I have a weird situation happening when routing SSH traffic through VyOS. So I have 2 networks behind VyOS: 192.168.50.0/24 & 192.168.51.0/24. When attempting to connect to any device via SSH while traversing VyOS, SSH sessions cannot be established via PuTTY. When I log in to VyOS and SSH via the CLI it works with no problems. Now here is the kicker: if I try the same SSH traffic that doesn't work when I'm connected outside of VyOS, but use the telnet command to connect via port 22, I'm successfully able to connect.
Does anyone have any idea what could be causing this issue? Also, when running a tcpdump I can see the traffic reach the devices that sit behind VyOS; however, a RST flag is sent.
I'm guessing NAT is OK as the traffic is making it to the destination host. Also, it works when I send a simple telnet command to the open port 22. I'm leaning more towards a firewall issue myself. Here is the running configuration for the firewall: It was my understanding that this firewall policy would allow ALL traffic.
Are you sure your traffic is making it through the NAT? Are you positive it isn't landing on the VyOS itself? Have you applied that firewall to any interfaces? Can you post a complete config (with personal info, like public IP, redacted)?
I'm positive it is making it through NAT as I am able to see the RST flag on the target machine when running a packet capture on the destination host.
The running config is posted below. This is all lab so the IPs are harmless.
The question I have, though, is: is it possible that VyOS is intercepting the SSH port 22 traffic since it is also listening on port 22? I haven't tested that theory but I guess I can once I am in front of my lab.
What is the command to specify a listen address? I thought that is what I have set up with the following syntax: set service ssh port '22'
So I tried the command set serv ssh listen-address and still had the same issue. So I changed the SSH port to something weird and was still unable to connect.
I’m sure it has to be a setting and/or command that can be run to stop the VYOS software from intercepting and responding to all SSH sessions traversing it.
It's almost like VyOS is performing a man-in-the-middle attack. This only occurs during the exchanging of the certificate. If I telnet to the destination using port 22 instead of 23 it connects with no problem.
So the VyOS router has an IP address of 10.1.1.250 and I'm testing from PCs on the same network. However, when I test from my wireless network of 172.16.1.1/24 it connects all the way through with no problem. At this point I'm confused.
I'm open to trying anything as, as I have stated before, this is a lab environment for learning purposes.
Thanks for all responses.
Quick Update - port 80 or 443 traffic along with SSH traffic does not work when traversing VYOS from outside.
I removed the /32 address. I was testing a theory.
My other thought is that VyOS is attempting to hide-NAT the traffic coming from the other 2 interfaces behind the eth3 address. That is the only thing I can think of at this point.
Based on your config you have NO NAT at all, and no firewall rules applied to any interfaces, so VyOS isn’t really doing anything with your traffic. VyOS isn’t nefariously doing anything, because you haven’t told it to do anything with your traffic.
Technically, I'm only using VyOS strictly for routing. All traffic coming from behind the VyOS should not be NAT'd at all, so that should be OK. My packet captures show it making it to the devices behind VyOS. Would the black-hole possibly be the culprit that is sending the RST flag, as it is protecting private networks from entering what it considers to be the outside interface?
Update - Let me explain my setup.
10.1.1.1/24 = default GW - Internet
10.1.1.10 - Windows Server Running VmWare - Physically connected to network 10.1.1.1/24
10.1.1.11 - Assigned static IP to VYOS VMware image
192.168.1.1/24 Internal Interface assigned to VYOS
192.168.2.1/24 DMZ Interface assigned to VYOS
So I have a static route in my internal real 10.1.1.1/24 network that reads 192.168.2.1/24 gw 10.1.1.11
That way my 10.1.1.1 knows how to route traffic to the DMZ.
I can see the traffic reach the DMZ from my server at 10.1.1.10; however, I see RST flags being sent when I attempt to connect.
I’m guessing VYOS is treating the traffic from my 10.1.1.1/24 as living on the VYOS interface since the configuration is set to 10.1.1.11/24 and causing a routing loop. I’m just guessing here.
I've created the following firewall rules on all interfaces:
set firewall name Allow-All default-action 'accept'
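For reference, the pieces the replies keep asking about, as an added example and not the poster's own configuration: the setup described above with interface names eth0/eth1/eth2 assumed, the Allow-All ruleset actually attached to each interface (a named ruleset does nothing until it is attached), and the router's own SSH service bound to a single address so it cannot be confused with forwarded port-22 traffic.

```vyos
# Assumed layout: eth0 = 10.1.1.0/24 uplink, eth1 = internal, eth2 = DMZ
set interfaces ethernet eth0 address '10.1.1.11/24'
set interfaces ethernet eth1 address '192.168.1.1/24'
set interfaces ethernet eth2 address '192.168.2.1/24'
set protocols static route 0.0.0.0/0 next-hop 10.1.1.1
# The upstream 10.1.1.1 router still needs routes for 192.168.1.0/24 and
# 192.168.2.0/24 via 10.1.1.11; those are configured there, not here.

# Define the ruleset, then attach it per interface and direction
set firewall name Allow-All default-action 'accept'
set interfaces ethernet eth0 firewall in name 'Allow-All'
set interfaces ethernet eth0 firewall out name 'Allow-All'
set interfaces ethernet eth0 firewall local name 'Allow-All'
set interfaces ethernet eth1 firewall in name 'Allow-All'
set interfaces ethernet eth1 firewall out name 'Allow-All'
set interfaces ethernet eth1 firewall local name 'Allow-All'
set interfaces ethernet eth2 firewall in name 'Allow-All'
set interfaces ethernet eth2 firewall out name 'Allow-All'
set interfaces ethernet eth2 firewall local name 'Allow-All'

# Router SSH answers only on its uplink address; forwarded port-22 traffic
# to 192.168.2.x is routed, not terminated, regardless of this setting
set service ssh port '22'
set service ssh listen-address '10.1.1.11'

commit
save
```

From VyOS operational mode, sudo tcpdump -nvi eth2 'tcp[tcpflags] & tcp-rst != 0' on the DMZ interface lists each RST with its IP TTL, which can then be compared with the TTL of the host's normal replies to tell whether the host or something in the path produced it.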
I’ve re-designed my network and started configuring VYOS from scratch just in case I did something crazy.
I know this is a pretty old topic but I'm curious to know if you ever figured it out. I'm seeing the same behavior on version 1.3 and am struggling to make sense of it. Thanks.
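A way to test the "VyOS is intercepting" theory raised in this thread, added here as an example and not from any of the posters: the script reads tcpdump -nv output captured on the client and flags RST segments whose IP TTL matches none of the TTLs the same endpoint used for its normal replies, which is what a reset generated by a router one hop closer looks like. The addresses and the sample capture are constructed.

```python
import re

# Constructed `tcpdump -nv` sample (two lines per packet) taken on the client 10.1.1.10:
# replies from DMZ host 192.168.2.5 arrive with TTL 63 (one router hop away), but the
# RST that ends the session, though it carries the host's address, arrives with TTL 64.
SAMPLE = """\
12:00:00.000001 IP (tos 0x0, ttl 128, id 1, offset 0, flags [DF], proto TCP (6), length 52)
    10.1.1.10.51000 > 192.168.2.5.22: Flags [S], seq 1, win 64240, length 0
12:00:00.000500 IP (tos 0x0, ttl 63, id 2, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.2.5.22 > 10.1.1.10.51000: Flags [S.], seq 100, ack 2, win 65160, length 0
12:00:00.002000 IP (tos 0x0, ttl 63, id 3, offset 0, flags [DF], proto TCP (6), length 72)
    192.168.2.5.22 > 10.1.1.10.51000: Flags [P.], seq 101:133, ack 2, win 509, length 32
12:00:00.050000 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.2.5.22 > 10.1.1.10.51000: Flags [R.], seq 133, ack 2, win 0, length 0
"""

HDR = re.compile(r"^\S+ IP \(.*?ttl (\d+),")          # IP header line: grab the TTL
PKT = re.compile(r"^\s+(\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")  # TCP line


def parse_packets(text):
    """Pair each header line with its TCP line -> (src, sport, dst, dport, flags, ttl)."""
    packets, ttl = [], None
    for line in text.splitlines():
        h = HDR.match(line)
        if h:
            ttl = int(h.group(1))
            continue
        p = PKT.match(line)
        if p and ttl is not None:
            src, sport, dst, dport, flags = p.groups()
            packets.append((src, int(sport), dst, int(dport), flags, ttl))
            ttl = None
    return packets


def suspicious_resets(text):
    """RSTs whose TTL matches none of the TTLs the same endpoint used on its
    non-RST segments: a reset most likely generated by a device in the path."""
    packets = parse_packets(text)
    baseline = {}
    for src, sport, _, _, flags, ttl in packets:
        if "R" not in flags:
            baseline.setdefault((src, sport), set()).add(ttl)
    return [
        {"src": f"{src}:{sport}", "dst": f"{dst}:{dport}", "rst_ttl": ttl,
         "host_ttls": sorted(baseline.get((src, sport), ()))}
        for src, sport, dst, dport, flags, ttl in packets
        if "R" in flags and ttl not in baseline.get((src, sport), ())
    ]
```

A RST whose TTL does match the host's other segments is not proof the host sent it, only that nothing in this check distinguishes them; a capture on the DMZ host itself settles whether the reset ever left that machine.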