OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: windswept321 on May 18, 2021, 03:04:39 PM

Title: Remote SSH NAT port forward to internal network device not working
Post by: windswept321 on May 18, 2021, 03:04:39 PM
This one is a little strange, as I was copying a known working configuration from another opnsense box I have, but I can't get it working.

After a wasted day, I would really appreciate any advice...

Basically, I have a Raspberry Pi running on a dedicated VLAN I want to allow SSH access to.
The LAN network is 192.168.1.X/24, while the VLAN is 192.168.6.X, with the Pi at 192.168.6.100.

The NAT port forward rule looks like this:

Interface   Proto   Source Address   Source Ports   Dest Address   Dest Ports   NAT IP          NAT Ports
WAN         TCP     *                *              WAN net        46           192.168.6.100   22 (SSH)


Firewall rules for VLAN 6 are:

Protocol          Source     Port   Destination         Port       Gateway   Schedule   Description
IPv4+6 TCP/UDP    VLAN net   *      VLAN address        53 (DNS)   *         *          allow DNS
IPv4+6 TCP/UDP    VLAN net   *      *                   *          *         *          allow VLAN to WAN rule
IPv4 TCP          WAN net    *      192.168.6.100/24    22 (SSH)   *         *          allow remote SSH

Firewall rules for the WAN interface:

Protocol   Source   Port   Destination     Port       Gateway   Schedule   Description
IPv4 TCP   *        *      192.168.6.100   22 (SSH)   *         *


Thanks for reading.
Title: Re: Remote SSH NAT port forward to internal network device not working
Post by: astuckey on May 20, 2021, 06:46:38 PM
I'm wondering, since the OPNsense is binding on 22 for its own ssh daemon, whether it might be interfering with the NAT.
Could you try a different external port, 2222 for example, for the NAT?

Also (though the NAT config might be taking care of it), there doesn't seem to be a WAN rule with the destination of the WAN address/net.

What are the symptoms you are seeing? Timeout, or RST for example.
Title: Re: Remote SSH NAT port forward to internal network device not working
Post by: uros on May 21, 2021, 01:06:28 PM
Hello,

I have a similar problem if not the same.

I'm also trying to port forward to SSH.

Firewall WAN rule
Protocol   Source   Port   Destination   Port        Gateway   Schedule   Description
IPv4 TCP   *        *      *             SSH_EXT     *         *
IPv4 TCP   *        *      *             25 (SMTP)   *         *

NAT port forward
Interface   Proto   Source Address   Source Ports   Dest Address   Dest Ports   NAT IP   NAT Ports   Description
WAN         TCP     *                *              WAN address    SSH_EXT      PC_02    22 (SSH)
WAN         TCP     *                *              WAN address    25 (SMTP)    MAIL     25 (SMTP)

*SSH_EXT is a 40000+ port

Looking at the live logs SSH rule gets blocked by Default block rule while SMTP works without any problems.
Both devices are on the same VLAN.

If I enable Filter rule association (PASS) then the SSH rule works without a problem, but I read somewhere that this way the rule bypasses the FW rules, and I don't want it to.

Few more observations.
The SSH rule works if I do a 22 to 22 port forward, so it seems that the problem only occurs if the port gets redirected from a different port.
I also tried to port forward to a random port, 456, instead of 22 to see if port 22 was in use somewhere on the FW, but it was also blocked by the default block rule.
Tried it with SSH access to the FW enabled and disabled.

EDIT: Version OPNsense 21.1.5-amd64

Any ideas?

Thank you in advance!

Best regards,
Uros
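The symptom in both posts above (a forward that works when the external and internal ports are equal, and is caught by the default block rule when they differ) comes from the order in which pf, and therefore OPNsense, processes an inbound packet: the NAT port forward (rdr) rewrites the destination first, and the WAN firewall rules are then evaluated against the translated packet. A WAN rule must therefore match the internal address and the internal port (192.168.6.100 port 22 in the first post, PC_02 port 22 in the second), not the WAN address and the external port. The following toy model is an added example written for this thread, not OPNsense or pf code; the addresses, the host names PC_02 and MAIL, and the external port 40022 standing in for SSH_EXT are all constructed, and it only models the first-match semantics of quick rules plus the implicit default deny.

```python
"""Toy model of how pf/OPNsense handles an inbound port forward: the rdr
(NAT port forward) rewrites the destination first, then the WAN filter
rules are evaluated against the *translated* packet.  Constructed example
for the forum thread above, not OPNsense code; all addresses are made up."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

WAN_ADDRESS = "203.0.113.10"   # constructed public address of the firewall
PC_02 = "192.168.6.50"         # constructed host behind the SSH forward
MAIL = "192.168.6.25"          # constructed host behind the SMTP forward
SSH_EXT = 40022                # constructed "40000+" external port
DEFAULT_DENY = ("block", "Default deny rule")


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rdr:
    """A NAT port-forward entry (pf 'rdr')."""
    iface: str
    proto: str
    dst: str        # external destination: "*" or an address/CIDR
    dport: int      # external port
    to: str         # internal redirect target
    to_port: int    # internal port


@dataclass(frozen=True)
class Rule:
    """A firewall rule on an interface; dport None means any port."""
    iface: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]
    action: str
    desc: str


def addr_matches(addr: str, spec: str) -> bool:
    """'*' matches anything; otherwise spec is a host or CIDR.
    strict=False mirrors the GUI accepting 192.168.6.100/24 as 192.168.6.0/24."""
    return spec == "*" or ip_address(addr) in ip_network(spec, strict=False)


def apply_rdr(pkt: Packet, rdrs: list[Rdr]) -> Packet:
    """Rewrite destination address/port if a port forward matches (first match wins)."""
    for r in rdrs:
        if (r.iface == pkt.iface and r.proto == pkt.proto
                and addr_matches(pkt.dst, r.dst) and pkt.dport == r.dport):
            return replace(pkt, dst=r.to, dport=r.to_port)
    return pkt


def filter_verdict(pkt: Packet, rules: list[Rule]) -> tuple[str, str]:
    """First matching rule wins; with no match the implicit default deny applies."""
    for rule in rules:
        if (rule.iface == pkt.iface and rule.proto == pkt.proto
                and addr_matches(pkt.src, rule.src) and addr_matches(pkt.dst, rule.dst)
                and (rule.dport is None or rule.dport == pkt.dport)):
            return rule.action, rule.desc
    return DEFAULT_DENY


def inbound(pkt: Packet, rdrs: list[Rdr], rules: list[Rule]) -> tuple[Packet, str, str]:
    translated = apply_rdr(pkt, rdrs)          # NAT runs before the filter
    verdict, why = filter_verdict(translated, rules)
    return translated, verdict, why


# Port forwards as in the second post.
RDRS = [
    Rdr("wan", "tcp", WAN_ADDRESS, SSH_EXT, PC_02, 22),
    Rdr("wan", "tcp", WAN_ADDRESS, 25, MAIL, 25),
]

# WAN rules as posted: destination '*' with the *external* SSH port.
POSTED_RULES = [
    Rule("wan", "tcp", "*", "*", SSH_EXT, "pass", "allow SSH_EXT"),
    Rule("wan", "tcp", "*", "*", 25, "pass", "allow SMTP"),
]

# WAN rule written against the translated destination (internal IP, port 22).
FIXED_RULES = [
    Rule("wan", "tcp", "*", PC_02, 22, "pass", "allow SSH to PC_02"),
    Rule("wan", "tcp", "*", "*", 25, "pass", "allow SMTP"),
]

SSH_FROM_INTERNET = Packet("wan", "tcp", "198.51.100.7", WAN_ADDRESS, SSH_EXT)
SMTP_FROM_INTERNET = Packet("wan", "tcp", "198.51.100.7", WAN_ADDRESS, 25)


def ssh_with_posted_rules() -> str:
    """After rdr the packet is PC_02:22; no posted rule matches port 22 -> default deny."""
    return inbound(SSH_FROM_INTERNET, RDRS, POSTED_RULES)[1]


def smtp_with_posted_rules() -> str:
    """25 -> 25 leaves the port unchanged, so the posted rule still matches."""
    return inbound(SMTP_FROM_INTERNET, RDRS, POSTED_RULES)[1]


def ssh_with_fixed_rules() -> str:
    """Rule on the internal IP and port 22 matches the translated packet."""
    return inbound(SSH_FROM_INTERNET, RDRS, FIXED_RULES)[1]


if __name__ == "__main__":
    for name, rules in (("posted", POSTED_RULES), ("fixed", FIXED_RULES)):
        for pkt in (SSH_FROM_INTERNET, SMTP_FROM_INTERNET):
            t, verdict, why = inbound(pkt, RDRS, rules)
            print(f"{name}: {pkt.dst}:{pkt.dport} -> {t.dst}:{t.dport}  {verdict} ({why})")
```

Running the block prints the posted SSH forward landing on the default deny while the same forward with the rule rewritten to PC_02 port 22 passes. This is also why "Filter rule association: pass" makes the forward work: OPNsense then generates the matching pass rule for the translated destination itself, which is the part the hand-written WAN rule was missing.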