Mangled SSH connections on WAN side

Started by Caluka, February 26, 2022, 06:44:11 PM

February 26, 2022, 06:44:11 PM Last Edit: February 26, 2022, 08:25:02 PM by Caluka
Hello, I'm currently trying to migrate from pfSense and I have found a big roadblock that I haven't been able to troubleshoot. I'm not able to get SSH connections working from the WAN side of OPNsense. At first the connection seems to be working fine, but after the login is accepted it just freezes.

I get the same behavior trying to connect directly to OPNsense via SSH or port forwarding to a server inside the LAN. This issue also persists on a fresh install of OPNsense.

Running ssh with the -vvv flag, it becomes unresponsive after the following text:

debug3: send packet: type 98
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768

Which after a while turns into:

client_loop: send disconnect: Broken pipe

auth.log seems to indicate the login was successful, so that's definitely not the issue:

Opening a packet capture seems to reveal "Incomplete Data", as reported by Wireshark; however, my networking skills are not good enough to diagnose the cause or a possible solution to this problem.

OPNsense is running on a Proxmox instance with two virtualized bridges, one to the interface connected to the router and the other one as an isolated network between VMs.

Any help is greatly appreciated.

Can you post more of your interfaces/firewall config?

Are you sure there isn't some sort of asymmetric routing?

When you say "proxmox bridges", do you mean you have 2 vNICs on the VM attached to Proxmox bridges? If so, what are the subnets on the pfSense VM?

Quote from: 5SpeedFun on February 27, 2022, 01:22:36 AM
Can you post more of your interfaces/firewall config?

The firewall after the original deployment problem is just the default rules plus a WAN allow-any-to-any rule that I set up when trying to figure out what's going on with SSH (I reinstalled and added just that rule to be sure).

Interfaces:

Quote from: 5SpeedFun on February 27, 2022, 01:22:36 AM
Are you sure there isn't some sort of asymmetric routing?

Not that I can tell. Right now it's just the ISP router connected to the PVE host.

Quote from: 5SpeedFun on February 27, 2022, 01:22:36 AM
When you say "proxmox bridges", do you mean you have 2 vNICs on the VM attached to Proxmox bridges? If so, what are the subnets on the pfSense VM?

OPNsense has 2 virtio NICs (both are bridges). One is a bridge to the physical port going to the ISP-provided router and the other is just an internal bridge meant for connectivity between guest VMs. The idea is to have OPNsense between this guest VM LAN and the real network.


Tried with OPNsense 21.7.1 and changing virtio to e1000 in Proxmox, still the same outcome. Is this something worth posting as a bug on GitHub for review? I feel this is a pretty basic setup and I have no idea why it's not working with out-of-the-box defaults.
Completely ran out of ideas by now.