I'm having a problem getting NAT port forwarding working for SSH, but a nearly identical rule (different target IP but on the same LAN, different ports) for Plex works without a problem.
Internet <-> (FiOS DHCP address) FiOS router (192.168.1.1) <-> (192.168.1.201) OPNsense (192.168.2.1) <-> (192.168.2.33) SSH server
The FiOS router has 192.168.1.201 set as the DMZ host so all Internet traffic is being sent there. This all worked using a previous Linux box as the firewall (same Internet client, same FiOS router, same SSH server, same IP addresses & ports, etc.); the only change is the upgrade to the OPNsense firewall, so I'm confident that the other pieces are working.
tcpdump on the SSH server does see the incoming connection:
# tcpdump -vv port 22
20:15:51.660109 IP (tos 0x0, ttl 50, id 28928, offset 0, flags [DF], proto TCP (6), length 60)
remote.host.45618 > 192.168.2.33.ssh: Flags [S], cksum 0xcd3a (correct), seq 1454014126, win 64240, options [mss 1420,sackOK,TS val 1787846930 ecr 0,nop,wscale 7], length 0
but the remote SSH client immediately returns:
ssh: connect to host example.dyndns.com port 2222: No route to host
without even a moment's pause.
Firewall > Settings > Advanced > "Disable reply-to on WAN rules" does not seem to make a difference.
OPNsense NAT rule and firewall log entries attached.
Any suggestions are appreciated. I'm probably missing something simple as I learn OPNsense. Thanks in advance!
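An added example for narrowing this down (it is not part of the original post and not OPNsense code). An immediate "No route to host" from the ssh client, as opposed to a timeout, means the client received an ICMP unreachable (host unreachable or administratively prohibited) or has no local route; since the SYN is reaching the server, the question is what happens to the SYN-ACK on the way back. The script below parses `tcpdump -n` (numeric) summary lines captured at three points, the OPNsense WAN side, the OPNsense LAN side and the server, and reports the first hop at which the SYN-ACK stops being visible or an ICMP unreachable appears. The captures, the client address 203.0.113.5, the OPNsense WAN address 192.168.1.201 and the external port 2222 are constructed for illustration.

```python
"""Added diagnostic: find the hop where a port-forwarded TCP handshake breaks.

Reads tcpdump -n summary lines captured at several points on the path and,
for one forwarded service, reports where the server's SYN-ACK stops being
visible or where an ICMP unreachable is generated.
"""
import re

# tcpdump -n TCP line, e.g. "... IP 203.0.113.5.45618 > 192.168.2.33.22: Flags [S], ..."
TCP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
# tcpdump -n ICMP line, e.g. "... IP 192.168.2.1 > 203.0.113.5: ICMP host 192.168.2.33 unreachable, length 36"
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP (?P<msg>.+?), length \d+$"
)


def analyze_capture(text, service_ip, service_port):
    """Summarise one capture relative to the service address as seen at that hop.

    On the OPNsense WAN side the service is the WAN address and external port
    (pre-NAT); on the LAN side and on the server it is the server's own
    address and port (post-NAT)."""
    result = {"syn": False, "synack": False, "rst": False, "icmp": []}
    for line in text.splitlines():
        line = line.strip()
        m = TCP_RE.match(line)
        if m:
            to_service = m["dst"] == service_ip and int(m["dport"]) == service_port
            from_service = m["src"] == service_ip and int(m["sport"]) == service_port
            flags = m["flags"]
            if to_service and flags == "S":
                result["syn"] = True
            elif from_service and flags == "S.":
                result["synack"] = True
            elif from_service and "R" in flags:
                result["rst"] = True
            continue
        m = ICMP_RE.match(line)
        if m and "unreachable" in m["msg"]:
            result["icmp"].append((m["src"], m["msg"]))
    return result


def diagnose(hops):
    """hops: list of (name, capture_text, service_ip, service_port), ordered
    from the Internet side inward (WAN, LAN, server). Returns (verdict, summaries)."""
    summaries = [(name, analyze_capture(text, ip, port)) for name, text, ip, port in hops]
    for name, r in summaries:
        if r["icmp"]:
            sender, msg = r["icmp"][0]
            return (f"ICMP '{msg}' from {sender} seen at {name}; "
                    "something on the reply path is refusing the connection", summaries)
    innermost_name, innermost = summaries[-1]
    if not innermost["syn"]:
        return ("client SYN never reached the server: check the port-forward rule", summaries)
    if innermost["rst"]:
        return (f"server answered with RST at {innermost_name}: nothing listening on that port", summaries)
    if not innermost["synack"]:
        return ("server saw the SYN but sent no SYN-ACK: check the listener and the server's route back", summaries)
    # Walk outward from the server; the first hop that does not see the SYN-ACK is where it was lost.
    for name, r in reversed(summaries[:-1]):
        if not r["synack"]:
            return (f"SYN-ACK left the server but was not seen at {name}: "
                    "reply dropped or routed around the firewall before that hop", summaries)
    return ("handshake visible end to end; the problem is beyond these capture points", summaries)


# Constructed captures (not from the original post): client 203.0.113.5 connects to the
# assumed OPNsense WAN address 192.168.1.201 port 2222, forwarded to 192.168.2.33 port 22.
SAMPLE_WAN = """\
20:15:51.660001 IP 203.0.113.5.45618 > 192.168.1.201.2222: Flags [S], seq 1454014126, win 64240, options [mss 1420,sackOK,TS val 1787846930 ecr 0,nop,wscale 7], length 0
"""
SAMPLE_LAN = """\
20:15:51.660050 IP 203.0.113.5.45618 > 192.168.2.33.22: Flags [S], seq 1454014126, win 64240, options [mss 1420,sackOK,TS val 1787846930 ecr 0,nop,wscale 7], length 0
"""
SAMPLE_SERVER = """\
20:15:51.660109 IP 203.0.113.5.45618 > 192.168.2.33.22: Flags [S], seq 1454014126, win 64240, options [mss 1420,sackOK,TS val 1787846930 ecr 0,nop,wscale 7], length 0
20:15:51.660180 IP 192.168.2.33.22 > 203.0.113.5.45618: Flags [S.], seq 2039583714, ack 1454014127, win 65160, options [mss 1460,sackOK,TS val 3152467 ecr 1787846930,nop,wscale 7], length 0
"""
SAMPLE_HOPS = [
    ("opnsense-wan", SAMPLE_WAN, "192.168.1.201", 2222),
    ("opnsense-lan", SAMPLE_LAN, "192.168.2.33", 22),
    ("ssh-server", SAMPLE_SERVER, "192.168.2.33", 22),
]

if __name__ == "__main__":
    verdict, summaries = diagnose(SAMPLE_HOPS)
    for name, r in summaries:
        print(f"{name:13s} syn={r['syn']} synack={r['synack']} rst={r['rst']} icmp={r['icmp']}")
    print(verdict)
```

To collect real input, run `tcpdump -ni <wan-if> 'port 2222 or icmp'` and `tcpdump -ni <lan-if> 'host 192.168.2.33 or icmp'` on OPNsense (interface names are yours to fill in) alongside `tcpdump -ni <if> 'port 22 or icmp'` on the server, then feed each capture to the matching hop. In the constructed sample the server answers but the LAN side of the firewall never sees the SYN-ACK, which is the pattern you would get if the server's reply were routed to a gateway other than 192.168.2.1; an ICMP unreachable at the WAN side instead points at a rule or reply-to problem on the firewall itself.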
Try SSH with a port other than 22?
Disable the global "anti-lockout" rule.
Quote from: bartjsmit on December 08, 2024, 09:26:29 AM
Try SSH with a port other than 22?
No difference if I have the SSH server listening on 2222 and port forward from 2222 to 2222.
Quote from: Patrick M. Hausen on December 08, 2024, 09:57:36 AM
Disable the global "anti-lockout" rule.
No difference here either, unfortunately.
Select FIOS Address instead of This Firewall.
Quote from: Bob.Dig on December 08, 2024, 07:27:26 PM
Select FIOS Address instead of This Firewall.
Tried but still getting the "No route to host" error from the SSH client.
(FWIW, "This Firewall" works with the Plex NAT.)