Netgate Discussion Forum

    Ssh on port 443… not working

    General pfSense Questions

    pfnoober:

      Hello,
      I'm running 2.1.5 release on i386 in a transparent setup.

      I realize my question may be rather simplistic, but I'm by no means an expert with pfSense or FreeBSD.  I've been able to get SSH running on my setup just fine on practically any port.  However, I'd like to try and run SSH on port 443, and every time I switch to 443 in the setup, I can never get my client to make a connection.  I suspect there is some underlying service within pfSense that is still hanging onto 443, possibly the secure HTTP webConfigurator.  I don't have any need for HTTPS in my setup, and it is already running by default as standard HTTP on port 80.  Is there some way I can check to see if something else is using that port and, if so, disable it?

      Here is some output of what things look like right now:

      $ top
      last pid: 35820;  load averages:  0.47,  0.19,  0.09  up 29+21:50:38    23:00:29
      39 processes:  1 running, 34 sleeping, 4 zombie
      
      Mem: 114M Active, 81M Inact, 140M Wired, 10M Cache, 104M Buf, 577M Free
      Swap: 2048M Total, 2048M Free
      
        PID USERNAME  THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
      35707 root        1  67    0 81840K 34188K piperd   0:42  4.98% php
      74219 root       10  44    0   218M   104M nanslp 101:37  0.00% ntop
      40183 root        1  76   20  3644K  1464K wait    26:40  0.00% sh
      33736 root        1  44    0  7200K  7220K select   7:24  0.00% ntpd
      76027 root        1  44    0  9260K  4896K bpf      3:53  0.00% bandwidthd
      76325 root        1  44    0  9260K  5028K bpf      3:41  0.00% bandwidthd
      76380 root        1  44    0  9260K  4696K bpf      3:35  0.00% bandwidthd
      76479 root        1  44    0  8236K  4240K bpf      3:34  0.00% bandwidthd
      22410 root        1  44    0  8016K  5156K kqread   3:00  0.00% lighttpd
      15296 root        7  44    0 56472K 15052K ucond    2:40  0.00% filterdns
      10037 root        1  44    0  5864K  2680K bpf      1:28  0.00% tcpdump
      43918 root        1  44    0  3412K  1420K select   0:23  0.00% syslogd
      44458 root        1  76    0  3352K  1336K nanslp   0:16  0.00% cron
      77303 root        1  70    0  3264K  1024K nanslp   0:10  0.00% minicron
      12110 root        1  44    0  3384K  1348K select   0:05  0.00% inetd
      35635 root        1  45    0 78256K 28908K accept   0:04  0.00% php
        260 root        1  76   20  3352K  1216K kqread   0:03  0.00% check_reload_status
      10112 root        1  44    0  3264K   908K piperd   0:03  0.00% logger
      
      
      $ ps
        PID  TT  STAT      TIME COMMAND
      10037  v0- S      1:28.28 /usr/sbin/tcpdump -s 256 -v -S -l -n -e -ttt -i pflog
      10112  v0- I      0:03.26 logger -t pf -p local0.info
      40183  v0- IN    26:40.22 /bin/sh /var/db/rrd/updaterrd.sh
      76027  v0- S      3:52.96 /usr/pbi/bandwidthd-i386/bandwidthd/bandwidthd
      76325  v0- S      3:40.69 /usr/pbi/bandwidthd-i386/bandwidthd/bandwidthd
      76380  v0- S      3:34.53 /usr/pbi/bandwidthd-i386/bandwidthd/bandwidthd
      76479  v0- S      3:34.16 /usr/pbi/bandwidthd-i386/bandwidthd/bandwidthd
      81105  v0  Is     0:00.05 login [pam] (login)
      81639  v0  I      0:00.02 -sh (sh)
      83507  v0  I+     0:00.02 /bin/sh /etc/rc.initial
      
      $ sockstat -4
      USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
      root     sockstat   72358 20 udp4   *:40679               *:*
      root     bandwidthd 76479 20 udp4   *:16009               *:*
      root     bandwidthd 76380 20 udp4   *:16009               *:*
      root     bandwidthd 76325 20 udp4   *:16009               *:*
      root     bandwidthd 76027 20 udp4   *:16009               *:*
      root     ntop       74219 2  tcp4   *:3000                *:*
      root     ntop       74219 20 udp4   *:16009               *:*
      root     syslogd    43918 13 udp4   *:514                 *:*
      root     php        35707 10 udp4   *:*                   *:*
      root     php        35707 20 udp4   *:40679               *:*
      root     php        35635 10 udp4   *:*                   *:*
      root     php        35635 20 udp4   *:52556               *:*
      root     ntpd       33736 21 udp4   *:123                 *:*
      root     ntpd       33736 22 udp4   (removed):123      *:*
      root     ntpd       33736 25 udp4   127.0.0.1:123         *:*
      root     php        23667 10 udp4   *:*                   *:*
      root     php        23667 20 udp4   *:40679               *:*
      root     php        22571 10 udp4   *:*                   *:*
      root     php        22571 20 udp4   *:52556               *:*
      root     lighttpd   22410 9  tcp4   *:80                  *:*
      root     lighttpd   22410 11 tcp4   (removed):80       (removed):12332
      root     sshd       16612 5  tcp4   *:22                *:*
      root     inetd      12110 10 udp4   127.0.0.1:6969        *:*
      
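One way to run the check the original poster asks for (whether some other service already holds the port before sshd is moved onto it), as an added example that is not part of this thread: a small POSIX shell script that parses `sockstat -4` output of the kind pasted above, reports which process is bound to a given port, and tells a real listener apart from an established connection that merely uses the same port number. The sample listing embedded in the script is constructed for the example, modelled on the sockstat listings in this thread (both the port-22 one above and the port-443 one later on), with the redacted addresses replaced by RFC 5737 documentation addresses; the function names `port_holders` and `port_listener` are mine, not pfSense's.

```shell
#!/bin/sh
# Added example, not from the thread: find which process holds a port on a
# FreeBSD/pfSense box by parsing `sockstat -4` output, before moving sshd onto
# that port. On the box itself:  sockstat -4 | port_holders 443
# Function names and the sample listing below are constructed for this example.

# port_holders PORT  - print "USER COMMAND PID PROTO LOCAL" for every socket
# whose local port is PORT. Reads sockstat output on stdin, skipping the column
# header and sockstat's own socket. Data rows have 7 fields
# (USER COMMAND PID FD PROTO LOCAL FOREIGN), so the local address is $6.
port_holders() {
    awk -v port="$1" '
        NR == 1 { next }                  # column header
        $2 == "sockstat" { next }         # the query tool itself
        {
            n = split($6, a, ":")         # addr:port; the port is the last piece
            if (a[n] == port) print $1, $2, $3, $5, $6
        }'
}

# port_listener PORT  - exit 0 if a TCP socket is *listening* on PORT
# (foreign address "*:*"), exit 1 otherwise. An established connection on the
# same port (foreign address filled in) is not a clash for a new listener.
port_listener() {
    awk -v port="$1" '
        NR == 1 || $2 == "sockstat" { next }
        $5 ~ /^tcp/ && $7 == "*:*" {
            n = split($6, a, ":")
            if (a[n] == port) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample modelled on the thread's listing; the redacted addresses
# are replaced with RFC 5737 documentation addresses.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sockstat   68630 20 udp4   *:40679               *:*
root     lighttpd   19588 14 tcp4   *:80                  *:*
root     lighttpd   19588 16 tcp4   203.0.113.10:80       198.51.100.7:1538
root     sshd       14583 5  tcp4   *:443                 *:*
root     ntop       74219 2  tcp4   *:3000                *:*
root     ntpd       33736 25 udp4   127.0.0.1:123         *:*'

# Demo on the sample: who holds 443, and is anything still listening on 22?
printf '%s\n' "$SAMPLE" | port_holders 443
if printf '%s\n' "$SAMPLE" | port_listener 22; then
    echo "port 22: still in use"
else
    echo "port 22: free"
fi
```

Run `sockstat -4 | port_holders 443` before changing the sshd port: if lighttpd (the webConfigurator on HTTPS) or anything else shows up with a `*:*` foreign address, the port is genuinely taken. After the change only sshd should be listed, which is what the later listing in this thread shows; once that is the case, a client that times out (rather than being refused) is not hitting the pfSense box at all, and the search moves to the firewall rules and to whatever sits upstream. sockstat's `-l` flag restricts the output to listening sockets, which narrows the same query without the awk filter.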
      jimp (Rebel Alliance Developer, Netgate):

        A service on the firewall cannot affect traffic passing through to other hosts.

        If anything on the firewall is affecting it, it would have to be a NAT rule (Port forward, etc), or possibly a port forward in combination with NAT reflection.

        stephenw10 (Netgate Administrator):

          This is traffic to SSH on the pfSense box though, no?

          When you set SSH to run on port 443 do you see anything in the logs? I would expect some error if two services try to claim the same port.

          Steve

          pfnoober:

            @jimp:

            A service on the firewall cannot affect traffic passing through to other hosts.

            If anything on the firewall is affecting it, it would have to be a NAT rule (Port forward, etc), or possibly a port forward in combination with NAT reflection.

            I think I understand what you are saying, but when I SSH into pf from the outside, I am not hitting any host on the LAN side.  I am simply establishing SSH onto pf itself.  I don't have access to the console right now, but I'll check what my NAT settings and port forwarding settings are later and post back results.  I can tell you, though, that pf is not set up to NAT anything; I have a separate router to handle all of that.

            @stephenw10:

            This is traffic to SSH on the pfSense box though, no?

            When you set SSH to run on port 443 do you see anything in the logs? I would expect some error if two services try to claim the same port.

            Steve

            I'll set it back to 443 this weekend and post back results from system logs (if any).

            pfnoober:

              @jimp:

              A service on the firewall cannot affect traffic passing through to other hosts.

              If anything on the firewall is affecting it, it would have to be a NAT rule (Port forward, etc), or possibly a port forward in combination with NAT reflection.

              Under Firewall > NAT, Port Forward has no entries.  1:1 has no entries.  Outbound is set to manual with no mappings listed.  NPt has no entries.

              pfnoober:

                @stephenw10:

                This is traffic to SSH on the pfSense box though, no?

                When you set SSH to run on port 443 do you see anything in the logs? I would expect some error if two services try to claim the same port.

                Steve

                OK, when I make a successful SSH connection into my system, the system log looks like this:

                Nov 10 17:25:24 	sshd[34537]: Received disconnect from x.x.x.x: 11: Closed due to user request.
                Nov 10 17:25:11 	sshd[34537]: Accepted keyboard-interactive/pam for admin from x.x.x.x port 54142 ssh2
                

                I also have it create a log entry every time this event is triggered, which shows up in the Firewall log.

                Now when I change the System > Advanced entry to 443, and also my corresponding WAN rule which handles this traffic to 443, my SSH client keeps trying to connect but I don't get anything which prompts me for a login/password, so it times out.  I look in the System Logs and find the change I made in the Advanced settings shows up as this:

                Nov 10 17:29:08 	sshd[14583]: Server listening on 0.0.0.0 port 443.
                Nov 10 17:29:08 	sshd[14583]: Server listening on :: port 443.
                

                Here is some other diagnostic output from the change:

                
                $ sockstat -4
                USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
                root     sockstat   68630 20 udp4   *:40679               *:*
                root     sleep      67072 20 udp4   *:35821               *:*
                root     sh         20054 20 udp4   *:35821               *:*
                root     lighttpd   19588 14 tcp4   *:80                  *:*
                root     lighttpd   19588 16 tcp4   (removed):80       (removed):1538
                root     lighttpd   19588 20 udp4   *:35821               *:*
                root     sshd       14583 5  tcp4   *:443                 *:*
                root     bandwidthd 76479 20 udp4   *:16009               *:*
                root     bandwidthd 76380 20 udp4   *:16009               *:*
                root     bandwidthd 76325 20 udp4   *:16009               *:*
                root     bandwidthd 76027 20 udp4   *:16009               *:*
                root     ntop       74219 2  tcp4   *:3000                *:*
                root     ntop       74219 20 udp4   *:16009               *:*
                root     syslogd    43918 13 udp4   *:514                 *:*
                root     php        35707 10 udp4   *:*                   *:*
                root     php        35707 20 udp4   *:40679               *:*
                root     php        35635 10 udp4   *:*                   *:*
                root     php        35635 20 udp4   *:52556               *:*
                root     ntpd       33736 21 udp4   *:123                 *:*
                root     ntpd       33736 22 udp4   (removed):123      *:*
                root     ntpd       33736 25 udp4   127.0.0.1:123         *:*
                root     php        23667 10 udp4   *:*                   *:*
                root     php        23667 20 udp4   *:40679               *:*
                root     php        22571 10 udp4   *:*                   *:*
                root     php        22571 20 udp4   *:52556               *:*
                root     inetd      12110 10 udp4   127.0.0.1:6969        *:*
                

                I don't know why it shows up with the 0.0.0.0 address in the log.  My LAN port is set to 'none' and WAN is a static IP address.  I have the OPT1 interface set up as bridge0 between the two, and there are no VLANs in use.

                Derelict (LAYER 8, Netgate):

                  0.0.0.0 means bind to all addresses on the host.  So you could ssh to your LAN address, WAN address, etc.  Firewall rules permitting, of course.

                    pfnoober:

                    @Derelict:

                    0.0.0.0 means bind to all addresses on the host.  So you could ssh to your LAN address, WAN address, etc.  Firewall rules permitting, of course.

                    I guess I don't understand what you mean.  My LAN port has no address; my WAN port's address isn't routable.  How would I be able to SSH to the WAN port?

                      stephenw10 (Netgate Administrator):

                      If you're not using the WAN address to SSH to what are you using?

                      What address do the logs show sshd is listening on when it's set to use port 22?

                      Steve

                        pfnoober:

                        @stephenw10:

                        If you're not using the WAN address to SSH to what are you using?

                        What address do the logs show sshd is listening on when it's set to use port 22?

                        Steve

                        Oh, I see what you're saying now.  Let me clarify: I posted this thread because I wasn't able to SSH remotely, as in via the internet, to my pfSense box on port 443.  I am always able to SSH from any machine on the LAN to the WAN port address.

                        And here are the log entries when I change it back to port 22 in the Advanced settings:

                        Nov 10 20:51:14 	check_reload_status: webConfigurator restart in progress
                        Nov 10 20:51:14 	check_reload_status: starting sshd
                        Nov 10 20:51:14 	php: /system_advanced_admin.php: webConfigurator configuration has changed. Restarting webConfigurator.
                        Nov 10 20:51:14 	php: /system_advanced_admin.php: secure shell configuration has changed. Restarting sshd.
                        Nov 10 20:51:14 	php: /system_advanced_admin.php: secure shell configuration has changed. Stopping sshd.
                        Nov 10 20:51:14 	sshd[19816]: Received signal 15; terminating.
                        Nov 10 20:51:13 	check_reload_status: Reloading filter
                        Nov 10 20:51:13 	check_reload_status: Syncing firewall
                        Nov 10 20:50:35 	php: rc.restart_webgui: Creating rrd update script
                        Nov 10 20:50:35 	kernel: Bump sched buckets to 256 (was 0)
                        Nov 10 20:50:35 	kernel: Bump sched buckets to 256 (was 0)
                        Nov 10 20:50:35 	kernel: Bump sched buckets to 256 (was 0)
                        Nov 10 20:50:35 	kernel: Bump sched buckets to 256 (was 0)
                        Nov 10 20:50:35 	kernel: Bump sched buckets to 256 (was 0)
                        Nov 10 20:50:33 	sshd[19816]: Server listening on 0.0.0.0 port 22.
                        Nov 10 20:50:33 	sshd[19816]: Server listening on :: port 22.
                        

                        Edit:  Now that I've posted this, I realize that the problem may in fact not be on pfSense; rather, it's probably my router not properly passing traffic on 443.  Let me look into that one for a bit and I'll try to report back soon.

                          stephenw10 (Netgate Administrator):

                          Ah OK. Also do you know that your ISP isn't blocking port 443? I haven't seen that for a while but it used to be quite common.

                          Steve

                            kejianshi:

                            When running the pfSense GUI on 443, it's possible you may run into problems running something like SSH on 443 also.
                            It's so hit-and-miss with systems that when I run services on 443 or 80 I just put the pfSense GUI somewhere else, like 7443.

                            But yeah - could also be your modem.

                              pfnoober:

                              OK, well, I feel like an idiot now.  Turns out the problem was on the router, actually, in that there was a NAT rule I previously set up to pass traffic from the outside in on set ranges of ports.  I literally have not logged into this device in several years and completely forgot all about this.  Once I modified some of the NAT settings, traffic on 443 was passed just fine.  The problem never was on the pfSense side.

                              Sorry for wasting everyone's time on this, but I do appreciate the help in trying to track down the issue.

                                stephenw10 (Netgate Administrator):

                                No problem. Easily done.  ;)

                                Steve

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.