
I get a connection timeout when I try to ssh into a machine inside a pfSense firewall network. The computer I am connecting from is on the same subnet as the pfSense firewall. That is, my computer's IP is 192.168.0.6 and the pfSense WAN IP is 192.168.0.2.

I have set up the following port forwarding rules:

If   Proto    Src. addr   Src. ports   Dest. addr    Dest. ports    NAT IP          NAT Ports
WAN  TCP/UDP  *           *            WAN address   22 (SSH)       192.168.1.104   22 (SSH)

pfSense's LAN IP is 192.168.1.1 and the machine I am trying to connect to has the IP 192.168.1.104.

I followed the port forwarding setup instructions and the diagnostic instructions and I still cannot connect. I am certain that the machine I am connecting to is accepting ssh connections, as I can successfully ssh into the machine from other computers on the pfSense subnet. The machine can also ping WAN IPs.

This is what I get when trying to ssh:

$ ssh -vvv user@192.168.0.2
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.0.2 [192.168.0.2] port 22.
debug1: connect to address 192.168.0.2 port 22: Connection timed out
ssh: connect to host 192.168.0.2 port 22: Connection timed out

When I look into Diagnostics > States I have the following output:

WAN  tcp  192.168.1.104:22 (192.168.0.2:22) <- 192.168.0.6:50216    SYN_SENT:ESTABLISHED    
LAN  tcp  192.168.0.6:50216 -> 192.168.1.104:22                     ESTABLISHED:SYN_SENT

Any ideas on how to resolve this?

Update:

Output of route -n:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

And the output of lsof -i:

$ sudo lsof -i
COMMAND  PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
dhclient 305 root    5u  IPv4 2985970      0t0  UDP *:bootpc 
dhclient 305 root   20u  IPv4 2946178      0t0  UDP *:24095 
dhclient 305 root   21u  IPv6 2946179      0t0  UDP *:26177 
sshd     400 root    3u  IPv4 2997518      0t0  TCP *:ssh (LISTEN)
sshd     400 root    4u  IPv6 2997520      0t0  TCP *:ssh (LISTEN)
  • Can you provide the output of `lsof -i` and `route -n` executed as root on 192.168.1.104 a few seconds after you try the incoming ssh (before the timeout, which I assume happens quite a few seconds afterwards)? I'm thinking that the return packets don't follow the correct route. – Law29 Dec 13 '15 at 11:48
  • Updated the post with the output of those two commands. – Greg Dec 13 '15 at 12:44
  • The pfSense firewall is the default router of the internal host, that's as it should be. However, did you take the `lsof -i` a few seconds after starting the ssh from the outside? If you did, then it's not arriving at the internal host; not good. You write that you have followed the diagnostics at https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting and if all the rest is OK then the most useful would be the tcpdump on the pfSense internal port. – Law29 Dec 13 '15 at 16:17
  • It was the NIC failing on the machine. Switched the cable over to a different one and it works fine now. – Greg Dec 14 '15 at 00:05
