Score:0

pfSense - Enable ssh (port 22) access through the WAN using terminal/console/shell


We need to enable pfSense ssh (port 22) access through the WAN interface to perform certain configurations using pfSense's terminal/console/shell.

Actions already taken...

  • "Secure Shell (sshd)" has already been enabled via pfSense console option 14 ("14) Enable Secure Shell (sshd)");
  • We run the command easyrule pass wan tcp any any 22 to allow access to ssh (port 22).
  • Using option 12 ("12) PHP shell + pfSense tools") we execute the commands...
$config['system']['ssh']['enable'] = "enabled";
write_config();
exec

... ,...

$config['system']['enablesshd'] = "true";
write_config();
exec

... and...

playback enablesshd

;

Situation...

  • Using the option "Filter Logs" (10) we observed that calls to ssh (port 22) are being blocked;
  • Turning off the firewall with the command pfctl -d we can access ssh (port 22) normally.

IMPORTANT: We need to enable access to sshd (port 22) through pfSense's terminal/console/shell.

PLUS: We know that access can be allowed through the gui (http/web gui), but we need this initial access to be allowed through the pfSense terminal/console/shell.

NOTE: We know that allowing access via ssh (port 22) on the WAN interface is not recommended, but initially it is necessary for us.

Thanks! =D

Maybe a hint: the sshd daemon needs to be configured to listen on all interfaces, and not just the LAN. I see with netstat -ln that ours is only listening on the LAN IP. I'm not sure where or how to make it listen on all interfaces, but it's not just starting the daemon, and opening the port in the firewall is required.
Score:0

Below is the complete process to enable access to the pfSense server's sshd (ssh, port 22) from a private network...

Using option 8 ("8) Shell"), turn off the firewall with the command...

pfctl -d

... and access the pfSense server through ssh (port 22)...

ssh root@<PFSENSE_SRV_IP>

... using the initial password "pfsense".

TIP: We recommend changing the initial password.

Using option 12 ("12) PHP shell + pfSense tools") perform the commands...

unset($config['interfaces']['wan']['blockpriv']);
write_config();
exec;

... and exit...

exit

Using option 8 ("8) Shell") again, add a rule to allow access through port 22 on the wan interface...

easyrule pass wan tcp any any 22

TIP: The "any any" parameters allow you to restrict the source IP and destination IP respectively.

NOTE: The above command will turn on the firewall (same as pfctl -e) and this will drop the ssh connection (port 22), but the ssh connection will be allowed.

PLUS: For more explanations about why private networks and loopback addresses are blocked by default on WAN, see "Block private networks - What does that do, what is it used for ?" and "Address Allocation for Private Internets".

Thanks! =D

[Ref(s).: pfSense - Enable ssh (port 22) access through the WAN using terminal/console/shell ]
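
An audit to run after the steps in this answer, as an added example that is not part of the original post: it reads pf rules in the text form `pfctl -sr` prints and reports which inbound pass rules on the WAN interface reach TCP port 22 from any source, as opposed to a restricted source (the narrowing the answer's TIP on "any any" refers to). The function names, the interface name `em0` and the sample rules are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Reads pf rules in the text form
# printed by `pfctl -sr` and reports inbound pass rules on one interface that
# reach TCP port 22, separating "any source" from restricted sources.
audit_wan_ssh() {
    awk -v ifc="$1" '
    $1 == "pass" && $2 == "in" {
        on = ""; proto = ""; src = ""; port = ""; dst_seen = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "on" && on == "") on = $(i + 1)
            else if ($i == "proto" && proto == "") proto = $(i + 1)
            else if ($i == "from" && src == "") src = $(i + 1)
            else if ($i == "to") dst_seen = 1
            # Only a port that follows "to" is the destination port.
            else if ($i == "port" && dst_seen && port == "" && $(i + 1) == "=")
                port = $(i + 2)
        }
        if (on != ifc || proto != "tcp") next
        if (port != "22" && port != "ssh") next
        if (src == "any") print "OPEN " $0
        else print "RESTRICTED src=" src
    }'
}

# Constructed sample rules; em0 stands in for the WAN interface (assumption).
sample_rules() {
    cat <<'EOF'
block drop in quick on em0 inet from 10.0.0.0/8 to any
pass in quick on em0 inet proto tcp from any to any port = ssh flags S/SA keep state
pass in quick on em0 inet proto tcp from 192.0.2.10 to any port = ssh flags S/SA keep state
pass in quick on em1 inet proto tcp from any to any port = ssh flags S/SA keep state
pass in quick on em0 inet proto tcp from any to any port = https flags S/SA keep state
EOF
}

# On the firewall itself: pfctl -sr | audit_wan_ssh <wan_if>
sample_rules | audit_wan_ssh em0
```

An `OPEN` line means the rule accepts SSH on that interface from every source address; replacing the first `any` in the easyrule command with a management address turns it into a `RESTRICTED` line.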
