Update to 2.2 new SSH NAT not working.



  • After updating to 2.2 I tried adding a new NAT/PAT SSH and it's not working while the previous entries do.


  • Netgate Administrator

    More details please. Screenshots of working/not working rules if possible.  :)

    Steve



  • @stephenw10:

    More details please. Screenshots of working/not working rules if possible.  :)

    Steve

    Screenshot of rules…



  • Banned

    You are trying to NAT one port to two different boxes (.182 and .251) and in addition run it locally on the same port on the pfsense box itself. No idea how you suppose this to work really.  ::)
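The overlap called out above (one public socket forwarded to two hosts, and the same port also in use by sshd on the firewall itself) is easy to miss in a long port-forward table. The script below is an added example, not code from this thread or from pfSense: it models each forward as (protocol, public address:port, target address:port) and reports the two kinds of collision. The rule text format, the `Forward` class and the sample addresses from 203.0.113.0/24 and 10.0.0.0/24 are all constructed for the example.

```python
"""Flag overlapping port forwards before they are pushed to the firewall.

Added example (not pfSense code). A forward that shares its public
socket with another forward, or with a daemon the firewall itself runs
on that port, is ambiguous: pf rewrites the packet before it reaches
the local daemon, so the forward shadows the local listener, and two
forwards on one socket means only the first match is ever used.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    proto: str        # "tcp" or "udp"
    dst_addr: str     # public (WAN or VIP) address the packet arrives on
    dst_port: int     # external port
    target_addr: str  # internal host the packet is redirected to
    target_port: int  # internal port


def parse_forwards(text):
    """Parse one forward per line: `proto dst_addr:dst_port -> target:port`.

    Constructed line format for this example; blank and '#' lines are skipped.
    """
    rules = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        proto, external, arrow, internal = line.split()
        if arrow != "->":
            raise ValueError(f"bad rule line: {line!r}")
        ext_addr, ext_port = external.rsplit(":", 1)
        in_addr, in_port = internal.rsplit(":", 1)
        rules.append(Forward(proto.lower(), ext_addr, int(ext_port),
                             in_addr, int(in_port)))
    return rules


def find_conflicts(rules, local_services):
    """Return a list of human-readable conflict descriptions.

    local_services is a set of (proto, addr, port) the firewall itself
    listens on; addr "*" means every address, as a default sshd binds.
    """
    problems = []
    by_socket = defaultdict(list)
    for r in rules:
        by_socket[(r.proto, r.dst_addr, r.dst_port)].append(r)

    for (proto, addr, port), group in sorted(by_socket.items()):
        targets = {(r.target_addr, r.target_port) for r in group}
        if len(targets) > 1:
            listed = ", ".join(f"{a}:{p}" for a, p in sorted(targets))
            problems.append(
                f"{proto} {addr}:{port} forwarded to {len(targets)} "
                f"different targets: {listed}")
        if (proto, addr, port) in local_services or (proto, "*", port) in local_services:
            problems.append(
                f"{proto} {addr}:{port} is also a service on the firewall itself; "
                "the forward shadows that local listener on this address")
    return problems


# Constructed sample table: three public addresses, one socket doubled up.
SAMPLE_RULES = """
tcp 203.0.113.34:22 -> 10.0.0.182:22
tcp 203.0.113.34:22 -> 10.0.0.251:22
tcp 203.0.113.35:22 -> 10.0.0.45:22
tcp 203.0.113.36:2222 -> 10.0.0.249:22
"""

# Constructed: sshd on the firewall bound to all addresses on port 22.
LOCAL_SERVICES = {("tcp", "*", 22)}

if __name__ == "__main__":
    for problem in find_conflicts(parse_forwards(SAMPLE_RULES), LOCAL_SERVICES):
        print("CONFLICT:", problem)
```

Run it against an export of the real table before applying changes; a clean run means every public socket maps to exactly one target and does not collide with a service on the firewall. The .36:2222 forward in the sample is the one pattern that passes both checks.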


  • Netgate Administrator

    These are firewall rules, I assume you are forwarding on different incoming ports? Can we see your port forward table also?
    Which rule isn't working here?

    Steve



  • @stephenw10:

    These are firewall rules, I assume you are forwarding on different incoming ports? Can we see your port forward table also?
    Which rule isn't working here?

    Steve

    I am forwarding on different incoming public IPs.  The last rule is not working.  The NAT Port forward entry is on a different public IP.  I have similar NAT entries from public IP to LAN that are working fine.


  • Banned

    Post the port forward tab screenshot.



  • @rdnd:

    @stephenw10:

    These are firewall rules, I assume you are forwarding on different incoming ports? Can we see your port forward table also?
    Which rule isn't working here?

    Steve

    I am forwarding on different incoming public IPs.  The last rule is not working.  The NAT Port forward entry is on a different public IP.  I have similar NAT entries from public IP to LAN that are working fine.




  • You have an IP Alias set up for .36?



  • @KOM:

    You have an IP Alias set up for .36?

    Yep.


  • Netgate Administrator

    You have logging enabled on that firewall rule, I take it you're not seeing anything being logged?

    Since you're not using the .36 VIP for anything else its function seems in doubt.

    Any reason you chose not to use a linked firewall rule for this last entry?

    Steve



  • @stephenw10:

    You have logging enabled on that firewall rule, I take it you're not seeing anything being logged?

    Since you're not using the .36 VIP for anything else its function seems in doubt.

    Any reason you chose not to use a linked firewall rule for this last entry?

    Steve

    .36 is working, it's part of a block of public IPs.  I have now linked the rule.  Still no SSH to LAN from WAN.  Do I need to restart system?



  • @rdnd:

    @stephenw10:

    You have logging enabled on that firewall rule, I take it you're not seeing anything being logged?

    Since you're not using the .36 VIP for anything else its function seems in doubt.

    Any reason you chose not to use a linked firewall rule for this last entry?

    Steve

    .36 is working, it's part of a block of public IPs.  I have now linked the rule.  Still no SSH to LAN from WAN.  Do I need to restart system?

    Yes, no log for .36.


  • Netgate Administrator

    You shouldn't have to reboot (though it won't hurt) but you should clear the state table if there's a chance you've got an existing state.

    If you still see nothing try running a packet capture on WAN to make sure traffic is actually arriving.

    Steve



  • @stephenw10:

    You shouldn't have to reboot (though it won't hurt) but you should clear the state table if there's a chance you've got an existing state.

    If you still see nothing try running a packet capture on WAN to make sure traffic is actually arriving.

    Steve

    I cleared the state table and still unable to make SSH connection.  Will run packet capture.

    Thanks!



  • After running a packet capture on public IP .36 there is no activity.  I can ping the public IP .36 from within the LAN.  The virtual IP .36 has been correctly configured in the Firewall > Virtual IP Addresses.



  • @rdnd:

    After running a packet capture on public IP .36 there is no activity.  I can ping the public IP .36 from within the LAN.  The virtual IP .36 has been correctly configured in the Firewall > Virtual IP Addresses.

    Thinking that it may be the LAN/System blocking the SSH connection, I changed the 10.0.0.45 to .249 on a VM.  Then attempted outside access on .36, no go.  On the LAN not a problem to SSH to .45 or .249.



  • @rdnd:

    @rdnd:

    After running a packet capture on public IP .36 there is no activity.  I can ping the public IP .36 from within the LAN.  The virtual IP .36 has been correctly configured in the Firewall > Virtual IP Addresses.

    Thinking that it may be the LAN/System blocking the SSH connection, I changed the 10.0.0.45 to .249 on a VM.  Then attempted outside access on .36, no go.  On the LAN not a problem to SSH to .45 or .249.

    I have changed the SSH Port number on the server to something other than 22.  Changed the public IP to .35 and now am able to access the server from outside the LAN.  Still need to know why the .36 is not functioning.

    Thanks!


  • Netgate Administrator

    You're seeing no traffic coming into the WAN side at all for the .36 VIP? If that's really the case then it has nothing to do with the LAN side; in fact it's more likely some upstream routing issue, a stale ARP cache perhaps.
    How exactly did you run the packet capture?

    Steve



  • @stephenw10:

    You're seeing no traffic coming into the WAN side at all for the .36 VIP? If that's really the case then it has nothing to do with the LAN side; in fact it's more likely some upstream routing issue, a stale ARP cache perhaps.
    How exactly did you run the packet capture?

    Steve

    I went to Diagnostics then Packet Capture.  Then initiated an SSH session from outside on the public IP of .36.  Nothing.  Did the same packet capture via LAN IP .45 and the packet capture showed all packets.


  • Netgate Administrator

    If you run a packet capture on the WAN you should see packets arriving for the .36 VIP. If you don't then either the VIP isn't setup correctly or the traffic simply isn't arriving to be forwarded in the first place.

    Steve
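The isolation logic in this thread (capture on WAN for the VIP; if nothing arrives the problem is upstream, if it arrives but never shows on LAN the forward or rule is at fault, if it reaches the host but gets no reply the host is) can be written down so it is applied the same way every time. The script below is an added example, not code from this thread or from pfSense: it parses tcpdump-style text such as Diagnostics > Packet Capture produces, then reports which stage the SSH traffic got to. The line format, the `triage` function and the constructed sample captures (addresses from 203.0.113.0/24, 198.51.100.0/24 and 10.0.0.0/24) are all assumptions of the example.

```python
"""Decide where a port forward is failing from WAN and LAN captures.

Added example (not pfSense code). Feed it the text of a WAN-side capture
filtered on the VIP and a LAN-side capture filtered on the target host;
it reports the first stage at which the inbound TCP handshake stops.
"""
import re
from dataclasses import dataclass

# tcpdump prints TCP as: IP src.sport > dst.dport: Flags [S], ...
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_capture(text):
    """Return TCP packets from tcpdump text; non-TCP lines (ICMP etc.) are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            packets.append(Packet(m[1], int(m[2]), m[3], int(m[4]), m[5]))
    return packets


VERDICTS = {
    "no-traffic-on-wan": "nothing for the VIP reaches WAN: upstream routing/ARP or "
                         "the VIP itself; the NAT rule is not the cause",
    "not-forwarded": "traffic reaches WAN but never appears on LAN for the target: "
                     "check the port forward, its firewall rule and stale states",
    "no-reply-from-host": "the SYN reaches the target but it never answers: "
                          "host firewall or the service on that port",
    "forward-ok": "SYN forwarded and SYN-ACK returned: the forward works",
}


def triage(vip, ext_port, target, target_port, wan_text, lan_text):
    """Return (verdict code, explanation) for one forward.

    vip/ext_port: public socket the client connects to.
    target/target_port: LAN socket the forward points at.
    """
    wan = parse_capture(wan_text)
    lan = parse_capture(lan_text)

    inbound = [p for p in wan if p.dst == vip and p.dport == ext_port]
    if not inbound:
        code = "no-traffic-on-wan"
    else:
        forwarded = [p for p in lan if p.dst == target and p.dport == target_port]
        if not forwarded:
            code = "not-forwarded"
        else:
            replies = [p for p in lan
                       if p.src == target and p.sport == target_port and p.flags == "S."]
            code = "forward-ok" if replies else "no-reply-from-host"
    return code, VERDICTS[code]


# Constructed sample captures. On WAN only .35 sees an inbound SSH SYN;
# nothing at all arrives for .36, which matches the symptom in the thread.
WAN_CAPTURE = """
12:00:01.000001 IP 198.51.100.7.51234 > 203.0.113.35.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000500 IP 203.0.113.35.22 > 198.51.100.7.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:02.000000 IP 198.51.100.7 > 203.0.113.33: ICMP echo request, id 1, seq 1, length 64
"""
LAN_CAPTURE = """
12:00:01.000200 IP 198.51.100.7.51234 > 10.0.0.45.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000400 IP 10.0.0.45.22 > 198.51.100.7.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
"""

if __name__ == "__main__":
    for vip, target in (("203.0.113.35", "10.0.0.45"), ("203.0.113.36", "10.0.0.249")):
        code, why = triage(vip, 22, target, 22, WAN_CAPTURE, LAN_CAPTURE)
        print(f"{vip}:22 -> {target}:22  [{code}] {why}")
```

The order of the checks is the point: a "not-forwarded" or "no-reply" verdict is only meaningful once the WAN capture has shown the packets arriving, which is why the .36 case here comes back as an upstream problem rather than a NAT one.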



  • @stephenw10:

    If you run a packet capture on the WAN you should see packets arriving for the .36 VIP. If you don't then either the VIP isn't setup correctly or the traffic simply isn't arriving to be forwarded in the first place.

    Steve

    Created a new FW rule.  ICMP from any to any and tested all my public IPs from outside of LAN.  All but .36 replied.  .36 is just not communicating at all.  Time to call ISP.

    Thanks!



  • Called ISP, had them flush ARP cache on modem.  Removed virtual IP from FW, configured laptop with .36 public IP and pertinent info.  Pinged gateway public IP address of .33 and it worked well.  Pinged a website, also worked.  Added back virtual IP to FW, then created new NAT/Rule and then tried connecting to new LAN IP NAT/PAT from outside on .36, did not work.  Can still ping all other public IPs except .36.
    Hmm?


  • Netgate Administrator

    And if you run a packet capture on WAN you still don't see any incoming traffic for .36?

    Steve



  • @stephenw10:

    And if you run a packet capture on WAN you still don't see any incoming traffic for .36?

    Steve

    Just ran packet capture on .36, no traffic.


  • Netgate Administrator

    How exactly did you connect up the laptop that was configured to be .36?

    Presumably this was all working fine under 2.1.5. Did you have a .36 VIP at that point? Can you go back to test 2.1.5?
    I'm failing to see how 2.2 could be any different to 2.1.5 here though. At a fundamental level if you're not receiving any packets for the .36 IP on WAN then your ISP isn't sending them.  :-\

    Steve


  • Banned

    @rdnd:

    @stephenw10:

    And if you run a packet capture on WAN you still don't see any incoming traffic for .36?

    Steve

    Just ran packet capture on .36, no traffic.

    Back to your ISP.



  • Looks like I will take another workstation, toss in a couple of quality NICs and create another test FW.  If .36 fails to receive traffic it's an ISP problem for sure.
    Thanks all for the help/info.