roundtree

[SOLVED] Remote administration via SSH
« on: December 21, 2016, 07:28:52 pm »
I'm trying to enable SSH for remote administration but seem stuck on the pf rules.  I've confirmed that SSH is enabled and available from the LAN, but after adding what I think to be the right rule, it doesn't seem to work.  Here's what I have in the WebGUI:



When I look at rules output from pfctl, this is the rule present (sans WAN IPs):

Code:
pass in log quick on em0 reply-to (em0 xxx.xxx.xxx.xxx) inet proto tcp from any to xxx.xxx.xxx.xxx port = ssh flags S/SA keep state label "USER_RULE: Remote SSH Admin"
This should be possible, right?  I looked for a while and can't find any references that don't lead back to pfSense instead.
« Last Edit: January 27, 2017, 12:01:27 am by franco »
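An added example, not part of the original post and not OPNsense code: a Python check that reads rules in the `pfctl -sr` format quoted above and lists the pass-in rules that reach the SSH port on the WAN interface, flagging any whose source is `any`. The sample ruleset, its documentation-range addresses and the function name `ssh_rules` are constructed for illustration, and the parser assumes the single-line rule shape shown in the post.

```python
import re

# Constructed sample in `pfctl -sr` output format (documentation addresses, not from the thread).
SAMPLE_RULES = """\
block drop in log quick on em0 inet from 10.0.0.0/8 to any label "Block private networks from WAN"
pass in log quick on em0 reply-to (em0 192.0.2.1) inet proto tcp from any to 192.0.2.10 port = ssh flags S/SA keep state label "USER_RULE: Remote SSH Admin"
pass in quick on em0 inet proto tcp from 198.51.100.0/24 to 192.0.2.10 port = 2222 flags S/SA keep state label "USER_RULE: SSH from mgmt net"
pass in quick on em1 inet proto tcp from any to (self) port = ssh flags S/SA keep state label "anti-lockout rule"
pass in quick on em0 inet proto tcp from any to 192.0.2.10 port = https flags S/SA keep state label "USER_RULE: web"
"""

# Matches inbound TCP pass rules and captures interface, source, port and label.
RULE_RE = re.compile(
    r'^pass in\b.*?\bon (?P<iface>\S+)\b.*?\bproto tcp\b'
    r'.*?\bfrom (?P<src>\S+) to (?P<dst>\S+) port = (?P<port>\S+)'
    r'(?:.*?label "(?P<label>[^"]*)")?'
)


def ssh_rules(ruleset, wan_if, ssh_ports=("ssh", "22")):
    """Return pass-in rules on wan_if whose destination port is an SSH port.

    pfctl prints well-known ports by service name ("ssh"), so both the name
    and the number are accepted; pass extra ports if sshd was moved.
    """
    findings = []
    for line in ruleset.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m["iface"] != wan_if or m["port"] not in ssh_ports:
            continue
        findings.append({
            "label": m["label"] or "",
            "source": m["src"],
            "open_to_any": m["src"] == "any",  # reachable from every source address
        })
    return findings


if __name__ == "__main__":
    for f in ssh_rules(SAMPLE_RULES, "em0", ssh_ports=("ssh", "22", "2222")):
        status = "OPEN TO ANY" if f["open_to_any"] else "restricted to " + f["source"]
        print(f'{f["label"]}: {status}')
```
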

ThuTex

Re: Remote administration via SSH
« Reply #1 on: December 21, 2016, 10:37:10 pm »
first, personal opinion.... firewall to protect your network, remotely manageable... yikes.

secondly, try a port above 1024  with a forward (maybe your isp blocks low ports)

and last (not sure about this one)... maybe you also need to have a port forward to specify the fact that you want the firewall to respond and not a server behind it. (maybe this can be fixed with destination "this firewall" instead of "wan address" ?)

franco

Re: Remote administration via SSH
« Reply #2 on: December 21, 2016, 11:08:19 pm »
The image is cropped. Is em0 LAN or WAN?

roundtree

Re: Remote administration via SSH
« Reply #3 on: December 21, 2016, 11:41:41 pm »
em0 is WAN, em1 is LAN

roundtree

Re: Remote administration via SSH
« Reply #4 on: December 22, 2016, 12:05:38 am »
A little background:

  • This particular firewall is part of a lab environment, so there's no ISP involved.
  • I've tried several combinations for the destination address, with no difference.
  • Adding a port-forward rule also didn't seem to help.
  • If I disable pf via the shell, the firewall responds (as one would expect any FreeBSD system to do so).

Certainly, I intend to deploy OPNsense using OpenVPN for remote management, but that won't be feasible for every deployment scenario and really don't want to be stuck relying on TeamViewer with a LAN workstation.  :o

abalsam

Re: Remote administration via SSH
« Reply #5 on: December 22, 2016, 04:36:14 am »
I noted that you said this is for a lab environment.  That almost always means private IP address used on the WAN interface. Please double check on the WAN interface settings that the "Block Private Networks" option is not checked.  Otherwise it would block all traffic coming into the WAN interface.

istok011

Re: Remote administration via SSH
« Reply #6 on: December 22, 2016, 12:21:43 pm »
Click System>Settings>Administration>...about the middle of the page you have options

-Enable Secure Shell
-Permit root user login
-Permit password login

Below is the
-SSH Port (blank) -enter 22

That's it..no firewall rule...but will be added auto...

roundtree

Re: Remote administration via SSH
« Reply #7 on: December 22, 2016, 11:38:41 pm »
Quote from: abalsam on December 22, 2016, 04:36:14 am
I noted that you said this is for a lab environment.  That almost always means private IP address used on the WAN interface. Please double check on the WAN interface settings that the "Block Private Networks" option is not checked.  Otherwise it would block all traffic coming into the WAN interface.

Yep, I unchecked the private and bogon networks options previously.

roundtree

Re: Remote administration via SSH
« Reply #8 on: December 22, 2016, 11:41:13 pm »
Quote from: istok011 on December 22, 2016, 12:21:43 pm
Click System>Settings>Administration>...about the middle of the page you have options

-Enable Secure Shell
-Permit root user login
-Permit password login

Below is the
-SSH Port (blank) -enter 22

That's it..no firewall rule...but will be added auto...

All already enabled, but no dice.  The root option isn't needed, and I do plan to use certs so the password option also won't be required.

bartjsmit

Re: Remote administration via SSH
« Reply #9 on: December 23, 2016, 11:11:02 am »
Do you have a NAT port forward rule to expose sshd on the WAN side?

Bart...

bartjsmit

Re: Remote administration via SSH
« Reply #10 on: December 23, 2016, 11:28:23 am »
I still had a VM that I used after a hardware change to test this with. Confirmed as working. The redacted IP is the LAN IP of the firewall.

Bart...

roundtree

Re: Remote administration via SSH
« Reply #11 on: December 23, 2016, 01:52:55 pm »
Quote from: bartjsmit on December 23, 2016, 11:28:23 am
I still had a VM that I used after a hardware change to test this with. Confirmed as working. The redacted IP is the LAN IP of the firewall.

Bart...

Thanks, Bart.  That did the trick.  It's still confusing to me why a filter rule cannot permit SSH to the WAN interface, when the listener is active and I can tcpdump the inbound packets, but this works like a top.