NAT Port Forwarding not working for SSH

Started by spfld, December 08, 2024, 02:46:07 AM

I'm having a problem getting NAT port forwarding working for SSH, but a nearly identical rule (different target IP but on the same LAN, different ports) for Plex works without a problem.

Internet <-> (FiOS DHCP address) FiOS router (192.168.1.1) <-> (192.168.1.201) OPNsense (192.168.2.1) <-> (192.168.2.33) SSH server

The FiOS router has 192.168.1.201 set as the DMZ host so all Internet traffic is being sent there. This all worked using a previous Linux box as the firewall (same Internet client, same FiOS router, same SSH server, same IP addresses & ports, etc.); the only change is the upgrade to the OPNsense firewall, so I'm confident that the other pieces are working.

tcpdump on the SSH server does see the incoming connection:
# tcpdump -vv port 22
20:15:51.660109 IP (tos 0x0, ttl 50, id 28928, offset 0, flags [DF], proto TCP (6), length 60)
    remote.host.45618 > 192.168.2.33.ssh: Flags [S], cksum 0xcd3a (correct), seq 1454014126, win 64240, options [mss 1420,sackOK,TS val 1787846930 ecr 0,nop,wscale 7], length 0

but the remote ssh client immediately returns
ssh: connect to host example.dyndns.com port 2222: No route to host

without even a moment's pause.

Firewall > Settings > Advanced > "Disable reply-to on WAN rules" does not seem to make a difference.

OPNsense NAT rule and firewall log entries attached.

Any suggestions are appreciated. I'm probably missing something simple as I learn OPNsense. Thanks in advance!


Disable the global "anti-lockout" rule.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: bartjsmit on December 08, 2024, 09:26:29 AM
Try SSH with a port other than 22?

No difference if I have the SSH server listening on 2222 and port forward from 2222 to 2222.


Quote from: Patrick M. Hausen on December 08, 2024, 09:57:36 AM
Disable the global "anti-lockout" rule.

No difference here either, unfortunately.

Select FIOS Address instead of This Firewall.

Quote from: Bob.Dig on December 08, 2024, 07:27:26 PM
Select FIOS Address instead of This Firewall.

Tried but still getting the "No route to host" error from the SSH client.

(FWIW, "This Firewall" works with the Plex NAT.)
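The immediate "No route to host" in the original post is what ssh prints when connect() fails with EHOSTUNREACH, which is a different failure from a silent drop (a timeout after several seconds) or a TCP RST ("Connection refused"). Each of those corresponds to a different packet, or to no packet, coming back to the client, which is what decides where the next capture should be taken. As an added example, not code from the thread or from OPNsense, the Python probe below classifies one connect attempt by its errno and names the capture to take next; the hostname, port and timeout are assumptions supplied on the command line, and the errno-to-packet mapping is standard Linux socket behaviour, not anything OPNsense-specific.

```python
#!/usr/bin/env python3
"""Added diagnostic example (not from the forum thread or from OPNsense).

Classifies how a TCP connect() attempt fails so the client-side symptom can
be matched to what a packet capture on the path should show. Host, port and
timeout are assumptions supplied by the caller.
"""
import errno
import os
import socket
import sys
import time

# Standard Linux socket semantics: each immediate connect() error is caused
# by a specific packet arriving at the client. A silent drop raises nothing
# and shows up as a timeout instead.
ERRNO_MEANING = {
    errno.ECONNREFUSED: "tcp-rst",            # SYN answered with RST: nothing listening, or a TCP-style reject
    errno.EHOSTUNREACH: "icmp-host-unreach",  # ICMP destination unreachable (host/admin-prohibited), or no route/ARP
    errno.ENETUNREACH:  "icmp-net-unreach",   # ICMP network unreachable, or no matching local route
}

# What to capture next for each verdict (tcpdump filters are illustrative).
NEXT_CHECK = {
    "open": "handshake completed; the problem is above TCP",
    "tcp-rst": "capture on the server: did the RST come from the SSH host or from a firewall reject rule?",
    "icmp-host-unreach": "capture 'icmp' on the client: the unreachable's source IP names the hop that "
                         "refused the SYN, and its payload quotes the original SYN",
    "icmp-net-unreach": "check the client's routing table, then capture 'icmp' to find who sent the unreachable",
    "timeout": "SYN or SYN-ACK lost in transit: capture both sides of each NAT hop and find the missing half",
    "other-errno": "inspect the errno; this is not a path problem a capture will explain",
}


def classify_errno(code):
    """Map an OSError errno to the packet that most likely caused it."""
    return ERRNO_MEANING.get(code, "other-errno")


def verdict_for_message(text):
    """Reverse lookup: the strerror text a client printed (e.g. ssh's
    'No route to host') back to the packet class it implies."""
    for code, verdict in ERRNO_MEANING.items():
        if os.strerror(code) == text:
            return verdict
    return "other-errno"


def probe(host, port, timeout=5.0):
    """Attempt one TCP connect; return (verdict, elapsed_seconds)."""
    start = time.monotonic()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        verdict = "open"
    except socket.timeout:          # subclass of OSError, so it must be caught first
        verdict = "timeout"
    except OSError as e:
        verdict = classify_errno(e.errno)
    finally:
        s.close()
    return verdict, time.monotonic() - start


def diagnose(host, port, timeout=5.0):
    """Probe once and return (verdict, one-line report with the next capture)."""
    verdict, elapsed = probe(host, port, timeout)
    report = f"{host}:{port} -> {verdict} after {elapsed:.3f}s; next: {NEXT_CHECK[verdict]}"
    return verdict, report


def free_local_port():
    """Find a loopback TCP port nothing is listening on (for a local self-check)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # usage: python3 probe.py example.dyndns.com 2222   (placeholder host from the thread)
    target, target_port = sys.argv[1], int(sys.argv[2])
    print(diagnose(target, target_port)[1])
```

Run it from the same remote client that ssh fails on, against the same name and port. A verdict of icmp-host-unreach returned in well under a second, combined with the server-side capture showing the SYN arriving, means some hop answered the SYN with an ICMP unreachable; capturing icmp on the client shows which address sent it and the quoted SYN inside it, which is the fact the thread is missing.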