Home / server / Questions / 1066358
Accepted
Eduardo Lucio
Asked: 2021-06-11 15:25:29 +0800 CST

pfSense - Enable ssh (port 22) access through the WAN using terminal/console/shell

  • 772

We need to enable pfSense ssh (port 22) access through the WAN interface to perform certain configurations using pfSense's terminal/console/shell.

Actions already taken...

  • "Secure Shell (sshd)" has already been enabled via pfSense console option 14 14) Enable Secure Shell (sshd);
  • We run the command easyrule pass wan tcp any any 22 to allow access to ssh (port 22).
  • Using option 12 12) PHP shell + pfSense tools we execute the commands...
$config['system']['ssh']['enable'] = "enabled";
write_config();
exec

... ,...

$config['system']['enablesshd'] = "true";
write_config();
exec

... and...

playback enablesshd

;

Situation...

  • Using the option "Filter Logs" (10) we observed that calls to ssh (port 22) being blocked;
  • Turning off the firewall with the command pfctl -d we can access ssh (port 22) normally.

IMPORTANT: We need enable access to sshd (port 22) through pfSense's terminal/console/shell.

PLUS: We know that access can be allowed through the gui (http/web gui), but we need this initial access to be allowed through the pfSense terminal/console/shell.

NOTE: We know that allow access via ssh (port 22) on the WAN interface is not recommended, but initially it is necessary for us.

Thanks! =D

firewall freebsd pfsense freebsd-ports

1 Answers

  1. Best Answer

    Below is the complete process to enable access to the pfSense's server sshd (ssh, port 22) from a private network...

    Using option 8 ("8) Shell") turning off the firewall with the command...

    pfctl -d

    ... and access pfSense server through the ssh (port 22)...

    ssh root@<PFSENSE_SRV_IP>

    ... using the initial password "pfsense".

    TIP: We recommend changing the initial password.

    Using option 12 ("12) PHP shell + pfSense tools") perform the commands...

    unset($config['interfaces']['wan']['blockpriv']);
write_config();
exec;

    ... and exit...

    exit

    Using option 8 ("8) Shell") again, add a rule to allow access through port 22 on the wan interface...

    easyrule pass wan tcp any any 22

    TIP: The "any any" parameters allow you to restrict the source IP and destination IP respectively.

    NOTE: The above command will turn on the firewall (same as pfctl -e) and this will drop the ssh connection (port 22), but the ssh connection will be allowed.

    PLUS: For more explanations about why private networks and loopback addresses are blocked by default on WAN here Block private networks - What does that do, what is it used for ? and here Address Allocation for Private Internets.

    Thanks! =D

    [Ref(s).: pfSense - Enable ssh (port 22) access through the WAN using terminal/console/shell ]

    • 0