Inbound traffic to internal IPs



  • Hello,

    I have a WAN interface set up in pfSense with an external IP (x.x.x.131) and TWO LAN interfaces connected to pfSense with internal IPs (10.1.1.1) and (10.1.2.1). I can access the internet from these LAN interfaces through the WAN interface of pfSense, but now I need to be able to allow inbound traffic to access one of the computers connected to the LAN 1 (10.1.1.1) interface. I was looking into port forwarding in NAT and the attached screenshot is my current settings. But I am still unable to access the LAN computer from outside (internet) by getting into the particular port for pfSense. For example, the command 'ssh user@xx.xx.xx.131:22' doesn't let me connect to the destination PC.

    Any advice will be a great help, as I am not very familiar with port forwarding :(

    Thanks a bunch!

    Regards
    Ehsan


  • LAYER 8 Netgate

    Change source to any (or an alias containing the remote IP addresses you want to restrict access to).

    Change Dest to WAN address.

    And you don't show it but you want to enable the firewall rule tracking too or you'll have to create a rule to pass the traffic.



  • Hey,

    Thank you so much for your reply!

    I made the changes as you specified (screenshots attached) but I am still unable to access the internal PC from outside. I can individually ssh into pfSense and then ssh into the internal PC, but not straight. As I have specified before, with the command "ssh 10.114.113.131:22" it gives me an error: Could not resolve hostname 10.114.113.131:22 - Name or service not known.

    Are there any further changes I need to make?

    Thanks

    Regards




  • Also, I have the Squid proxy service running on pfSense. Do I need to make any exception on the proxy server?

    Thanks,



  • Your rule should be on WAN targeting WAN Address, not LAN with LAN Address.  The correct rule should have already been created for you if you had selected Add associated filter rule in the Filter rule association option on the Port Forward: Edit page.  It's the default, I believe.

    Squid is a caching server and it doesn't have any bearing on your problem.


  • LAYER 8 Netgate

    No idea what ssh client you're using but the standard *nix one takes a -p 22 command not a :22 suffix.  Though you shouldn't need it at all because 22 is the default.

    Don't overthink it.  Just do: ssh IP.AD.DR.ESS

    Does the server you're sshing into have a firewall on it?  Possibly it is allowing connections from the local network but disallowing it from elsewhere.

    Does the server you're sshing to have pfSense as its default gateway?  If not it would work from the local network but not from anywhere else.

    And, yes, your LAN Rule is wrong.  Delete it.  Then check the Filter Rule Association checkbox on the NAT rule like KOM says.  Let it make the rule for you.  Post your WAN rules.  This has nothing to do with rules on LAN1.  Nothing you place there will make this work or not work.



  • Hi,

    Thank you so much for your feedback with the issue.

    I have got rid of the LAN firewall rule and let the NAT rule append the WAN rule accordingly. I have attached the firewall rule.

    Well, I am currently serving a DHCP service to assign the IP addresses of the clients connected to the LAN interface and yes, the default gateway is routing to the pfSense LAN interface IP (10.1.1.1) for the client (10.1.1.20).

    Also an interesting update. After playing around with the NAT forward and the firewall rules, I cannot ssh into pfsense from outside anymore (which I was able to before). While trying to ssh into pfsense from the internet, I get the following error:

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!    @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that a host key has just been changed.
    The fingerprint for the RSA key sent by the remote host is
    xx:xx:xx:xx:xx:xx:xx:xx:xx:96:c5:30:21:ec:8f:49.
    Please contact your system administrator.
    Add correct host key in /local/users/wifiuser/.ssh/known_hosts to get rid of this message.
    Offending RSA key in /local/users/wifiuser/.ssh/known_hosts:1
      remove with: ssh-keygen -f "/local/users/wifiuser/.ssh/known_hosts" -R 10.114.113.131
    RSA host key for 10.114.113.131 has changed and you have requested strict checking.
    Host key verification failed.

    I am not too sure what may have caused this. But I am able to ssh into pfSense from the internal LAN computer with the pfSense gateway.



  • I am running linux on the remote machine that I am trying to ssh FROM. But on the internal LAN computer that I am trying to get to…I am running cygwin on windows


  • LAYER 8 Netgate

    @Ehsan92:

    > Hi,
    >
    > Thank you so much for your feedback with the issue.
    >
    > I have got rid of the LAN firewall rule and let the NAT rule append the WAN rule accordingly. I have attached the firewall rule.
    >
    > Well, I am currently serving a DHCP service to assign the IP addresses of the clients connected to the LAN interface and yes, the default gateway is routing to the pfSense LAN interface IP (10.1.1.1) for the client (10.1.1.20).
    >
    > Also an interesting update. After playing around with the NAT forward and the firewall rules, I cannot ssh into pfSense from outside anymore (which I was able to before). While trying to ssh into pfSense from the internet, I get the following error:
    >
    > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    > @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!    @
    > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    > IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    > Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    > It is also possible that a host key has just been changed.
    > The fingerprint for the RSA key sent by the remote host is
    > xx:xx:xx:xx:xx:xx:xx:xx:xx:96:c5:30:21:ec:8f:49.
    > Please contact your system administrator.
    > Add correct host key in /local/users/wifiuser/.ssh/known_hosts to get rid of this message.
    > Offending RSA key in /local/users/wifiuser/.ssh/known_hosts:1
    >   remove with: ssh-keygen -f "/local/users/wifiuser/.ssh/known_hosts" -R 10.114.113.131
    > RSA host key for 10.114.113.131 has changed and you have requested strict checking.
    > Host key verification failed.
    >
    > I am not too sure what may have caused this. But I am able to ssh into pfSense from the internal LAN computer with the pfSense gateway.

    Ok.  First you have to separate routing problems from other problems.  Those messages mean that you ARE hitting an ssh server at the IP address but you have previously connected to an ssh server at the same IP address that served up a different key.  SSH warns you about this to help prevent man-in-the-middle attacks.

    Everything you need to know is in the error message received or in google.  You might want to read it.



  • So I followed the steps to delete the old key and retried initiating a new ssh connection, but I receive the error "Permission denied." when I put in the user credentials to access pfSense from outside. But if I disable the firewall and the NAT port forward rule, I am able to log in to pfSense as before using ssh.

    Just a feeling, maybe with the port forward and the firewall rules it is able to talk to the ssh server running on the internal client, but something might not be right with the command that I am using?

    I am using the command:

    ssh -t [pfsenseuser]@10.114.113.131 -p 22 [clientuser]@10.1.1.20

    and I get permission denied error


  • LAYER 8 Global Moderator

    Um, 10.114.113.131 is NOT an external/public address.

    Are you on one of the LANs you have?  This is what you said in your first post: you have a WAN with an external IP, and 2 LAN segments.
    "with external IP (x.x.x.131) and TWO LAN interfaces connected to pfsense with internal IPs (10.1.1.1) and (10.1.2.1)."

    Why would you hide your external IP if it's RFC 1918 address space?

    If you're coming from outside pfSense, i.e. from the WAN side, and you want to access something on LAN, then you would need a port forward.  If you're on LAN 1 and want to SSH to LAN 2, then you just need firewall rules to allow that.

    So what is the IP address of your client that is trying to talk to 10.114.113.131, which is just a private RFC 1918 address that is not routable on the internet?



  • Hey johnpoz,

    I believe you have taken a look at my system before while fixing the firewall rules for the LAN while I wasn't able to access internet on the LAN computers through the proxy setup in pfsense.

    So the WAN address is 10.114.113.131 and yes, the LAN interfaces are connected with the 10.1.1.1 and 10.1.2.1 address space to pfSense. With outside, I meant any incoming connection. I am trying to get into 10.1.1.20 (LAN1) from the 10.114.16.20 address space... so I need to port forward the address in pfSense. I am able to individually ssh into 10.114.113.131 (pfSense WAN) and then to 10.1.1.20, but I cannot do so straightaway, bypassing the port forward in WAN. When I set up my firewall and NAT rules to port forward the ssh connection from the WAN address to 10.1.1.20, I get a permission denied error when it prompts for my admin password for pfSense.


  • LAYER 8 Global Moderator

    If you're forwarding to 10.1.1.20, then you wouldn't get prompted for pfSense anything.  You would get prompted for the username and password of the ssh server running on 10.1.1.20.

    If you're forwarding the standard ssh port to 10.1.1.20, then no, you wouldn't be able to get to the pfSense ssh server from the WAN side.

    If you want to do both, then use a different port for one of them.  Say 2222 for pfSense and standard 22 for your inside box you create the forwards for.
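    The host-key warning earlier in this thread and the two-port split suggested just above are two sides of the same thing: once port 22 on the WAN address forwards to 10.1.1.20, a different sshd answers there than before. As an added example (not code from this thread or from pfSense), here is a small Python check to run before deleting a known_hosts entry: it computes the MD5-style fingerprint OpenSSH printed in the warning for public keys collected out of band from both pfSense (assumed on port 2222) and the forwarded LAN host (port 22), and reports which machine actually answered. The keys are constructed placeholders; the `[host]:port` naming is OpenSSH's known_hosts convention for non-default ports.

```python
import base64
import hashlib
import re
import struct

def rsa_blob(e: int, n: int) -> bytes:
    """Encode (e, n) as an ssh-rsa public key blob (RFC 4253 wire format)."""
    def mpint(x: int) -> bytes:
        raw = x.to_bytes((x.bit_length() + 8) // 8, "big")  # leading 0x00 if high bit set
        return struct.pack(">I", len(raw)) + raw
    return struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)

# Constructed placeholder keys (tiny moduli, NOT real key material). In practice,
# paste the base64 field of /etc/ssh/ssh_host_rsa_key.pub read on each host's console.
PFSENSE_KEY = base64.b64encode(rsa_blob(65537, 0xC0FFEE0DD5)).decode()
LANHOST_KEY = base64.b64encode(rsa_blob(65537, 0xDEADBEEF1234)).decode()

# Expected endpoints after the port split: pfSense on 2222, forwarded box on 22.
# OpenSSH names non-default ports "[host]:port" in known_hosts.
INVENTORY = {
    "[10.114.113.131]:2222": ("pfSense sshd", PFSENSE_KEY),
    "10.114.113.131": ("forwarded LAN host 10.1.1.20", LANHOST_KEY),
}

def md5_fingerprint(b64_key: str) -> str:
    """Legacy OpenSSH fingerprint: MD5 over the decoded blob, as colon-separated hex."""
    digest = hashlib.md5(base64.b64decode(b64_key)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprint_from_warning(text: str):
    """Extract the fingerprint OpenSSH prints in the HOST IDENTIFICATION HAS CHANGED warning."""
    m = re.search(r"key sent by the remote host is\s*([0-9a-f:]+)\.", text, re.IGNORECASE)
    return m.group(1) if m else None

def identify_responder(warning_text: str):
    """Return (known_hosts name, description) of the host whose key matches the warning, else None."""
    seen = fingerprint_from_warning(warning_text)
    for name, (desc, key) in INVENTORY.items():
        if seen is not None and md5_fingerprint(key) == seen:
            return name, desc
    return None

def sample_warning(fp: str) -> str:
    """Constructed excerpt of the OpenSSH warning, with the given fingerprint filled in."""
    return ("@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!    @\n"
            "The fingerprint for the RSA key sent by the remote host is\n"
            f"{fp}.\nPlease contact your system administrator.\n")
```

    A fingerprint that matches neither inventory entry is the case worth pausing on: it means the key did not come from either box you expected behind that address and port.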



  • IT IS FIXED! =D

    Silly me, I was using [pfsenseuser]@10.114.113.131 to get to the other machine whereas I should have used [clientuser]@10.114.113.131. When I changed the command to the correct one, I was able to login to the ssh server running on the client machine (10.1.1.20). I implemented a different port for that client so that I could access both the ssh connection on the pfsense and the client machine. Everything is working now.

    Thank you so much for all your help, good people! =D

