SSH not working from LAN.

Started by mikeb78, September 18, 2020, 12:33:33 AM

I have a new installation with 20.7. Everything is set up with default settings. When attempting to execute ssh to opnsense, the connection fails: ssh_exchange_identification: Connection closed by remote host. Both client and opnsense are on the same subnet. LAN is functioning well with firewall access to WAN (Spectrum). OPT1 (2nd subnet) has not been tested yet.

September 18, 2020, 01:02:58 AM #1 Last Edit: September 18, 2020, 01:15:16 AM by almodovaris
Things to try:

* disable checksum and segmentation offload (Interfaces / Settings);
* use real OpenSSH or Putty instead of third-party implementations.
OPNsense HW:

Minisforum Venus series UN100C, 16 GB RAM, 512 GB SSD
T-bao N9N Pro, 16 GB RAM, 512 GB SSD

Interfaces/Settings show CRC, LSO, and LRO are all disabled. I am currently using PuTTY version 0.60. If there is anything else I can do, please let me know.

System -> Settings -> Administration -> Secure Shell is enabled and LAN is in the "Listen Interfaces"?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Friendly reminder: please don't use Listen Interfaces and not tell people you use it. Turn it off, make sure it works then, or else there is another issue somewhere.


Cheers,
Franco

PuTTY 0.60 is ancient (released 2007-04-29); it won't support the latest ciphers, hence the failure during ssh_exchange_identification. Upgrade to a newer version and retry.
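The error quoted in the opening post and the PuTTY explanation above both hinge on what happens right after the TCP handshake: an SSH server is supposed to speak first with an identification line ("SSH-2.0-..."), and a client that gets a hang-up before that line reports ssh_exchange_identification. The probe below is an added example (not code from the thread, PuTTY or OPNsense) that separates the three outcomes a LAN client can see: connection refused (nothing listening on that address, or a reject by the firewall), connection closed before a banner, and banner received (after which any failure is about algorithm negotiation, not reachability). A one-shot loopback server with each behaviour is included so it runs offline; the banner text and ports are constructed.

```python
"""Classify what an SSH server does right after the TCP connection is up.

Added example, not from the forum thread. The banner text, ports and the
local test server are constructed for the demonstration.
"""
import socket
import sys
import threading
from dataclasses import dataclass


@dataclass
class Probe:
    outcome: str      # "refused", "closed", "timeout", "no_banner" or "banner"
    banner: str = ""  # the identification string, when one was received


def probe_ssh(host: str, port: int, timeout: float = 3.0) -> Probe:
    """Connect and read until the server's identification line arrives.

    RFC 4253 section 4.2: the server sends "SSH-protoversion-softwareversion"
    terminated by CR LF, and may send other text lines before it.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            buf = b""
            while len(buf) < 4096:
                # Inspect every complete line received so far.
                for line in buf.split(b"\n")[:-1]:
                    text = line.rstrip(b"\r").decode("ascii", "replace")
                    if text.startswith("SSH-"):
                        return Probe("banner", text)
                chunk = s.recv(256)
                if not chunk:
                    # Peer hung up before identifying itself: this is what
                    # clients print as "ssh_exchange_identification:
                    # Connection closed by remote host".
                    return Probe("closed")
                buf += chunk
            return Probe("no_banner")  # plenty of bytes, none of them SSH
    except ConnectionRefusedError:
        return Probe("refused")       # no listener (or a firewall reject)
    except ConnectionResetError:
        return Probe("closed")
    except (socket.timeout, TimeoutError):
        return Probe("timeout")       # silently dropped, e.g. firewall block


def serve_once(behaviour: str) -> int:
    """Start a one-shot loopback server (constructed test double).

    behaviour "banner": send a constructed SSH identification line and close.
    behaviour "close":  accept and hang up without sending anything.
    Returns the port it listens on.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run() -> None:
        conn, _ = srv.accept()
        with conn:
            if behaviour == "banner":
                conn.sendall(b"SSH-2.0-OpenSSH_constructed_example\r\n")
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def unused_port() -> int:
    """Pick a loopback port that nothing is listening on (for the refused case)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Usage: python probe.py <host> [port]
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
    print(probe_ssh(host, port))
```

Run it against the firewall's LAN address from the same subnet as the failing client: "refused" or "timeout" points at listen settings or firewall rules, "closed" at the server side rejecting the peer before the banner, and "banner" at a client too old to negotiate the server's algorithms.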

September 22, 2020, 12:14:06 PM #6 Last Edit: September 22, 2020, 12:16:45 PM by hushcoden
Quote from: franco on September 22, 2020, 11:12:40 AM
Friendly reminder: please don't use Listen Interfaces and not tell people you use it. Turn it off, make sure it works then or else there is another issue somewhere.


Cheers,
Franco
How do you turn that off? You can either leave the default which is All or choose an interface...

Thanks.

"Recommended" is recommended, which actually turns off explicit listening.


Cheers,
Franco

Quote from: franco on September 22, 2020, 12:31:06 PM
"Recommended" is recommended, which actually turns off explicit listening.


Cheers,
Franco

I read in the Info for the "Listen Ports"

Only accept connections from the selected interfaces. Leave empty to listen globally. Use with care.

I only listen on the interface I want to use for servicing the sense, never on WAN. What's wrong with that, can you point me at any piece of documentation?

kind regards
chemlud

For this particular instance chemlud was correct:

System -> Settings -> Administration -> Secure Shell is enabled and LAN is in the "Listen Interfaces"?

Thanks everyone for helping. On to the next configuration issue ....

Only problem: Masta of disasta (aka Franco) recommends "Listen interfaces" to be left at "All (default)" for unexplained reasons... ;-)
kind regards
chemlud

The reason is very simple: binding a service to interfaces that may change over time leads to the service in question not knowing about the change.

Some legacy components in the past tried to "solve" that by restarting the service on interface changes, which leads to a situation where in the end you're left with restarting (almost) every service on address changes. In an ideal world, every service is responsible for its own health and shouldn't need external triggers (separation of concerns).

A common practice in these cases is (for any service) to listen on something that's guaranteed to be there (think of loopbacks and forwards) or to "any" address (which is our default) and let the firewall do its work.

So, long story short: if you're an experienced user your configuration choices might be slightly different, but as a general practice best leave the settings at their defaults for services with regard to interfaces; it's one of the most common causes of hard-to-track issues.

Best regards,

Ad
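The failure mode described in the post above (a service bound to an address that an interface no longer carries) can be audited directly from the daemon's configuration. The following is an added example, not code from the thread or from OPNsense: it parses the ListenAddress directives of an OpenSSH sshd_config (bare address, address:port, [v6addr]:port, optional rdomain suffix) and compares them with the addresses currently on the box, reporting binds that are fine, binds that are stale, and whether the daemon is on "any" address, which is the default when no ListenAddress is given. The config fragment and the interface address table are constructed for the example.

```python
"""Audit sshd ListenAddress binds against the addresses actually present.

Added example, not from the forum thread or OPNsense. EXAMPLE_CONFIG and
INTERFACES are constructed sample data.
"""
from __future__ import annotations

import ipaddress
import re
from typing import Iterable

ANY_ADDRS = {"0.0.0.0", "::"}


def parse_listen_addresses(config_text: str) -> list[str]:
    """Return the address part of every ListenAddress directive.

    OpenSSH syntax: ListenAddress host|addr[:port] [rdomain N], or
    [host|addr]:port. Keywords are case-insensitive; '#' starts a comment.
    """
    addrs = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].lower() != "listenaddress":
            continue
        value = parts[1].split()[0]          # drop any "rdomain N" suffix
        m = re.fullmatch(r"\[(.+)\](?::\d+)?", value)
        if m:                                # [v6addr]:port or [host]:port
            addrs.append(m.group(1))
        elif value.count(":") == 1:          # v4addr:port or host:port
            addrs.append(value.split(":")[0])
        else:                                # bare v4, bare v6 or hostname
            addrs.append(value)
    return addrs


def audit(config_text: str, interface_addrs: Iterable[str]) -> dict:
    """Classify each bind as ok, stale, or unverified (hostname) and flag "any"."""
    present = {str(ipaddress.ip_address(a)) for a in interface_addrs}
    bound = parse_listen_addresses(config_text)
    if not bound:
        bound = ["0.0.0.0", "::"]           # OpenSSH default: all local addresses
    report: dict = {"any": False, "ok": [], "stale": [], "unverified": []}
    for a in bound:
        if a in ANY_ADDRS:
            report["any"] = True             # survives renumbering by construction
            continue
        try:
            norm = str(ipaddress.ip_address(a))
        except ValueError:
            report["unverified"].append(a)   # hostname: cannot check offline
            continue
        (report["ok"] if norm in present else report["stale"]).append(norm)
    return report


# Constructed sshd_config fragment for the demonstration.
EXAMPLE_CONFIG = """\
# constructed example, not a real configuration
Port 22
ListenAddress 192.168.1.1           # LAN address, still present
ListenAddress 10.9.8.1:22           # OPT1 address before the subnet was renumbered
ListenAddress [2001:db8::1]:22
"""

# Constructed set of addresses currently configured on the interfaces.
INTERFACES = {"127.0.0.1", "::1", "192.168.1.1", "10.9.9.1", "2001:db8::1"}

if __name__ == "__main__":
    result = audit(EXAMPLE_CONFIG, INTERFACES)
    for key, value in result.items():
        print(f"{key:10} {value}")
```

A stale entry is exactly the case the post warns about: the daemon keeps the old bind, nothing on the new address answers, and the symptom looks like a firewall or client problem. With "any" set (the default) the check is moot, and reachability is decided by firewall rules alone.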


Just to add to this. A service listening on any address is only reachable via LAN unless you start opening firewall ports on WAN/OPT or add port forwards.

If you disable the firewall it's dangerous for sure, but that is not the main use case here. ;)


Cheers,
Franco

Thanks for taking the time for the detailed answer, highly appreciated and something learned... :-)
kind regards
chemlud