17.7 Legacy Series / Can't seem to get Port Forwarding working
« on: January 22, 2018, 12:55:08 am »
I've been having a lot of trouble getting a port forward working. My goal is to forward SSH to a desktop.
Related to the SSH connection, I'm using keys, and it works within the LAN. I've changed the port to 10022 just to rule out any issues related to the default 22.
igb0 is my LAN, igb1 is my WAN.
Attached is a screenshot of my Port Forward page.
I've tried "catching" the connection as I try to SSH in, but I don't see it in the Normal View of the Log Files. I'm not sure how to continue debugging this, as all I get is a connection timeout. Any help is appreciated.
EDIT 1: canyouseeme.org is reporting 10022 as open. It reported 22 as open while I was trying that port (22 is now closed).
(desktop) ssh -vvv user@184.9.150.155
OpenSSH_7.5p1, LibreSSL 2.6.3
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "184.9.150.155" port 10022
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 184.9.150.155 [184.9.150.155] port 10022.
debug1: connect to address 184.9.150.155 port 10022: Operation timed out
root@OPNsense:/tmp # cat rules.debug
# Generated pf ruleset (OPNsense rules.debug). Evaluation order matters for the
# port forward below: translation (nat/rdr) is applied first, then the filter
# rules are matched against the already-translated packet. A rule with `quick`
# stops evaluation at the first match; without `quick` the last match wins.
set ruleset-optimization basic
set optimization normal
set timeout { adaptive.start 0, adaptive.end 0 }
set limit states 814000
set limit src-nodes 814000
# System aliases
loopback = "{ lo0 }"
lan = "{ igb0 }"
wan = "{ igb1 }"
# SSH Lockout Table
table <sshlockout> persist
table <webConfiguratorlockout> persist
# Other tables
table <virusprot>
table <bogons> persist file "/usr/local/etc/bogons"
table <bogonsv6> persist file "/usr/local/etc/bogonsv6"
# User Aliases
# Plugins tables
set loginterface igb0
set skip on pfsync0
scrub on $lan all
scrub on $wan all
no nat proto carp
no rdr proto carp
# Outbound NAT rules (automatic)
# Subnets to NAT
tonatsubnets = "{ 127.0.0.0/8 192.168.1.0/24 }"
# Traffic to destination port 500 keeps its source port (static-port); all other
# outbound traffic from the LAN/loopback subnets is rewritten to the WAN address
# with a source port from 1024:65535.
nat on $wan from $tonatsubnets to any port 500 -> 184.9.150.155/32 static-port
nat on $wan from $tonatsubnets to any -> 184.9.150.155/32 port 1024:65535
# Anti lockout, prevent redirects for protected ports to this interface ip
no rdr on igb0 proto tcp from any to ( igb0 ) port { 443 80 }
# NAT Inbound Redirects
# Inbound forward: TCP to the WAN address on 10022 is redirected to
# 192.168.1.102. No target port is given, so the destination port stays 10022
# (pf keeps the original port when the redirect omits one).
# NOTE(review): the host at 192.168.1.102 therefore has to accept SSH on 10022,
# not 22 — confirm against that host's sshd listen port.
rdr on igb1 inet proto tcp from any to (igb1) port 10022 -> 192.168.1.102
# Reflection redirect
# NAT reflection: the same rewrite for LAN clients that connect to the WAN
# address. NOTE(review): no matching outbound nat on igb0 is present in this
# ruleset, so a LAN host reaching its own WAN address relies on 192.168.1.102
# replying back through the firewall rather than directly. If the ssh test
# above was run from inside the LAN (the prompt reads "(desktop)"), a timeout on
# this path is plausible; a test from outside the LAN isolates the WAN forward.
rdr on igb0 inet proto tcp from any to (igb1) port 10022 -> 192.168.1.102
antispoof log for igb0
antispoof log for igb1
#pass in log quick on lo0 inet6 from {any} to {any} label "Pass all loopback IPv6"
#block in log quick inet6 from {any} to {any} label "Block all IPv6"
# Default policy (not `quick`): anything no later rule passes is blocked and
# logged; these are the "Default deny rule" entries seen in the firewall log.
block in log inet from {any} to {any} label "Default deny rule"
block in log inet6 from {any} to {any} label "Default deny rule"
pass in log quick inet6 proto ipv6-icmp from {any} to {any} icmp6-type {1,2,135,136} keep state label "IPv6 requirements (ICMP)"
pass out log quick inet6 proto ipv6-icmp from {fe80::/10} to {fe80::/10,ff02::/16} icmp6-type {129,133,134,135,136} keep state label "IPv6 requirements (ICMP)"
pass in log quick inet6 proto ipv6-icmp from {fe80::/10} to {fe80::/10,ff02::/16} icmp6-type {128,133,134,135,136} keep state label "IPv6 requirements (ICMP)"
pass in log quick inet6 proto ipv6-icmp from {ff02::/16} to {fe80::/10} icmp6-type {128,133,134,135,136} keep state label "IPv6 requirements (ICMP)"
# Drop anything using port 0 as source or destination.
block in log quick inet proto {tcp udp} from {any} port {0} to {any}
block in log quick inet6 proto {tcp udp} from {any} port {0} to {any}
block in log quick inet proto {tcp udp} from {any} to {any} port {0}
block in log quick inet6 proto {tcp udp} from {any} to {any} port {0}
block in log quick proto carp from {(self)} to {any}
pass in log quick proto carp from {any} to {any}
# Lockout tables only protect the firewall's own services ((self) on 22/443);
# they do not cover the forwarded host at 192.168.1.102.
block in log quick proto tcp from {<sshlockout>} to {(self)} port {22} label "sshlockout"
block in log quick proto tcp from {<webConfiguratorlockout>} to {(self)} port {443} label "webConfiguratorlockout"
block in log quick from {<virusprot>} to {any} label "virusprot overload table"
#block in log quick on lo0 from {<bogons>} to {any} label "block bogon IPv4 networks from loopback"
#block in log quick on lo0 from {<bogonsv6>} to {any} label "block bogon IPv6 networks from loopback"
#block in log quick on lo0 from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fc00::/7} to {any} label "Block private networks from loopback"
#block in log quick on igb0 from {<bogons>} to {any} label "block bogon IPv4 networks from LAN"
#block in log quick on igb0 from {<bogonsv6>} to {any} label "block bogon IPv6 networks from LAN"
#block in log quick on igb0 from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fc00::/7} to {any} label "Block private networks from LAN"
# WAN ingress filters match on the *source* address only; they do not affect
# the forward, whose destination is rewritten to 192.168.1.102 before filtering.
block in log quick on igb1 from {<bogons>} to {any} label "block bogon IPv4 networks from WAN"
block in log quick on igb1 from {<bogonsv6>} to {any} label "block bogon IPv6 networks from WAN"
block in log quick on igb1 from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fc00::/7} to {any} label "Block private networks from WAN"
pass in log quick on igb0 proto udp from {any} port {68} to {255.255.255.255} port {67} label "allow access to DHCP server"
pass in log quick on igb0 proto udp from {any} port {68} to {(self)} port {67} label "allow access to DHCP server"
pass out log quick on igb0 proto udp from {(self)} port {67} to {any} port {68} label "allow access to DHCP server"
pass in log quick on igb0 inet6 proto udp from {fe80::/10} to {fe80::/10,ff02::/16} port {546} label "allow access to DHCPv6 server on LAN"
pass in log quick on igb0 inet6 proto udp from {fe80::/10} to {ff02::/16} port {547} label "allow access to DHCPv6 server on LAN"
pass in log quick on igb0 inet6 proto udp from {ff02::/16} to {fe80::/10} port {547} label "allow access to DHCPv6 server on LAN"
pass in log quick on igb0 inet6 proto udp from {fe80::/10} to {(self)} port {546} label "allow access to DHCPv6 server on LAN"
pass out log quick on igb0 inet6 proto udp from {(self)} port {547} to {fe80::/10} label "allow access to DHCPv6 server on LAN"
pass in log on igb1 proto udp from {any} port {67} to {any} port {68} label "allow DHCP client on WAN"
pass out log on igb1 proto udp from {any} port {68} to {any} port {67} label "allow DHCP client on WAN"
pass in log quick on lo0 from {any} to {any} label "pass loopback"
pass out log from {any} to {any} keep state allow-opts label "let out anything from firewall host itself"
pass in log quick on igb0 proto tcp from {any} to {(self)} port {443 80} keep state label "anti-lockout rule"
# Firewall-originated traffic leaving igb1 is policy-routed to the WAN gateway.
pass out log route-to ( igb1 184.9.144.1 ) from {igb1} to {!(igb1:network)} keep state allow-opts label "let out anything from firewall host itself"
# User rules. NOTE(review): unlike the system rules above, none of the three
# USER_RULE entries carries `log`, so traffic they pass — including a
# successfully forwarded SSH connection — never shows up in the firewall log
# view. Enabling logging on the NAT rule is the quickest way to learn whether
# the inbound SYN reaches the firewall at all.
pass in quick on igb0 inet from {(igb0:network)} to {any} label "USER_RULE: Default allow LAN to any rule"
pass in quick on igb0 inet6 from {(igb0:network)} to {any} label "USER_RULE: Default allow LAN IPv6 to any rule"
# Filter rule paired with the rdr above. It is matched after translation, so
# it targets the LAN host 192.168.1.102:10022 rather than the WAN address;
# reply-to sends the return traffic back out igb1 via the WAN gateway.
pass in quick on igb1 reply-to ( igb1 184.9.144.1 ) inet proto tcp from {any} to {192.168.1.102} port {10022} label "USER_RULE: NAT "
Related to the SSH connection, I'm using keys, and it works within the LAN. I've changed the port to 10022 just to rule out any issues related to the default 22.
igb0 is my LAN, igb1 is my WAN.
Attached is a screenshot of my Port Forward page.
I've tried "catching" the connection as I try to SSH in, but I don't see it in the Normal View of the Log Files. I'm not sure how to continue debugging this, as all I get is a connection timeout. Any help is appreciated.
EDIT 1: canyouseeme.org is reporting 10022 as open. It reported 22 as open while I was trying that port (22 is now closed).
(desktop) ssh -vvv user@184.9.150.155
OpenSSH_7.5p1, LibreSSL 2.6.3
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "184.9.150.155" port 10022
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 184.9.150.155 [184.9.150.155] port 10022.
debug1: connect to address 184.9.150.155 port 10022: Operation timed out
root@OPNsense:/tmp # cat rules.debug
# Generated pf ruleset (OPNsense rules.debug). Evaluation order matters for the
# port forward below: translation (nat/rdr) is applied first, then the filter
# rules are matched against the already-translated packet. A rule with `quick`
# stops evaluation at the first match; without `quick` the last match wins.
set ruleset-optimization basic
set optimization normal
set timeout { adaptive.start 0, adaptive.end 0 }
set limit states 814000
set limit src-nodes 814000
# System aliases
loopback = "{ lo0 }"
lan = "{ igb0 }"
wan = "{ igb1 }"
# SSH Lockout Table
table <sshlockout> persist
table <webConfiguratorlockout> persist
# Other tables
table <virusprot>
table <bogons> persist file "/usr/local/etc/bogons"
table <bogonsv6> persist file "/usr/local/etc/bogonsv6"
# User Aliases
# Plugins tables
set loginterface igb0
set skip on pfsync0
scrub on $lan all
scrub on $wan all
no nat proto carp
no rdr proto carp
# Outbound NAT rules (automatic)
# Subnets to NAT
tonatsubnets = "{ 127.0.0.0/8 192.168.1.0/24 }"
# Traffic to destination port 500 keeps its source port (static-port); all other
# outbound traffic from the LAN/loopback subnets is rewritten to the WAN address
# with a source port from 1024:65535.
nat on $wan from $tonatsubnets to any port 500 -> 184.9.150.155/32 static-port
nat on $wan from $tonatsubnets to any -> 184.9.150.155/32 port 1024:65535
# Anti lockout, prevent redirects for protected ports to this interface ip
no rdr on igb0 proto tcp from any to ( igb0 ) port { 443 80 }
# NAT Inbound Redirects
# Inbound forward: TCP to the WAN address on 10022 is redirected to
# 192.168.1.102. No target port is given, so the destination port stays 10022
# (pf keeps the original port when the redirect omits one).
# NOTE(review): the host at 192.168.1.102 therefore has to accept SSH on 10022,
# not 22 — confirm against that host's sshd listen port.
rdr on igb1 inet proto tcp from any to (igb1) port 10022 -> 192.168.1.102
# Reflection redirect
# NAT reflection: the same rewrite for LAN clients that connect to the WAN
# address. NOTE(review): no matching outbound nat on igb0 is present in this
# ruleset, so a LAN host reaching its own WAN address relies on 192.168.1.102
# replying back through the firewall rather than directly. If the ssh test
# above was run from inside the LAN (the prompt reads "(desktop)"), a timeout on
# this path is plausible; a test from outside the LAN isolates the WAN forward.
rdr on igb0 inet proto tcp from any to (igb1) port 10022 -> 192.168.1.102
antispoof log for igb0
antispoof log for igb1
#pass in log quick on lo0 inet6 from {any} to {any} label "Pass all loopback IPv6"
#block in log quick inet6 from {any} to {any} label "Block all IPv6"
# Default policy (not `quick`): anything no later rule passes is blocked and
# logged; these are the "Default deny rule" entries seen in the firewall log.
block in log inet from {any} to {any} label "Default deny rule"
block in log inet6 from {any} to {any} label "Default deny rule"
pass in log quick inet6 proto ipv6-icmp from {any} to {any} icmp6-type {1,2,135,136} keep state label "IPv6 requirements (ICMP)"
pass out log quick inet6 proto ipv6-icmp from {fe80::/10} to {fe80::/10,ff02::/16} icmp6-type {129,133,134,135,136} keep state label "IPv6 requirements (ICMP)"
pass in log quick inet6 proto ipv6-icmp from {fe80::/10} to {fe80::/10,ff02::/16} icmp6-type {128,133,134,135,136} keep state label "IPv6 requirements (ICMP)"
pass in log quick inet6 proto ipv6-icmp from {ff02::/16} to {fe80::/10} icmp6-type {128,133,134,135,136} keep state label "IPv6 requirements (ICMP)"
# Drop anything using port 0 as source or destination.
block in log quick inet proto {tcp udp} from {any} port {0} to {any}
block in log quick inet6 proto {tcp udp} from {any} port {0} to {any}
block in log quick inet proto {tcp udp} from {any} to {any} port {0}
block in log quick inet6 proto {tcp udp} from {any} to {any} port {0}
block in log quick proto carp from {(self)} to {any}
pass in log quick proto carp from {any} to {any}
# Lockout tables only protect the firewall's own services ((self) on 22/443);
# they do not cover the forwarded host at 192.168.1.102.
block in log quick proto tcp from {<sshlockout>} to {(self)} port {22} label "sshlockout"
block in log quick proto tcp from {<webConfiguratorlockout>} to {(self)} port {443} label "webConfiguratorlockout"
block in log quick from {<virusprot>} to {any} label "virusprot overload table"
#block in log quick on lo0 from {<bogons>} to {any} label "block bogon IPv4 networks from loopback"
#block in log quick on lo0 from {<bogonsv6>} to {any} label "block bogon IPv6 networks from loopback"
#block in log quick on lo0 from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fc00::/7} to {any} label "Block private networks from loopback"
#block in log quick on igb0 from {<bogons>} to {any} label "block bogon IPv4 networks from LAN"
#block in log quick on igb0 from {<bogonsv6>} to {any} label "block bogon IPv6 networks from LAN"
#block in log quick on igb0 from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fc00::/7} to {any} label "Block private networks from LAN"
# WAN ingress filters match on the *source* address only; they do not affect
# the forward, whose destination is rewritten to 192.168.1.102 before filtering.
block in log quick on igb1 from {<bogons>} to {any} label "block bogon IPv4 networks from WAN"
block in log quick on igb1 from {<bogonsv6>} to {any} label "block bogon IPv6 networks from WAN"
block in log quick on igb1 from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fc00::/7} to {any} label "Block private networks from WAN"
pass in log quick on igb0 proto udp from {any} port {68} to {255.255.255.255} port {67} label "allow access to DHCP server"
pass in log quick on igb0 proto udp from {any} port {68} to {(self)} port {67} label "allow access to DHCP server"
pass out log quick on igb0 proto udp from {(self)} port {67} to {any} port {68} label "allow access to DHCP server"
pass in log quick on igb0 inet6 proto udp from {fe80::/10} to {fe80::/10,ff02::/16} port {546} label "allow access to DHCPv6 server on LAN"
pass in log quick on igb0 inet6 proto udp from {fe80::/10} to {ff02::/16} port {547} label "allow access to DHCPv6 server on LAN"
pass in log quick on igb0 inet6 proto udp from {ff02::/16} to {fe80::/10} port {547} label "allow access to DHCPv6 server on LAN"
pass in log quick on igb0 inet6 proto udp from {fe80::/10} to {(self)} port {546} label "allow access to DHCPv6 server on LAN"
pass out log quick on igb0 inet6 proto udp from {(self)} port {547} to {fe80::/10} label "allow access to DHCPv6 server on LAN"
pass in log on igb1 proto udp from {any} port {67} to {any} port {68} label "allow DHCP client on WAN"
pass out log on igb1 proto udp from {any} port {68} to {any} port {67} label "allow DHCP client on WAN"
pass in log quick on lo0 from {any} to {any} label "pass loopback"
pass out log from {any} to {any} keep state allow-opts label "let out anything from firewall host itself"
pass in log quick on igb0 proto tcp from {any} to {(self)} port {443 80} keep state label "anti-lockout rule"
# Firewall-originated traffic leaving igb1 is policy-routed to the WAN gateway.
pass out log route-to ( igb1 184.9.144.1 ) from {igb1} to {!(igb1:network)} keep state allow-opts label "let out anything from firewall host itself"
# User rules. NOTE(review): unlike the system rules above, none of the three
# USER_RULE entries carries `log`, so traffic they pass — including a
# successfully forwarded SSH connection — never shows up in the firewall log
# view. Enabling logging on the NAT rule is the quickest way to learn whether
# the inbound SYN reaches the firewall at all.
pass in quick on igb0 inet from {(igb0:network)} to {any} label "USER_RULE: Default allow LAN to any rule"
pass in quick on igb0 inet6 from {(igb0:network)} to {any} label "USER_RULE: Default allow LAN IPv6 to any rule"
# Filter rule paired with the rdr above. It is matched after translation, so
# it targets the LAN host 192.168.1.102:10022 rather than the WAN address;
# reply-to sends the return traffic back out igb1 via the WAN gateway.
pass in quick on igb1 reply-to ( igb1 184.9.144.1 ) inet proto tcp from {any} to {192.168.1.102} port {10022} label "USER_RULE: NAT "