47:28 > 00:13:72:0f:57:92, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 128, id 13844, offset 0, flags , proto TCP (6), length 48)
                        192.168.1.23.64669 > 66.179.147.73.22: Flags , cksum 0xa650 (correct), seq 1772273340, win 8192, options [mss 1460,nop,nop,sackOK], length 0
                    

                    Not sure exactly what I'm looking at.

floating.jpg

johnpoz LAYER 8 Global Moderator

                      Well I think the way you posted it caused the lines in the text..

                      But here
                      192.168.1.23.64669 > 66.179.147.73.22

that is that IP talking to the fqdn you posted, sftp.link2gov.com [66.179.147.73], on port 22, the ssh/sftp port.

And here is the answer back

192.168.1.23.64669 > 66.179.147.73.22

So clearly pfsense is not blocking the traffic..  Load it up into wireshark and see if you're seeing RST come back or something.  So I would assume syn, and then syn,ack - but then there is another answer back.. maybe RST??  What does wireshark show?

cmb

                        There isn't anything in reply in that capture snippet, only LAN outbound.

                        Go to Diagnostics>States and filter on that 66.179 IP, what do the states look like?

ehanover

                          Here is the States Filter results:

                          tcp 66.179.147.73:22 <- 192.168.1.23:49769 CLOSED:SYN_SENT 
                          tcp 192.168.1.23:49769 -> 100.1.217.93:21780 -> 66.179.147.73:22 SYN_SENT:CLOSED

ehanover

                            I tried 'sticky connections' and excluded that site from the load balancing without any effect.

                            Rui

kejianshi

                              Is your SFTP server a machine on the LAN? (maybe a dumb question)

                              Is that all that machine does is SFTP?

                              which version of pfsense are you using?

johnpoz LAYER 8 Global Moderator

My bad - you are correct, there was no answer back; the lines through the text must have confused me ;) hehehe

                                So I would suggest now sniff on the wan - do you not see an answer?

ehanover

                                  So here it is guys. It seems that this particular site does not like a dual WAN firewall. I setup another pfsense box without the dual WAN and I can now access the site right through the firewall.

That's too bad, I was really liking the extra bandwidth. I will now try to set up CARP so that I can at least have redundancy.

                                  Thanks for all the suggestions and help.

                                  Rui

cmb

                                    It's almost certainly not the fact it's dual WAN, that site isn't replying to/is blocking the source IP you're sending it out from, or maybe a general connectivity issue for that network. A traceroute might be telling. The states you showed prove it's getting sent out no problem, getting NATed as it appears it should be, but gets no reply back at all.
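As an added illustration (not code from the thread or from pfSense), here is a small Python parser that reads LAN-capture flow lines and Diagnostics > States lines of the shape posted above and reports what cmb points out: packets leave, get NATed to the translated WAN source, and nothing ever comes back. The sample capture and state lines are constructed to mirror the ones in the thread; the assumed formats are tcpdump's `src.port > dst.port:` flow line and pf's `src -> translated -> dst` display for an outbound NATed state.

```python
import re
# Constructed sample: the flow lines of the LAN-side tcpdump capture posted in the
# thread (the forum stripped the [S] flag brackets; the parser does not need them).
LAN_CAPTURE = """\
    192.168.1.23.64669 > 66.179.147.73.22: Flags , cksum 0x9241 (correct), seq 1772273340, win 8192, length 0
    192.168.1.23.64669 > 66.179.147.73.22: Flags , cksum 0x9241 (correct), seq 1772273340, win 8192, length 0
    192.168.1.23.64669 > 66.179.147.73.22: Flags , cksum 0xa650 (correct), seq 1772273340, win 8192, length 0
"""
# Constructed Diagnostics > States sample, matching the two lines in the thread.
STATES = """\
tcp 66.179.147.73:22 <- 192.168.1.23:49769 CLOSED:SYN_SENT
tcp 192.168.1.23:49769 -> 100.1.217.93:21780 -> 66.179.147.73:22 SYN_SENT:CLOSED
"""
FLOW_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+):")
STATE_RE = re.compile(r"^(\w+)\s+(.+?)\s+([A-Z_]+:[A-Z_]+)$")

def count_directions(capture_text, peer_ip):
    """Return (packets sent to peer_ip, packets received from peer_ip)."""
    sent = received = 0
    for line in capture_text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            src, _, dst, _ = m.groups()
            sent += dst == peer_ip
            received += src == peer_ip
    return sent, received

def parse_states(states_text):
    """Yield (hop IPs, state pair, is_outbound_nat); pf prints a NATed
    outbound state as 'src -> translated -> dst' (assumed format)."""
    for line in states_text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            _proto, chain, pair = m.groups()
            hops = [h.rsplit(":", 1)[0] for h in re.split(r"\s+(?:->|<-)\s+", chain)]
            yield hops, tuple(pair.split(":")), ("->" in chain and len(hops) == 3)

def diagnose(capture_text, states_text, peer_ip):
    """Combine capture and state evidence for one remote peer."""
    sent, received = count_directions(capture_text, peer_ip)
    half_open, nat_sources = False, set()
    for hops, states, outbound_nat in parse_states(states_text):
        if peer_ip in hops:
            half_open |= "SYN_SENT" in states and "CLOSED" in states
            if outbound_nat:
                nat_sources.add(hops[1])  # the WAN address the remote side sees
    one_way = bool(sent) and not received and half_open  # SYN left, nothing returned
    return {"sent": sent, "received": received, "half_open": half_open,
            "nat_sources": sorted(nat_sources), "one_way": one_way}
```

When `one_way` is true the next evidence to gather is a WAN-side capture and a traceroute from the translated source, as the last two replies suggest.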

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.