Solved Newly installed FreeBSD can be ssh-ed within LAN but not from outside

Hello community,

I am a new FreeBSD user but have been using Debian GNU/Linux for years. My quick question is about ssh from outside the LAN to a newly installed FreeBSD machine.

The file /etc/rc.conf contains

Code:
sshd_enable="YES"

And I can ssh to the machine within LAN using
Code:
$ ssh -p 22 USER@192.168.X.XXX

But from outside if I use
Code:
$ ssh -p PORT_NUM USER@MY_IP

FreeBSD complains ssh: connect to host MY_IP port PORT_NUM: Connection refused. The PORT_NUM above has been set as a 'port forward' in the router settings and tested working for Linux machines.

I tried modifying /etc/hosts.allow and added the line
Code:
sshd : .my_university.edu : allow

but it didn't work. Any suggestions?

Thanks.
KI
 
The obvious questions--do you have a firewall running? Is the FreeBSD machine listening on the PORT_NUM port?

Thanks for your reply. You mean a firewall within the FreeBSD machine? or dedicated firewall?

I don't have a dedicated firewall. The FreeBSD machine is newly installed; I don't think the firewall is enabled. All I have in /etc/rc.conf is as follows:
Code:
% cat /etc/rc.conf

hostname="HOST"
wlans_ath0="WAN"
ifconfig_wlan0="WPA  inet 192.168.X.XXX netmask 255.255.255.0"
defaultrouter="192.168.X.X"
local_unbound_enable="YES"
sshd_enable="YES"
ntpd_enable="YES"
powerd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"

I don't see anything related to https://www.freebsd.org/doc/handbook/firewalls-pf.html

And how do I check if the machine is listening on PORT_NUM on FreeBSD? (Does it make sense to check PORT_NUM though? PORT_NUM has been set to forward to the default 22 for the FreeBSD machine in the router settings.)

Thanks.
 
Can you post the output of running this line from your FreeBSD box (you can obfuscate MAC addresses if you feel that's necessary)?

Code:
ifconfig wlan0 && netstat -r && cat /etc/resolv.conf && ping ping.sunet.se

That'll show us the current network setup and also tell us if Internet connectivity is working properly.
 
Can you post the output of running this line from your FreeBSD box (you can obfuscate MAC addresses if you feel that's necessary)?

Code:
ifconfig wlan0 && netstat -r && cat /etc/resolv.conf && ping ping.sunet.se

That'll show us the current network setup and also tell us if Internet connectivity is working properly.

Thanks. I can certainly do that. I am sure internet is working.

Code:
% ifconfig wlan0
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   ether ETHERNET
   hwaddr HWADDR
   inet 192.168.X.XX netmask 0xffffff00 broadcast 192.168.X.XXX
   nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
   media: IEEE 802.11 Wireless Ethernet MCS mode 11na
   status: associated
   ssid SSID channel 64 (5320 MHz 11a ht/40-) bssid BSSID
   regdomain 106 indoor ecm authmode WPA2/802.11i privacy ON
   deftxkey UNDEF AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 30 bmiss 7
   mcastrate 6 mgmtrate 6 scanvalid 60 ampdulimit 64k ampdudensity 4
   shortgi wme burst roaming MANUAL
   groups: wlan

Code:
% netstat -r
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.X.1        UGS       wlan0
localhost          link#3             UH          lo0
192.168.X.0/24     link#4             U         wlan0
192.168.X.XXX      link#4             UHS         lo0

Code:
% cat /etc/resolv.conf

# nameserver 192.168.X.254
# nameserver 8.8.8.8
nameserver 127.0.0.1
options edns0

Code:
ping google.com
PING google.com (216.58.216.110): 56 data bytes
64 bytes from 216.58.216.110: icmp_seq=0 ttl=52 time=31.324 ms
64 bytes from 216.58.216.110: icmp_seq=1 ttl=52 time=30.842 ms
 
To see if it's listening on a particular port you can do netstat -an |grep <port_number> (or grep LISTEN and see if the port's included.)

By firewall, yes, I meant did you have a FreeBSD firewall running, but judging from your rc.conf, you don't.
 
And I can ssh to the machine within LAN using
Code:
$ ssh -p 22 USER@192.168.X.XXX

But from outside if I use
Code:
$ ssh -p PORT_NUM USER@MY_IP

FreeBSD complains ssh: connect to host MY_IP port PORT_NUM: Connection refused.
Which FreeBSD complains? Because this is not the error message you'd get on the server, making me believe that you're trying to connect to a FreeBSD server from a FreeBSD (or Linux?) client and are now relaying that particular error message from the client.

My guess: you didn't enable port forwarding in your router. If you can connect to the SSH daemon from within your LAN then this proves that sshd is running normally. You could check using sockstat -4l on the server but I don't think that's necessary.

Instead check your router.

(edit)

As a side note: if you have issues where you think the server (or one of its services) may be causing issues then always check /etc/messages and/or (in the case of SSH): /var/log/auth.log. The latter will contain any server-sided issues with the SSH daemon.

(edit2)

PS: if you're connecting to the default SSH port (22) then you don't need to specify this using the -p parameter. It doesn't hurt, but it's easier if you don't ;)
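The two checks suggested above (netstat -an | grep for a LISTEN entry, or sockstat -4l on the server) answer only half of the question; the other half is where along the path localhost -> LAN address -> public address the connection is rejected. The script below is an added example, not code posted in this thread: it parses a constructed sample of sockstat -4l output to confirm which address sshd is bound to (a "*" entry means every IPv4 address, while a bare 127.0.0.1 would explain a loopback-only service), and it probes each hop with a plain TCP connect, distinguishing "refused" (a RST came back, so a host at that address answered but nothing accepted, e.g. a router with no forwarding rule or a server with no listener) from "timeout" (packets silently dropped, typical of a firewall). The hostnames, ports and sample output are placeholders I chose for illustration.

```python
import errno
import socket

# Constructed sample of what `sockstat -4l` prints on FreeBSD when sshd is
# bound to every IPv4 address (the "*:22" entry). Not taken from the thread.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
unbound  unbound    645   5  udp4   127.0.0.1:53          *:*
unbound  unbound    645   6  tcp4   127.0.0.1:53          *:*
root     ntpd       700   20 udp4   *:123                 *:*
"""


def listening_addresses(sockstat_output, command="sshd", port=22):
    """Return the local TCP addresses on which COMMAND listens on PORT.

    '*' means every IPv4 address. A specific address such as 127.0.0.1 means
    the daemon is restricted (ListenAddress in sshd_config), which would make
    LAN and WAN connections fail even though 'ssh localhost' works.
    """
    found = []
    for line in sockstat_output.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 7:
            continue
        _user, cmd, _pid, _fd, proto, local, _foreign = fields[:7]
        if cmd != command or not proto.startswith("tcp"):
            continue
        addr, _sep, lport = local.rpartition(":")
        if lport == str(port):
            found.append(addr)
    return found


def probe(host, port, timeout=3.0):
    """Attempt one TCP connect to host:port and classify the outcome."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"              # SYN/ACK: something accepted the connection
    except ConnectionRefusedError:
        return "refused"           # RST: a host answered, nothing listening/forwarded
    except socket.timeout:
        return "timeout"           # no reply at all: packets are being dropped
    except OSError as e:
        return "error:%s" % errno.errorcode.get(e.errno, e.errno)
    finally:
        s.close()


def triage(lan_ip, external_ip, external_port, ssh_port=22):
    """Probe each hop in order; the first non-'open' entry is where the path breaks."""
    hops = [
        ("localhost:%d" % ssh_port, ("127.0.0.1", ssh_port)),
        ("lan %s:%d" % (lan_ip, ssh_port), (lan_ip, ssh_port)),
        ("wan %s:%d" % (external_ip, external_port), (external_ip, external_port)),
    ]
    return [(label, probe(*target)) for label, target in hops]


def self_check():
    """Offline demonstration of probe(): open a loopback listener, probe it,
    close it, probe again. Returns the two classifications."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))     # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = probe("127.0.0.1", port)
    srv.close()
    after_close = probe("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    print("sshd listens on:", listening_addresses(SAMPLE_SOCKSTAT))
    print("loopback self-check (open, then refused):", self_check())
    # Real use, with placeholder addresses from the thread:
    # for label, result in triage("192.168.X.XXX", "MY_IP", PORT_NUM): print(label, result)
```

Run the WAN probe from a host outside your network (or over a mobile connection), not from the LAN itself: many consumer routers do not hairpin traffic sent to their own public address, so a "refused" from inside the LAN proves nothing about the forwarding rule.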
 
To see if it's listening on a particular port you can do netstat -an |grep <port_number> (or grep LISTEN and see if the port's included.)

By firewall, yes, I meant did you have a FreeBSD firewall running, but judging from your rc.conf, you don't.

Thanks for letting me know how to check listening port.

Which FreeBSD complains? Because this is not the error message you'd get on the server, making me believe that you're trying to connect to a FreeBSD server from a FreeBSD (or Linux?) client and are now relaying that particular error message from the client.

My guess: you didn't enable port forwarding in your router. If you can connect to the SSH daemon from within your LAN then this proves that sshd is running normally. You could check using sockstat -4l on the server but I don't think that's necessary.

Instead check your router.

(edit)

As a side note: if you have issues where you think the server (or one of its services) may be causing issues then always check /etc/messages and/or (in the case of SSH): /var/log/auth.log. The latter will contain any server-sided issues with the SSH daemon.

(edit2)

PS: if you're connecting to the default SSH port (22) then you don't need to specify this using the -p parameter. It doesn't hurt, but it's easier if you don't ;)

Good catch on my wording about the complaint from FreeBSD. I meant I tried to ssh from a Linux machine to the FreeBSD server. The message ssh: connect to host MY_IP port PORT_NUM: Connection refused was from the terminal of the Linux machine.

The port forwarding setting for FreeBSD on my router is the same as the ones I set for Linux boxes. My Linux boxes can be ssh-ed within and outside LAN without problems. I assume the same port forwarding setting should work for FreeBSD as well. (But it seems not the case if I cannot figure out the solution to this problem?)

The reason why I used -p 22 was to indicate to you guys that I used the default setting. I didn't change /etc/ssh/sshd_config.

I don't have /etc/messages and the file /var/log/auth.log only shows the past successful connections. It didn't show anything like 'Connection refused'.

I am literally running out of ideas.
 
You’ve double checked your port forwarding rules? You need to port forward from PORT_NUM (what you will connect to on the external IP address from outside) to BSD_BOX:22. Does the system providing the port forwarding require an “apply” after “save” for the rules to go live? (Restarting a service vs. saving the config file.)

I wish I could say I’ve never screwed up on a “simple” port forwarding, but alas...
 
Depending on the router’s firewall software, you may also need to explicitly allow the incoming connection to PORT_NUM (in addition to the forwarding rule.)
 
You’ve double checked your port forwarding rules? You need to port forward from PORT_NUM (what you will connect to on the external IP address from outside) to BSD_BOX:22. Does the system providing the port forwarding require an “apply” after “save” for the rules to go live? (Restarting a service vs. saving the config file.)

I wish I could say I’ve never screwed up on a “simple” port forwarding, but alas...

... Oh my goodness.. I rebooted the router then it worked. Thank you so much.

Thank you all who commented.
 