Could not SSH from WAN



  • Hi pfSense members,

    I just got a new Netgate RCC-VE 2440 and installed pfSense.

    This is for a simple home network. OPT1 is connected to a few VoIP routers & OPT2 is connected to a NAS. I have enabled OPT1 & OPT2 and added rules; the VoIP routers & NAS are working fine.

    However, I could not SSH into the NAS from WAN. I am able to SSH from LAN to the NAS on OPT2 using the NAS IP, but couldn't SSH via port forwarding from WAN.

    For testing's sake, the OPT2 firewall rule is set up to pass any traffic from source to destination.
    The NAT rule is: Source: any, Destination port: 700, Redirect target IP: 10.1.3.101, Redirect target port: 700

    This created a linked rule on the WAN interface (all appears okay). I also tried the default SSH port and, suspecting a conflict, changed around a few port numbers without success.

    Suspecting issues with the NAS, I connected an Ubuntu laptop running an SSH server to OPT2. Logged in successfully from LAN but could not SSH from WAN. This confirms the issue to be with the firewall settings.

    I had this SSH setup working with a D-Link firewall before replacing it. With pfSense I spent 2 days without success… so I am seeking some help from the experts.

    Thanks

    Josh


  • Banned

    Yeah, it takes about 30 seconds to configure. Assuming you actually are testing from WAN (and not using your WAN IP from LAN), see firewall logs.



  • Post screenshots of your WAN firewall rules and your port-forward NAT rules.


  • Rebel Alliance Global Moderator

    "This confirms the issue to be with the firewall settings."

    Or it could be firewall on the NAS that only allows access from local network.

    Let's see your port forward, let's see your firewall rules.

    This is in reality 10 seconds to configure. Port forward to your private IP = done; by default it will create the WAN rule for you.

    Go to canyouseeme.org and test it. If it doesn't work, then use the port forwarding troubleshooting doc https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
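The external test the moderator describes (connect to the WAN address on the forwarded port from outside) can be made more informative than a pass/fail from canyouseeme.org: the way the connection fails already separates the two suspects raised in this thread, the pfSense WAN rule and a host firewall on the NAS. The following is an added example, not code from the thread or from pfSense; the `probe_ssh_forward` function and the loopback stand-in for the NAS are this example's own constructions, and the hostname and port are whatever you pass in.

```python
import socket
import threading


def probe_ssh_forward(host, port, timeout=5.0):
    """Connect to host:port like an external SSH test and classify the outcome.

    Returns one of:
      'ssh'      - TCP connect succeeded and the peer sent an SSH identification string
      'open'     - TCP connect succeeded but no SSH banner arrived (forward reaches
                   a non-SSH service, or sshd is not on that target port)
      'refused'  - TCP RST came back: the forward delivered the packet to a host
                   that has nothing listening on the redirect target port
      'filtered' - no reply before the timeout: the packet was silently dropped,
                   which is what a missing/mismatched pfSense rdr+WAN rule or a
                   DROP-policy host firewall on the NAS both look like from outside
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(255)
            except socket.timeout:
                return "open"
            # RFC 4253: the server's first line starts with "SSH-"
            return "ssh" if banner.startswith(b"SSH-") else "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        # e.g. no route to host; from the tester's point of view this is also "nothing answered"
        return "filtered"


def start_fake_sshd(banner=b"SSH-2.0-OpenSSH_example\r\n"):
    """Constructed stand-in for the NAS: a loopback listener that only sends an SSH banner.

    Returns (port, listening_socket) so the caller can probe it and then close it.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)

    def serve_one():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return srv.getsockname()[1], srv


def closed_loopback_port():
    """Find a loopback port with nothing listening (bind, note the number, close it)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Offline demonstration against the constructed listener, then against a closed port.
    port, srv = start_fake_sshd()
    print("banner test   :", probe_ssh_forward("127.0.0.1", port, timeout=3))
    srv.close()
    print("closed port   :", probe_ssh_forward("127.0.0.1", closed_loopback_port(), timeout=3))
    # Real use: run from a host outside your WAN, e.g.
    #   probe_ssh_forward("your.wan.address", 700)
```

Run it from a machine that is genuinely outside the WAN (the thread's warning about testing from the LAN against the WAN IP applies: without NAT reflection that path never hits the rdr rule). A `refused` result means pfSense did forward the packet and the target host answered, so look at the NAS; a `filtered` result means nothing answered, so check the pfSense firewall log for the blocked packet before blaming the NAS.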




  • I had this SSH setup using D-Link firewall before replacing. With pfSense I spent 2 days without success..

    Dude, there are worlds between them!



  • Thanks for all the replies.

    I use a remote server to test SSH. Last night I got it working by changing "Destination port range" to SSH and "Redirect target port" to 700. I logged in using port 22 from the remote server.

    Previously I had the "Destination port range" to 700 and tried to ssh -p 700 from the server. According to the documents this should have worked fine but I have no idea why pfSense will not forward port 700 or any other ports I tried before.

    Is this a bug?



  • Redirect Target Port: The internal port where this traffic will be forwarded, and is usually the same as the external port as defined in Destination port range. If multiple ports in a range are used for the Destination port range, this is the starting port of the range as it must be the same size range.

    https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense%3F
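The doc passage above is easiest to see as a small model of how pf's rdr translation uses the three GUI fields: the destination port range selects the packet on WAN, the redirect target port is the start of an equally sized range on the inside, and a packet that matches no rule is left to the WAN default deny. This is an added example written for this thread, not pfSense code; the `PortForward` class and `translate`/`find_shadowed` functions are this example's own names, and the rules below reproduce the two configurations from the thread (the working 22 -> 700 forward and the later WAN:8022 -> :22 style list) plus a constructed range rule.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PortForward:
    """One NAT port-forward rule, named after the pfSense GUI fields."""
    proto: str                 # "tcp" or "udp"
    dest_port_from: int        # "Destination port range" start (external port on WAN)
    dest_port_to: int          # "Destination port range" end (== start for a single port)
    target_ip: str             # "Redirect target IP"
    target_port: int           # "Redirect target port" (start of the internal range)

    def __post_init__(self):
        for p in (self.dest_port_from, self.dest_port_to, self.target_port):
            if not 1 <= p <= 65535:
                raise ValueError(f"port {p} out of range")
        if self.dest_port_to < self.dest_port_from:
            raise ValueError("destination port range end precedes its start")
        # The doc's constraint: the internal range is the same size as the external one,
        # so it must not run past 65535.
        if self.target_port + self.size - 1 > 65535:
            raise ValueError("redirect target range would exceed 65535")

    @property
    def size(self):
        return self.dest_port_to - self.dest_port_from + 1

    def matches(self, proto, port):
        return proto == self.proto and self.dest_port_from <= port <= self.dest_port_to

    def redirect(self, port):
        """Map an external port inside this rule's range onto the internal range."""
        return self.target_ip, self.target_port + (port - self.dest_port_from)


def translate(rules, proto, wan_port):
    """First-match rdr lookup: returns (target_ip, target_port) or None if no rule matches.

    None is the case the original poster hit with 'ssh -p 700' while the rule
    listened on a different external port: no rdr match, so the WAN default deny drops it.
    """
    for rule in rules:
        if rule.matches(proto, wan_port):
            return rule.redirect(wan_port)
    return None


def find_shadowed(rules):
    """Return (earlier, later) pairs whose external ranges overlap on the same protocol.

    Because rdr is first-match, the later rule never sees those ports; this is the
    'conflict' worth checking before swapping port numbers at random.
    """
    shadowed = []
    for i, earlier in enumerate(rules):
        for later in rules[i + 1:]:
            if earlier.proto == later.proto and (
                earlier.dest_port_from <= later.dest_port_to
                and later.dest_port_from <= earlier.dest_port_to
            ):
                shadowed.append((earlier, later))
    return shadowed


# The configuration that worked for the original poster: WAN port 22 -> NAS port 700.
JOSH_RULES = [PortForward("tcp", 22, 22, "10.1.3.101", 700)]

# The later reply's pattern, each WAN port landing on sshd's port 22 of a different host.
NAS_RULES = [
    PortForward("tcp", 8022, 8022, "192.168.1.100", 22),
    PortForward("tcp", 8023, 8023, "192.168.1.101", 22),
    PortForward("tcp", 8024, 8024, "192.168.1.102", 22),
]

# Constructed range rule to show the 'same size range' behaviour: WAN 8000-8009 -> host 9000-9009.
RANGE_RULES = [PortForward("tcp", 8000, 8009, "10.0.0.5", 9000)]


if __name__ == "__main__":
    print("WAN:22  ->", translate(JOSH_RULES, "tcp", 22))     # ('10.1.3.101', 700)
    print("WAN:700 ->", translate(JOSH_RULES, "tcp", 700))    # None: dropped by default deny
    print("WAN:8023 ->", translate(NAS_RULES, "tcp", 8023))   # ('192.168.1.101', 22)
    print("WAN:8003 ->", translate(RANGE_RULES, "tcp", 8003)) # ('10.0.0.5', 9003)
    print("shadowed:", find_shadowed(NAS_RULES + [PortForward("tcp", 8020, 8030, "10.0.0.9", 22)]))
```

The point the model makes concrete: with "Destination port range" set to 22 and "Redirect target port" set to 700, only packets arriving on WAN port 22 are rewritten, so `ssh -p 700` from outside has no rdr to match and the packet shows up as a default-deny block in the firewall log rather than as a refused connection.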


  • Netgate

    @Josh2440:

    Thanks for all the replies.

    I use a remote server to test SSH. Last night I got it working by changing "Destination port range" to SSH and "Redirect target port" to 700. I logged in using port 22 from the remote server.

    Previously I had the "Destination port range" to 700 and tried to ssh -p 700 from the server. According to the documents this should have worked fine but I have no idea why pfSense will not forward port 700 or any other ports I tried before.

    Is this a bug?

    No. It works for everybody but you.

    If you would rather use 700 than 22, put it back, confirm it doesn't work as you're expecting, and post what you did.



  • A bunch of rsync jobs are queued from the server to the NAS. When it's done I'll set the Destination port range back to 700, ssh -p 700 from the server, and update the findings.

    But that's how I was trying before… using same Destination & Redirect Target Port


  • Banned

    Hmm, but rsync uses 873/TCP. Plus, when using rsync over SSH, SSH needs to actually be running on the port you are trying to use. Sigh, no idea what you are trying to do.



  • My files are getting backed up without errors, coming through port 22 forwarded to 700.


  • Banned

    Wonderful. You just told us it doesn't work in the first post. Well, good luck.


  • Netgate

    Yeah. I rsync over SSH to my NAS all the time. All on ports other than 22:

    WAN:8022 -> 192.168.1.100:22
    WAN:8023 -> 192.168.1.101:22
    WAN:8024 -> 192.168.1.102:22
    etc
    etc