sshd via two ISP

[IPTRACE]

I have two ISP connected to server and run sshd daemon for two IPs. Unfortunately, I can connect only via first IP. I can ping from both IPs. Please look at my configs.

NETSTAT:

Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 A.B.C.D.22      *.*                    LISTEN
tcp4       0      0 E.F.G.H.22      *.*                    LISTEN

ROUTE fib 0:

Destination        Gateway            Flags     Netif Expire
default            A.B.C.C       UGS        igb0
E.F.G.0/24      link#2             U          igb1
E.F.G.H       link#2             UHS         lo0
A.B.C.D/32    link#1             U          igb0
A.B.C.D       link#1             UHS         lo0
127.0.0.1          link#7             UH          lo0

ROUTE fib 1:

Destination        Gateway            Flags     Netif Expire
default            E.F.G.G         UGS        igb1
E.F.G.0/24      link#2             U          igb1
A.B.C.D/32    link#1             U          igb0
127.0.0.1          link#7             UH          lo0

TCPDUMP to E.F.G.H:

[noparse]
listening on igb1, link-type EN10MB (Ethernet), capture size 262144 bytes
ethertype IPv4 (0x0800), length 66: W.X.Y.Z:34676 > E.F.G.H:22: Flags [S], seq 3091058599, win 8192, options [mss 1344,nop,wscale 8,nop,nop,sackOK], length 0
ethertype IPv4 (0x0800), length 58: E.F.G.H:22 > W.X.Y.Z:34676: Flags [S.], seq 3944135555, ack 3091058600, win 0, options [mss 1344], length 0
ethertype IPv4 (0x0800), length 60: W.X.Y.Z:34676 > E.F.G.H:22: Flags [.], ack 1, win 64512, length 0
ethertype IPv4 (0x0800), length 60: W.X.Y.Z:34676 > E.F.G.H:22: Flags [.], seq 1:2, ack 1, win 64512, length 1
ethertype IPv4 (0x0800), length 60: W.X.Y.Z:34676 > E.F.G.H:22: Flags [.], seq 1:2, ack 1, win 64512, length 1
ethertype IPv4 (0x0800), length 60: W.X.Y.Z:34676 > E.F.G.H:22: Flags [.], seq 1:2, ack 1, win 64512, length 1
ethertype IPv4 (0x0800), length 60: W.X.Y.Z:34676 > E.F.G.H:22: Flags [.], seq 1:2, ack 1, win 64512, length 1
ethertype IPv4 (0x0800), length 60: W.X.Y.Z:34676 > E.F.G.H:22: Flags [.], seq 1:2, ack 1, win 64512, length 1
ethertype IPv4 (0x0800), length 60: W.X.Y.Z:34676 > E.F.G.H:22: Flags [R.], seq 1, ack 1, win 0, length 0
ethertype IPv4 (0x0800), length 54: E.F.G.H:22 > W.X.Y.Z:34676: Flags [R.], seq 0, ack 1, win 0, length 0
[/noparse]

Is there a routing problem or sshd(8)?

 

[Abriel]

Problem is that sshd() is only runnig on first FIB

Make a copy :
/etc/ssh/sshd_config like:
/etc/ssh/sshd_config_re1

change:

ListenAddress to_your_second_IP

and run

/usr/sbin/setfib -F 1 /usr/sbin/sshd -f /etc/ssh/sshd_config_re1

Add this to /etc/rc.local to start on reboot.

 

[IPTRACE]

I did it before, once.
I tried again and the same behaviour.

 

[Abriel]

I found in my PF()

pass in log on re1 inet proto tcp from any to (re1) port = 22 rtable 1

 

[IPTRACE]

I already have such entries.

rdr on $ext_if proto tcp from { any, !<abc> } to $isp1_ip1 port 22 -> $isp1_ip1 port 22
rdr on $ext_if_2 proto tcp from { any, !<abc> } to $isp2_ip1 port 22 -> $isp2_ip1 port 22

pass in quick log (all) on $ext_if proto tcp from { any, !<abc> } to $isp1_ip1 port 22 rtable 0
pass in quick log (all) on $ext_if_2 proto tcp from { any, !<abc> } to $isp2_ip1 port 22 rtable 1

Please be informed that I have to use rdr because the following binat rules are working.

# Internet <-> fw1_IPT #
binat on $ext_if from $fw1_IPT to any -> $isp1_ip1

# Internet <-> fw2_IPT #
binat on $ext_if_2 from $fw2_IPT to any -> $isp2_ip1

 

[Abriel]

Last thought:
Are you connected with modem/router? First time I had problems with my ISP router, and port forwarding.

 

[IPTRACE]

With modem. Actually, the internet from the ISP2 works fine.