OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: badwestguy on September 26, 2018, 01:56:44 pm

Title: 18.7.3 can't access from WAN to ssh
Post by: badwestguy on September 26, 2018, 01:56:44 pm
Hello OPNsense,


I recently decided to install opnsense as a firewall in my organization.

Before installing it as a main device, I decided to test its virtual version. I installed it on one of the servers and specified two virtual network adapters:
wan (dhcp4) - 192.168.88.120/24 - received from my current router.
lan (static) - 10.10.1.1/24 - the DHCP server runs here


I created another virtual device (ubuntu 18.04) and connected it to the same network adapter.

After that, I turned on ssh on both network adapters (wan, lan), added rules for access, allowed the connection for root.

However, I have access only from the side of lan (from virtual ubuntu). The router remains unavailable from the wan network.


Configs here:
(https://thumb.ibb.co/nvk3p9/1.png) (https://ibb.co/nvk3p9)
(https://thumb.ibb.co/mNMb99/2.png) (https://ibb.co/mNMb99)
(https://thumb.ibb.co/nKW9U9/3.png) (https://ibb.co/nKW9U9)
(https://thumb.ibb.co/iUoZwp/4.png) (https://ibb.co/iUoZwp)
(https://thumb.ibb.co/hgYOp9/5.png) (https://ibb.co/hgYOp9)
(https://thumb.ibb.co/hUcSGp/6.png) (https://ibb.co/hUcSGp)
Title: Re: 18.7.3 can't access from WAN to ssh
Post by: marjohn56 on September 26, 2018, 03:04:40 pm
Not a good idea to expose the SSH port to the WAN for obvious reasons. If you want to remote into the firewall you're always better off using a VPN.
Title: Re: 18.7.3 can't access from WAN to ssh
Post by: qinohe on September 26, 2018, 05:35:57 pm
@ marjohn56, while I do agree with you that VPN is stronger, it probably doesn't matter now since he's behind a second router and could be for testing only ;)

@ badwestguy,

You don't have the option 'Block private networks' enabled on the WAN interface?

Greetings, mark

Title: Re: 18.7.3 can't access from WAN to ssh
Post by: badwestguy on September 26, 2018, 05:39:07 pm
Thanks for the answer, @marjohn56!


Yes, I know about the risks of using ssh on WAN.


Now I want to configure the web interface of the system (OPNsense) for using it in the future.
The main idea - edit files from the WAN port with sftp and ssh access.
Of course, I can do it from PCs in the LAN segment, but all these PCs are virtual and it's not comfortable to work with the OPNsense GUI from a virtual PC with VNC.


Any idea how to connect from WAN to SSH?


Title: Re: 18.7.3 can't access from WAN to ssh
Post by: marjohn56 on September 26, 2018, 05:52:51 pm
Yes, use OpenVPN, then you can SSH into the LAN side of OPNsense without any issues.
Title: Re: 18.7.3 can't access from WAN to ssh
Post by: badwestguy on September 26, 2018, 06:06:40 pm
> @ badwestguy,
>
> You don't have the option 'Block private networks' enabled on the WAN interface?
>
> Greetings, mark

Both "Block private networks" and "Block bogon networks" are disabled.

> Yes, use OpenVPN, then you can SSH into the LAN side of OPNsense without any issues.

It's much harder to configure OpenVPN than to just use ssh from WAN  :)
Title: Re: 18.7.3 can't access from WAN to ssh
Post by: marjohn56 on September 26, 2018, 06:16:21 pm
It takes all of 5 minutes to configure OpenVPN using the wizard, it's taken you longer than that already! 8)
Title: Re: 18.7.3 can't access from WAN to ssh
Post by: fabian on September 26, 2018, 06:44:19 pm
Your WAN is RFC1918, which is NOT routed to the public internet. You are probably behind a carrier-grade NAT, which makes it impossible to reach your device via the internet, or you are behind a home router, which needs a port forward to make it work.
Title: Re: 18.7.3 can't access from WAN to ssh
Post by: badwestguy on September 27, 2018, 03:12:00 pm
> Your WAN is RFC1918, which is NOT routed to the public internet. You are probably behind a carrier-grade NAT, which makes it impossible to reach your device via the internet, or you are behind a home router, which needs a port forward to make it work.

Yes, I know. This OPNsense is installed on my server behind the router.

Its IP - 192.168.88.120, my laptop's IP - 192.168.88.85.
I want to connect from my laptop to the OPNsense server with SSH.
All firewall rules are good (in my mind), all other settings are good (in my mind), but... I can't.


Any idea?



> It takes all of 5 minutes to configure OpenVPN using the wizard, it's taken you longer than that already! 8)


Maybe it's a good idea, but I want to connect via ssh, and not try everything in order to access from outside.

Is OPNsense able to resolve the connection over ssh from the WAN network?
Title: Re: 18.7.3 can't access from WAN to ssh
Post by: franco on September 27, 2018, 04:04:04 pm
Enable checkbox "Disable Reply-to" under Firewall: Settings: Advanced.


Cheers,
Franco
Title: Re: 18.7.3 can't access from WAN to ssh
Post by: badwestguy on September 27, 2018, 06:26:50 pm
> Enable checkbox "Disable Reply-to" under Firewall: Settings: Advanced.

Thank you so much, Franco! It helped.


Maybe OPNsense team can add this to the manuals?
Title: Re: 18.7.3 can't access from WAN to ssh
Post by: franco on September 27, 2018, 08:44:31 pm
It's a complex set of preconditions where documentation doesn't work because you'll only find it if you know what you're looking for. :/

We made the GUI a bit more intuitive with https://github.com/opnsense/core/issues/2458, avoiding setting gateways for WAN by saying they are only required in multi-WAN scenarios. If you go to WAN and set the gateway back to "Auto-detect", that will likely fix it too.


Cheers,
Franco