SSH errors on new freenas box

Status
Not open for further replies.

nojohnny101

Wizard
Joined
Dec 3, 2015
Messages
1,478
hey everyone,
i am very excited as i have built and have running a new freenas box!! I am running the latest freenas 9.3.1 and can access everything i have dumped on it from my internal network at home. here is what i want to do but am having trouble with:

- remotely mount the share i have created, where all my files are, through the mac's finder (which i believe uses AFP) through SSH using private and public key authentication only.

what i have done so far:
- given the freenas box a static IP address (ex: 10.0.1.32)
- setup port forwarding on my airport extreme to change the SSH port from the standard 22 to something else (ex: 1277)
- generate a public and private key on the client computer (with a passphrase)
- turned on SSH service on freenas box (unchecked "login as root with password", "allow password authentication", checked "allow TCP port forwarding")
- pasted the public key in the settings for the user account i'm using

i'm stuck at this point. when i try to ssh even through the terminal (wanted to test this way before trying in finder) i get a "connection refused error".

am i messing up the port forwarding or is there something wrong on the freenas box settings?

i really appreciate the help!
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
Uncheck all those boxes you checked, especially the allow TCP port forwarding box. Then try to connect locally inside your network. After you can do that you can worry about forwarding a port from your router.
 

nojohnny101

thanks for the quick response!

i will uncheck "allow TCP port forwarding" but all the other ones are already unchecked. so you are saying to have nothing checked correct?
 

nojohnny101

ok i might be making a little progress. i have typed the following command into terminal:

ssh username@10.0.1.32:1277

and i get this error now: "could not resolve hostname 10.0.1.32:1277: nodename nor servname provided, or not known"
 

SweetAndLow

Ssh uses -p to use a non default port. Also when on your local network you probably want the default of 22. Only when accessing it remotely from outside your network will you use the non standard port.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
Unless the ssh service on freenas is listening on that port, you shouldn't be specifying a port. However, your port parameter is wrong.

Code:
ssh -p 1277 user@ip.add.re.ss
 

nojohnny101

thank you for the continued help! i sincerely do appreciate it!

sweetandlow so you are saying that when i setup the public facing port for port 22 to be 1277, if i am connecting from home then i just still use port 22? here are my router settings for the port forwarding:
public UDP ports: 1277
public TCP ports: 1277
private IP address: 10.0.1.32
private UDP ports: 22
private TCP ports: 22

is that not correct?

pirateghost, it worked! so my ssh command was just not correct? i hope this still works though when i'm not on my internal network......
 

pirateghost

> thank you for the continued help! i sincerely do appreciate it!
>
> sweetandlow so you are saying that when i setup the public facing port for port 22 to be 1277, if i am connecting from home then i just still use port 22? here are my router settings for the port forwarding:
> public UDP ports: 1277
> public TCP ports: 1277
> private IP address: 10.0.1.32
> private UDP ports: 22
> private TCP ports: 22
>
> is that not correct?
>
> pirateghost, it worked! so my ssh command was just not correct? i hope this still works though when i'm not on my internal network......

See how your forward says private port 22? That means that on your local network it's still port 22.
 

nojohnny101

yes i do understand that, that makes sense. but then why did it work when i used the public facing port while connecting from my internal network. i guess that is like going outside one's network and then ssh back in?
 

pirateghost

> yes i do understand that, that makes sense. but then why did it work when i used the public facing port while connecting from my internal network. i guess that is like going outside one's network and then ssh back in?

did you change the port ON freenas to be 1277?

If you are using an internal network address to connect from your internal network, your router never gets hit. so you could not have been going outside your network and back in, unless you were using a public IP address to connect to. and then your router would have to support hairpin nat...
 

nojohnny101

ok. yes i did change the port on my freenas to 1277.

everything looks good then for accessing while away? last step is to get it to mount natively in finder in mac os x. i guess fuse and SSHFS is the way to go i am seeing? i'd prefer to not pay for a solution.
 

pirateghost

> ok. yes i did change the port on my freenas to 1277.
>
> everything looks good then for accessing while away? last step is to get it to mount natively in finder in mac os x. i guess fuse and SSHFS is the way to go i am seeing? i'd prefer to not pay for a solution.

NO.

You changed the port on the FreeNAS to 1277. This means your port forward is useless. Change the FreeNAS back to default port 22. Then your forward will work.
 

nojohnny101

ooohhhh. thank you for sticking with me, i got it now. because by changing the NAS to what was essentially setup as the "public facing UDP & TCP port" of 1277, i was broadcasting that for someone running scripts looking for SSH running on 22?
 

pirateghost

> ooohhhh. thank you for sticking with me, i got it now. because by changing the NAS to what was essentially setup as the "public facing UDP & TCP port" of 1277, i was broadcasting that for someone running scripts looking for SSH running on 22?

What?

No.

I don't think you grasp how a port forward works.

Your EXTERNAL port is 1277.
When CONNECTING to the EXTERNAL port of 1277, it should TRANSLATE to the INTERNAL address of the server on port 22 (based on your rule)

By changing your FreeNAS port to 1277, your rule was effectively worthless. It did nothing. It forwarded your EXTERNAL port 1277 to nothing, because you did not have a service running on port 22 on your server.
 

nojohnny101

ok. i just typed it wrong, that is what i understand. by "public facing UDP & TCP port" i thought that meant the same as "external". and by having the "external" port of 1277 and the freenas on 1277 as well, the forwarding wasn't even necessary.

i have read a lot on the debate of changing the default port for a ssh doesn't amount to a lot of extra security, and i get that. but is there really any benefit from just changing the freenas port to 1277 and then connecting to that externally rather than leaving it at 22 and port forwarding by connecting to 1277 externally. what i was trying to do is just prevent bot programs and scripts i have read about finding my freenas because i have read they normally don't scan higher because they expect to find ssh on 22.
 

pirateghost

> and by having the "external" port of 1277 and the freenas on 1277 as well, the forwarding wasn't even necessary.

You are behind a NAT device. A forward is ALWAYS necessary if you want to access something behind a NAT.

> but is there really any benefit from just changing the freenas port to 1277 and then connecting to that externally rather than leaving it at 22 and port forwarding by connecting to 1277 externally. what i was trying to do is just prevent bot programs and scripts i have read about finding my freenas because i have read they normally don't scan higher because they expect to find ssh on 22.

It is easier to leave the FreeNAS port at 22, because when you are accessing it locally, you do not need to specify a port number. If you use any other services that need to connect to ssh on your FreeNAS (on local network), it will expect the default port. Honestly, I don't see ANY reason to change the port on FreeNAS.
 

nojohnny101

gotcha pirateghost! thank you very much for your help!! reading other threads on here have been extremely helpful and funny enough, your name always pops up, a real sensei!!

i just called my brother who is in a different state and tried to get him to connect with the following code in terminal:
ssh -p 1277 username@10.0.1.32

and he keeps getting a timeout issue. then i started thinking, what really guides his computer all the way here to specific NAS sitting at my house? it seems like i am missing something in accessing remotely. i read about using a domain forwarding service but my understanding was that if you did a static IP, then you don't have to do that. is that correct?
 

pirateghost

> gotcha pirateghost! thank you very much for your help!! reading other threads on here have been extremely helpful and funny enough, your name always pops up, a real sensei!!
>
> i just called my brother who is in a different state and tried to get him to connect with the following code in terminal:
> ssh -p 1277 username@10.0.1.32
>
> and he keeps getting a timeout issue. then i started thinking, what really guides his computer all the way here to specific NAS sitting at my house? it seems like i am missing something in accessing remotely. i read about using a domain forwarding service but my understanding was that if you did a static IP, then you don't have to do that. is that correct?

10.0.1.32 is a non-routable address. It is not public. You need to have him connect to your PUBLIC IP address. If you don't know what it is, hit http://ipchicken.com and get it.


edit:
when people talk about a static IP there are multiple meanings. you want a static IP on your local network (your 10.0.1.32) so that it doesn't change after a server reboot/power outage/router reboot.

When people refer to an external static IP, they mean your public IP (provided by your ISP) that does not change. Typically your IP is dynamic on a home connection, and you could be reassigned a new IP at any time. This is why people use a dynamic DNS service to use a HOSTNAME instead of an IP to connect remotely. A dynamic DNS will simply update a DNS entry (public) to point to your current IP address (public).

You have an external IP (publicly assigned IP address by your ISP), and a private LAN subnet. Read up on how basic NAT works to understand this.
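
The three failures seen in this thread (the `host:port` typo, "connection refused", and the timeout against a private address) can be told apart with a short probe. This is an added example, not part of the original posts; the function names `parse_target`, `is_lan_only`, `probe` and `diagnose` are hypothetical, and the address in the demo is the constructed one used in the thread.

```python
import ipaddress
import socket

def parse_target(target, default_port=22):
    """Accept 'host' or the 'host:port' form that ssh itself rejects."""
    if target.count(":") == 1:
        host, port = target.split(":")
        if port.isdigit():
            return host, int(port)
    return target, default_port

def is_lan_only(host):
    """True for literals (10.x, 192.168.x, loopback...) with no route from outside."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # a hostname: DNS decides where it points

def probe(host, port, timeout=3.0):
    """TCP connect, then read the identification line an SSH server sends first."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            try:
                banner = sock.recv(255).decode("ascii", "replace").strip()
            except OSError:  # port open, but nothing arrived before the timeout
                banner = ""
            return "open", banner
    except ConnectionRefusedError:
        return "refused", ""
    except socket.timeout:
        return "timeout", ""
    except OSError:
        return "unreachable", ""

def diagnose(target, from_lan=True):
    host, port = parse_target(target)
    if not from_lan and is_lan_only(host):
        return f"{host} is private: from outside, use the router's public IP or DNS name"
    state, banner = probe(host, port)
    if state == "open":
        kind = "SSH" if banner.startswith("SSH-") else "not SSH"
        return f"{host}:{port} open, {kind} ({banner or 'no banner'})"
    if state == "refused":
        return f"{host}:{port} refused: nothing is listening on that port"
    return f"{host}:{port} {state}: filtered, not forwarded, or not routable"

if __name__ == "__main__":
    # Constructed case from the thread: a remote client aiming at the LAN address.
    print(diagnose("10.0.1.32:1277", from_lan=False))
```

A "refused" result on the LAN usually means the sshd port and the port being dialed do not match; a "timeout" from outside points at the forward rule or the address rather than at the SSH service.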
 

nojohnny101

thank you for the explanation. i understand about DNS services and such. i knew that 10.0.1.32 was an internal address (usually handled by the DHCP server but in this case i assigned the NAS a static one).

ok so you do need a static IP address (make it easier internally i suppose) and then the DNS service to keep a hostname attached to the changing public facing IP address for remote access. i'm not going to pay my ISP for a static IP address (i know those are only usually with business class internet and are expensive add ons)...

any recommendations for a DNS service. seems like DuckDNS is widely used.
 