pfsense – Enable SSH Access Through WAN on pfSense

Tags: firewall, freebsd, freebsd-ports, pfsense

We need to enable pfSense ssh (port 22) access through the WAN interface to perform certain configurations using pfSense's terminal/console/shell.

Actions already taken…

  • "Secure Shell (sshd)" has already been enabled via pfSense console option 14 ("14) Enable Secure Shell (sshd)");
  • We ran the command easyrule pass wan tcp any any 22 to allow access to ssh (port 22);
  • Using option 12 ("12) PHP shell + pfSense tools") we executed the commands...

$config['system']['ssh']['enable'] = "enabled";
write_config();
exec;

... and...

$config['system']['enablesshd'] = "true";
write_config();
exec;

... and...

playback enablesshd

Situation…

  • Using the option "Filter Logs" (10) we observed that calls to ssh (port 22) were being blocked;
  • Turning off the firewall with the command pfctl -d, we can access ssh (port 22) normally.

IMPORTANT: We need to enable access to sshd (port 22) through pfSense's terminal/console/shell.

PLUS: We know that access can be allowed through the GUI (http/web GUI), but we need this initial access to be allowed through the pfSense terminal/console/shell.

NOTE: We know that allowing access via ssh (port 22) on the WAN interface is not recommended, but initially it is necessary for us.

Thanks! =D

Best Answer

Below is the complete process to enable access to the pfSense server's sshd (ssh, port 22) from a private network...

Using option 8 ("8) Shell"), turn off the firewall with the command...

pfctl -d

... and access the pfSense server through ssh (port 22)...

ssh root@<PFSENSE_SRV_IP>

... using the initial password "pfsense".

TIP: We recommend changing the initial password.

Using option 12 ("12) PHP shell + pfSense tools") perform the commands...

unset($config['interfaces']['wan']['blockpriv']);
write_config();
exec;

... and exit...

exit

Using option 8 ("8) Shell") again, add a rule to allow access through port 22 on the wan interface...

easyrule pass wan tcp any any 22

TIP: The "any any" parameters allow you to restrict the source IP and destination IP respectively.

NOTE: The above command will turn on the firewall (same as pfctl -e) and this will drop the current ssh connection (port 22), but ssh connections will then be allowed.

PLUS: For more explanation about why private networks and loopback addresses are blocked by default on WAN, see "Block private networks - What does that do, what is it used for?" and "Address Allocation for Private Internets".

Thanks! =D

[Ref(s).: pfSense - Enable ssh (port 22) access through the WAN using terminal/console/shell ]
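Added example, not part of the original answer: POSIX sh helpers around the easyrule step above that refuse an unrestricted ("any") source, so the temporary WAN ssh rule is at least scoped to the administrator's network, plus a check of `pfctl -sr` output for the resulting rule. The function names and the DRY_RUN / WAN_IF variables are this example's own assumptions; the blockpriv change is still made in the PHP shell (option 12) as in the answer.

```shell
#!/bin/sh
# Added example (not pfSense's own code). Run on the pfSense shell (option 8)
# with DRY_RUN=0 to apply; by default it only defines the helpers.

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /prefix.
is_ipv4_cidr() {
    case "$1" in *[!0-9./]*|"") return 1 ;; esac
    ip=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32            # no /prefix given
    case "$prefix" in *[!0-9]*|"") return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldIFS=$IFS; IFS=.; set -- $ip; IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the easyrule command for tcp/22 on WAN from source $1 to destination
# $2 (default any). Fails if the source is "any" or not a valid IPv4/CIDR,
# which is the "any any" restriction the TIP above recommends.
ssh_wan_rule() {
    src=$1; dst=${2:-any}
    [ "$src" != "any" ] && is_ipv4_cidr "$src" || return 1
    [ "$dst" = "any" ] || is_ipv4_cidr "$dst" || return 1
    printf 'easyrule pass wan tcp %s %s 22\n' "$src" "$dst"
}

# Read `pfctl -sr` output on stdin; return 0 if a pass rule on interface $1
# for tcp to port 22 exists (pfctl may print the port as "22" or "ssh").
wan_ssh_rule_present() {
    grep -E "^pass in .*on $1 .*proto tcp .*port = (22|ssh)" >/dev/null
}

# Usage on pfSense: DRY_RUN=0 WAN_IF=em0 sh this.sh 203.0.113.0/24
# Applies the scoped rule, then confirms it landed in the active ruleset.
if [ "${DRY_RUN:-1}" = "0" ]; then
    cmd=$(ssh_wan_rule "$1" "$2") || { echo "refusing unrestricted or bad source: $1" >&2; exit 1; }
    $cmd
    pfctl -sr | wan_ssh_rule_present "${WAN_IF:-em0}" || echo "rule not found in pfctl -sr" >&2
fi
```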