Update to 2.2 new SSH NAT not working.

rdnd

After updating to 2.2 I tried adding a new NAT/PAT SSH and it's not working while the previous entries do.

stephenw10

More details please. Screenshots of working/not working rules if possible.  :)

Steve

rdnd

@stephenw10:

More details please. Screenshots of working/not working rules if possible.  :)

Steve

Screenshot of rules…

doktornotor

You are trying to NAT one port to two different boxes (.182 and .251) and in addition run it locally on the same port on the pfsense box itself. No idea how you suppose this to work really.  ::)

stephenw10

These are firewall rules, I assume you are forwarding on different incoming ports? Can we see your port forward table also?
Which rule isn't working here?

Steve

rdnd

@stephenw10:

These are firewall rules, I assume you are forwarding on different incoming ports? Can we see your port forward table also?
Which rule isn't working here?

Steve

I am forwarding on different incoming public IPs.  The last rule is not working.  The NAT Port forward entry is on a different public IP.  I have similar NAT from public IP to LAN that are working fine.

doktornotor

Post the port forward tab screenshot.

rdnd

@rdnd:

@stephenw10:

These are firewall rules, I assume you are forwarding on different incoming ports? Can we see your port forward table also?
Which rule isn't working here?

Steve

I am forwarding on different incoming public IPs.  The last rule is not working.  The NAT Port forward entry is on a different public IP.  I have similar NAT from public IP to LAN that are working fine.

KOM

You have an IP Alias set up for  .36?

rdnd

@KOM:

You have an IP Alias set up for  .36?

Yep.

stephenw10

You have logging enabled on that firewall rule, I take it you're not seeing anything being logged?

Since you're not using the .36 VIP for anything else it's function seems in doubt.

Any reason you chose not to use a linked firewall rule for this last entry?

Steve

rdnd

@stephenw10:

You have logging enabled on that firewall rule, I take it you're not seeing anything being logged?

Since you're not using the .36 VIP for anything else it's function seems in doubt.

Any reason you chose not to use a linked firewall rule for this last entry?

Steve

.36 is working, it's part of a block of public IPs.  I have now linked the rule.  Still no SSH to LAN from WAN.  Do I need to restart system?

rdnd

@rdnd:

@stephenw10:

You have logging enabled on that firewall rule, I take it you're not seeing anything being logged?

Since you're not using the .36 VIP for anything else it's function seems in doubt.

Any reason you chose not to use a linked firewall rule for this last entry?

Steve

.36 is working, it's part of a block of public IPs.  I have now linked the rule.  Still no SSH to LAN from WAN.  Do I need to restart system?

Yes no log for .36.

stephenw10

You shouldn't have to reboot (though it won't hurt) but you should clear the state table if there's a chance you've got an existing state.

If you still see nothing try running a packet capture on WAN to make sure traffic is actually arriving.

Steve

rdnd

@stephenw10:

You shouldn't have to reboot (though it won't hurt) but you should clear the state table if there's a chance you've got an existing state.

If you still see nothing try running a packet capture on WAN to make sure traffic is actually arriving.

Steve

I cleared the state table and still unable to make SSH connection.  Will run packet capture.

Thanks!

rdnd

After running a packet capture on public IP .36 there is no activity.  I can ping the public IP .36 from within the LAN.  The virtual IP .36 has been correctly configured in the Firewall > Virtual IP Addresses.

rdnd

@rdnd:

After running a packet capture on public IP .36 there is no activity.  I can ping the public IP .36 from within the LAN.  The virtual IP .36 has been correctly configured in the Firewall > Virtual IP Addresses.

Thinking that it may be the LAN/System blocking the SSH connection I changed the 10.0.0.45 to .249 on a VM.  Then attempted outside access on .36 no go.  On the LAN not a problem to SSH to .45 or .249.

rdnd

@rdnd:

@rdnd:

After running a packet capture on public IP .36 there is no activity.  I can ping the public IP .36 from within the LAN.  The virtual IP .36 has been correctly configured in the Firewall > Virtual IP Addresses.

Thinking that it may be the LAN/System blocking the SSH connection I changed the 10.0.0.45 to .249 on a VM.  Then attempted outside access on .36 no go.  On the LAN not a problem to SSH to .45 or .249.

I have changed the SSH Port number on the server to something other than 22.  Changed the public IP to .35 and now am able to access the server from outside the LAN.  Still need to know why the .36 is not functioning.

Thanks!

stephenw10

You're seeing no traffic coming into the WAN side at all for the .36 VIP? If that's really the case then it has nothing to do with the LAN side in fact it's more likely some upstream routing issue, a stale ARP cache perhaps.
How exactly did you run the packet capture?

Steve

rdnd

@stephenw10:

You're seeing no traffic coming into the WAN side at all for the .36 VIP? If that's really the case then it has nothing to do with the LAN side in fact it's more likely some upstream routing issue, a stale ARP cache perhaps.
How exactly did you run the packet capture?

Steve

I went to Diagnostice then Packet Capture.  Then initiated a SSH session from outside on the public IP of .36.  Nothing.  Did the same packet capture via LAN IP .45 and the packet capture showed all packets.

stephenw10

If you run a packet capture on the WAN you should see packets arriving for the .36 VIP. If you don't then either the VIP isn't setup correctly or the traffic simply isn't arriving to be forwarded in the first place.

Steve

rdnd

@stephenw10:

If you run a packet capture on the WAN you should see packets arriving for the .36 VIP. If you don't then either the VIP isn't setup correctly or the traffic simply isn't arriving to be forwarded in the first place.

Steve

Created a new FW rule.  ICMP from any to any and tested all my public IPs from outside of LAN.  All but .36 replied.  .36 is just not communicating at all.  Time to call ISP.

Thanks!

rdnd

Called ISP had them flush ARP cache on modem.  Removed virtual IP form FW, configured laptop with .36 public IP and pertinent info.  Pinged gateway public IP address of .33 and worked well.  Pinged
website also worked.  Added back virtual IP to FW then created new NAT/Rule and then tried connecting to new LAN IP NAT/PAT from outside .36, did not work.  Can still ping all other public IPs except .36.
Hmm?

stephenw10

And if you run a packet capture on WAN you still don't see any incoming traffic for .36?

Steve

rdnd

@stephenw10:

And if you run a packet capture on WAN you still don't see any incoming traffic for .36?

Steve

Just ran packet capture on .36, no traffic.

stephenw10

How exactly did you connect up the laptop that was configured to be .36?

Presumably this was all working fine under 2.1.5. Did you have a .36 VIP at that point? Can you go back to test 2.1.5?
I'm failing to see how 2.2 could be any different to 2.1.5 here though. At a fundamental level if you're not receiving any packets for the .36 IP on WAN then your ISP isn't sending them.  :-\

Steve

doktornotor

@rdnd:

@stephenw10:

And if you run a packet capture on WAN you still don't see any incoming traffic for .36?

Steve

Just ran packet capture on .36, no traffic.

Back to your ISP.

rdnd

Looks like I will take another workstation toss in a couple quality NICs and create another test FW.  If .36 fails to receive traffic it's ISP problem for sure. 
Thanks all for the help/info.