Netgate Discussion Forum

    Inbound traffic to internal IPs

    NAT
pfsenseguru

      Hello,

I have a WAN interface set up in pfSense with an external IP (x.x.x.131) and TWO LAN interfaces connected to pfSense with internal IPs (10.1.1.1) and (10.1.2.1). I can access the internet from these LAN interfaces through the WAN interface of pfSense, but now I need to allow inbound traffic to access one of the computers connected to the LAN 1 (10.1.1.1) interface. I was looking into port forwarding in NAT and the attached screenshot shows my current settings. But I am still unable to access the LAN computer from outside (internet) by connecting to the particular port on pfSense. For example, the command 'ssh user@xx.xx.xx.131:22' doesn't let me connect to the destination PC.

Any advice will be a great help, as I am not very familiar with port forwarding :(

      Thanks a bunch!

      Regards
      Ehsan
      ![nat forward.jpg](/public/imported_attachments/1/nat forward.jpg)

Derelict LAYER 8 Netgate

Change source to any (or an alias containing the remote IP addresses you want to restrict access to).

        Change Dest to WAN address.

        And you don't show it but you want to enable the firewall rule tracking too or you'll have to create a rule to pass the traffic.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10000 words and 15 conference calls.
        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

pfsenseguru

          Hey,

          Thank you so much for your reply!

I made the changes as you specified (screenshots attached) but I am still unable to access the internal PC from outside. I can individually ssh into pfSense and then ssh into the internal PC, but not straight. As I specified before, with the command "ssh 10.114.113.131:22" it gives me an error: Could not resolve hostname 10.114.113.131:22: Name or service not known.

          Is there any further changes I need to make?

          Thanks

          Regards

          ![nat forward.jpg](/public/imported_attachments/1/nat forward.jpg)
          ![firewall rules.jpg](/public/imported_attachments/1/firewall rules.jpg)

pfsenseguru

Also, I have the Squid proxy service running on pfSense. Do I need to make any exception on the proxy server?

            Thanks,

KOM

Your rule should be on WAN targeting WAN Address, not LAN with LAN Address. The correct rule should have already been created for you if you had selected "Add associated filter rule" in the Filter rule association option on the Port Forward: Edit page. It's the default, I believe.

              Squid is a caching server and it doesn't have any bearing on your problem.

Derelict LAYER 8 Netgate

No idea what ssh client you're using, but the standard *nix one takes a -p 22 option, not a :22 suffix. Though you shouldn't need it at all because 22 is the default.

                Don't overthink it.  Just do: ssh IP.AD.DR.ESS

Does the server you're sshing into have a firewall on it? Possibly it is allowing connections from the local network but disallowing them from elsewhere.

                Does the server you're sshing to have pfSense as its default gateway?  If not it would work from the local network but not from anywhere else.

                And, yes, your LAN Rule is wrong.  Delete it.  Then check the Filter Rule Association checkbox on the NAT rule like KOM says.  Let it make the rule for you.  Post your WAN rules.  This has nothing to do with rules on LAN1.  Nothing you place there will make this work or not work.


pfsenseguru
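As an added illustration, not text from any of the posters and not a literal dump of pfSense's generated ruleset, here is the pf syntax for what Derelict and KOM describe: the NAT entry sits on the WAN interface with destination "WAN address", and the associated filter rule that pfSense creates also lands on WAN but names the internal host as destination, because pf applies rdr translation before the filter rules run. The macro names $wan/$lan, the table name mgmt_hosts and the alias contents are assumptions for the example; 10.114.16.20 is the source the original poster later names.

```pf
# --- What the working port forward amounts to (pfSense writes this for you) ---
# NAT rule: interface WAN, protocol TCP, destination "WAN address", port 22,
# redirect target 10.1.1.20. No source port is set.
rdr on $wan proto tcp from any to ($wan) port 22 -> 10.1.1.20 port 22

# Associated filter rule ("Add associated filter rule"): it is evaluated on the
# WAN interface, and its destination is the internal host, because rdr has
# already rewritten the packet by the time the filter runs.
pass in quick on $wan proto tcp from any to 10.1.1.20 port 22 flags S/SA keep state

# --- The rule the original poster started with, for contrast ---
# Traffic from the internet never arrives "in" on the LAN interface, so a pass
# rule there is never consulted for this connection. Left commented out.
# pass in quick on $lan proto tcp from any to ($lan) port 22 keep state

# --- johnpoz's two-port layout ---
# pfSense's own sshd moved to 2222 (System > Advanced > Secure Shell), admin
# access limited to an alias of trusted sources as Derelict suggests, while
# 22 keeps forwarding to the inside box via the rdr rule above.
table <mgmt_hosts> { 10.114.16.20 }      # assumed alias of management hosts
pass in quick on $wan proto tcp from <mgmt_hosts> to ($wan) port 2222 flags S/SA keep state
```

On a running pfSense box the generated equivalents can be inspected with `pfctl -sn` (NAT rules) and `pfctl -sr` (filter rules); if the rdr line is present but the pass line is missing, the filter rule association was not created.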

                  Hi,

                  Thank you so much for your feedback with the issue.

I have got rid of the LAN firewall rule and let the NAT rule append the WAN rule accordingly. I have attached the firewall rule.

Well, I am currently running a DHCP service to assign the IP addresses of the clients connected to the LAN interface, and yes, the default gateway is routing to the pfSense LAN interface IP (10.1.1.1) for the client (10.1.1.20).

                  Also an interesting update. After playing around with the NAT forward and the firewall rules, I cannot ssh into pfsense from outside anymore (which I was able to before). While trying to ssh into pfsense from the internet, I get the following error:

                  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
                  @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!    @
                  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
                  IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
                  Someone could be eavesdropping on you right now (man-in-the-middle attack)!
                  It is also possible that a host key has just been changed.
                  The fingerprint for the RSA key sent by the remote host is
                  xx:xx:xx:xx:xx:xx:xx:xx:xx:96:c5:30:21:ec:8f:49.
                  Please contact your system administrator.
                  Add correct host key in /local/users/wifiuser/.ssh/known_hosts to get rid of this message.
                  Offending RSA key in /local/users/wifiuser/.ssh/known_hosts:1
                    remove with: ssh-keygen -f "/local/users/wifiuser/.ssh/known_hosts" -R 10.114.113.131
                  RSA host key for 10.114.113.131 has changed and you have requested strict checking.
                  Host key verification failed.

I am not too sure what may have caused this. But I am able to ssh into pfSense from the internal LAN computer with the pfSense gateway.

pfsenseguru

I am running Linux on the remote machine that I am trying to ssh FROM. But on the internal LAN computer that I am trying to get to... I am running Cygwin on Windows.

Derelict LAYER 8 Netgate

                      @Ehsan92:
Ok. First you have to separate routing problems from other problems. Those messages mean that you ARE hitting an ssh server at the IP address, but you have previously connected to an ssh server at the same IP address that served up a different key. SSH warns you about this to help prevent man-in-the-middle attacks.

Everything you need to know is in the error message received or in Google. You might want to read it.


pfsenseguru

So I followed the steps to delete the old key and retried initiating a new ssh connection, but I receive the error "Permission denied." when I put in the user credentials to access pfSense from outside. But if I disable the firewall and the NAT port forward rule, I am able to log in to pfSense as before using ssh.

Just a feeling: maybe with the port forward and the firewall rules, it is able to talk to the ssh server running on the internal client, but something might not be right with the command that I am using?

                        I am using the command:

                        ssh -t [pfsenseuser]@10.114.113.131 -p 22 [clientuser]@10.1.1.20

and I get the permission denied error.

johnpoz LAYER 8 Global Moderator

Um, 10.114.113.131 is NOT an external/public address.

Are you on one of the LANs you have? This is what you said in your first post: you have a WAN with an external IP, and 2 LAN segments.
"with external IP (x.x.x.131) and TWO LAN interfaces connected to pfsense with internal IPs (10.1.1.1) and (10.1.2.1)."

Why would you hide your external IP if it is RFC 1918 address space?

If you're coming from outside pfSense, i.e. from the WAN side, and you want to access something on LAN, then you need a port forward. If you're on LAN 1 and want to ssh to LAN 2, then you just need firewall rules to allow that.

So what is the IP address of your client that is trying to talk to 10.114.113.131, which is just a private RFC 1918 address that is not routable on the internet?

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 23.05.1 | Lab VMs CE 2.6, 2.7

pfsenseguru

                            Hey johnpoz,

I believe you have taken a look at my system before, while fixing the firewall rules for the LAN when I wasn't able to access the internet on the LAN computers through the proxy set up in pfSense.

So the WAN address is 10.114.113.131 and yes, the LAN interfaces are connected with the 10.1.1.1 and 10.1.2.1 address space to pfSense. With "outside", I meant any incoming connection. I am trying to get into 10.1.1.20 (LAN1) from the 10.114.16.20 address space... so I need to port forward the address in pfSense. I am able to individually ssh into 10.114.113.131 (pfSense WAN) and then to 10.1.1.20, but I cannot do so straightaway, bypassing the port forward in WAN. When I set up my firewall and NAT rules to port forward the ssh connection from the WAN address to 10.1.1.20, I get a permission denied error when it prompts for my admin password for pfSense.

johnpoz LAYER 8 Global Moderator

If you're forwarding to 10.1.1.20, then you wouldn't get prompted for pfSense anything. You would get prompted for the username and password of the ssh server running on 10.1.1.20.

If you're forwarding the standard ssh port to 10.1.1.20, then no, you wouldn't be able to get to the pfSense ssh server from the WAN side.

If you want to do both, then use a different port for one of them. Say 2222 for pfSense and standard 22 for your inside box that you create the forwards for.


pfsenseguru
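Added example, not from the thread and not OpenSSH's or pfSense's own code: it puts Derelict's point about the host-key warning and johnpoz's two-port suggestion into known_hosts terms. The script parses known_hosts entries (plain and HashKnownHosts-style), computes OpenSSH's SHA256 fingerprint format (the thread shows the older MD5 hex style), and classifies the key a server presents as unknown, matching, or changed. The key blobs and the hash salt are constructed placeholders, not real host keys.

```python
"""Added example: interpret 'REMOTE HOST IDENTIFICATION HAS CHANGED' when a
firewall forwards WAN:22 to an inside host. Keys below are constructed."""
import base64
import hashlib
import hmac


def _blob(label: bytes) -> str:
    # Constructed key blob: a real ssh-rsa blob starts with the length-prefixed
    # string "ssh-rsa"; the remainder here is filler, not RSA material.
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + label).decode()


PFSENSE_KEY = _blob(b"constructed-host-key-of-pfsense-sshd")
INSIDE_KEY = _blob(b"constructed-host-key-of-10.1.1.20-sshd")
SALT = b"0123456789abcdefghij"  # 20 bytes, the salt size OpenSSH uses for HashKnownHosts


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_name(name: str, salt: bytes) -> str:
    """Build a HashKnownHosts name field: |1|base64(salt)|base64(HMAC-SHA1(salt, name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_pattern(host: str, port: int) -> str:
    """OpenSSH records port 22 as a bare host and any other port as [host]:port."""
    return host if port == 22 else f"[{host}]:{port}"


def name_matches(field: str, name: str) -> bool:
    """Match the first known_hosts field, hashed or a comma-separated name list."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return name in field.split(",")


def stored_fingerprint(known_hosts, host, port=22, keytype="ssh-rsa"):
    """Fingerprint of the key known_hosts holds for host:port, or None if absent."""
    name = host_pattern(host, port)
    for line in known_hosts:
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if fields[1] == keytype and name_matches(fields[0], name):
            return fingerprint(fields[2])
    return None


def classify(known_hosts, host, port, presented_key, keytype="ssh-rsa"):
    """Return ('unknown' | 'match' | 'changed', presented fingerprint)."""
    stored = stored_fingerprint(known_hosts, host, port, keytype)
    presented = fingerprint(presented_key)
    if stored is None:
        return "unknown", presented
    return ("match" if stored == presented else "changed"), presented


# Constructed known_hosts: the WAN address was recorded while port 22 still
# reached pfSense itself; pfSense's sshd has since been moved to 2222.
KNOWN_HOSTS = [
    f"10.114.113.131 ssh-rsa {PFSENSE_KEY}",  # stale: learned before the forward
    f"{hashed_name('[10.114.113.131]:2222', SALT)} ssh-rsa {PFSENSE_KEY}",
    f"10.1.1.20,lanbox ssh-rsa {INSIDE_KEY}",  # learned directly on the LAN
]

if __name__ == "__main__":
    # Port 22 now lands on 10.1.1.20, so the stored pfSense key no longer matches.
    state, fp = classify(KNOWN_HOSTS, "10.114.113.131", 22, INSIDE_KEY)
    print(f"WAN:22   -> {state}: {fp}")
    # Before running ssh-keygen -R, confirm the presented key really is the inside
    # box's, using a fingerprint obtained on the LAN or on that host itself.
    print("presented key is 10.1.1.20's:", fp == stored_fingerprint(KNOWN_HOSTS, "10.1.1.20"))
    state, fp = classify(KNOWN_HOSTS, "10.114.113.131", 2222, PFSENSE_KEY)
    print(f"WAN:2222 -> {state}: {fp}")
```

The practical point: the warning is correct, not spurious, because a different sshd now answers on WAN:22. The safe response is to compare the presented fingerprint with one taken on 10.1.1.20 itself (`ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub` there), and only then remove the stale entry; once pfSense listens on 2222, its key lives under `[10.114.113.131]:2222` and the two entries no longer collide.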

                                IT IS FIXED! =D

Silly me, I was using [pfsenseuser]@10.114.113.131 to get to the other machine, whereas I should have used [clientuser]@10.114.113.131. When I changed the command to the correct one, I was able to log in to the ssh server running on the client machine (10.1.1.20). I implemented a different port for that client so that I could access both the ssh connection on pfSense and the client machine. Everything is working now.

                                Thank you so much for all your help, good people! =D
