18.7.3 can't acces from WAN to ssh

[badwestguy]

Hello OPNsense,


I recently decided to install opnsense as a firewall in my organization.

Before installing it as a main device, I decided to test its virtual version. Installed on one of the servers, indicated two virtual network adapters:
wan (dncp4) - 192.168.88.120/24 - received from my current router.
lan (static) - 10.10.1.1/24 - here works dhcp server


I created another virtual device (ubuntu 18.04) and connected it to the same network adapter.

After that, I turned on ssh on both network adapters (wan, lan), added rules for access, allowed the connection for root.

However, I have access only from the side of lan (from virtual ubuntu). The router remains unavailable from the wan network.


Configs here:

[marjohn56]

Not a good idea to expose the SSH port to the WAN for obvious reasons. If you want to remote into the firewall you're always better off using a VPN.

[qinohe]

@ marjohn56, while I do agree to you that VPN is stronger, it probably don't matter now since he's behind a second router and could be for testing only

@ badwestguy,

You don't have option 'Block private networks' enabled on the WAN interface?

Greetings, mark

[badwestguy]

Thanks for answer, @marjohn56!


Yes, I know about the risks of using ssh at wan.


Now I want to configure web interface of the system (OPNsense) for using it in feature.
The main idea - edit files from wan port with sftp and ssh access.
Of course, I can doing it from PCs in LAN segment, but all this PC is virtual and it's not comfortable to work with OPNsense GUI from virtual PC with VNC.


Any idea how to connect from WAN to SSH?

[marjohn56]

Yes, use OpnVPN, then you can SSH into the LAN side of OPNsense without any issues.

[badwestguy]

@ badwestguy,

You don't have option 'Block private networks' enabled on the WAN interface?

Greetings, mark

Both "Block private networks" and "Block bogon networks" is disabled.

Yes, use OpnVPN, then you can SSH into the LAN side of OPNsense without any issues.

It's much more harder to configure OpenVPN than only use ssh from WAN 

[marjohn56]

It takes all of 5 minutes to configure OpenVPN using the wizard, it's taken you longer than that already!

[fabian]

Your WAN is RFC1918 which is NOT routed to the public internet. You are probably behind a carrier grade nat which makes it impossible to reach your device via the internet or you are behind a home router which needs a port forward to make it work.

[badwestguy]

Your WAN is RFC1918 which is NOT routed to the public internet. You are probably behind a carrier grade nat which makes it impossible to reach your device via the internet or you are behind a home router which needs a port forward to make it work.

Yes, I know. This OPNsense installed on my server behind router.

It's IP - 192.168.88.120, my laptops IP - 192.168.88.85.
I want to connect from my laptop to OPNsense server with SSH.
All firewall rules is good (in my mind), all other settings is good (in my mind), but... I can't.


Any idea?

It takes all of 5 minutes to configure OpenVPN using the wizard, it's taken you longer than that already!

Maybe it's good idea, but I want to connect via ssh, and not try everything in order to access from outside.

OPNsense is able to resolve the connection over ssh from the WAN network?

[franco]

Enable checkbox "Disable Reply-to" under Firewall: Settings: Advanced.


Cheers,
Franco

[badwestguy]

Enable checkbox "Disable Reply-to" under Firewall: Settings: Advanced.

Thank you so much, Franco! It's help.


Maybe OPNsense team can add this to the manuals?

[franco]

It's a complex set of preconditions where documentation doesn't work because you'll only find it if you know what you're looking for. :/

We made the GUI a bit more intuitive with https://github.com/opnsense/core/issues/2458 avoiding to set gateways for WAN saying they are only required in multi-WAN scenarios. If you go to WAN and set the gateway back to "Auto-detect" that will likely fix it too.


Cheers,
Franco