Netgate Discussion Forum

Update to 2.2 new SSH NAT not working.

Problems Installing or Upgrading pfSense Software
28 Posts 4 Posters 2.8k Views
    rdnd
    last edited by Jan 28, 2015, 8:19 PM

    After updating to 2.2 I tried adding a new NAT/PAT SSH and it's not working while the previous entries do.

      stephenw10 Netgate Administrator
      last edited by Jan 29, 2015, 12:17 AM

      More details please. Screenshots of working/not working rules if possible.  :)

      Steve

        rdnd
        last edited by Feb 4, 2015, 9:24 PM

        @stephenw10:

        More details please. Screenshots of working/not working rules if possible.  :)

        Steve

        Screenshot of rules…

        pfsense-fw-rules.PNG

          doktornotor Banned
          last edited by Feb 4, 2015, 9:25 PM

          You are trying to NAT one port to two different boxes (.182 and .251) and in addition run it locally on the same port on the pfsense box itself. No idea how you suppose this to work really.  ::)

            stephenw10 Netgate Administrator
            last edited by Feb 4, 2015, 9:30 PM

            These are firewall rules, I assume you are forwarding on different incoming ports? Can we see your port forward table also?
            Which rule isn't working here?

            Steve

              rdnd
              last edited by Feb 4, 2015, 9:35 PM

              @stephenw10:

              These are firewall rules, I assume you are forwarding on different incoming ports? Can we see your port forward table also?
              Which rule isn't working here?

              Steve

              I am forwarding on different incoming public IPs.  The last rule is not working.  The NAT Port forward entry is on a different public IP.  I have similar NAT from public IP to LAN that are working fine.

                doktornotor Banned
                last edited by Feb 4, 2015, 9:38 PM

                Post the port forward tab screenshot.

                  rdnd
                  last edited by Feb 4, 2015, 9:46 PM

                  @rdnd:

                  @stephenw10:

                  These are firewall rules, I assume you are forwarding on different incoming ports? Can we see your port forward table also?
                  Which rule isn't working here?

                  Steve

                  I am forwarding on different incoming public IPs.  The last rule is not working.  The NAT Port forward entry is on a different public IP.  I have similar NAT from public IP to LAN that are working fine.

                  pfsense-fw-NAT.PNG

                    KOM
                    last edited by Feb 4, 2015, 9:55 PM

                    You have an IP Alias set up for  .36?

                      rdnd
                      last edited by Feb 4, 2015, 10:04 PM

                      @KOM:

                      You have an IP Alias set up for  .36?

                      Yep.

                        stephenw10 Netgate Administrator
                        last edited by Feb 4, 2015, 10:09 PM

                        You have logging enabled on that firewall rule, I take it you're not seeing anything being logged?

                        Since you're not using the .36 VIP for anything else its function seems in doubt.

                        Any reason you chose not to use a linked firewall rule for this last entry?

                        Steve

                          rdnd
                          last edited by Feb 4, 2015, 10:32 PM

                          @stephenw10:

                          You have logging enabled on that firewall rule, I take it you're not seeing anything being logged?

                          Since you're not using the .36 VIP for anything else its function seems in doubt.

                          Any reason you chose not to use a linked firewall rule for this last entry?

                          Steve

                          .36 is working, it's part of a block of public IPs.  I have now linked the rule.  Still no SSH to LAN from WAN.  Do I need to restart system?

                            rdnd
                            last edited by Feb 4, 2015, 10:34 PM

                            @rdnd:

                            @stephenw10:

                            You have logging enabled on that firewall rule, I take it you're not seeing anything being logged?

                            Since you're not using the .36 VIP for anything else its function seems in doubt.

                            Any reason you chose not to use a linked firewall rule for this last entry?

                            Steve

                            .36 is working, it's part of a block of public IPs.  I have now linked the rule.  Still no SSH to LAN from WAN.  Do I need to restart system?

                            Yes, no log for .36.

                              stephenw10 Netgate Administrator
                              last edited by Feb 4, 2015, 11:26 PM

                              You shouldn't have to reboot (though it won't hurt) but you should clear the state table if there's a chance you've got an existing state.

                              If you still see nothing try running a packet capture on WAN to make sure traffic is actually arriving.

                              Steve

                                rdnd
                                last edited by Feb 5, 2015, 12:39 AM

                                @stephenw10:

                                You shouldn't have to reboot (though it won't hurt) but you should clear the state table if there's a chance you've got an existing state.

                                If you still see nothing try running a packet capture on WAN to make sure traffic is actually arriving.

                                Steve

                                I cleared the state table and am still unable to make an SSH connection.  Will run packet capture.

                                Thanks!

                                  rdnd
                                  last edited by Feb 5, 2015, 3:55 PM

                                  After running a packet capture on public IP .36 there is no activity.  I can ping the public IP .36 from within the LAN.  The virtual IP .36 has been correctly configured in the Firewall > Virtual IP Addresses.

                                    rdnd
                                    last edited by Feb 5, 2015, 4:13 PM

                                    @rdnd:

                                    After running a packet capture on public IP .36 there is no activity.  I can ping the public IP .36 from within the LAN.  The virtual IP .36 has been correctly configured in the Firewall > Virtual IP Addresses.

                                    Thinking that it may be the LAN/System blocking the SSH connection I changed the 10.0.0.45 to .249 on a VM.  Then attempted outside access on .36 no go.  On the LAN not a problem to SSH to .45 or .249.

                                      rdnd
                                      last edited by Feb 5, 2015, 5:04 PM

                                      @rdnd:

                                      @rdnd:

                                      After running a packet capture on public IP .36 there is no activity.  I can ping the public IP .36 from within the LAN.  The virtual IP .36 has been correctly configured in the Firewall > Virtual IP Addresses.

                                      Thinking that it may be the LAN/System blocking the SSH connection I changed the 10.0.0.45 to .249 on a VM.  Then attempted outside access on .36 no go.  On the LAN not a problem to SSH to .45 or .249.

                                      I have changed the SSH Port number on the server to something other than 22.  Changed the public IP to .35 and now am able to access the server from outside the LAN.  Still need to know why the .36 is not functioning.

                                      Thanks!

                                        stephenw10 Netgate Administrator
                                        last edited by Feb 5, 2015, 5:34 PM

                                        You're seeing no traffic coming into the WAN side at all for the .36 VIP? If that's really the case then it has nothing to do with the LAN side; in fact it's more likely some upstream routing issue, a stale ARP cache perhaps.
                                        How exactly did you run the packet capture?

                                        Steve

                                          rdnd
                                          last edited by Feb 5, 2015, 5:59 PM

                                          @stephenw10:

                                          You're seeing no traffic coming into the WAN side at all for the .36 VIP? If that's really the case then it has nothing to do with the LAN side; in fact it's more likely some upstream routing issue, a stale ARP cache perhaps.
                                          How exactly did you run the packet capture?

                                          Steve

                                          I went to Diagnostics then Packet Capture.  Then initiated an SSH session from outside on the public IP of .36.  Nothing.  Did the same packet capture via LAN IP .45 and the packet capture showed all packets.
