Hello All,
I needed to have SSH access on the WAN port, so I changed the port to a non-standard one and added a suitable rule to allow this through to the firewall. It does not work. Then I changed the port back to 22 and adjusted the rule accordingly. Still did not work. Then I changed the system GUI port to a high port and updated the rule for that. Again no luck.
For each of these actions, I added the same rule on a management port and that works every single time. I even disabled reply-to under the rule, but still no joy. I am running the latest 27 code.
Is there something special to turn on to allow management access on outside? I just need SSH on a high port.
Thanks
If you showed us the configuration of your rule we could possibly help you ;)
Well,
1. Make sure SSH is enabled
2. Make sure SSH is listening on the WAN interface (in addition to others, maybe)
3. Define a port number that suits your needs
4. Create a firewall rule on WAN interface to allow TCP traffic to the WAN IP and SSH port
If you don't have any luck with this, please describe what you did in steps 2, 3 and 4 and how you do your testing. Make sure your ISP allows that port and no NAT rules masquerade on that specific port.
Note: This can expose a security risk when you use weak passwords. A non-standard port won't help you.
Addition: And of course, if WAN has a private IP, make sure you do not block private traffic on that very interface.
Thank you Patrick and @tron80.
I have all of this done right. As I mentioned, I replicated this on another OPT interface with the exact same procedure and that works every single time. SSH and HTTP on the non-standard ports work on LAN as well as on the Mgmt/OPT interface. The listen interface is the default, All.
The ISP service is commercial, with no ports blocked by the ISP. And I forgot to mention that when I added a non-standard HTTP port to the alias of allowed ports (which also includes the non-standard SSH port, e.g. 33123 for SSH and 33125 for HTTP), the admin login page shows up, but when I type in the username/password nothing happens and the status bar shows "waiting for ----". And after refreshing the page, it does not bring up the admin login page again for me to try once more. After a few minutes, the page times out.
And WAN has a public IP address. I have an HA pair of two boxes, an HA IP for CARP, and a range of NAT IPs for NATting traffic out. All these IPs are from a block of public IPs provided by the ISP. I tried the individual WAN public IPs and the HA public IP, with the same results.
Under the rule, I have tried changing state type to various options and nothing makes this work.
Essentially the rule has Action Pass, interface WAN, direction in, TCP/IP type v4, protocol TCP, source any, destination WAN address, and a destination port range of the alias of the two ports described above. reply-to is disabled (it was default before, and I have tried going back and forth); source OS is Any.
Thanks so much for your help in trying to troubleshoot this issue.
Changed the destination to "This Firewall" rather than the WAN IP address, and it works now.
I will only have SSH access on a non-standard port with a strong password. I cannot limit it to source public IPs, as my home IP changes. I can look into the SSH lockout feature, which I believe is enabled by default.
Please advise.
Thanks
Disable password authentication and use private/public key.
Thanks Patrick. That is a great idea. I will follow your recommendation on that and that then also allows effortless connections when needed.
There are some advanced options under the rule for max concurrent connections etc. Do they help against DDoS attempts?
The better avenue would be to log on the company network using 2FA, and once inside you can use SSH keys.
Drilling holes in the perimeter FW is not the best idea, and there's no added security in using different ports.
If 2FA is not an option, another option to consider is sslh
pkg install os-sslh
Quote: "There are some advanced options under the rule for max concurrent connections etc. Do they help against DDoS attempts?"
DDoS should be handled by the ISP primarily. Your company doesn't have the resources, and your ISP is directly interested in keeping that traffic from traversing their network only to be dropped at your premises.
Thanks @newsense for your advice. I am not a company. This is all for a community events Wi-Fi. ISPs do offer DDoS service packages, but those cost a lot. With no inbound port forwarding or NAT mappings, the only thing to protect is the firewall itself against unauthorized login attempts. I have seen that changing the SSH port to a high port does help reduce this by a big degree. The second measure will be to use SSH keys and not passwords for SSH.
Yes, 2-factor authentication is too much, as it is tied to a phone that could be misplaced, or may not work in certain areas with no cell coverage. I will look into the SSH/SSL multiplexer and see if it will help in my situation.
Thanks again
OK, fair enough. Not advocating for paying for DDoS packages from your ISP, but they're still required to mitigate it.
The remaining noise should be handled by OPNsense if still needed.
Firewall: Settings: Advanced - you have an Anti DDOS option there - use responsibly, defaults matter.
Thanks again @newsense.
I have enabled syncookies as adaptive with 60% start and 30% end for state table entries. Hope that is good enough for my use case.
But I am not able to comprehend the use of sslh and how it will help in strengthening the SSH posture for WAN-side access. sslh, as I read, allows sharing a single port for, say, HTTPS and SSL if only HTTPS is allowed in by the ISP. I don't have any such blocks.
fail2ban is one measure, but that requires it to look into logs and then take action. But to limit CPU and memory consumption, I have disabled all kinds of logging, to the extent that even the syslog-ng service is disabled. In that case fail2ban will also not work.
Will SSH on a non-standard port with key-based authentication not be robust enough for my needs of just guest Wi-Fi outbound access (no inbound access and no need for it, other than for me to log in sometimes to check the usage etc.)? I might simply add an old PC inside, set up OpenVPN to get to it, and then manage the firewall from there.
Yeah, maybe sslh is not for you. It's even worse, though, doing HTTP authentication over the internet.
If the page you're aiming for is the OPNsense UI then you can do ssh tunneling and access OPNsense over a secure connection --- and close any other holes in the FW
Hi @newsense, how do I access HTTP over SSH using SSH tunneling, please?
Thanks
For example:
ssh -L8080:127.0.0.1:80 <user>@<ssh-target-host>
This means "forward the local port 8080 on my PC/Mac/whatever to the address and port 127.0.0.1:80 on the remote side."
Then you use http://127.0.0.1:8080/ in your browser.
For HTTPS replace e.g. 8080 with 8443 and 80 with 443.
Thank you so much, Patrick, for the excellent explanation. I will try this sometime later today and confirm. Though I only wished to access SSH on a non-standard port, this is interesting, at least for me, to try and keep in my back pocket just in case.
I assume this still uses port 22 for the establishment of the SSH tunnel that carries within it the forwarded ports between the HTTP/HTTPS server and the local machine, so the OPNsense firewall needs to expose port 22 for SSH on the WAN interface.
Can I have the underlying SSH tunnel use something like port 54321?
Appreciate all your help.
Of course, add option "-p <port>" to the ssh command.
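Putting the pieces from this thread together (key-only authentication from Patrick's earlier reply, the `-L` local forward to the GUI, and `-p` for a non-standard SSH port), here is an added example wrapper script that is not part of the original posts or of OPNsense itself. The hostname `fw.example.net`, the user `admin`, the SSH port 54321, the local port 8443 and the key path are placeholders I assumed for illustration. Beyond the thread's own command, the script refuses to fall back to password or keyboard-interactive authentication on the client side and fails loudly if the local listen port is already taken, so a typo never silently degrades into a password prompt over the internet:

```shell
#!/bin/sh
# Added example (not from the thread): open an SSH local port-forward to the
# OPNsense web GUI over a non-standard SSH port, key-only, from a client PC.

# valid_port: return 0 if $1 is an integer in 1..65535, 1 otherwise.
valid_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# run_tunnel MODE SSH_PORT LOCAL_PORT GUI_PORT USER@HOST KEYFILE
#   MODE is "print" (dry run: show the command on one line) or "connect"
#   (exec ssh and hold the tunnel open until interrupted).
run_tunnel() {
  mode=$1; ssh_port=$2; local_port=$3; gui_port=$4; target=$5; key=$6
  for p in "$ssh_port" "$local_port" "$gui_port"; do
    valid_port "$p" || { echo "run_tunnel: bad port '$p'" >&2; return 2; }
  done
  # Build the argument list in the positional parameters (POSIX sh has no arrays).
  #   -p                       non-standard SSH port exposed on the firewall's WAN
  #   -i / IdentitiesOnly      offer exactly this key and nothing else from the agent
  #   PasswordAuthentication=no, KbdInteractiveAuthentication=no
  #                            never fall back to typing a password over the internet
  #   ExitOnForwardFailure=yes fail instead of silently running without the forward
  #   -N                       no remote shell, forwarding only
  #   -L                       bind only on the client's loopback, reach the GUI
  #                            on the firewall's own loopback
  set -- ssh -p "$ssh_port" -i "$key" \
    -o IdentitiesOnly=yes \
    -o PasswordAuthentication=no \
    -o KbdInteractiveAuthentication=no \
    -o ExitOnForwardFailure=yes \
    -N -L "127.0.0.1:$local_port:127.0.0.1:$gui_port" "$target"
  if [ "$mode" = connect ]; then
    echo "Browse to https://127.0.0.1:$local_port/ once connected (Ctrl-C to close)" >&2
    exec "$@"
  else
    printf '%s\n' "$*"
  fi
}

# Dry run with the assumed placeholder values: prints the command it would run.
run_tunnel print 54321 8443 443 admin@fw.example.net "$HOME/.ssh/id_ed25519"
```

To actually open the tunnel, call `run_tunnel connect 54321 8443 443 admin@fw.example.net ~/.ssh/id_ed25519` and then browse to `https://127.0.0.1:8443/`; because the forward binds to the client's loopback only, nobody else on the client's network can reach the firewall GUI through it. If the GUI is still on plain HTTP, change the 443 to 80 and use `http://`.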
Excellent. I will try this and report back.
God bless you and all the developers and authors of Opensource software and systems. Keep doing good work.
Hi Patrick. It works. Thanks so much for your help and support.