open source does not mean that you can safely rename it for commercial purposes. . .

@tastleford OK... so, since posting this and getting zero reply... I have found a few other comments in other posts that no matter what your admin users will always be able to log in using the local database. Which does make sense to me. Our insurance company is telling us we have to have ALL admin accounts on all firewalls, switches and servers use MFA - not only externally but INTERNALLY as well.... which, I think is ridiculous! They did tell us however that if what we have is not compatible with MFA that we did not have to replace hardware to make it compatible. And.... there's no way I'm replacing all my firewalls! So that will be what I tell them. that they are not compatible.

@johnpoz I recovered the GUI Acces with generating new web configurator cert. Thanks.

Now, I am having A communications error occurred while attempting to call XMLRPC method merge_installedpackages_section: @ 2021-12-14 08:52:20 and GUI access is not stable it is very often giving 504 gateway timeout error.

@avibarilan said in Web GUI behind NAT:

i have a pfsense firewall connected to the isp and behind it another firewall that is connected from its wan port to the pfsense lan port.

To pfSense LAN interface or any other?

but from a client computer that behind the second firewall i cannot access the pfsense web ui.

If your inner firewall is connected to pfSense LAN and you use default settings this should work though.
Otherwise you will have to add a proper firewall rule for allowing it.

@jc1976 well I would think this thread is a good start. If it can gain some traction. Then you could put in a feature request on the pfsense redmine for your suggestedd changes/enhancements and reference this thread.

https://redmine.pfsense.org/

Hello, I just wanted to add to this topic, since I was looking for the same info, and found another possible solution.

Instead of trying to edit the config.xml with a regex/sed, it seems simpler to use the approach featured in this github repo. Use a php script and the built in functions for editing the config.

Check out
https://github.com/zxsecurity/pfsense-import-certificate

You will need to install the script on each firewall, and then upload your certs, and then call the script. For centralized letsencrypt managment this seems like it could be a good approach. I have 30 firewalls and I don't really want each one running acme, I would rather run a central letsencrypt, and deploy the certs to each firewall.

@gertjan that work perfectly thank you.

It's probably worth mentioning that after doing this PFsence gave me a "missing or expired csrf token" upon logging in. this was rectified by clearing all browser cache then resetting it through pfsense. There are many articles on carf so for future readers check them out.

@mluna said in Why Am I getting lots of http get from Android phone?:

I'd like to know what does this mean, why is the phone sending too many requests to my router?

Hi,

I think you are infected with NSO, hahaha.... 😉
Okay it's just a bad joke

do a packet capture towards to the phones in question to see more of what might be behind the "get"

All the errors were the same, not trusted.
I ended up deleting all the certs and reinstalling all of them by downloading from each pfSense box and now they're fine again.
Not sure what happened but happy it's fixed!

@gertjan

Yep - did exactly that and problem was fixed. Thanks!

@viragomann Thank you the additional server part was not clear to me. Probably read too quickly over it.
But thanks for clarification.

@thomasyang
I understand.
"webGUI" seems fine to me, as your question concerns the web based GUI.

If your looking for the perfect "security", make it a none issue.
Like : Make the WebGUI only accessible on the LAN interface.
Activate LAN type another interface (initially called OPT), and use a firewall rule to forbid any "local" web GUI access.
Remove all devices from the LAN port.

This way, the question is resolved, as the question became irrelevant.

The only web to admin the device is to connect physically a cable into the LAN port : the admin has to have physical access to (into) the device.

..... humm : a SG1000 only has two ports, which is rather minimalistic

Next best : Set up a OpenVPN if you need to connect to the webgui remotely.

also what version of pfsense - are you on new dev 2.6 snapshots?

@steveits Thank you.

@ofloo

These messages are shown the number of php session "begin" and "end" are not equal.
This should normally never happen.

Maybe a clue here ?

@johnpoz Thank you! , I'll try

@cduv Tested on 2.5.2 and it still works, though I found 90% to be more aesthetically pleasing.
Thank you for this, by the way, The limited screen usage for anything but the dashboard was slowly driving me nuts.

Using percentages for widths should be the default anyway, given the wide range of display resolutions available today. It also allows for a more flexible interface, though admittedly it can cause some headaches to get it right.

Clarified. Thanks for the detailed explanation guys.
Nice evening ☺

@f-meunier seems more like a browser caching problem maybe? If you at first had accessed it via the lan IP?

There should be nothing different be it the browser accesses it via the wan IP or the lan IP.

That being said - access from the wan/internet to the gui is normally a bad idea.. Unless you can lock it down to specific source IP or network.. Say from your work IP/Network or something.

Bad idea to expose the gui to the public internet.. If you need/want to access pfsense web gui while your remote - via a vpn connection is far better method.

I do access some of works pfsense boxes via the wan, locked down to my home IP as the only source. And I have not noticed any issues using firefox. They are not yet on 2.5.2 because of lack of access to facility, and risk in updating when nobody could be on site to correct if something went wrong.. But I do have test 2.5.2 setup here, that I could access via its wan IP vs its lan IP.. If you could give some specific example of what your seeing so I could try and duplicate it. But again - there would be no difference accessing it via the wan or lan IP. If wan rules allowed the access.

@johnpoz
Yeah, that's an option of course. I was thinking of this and reread the part "from WAN public IP" twice and toke it as "from WAN interface".

Also not sure if he added a rule for allowing TCP 443 to WAN to forward it to a server behind. In this case it would be a good advice to change the web configurators port to any other.

@johnpoz its on live with squid running.

@adrianoebm said in SG1100 - Can´t login webGUI sometimes after 21.05.1 upgrade.:

CPU is always at 100% too in the web GUI

Did you follow the suggestions in your thread about that?

@steveits Thank you!

It's a known issue and fixed on 2.6.0/21.09 snapshots

Hello Steve,
Thanks, it’s working now. Seems, missed several backups in between! that’s fine to us as it resumed to normal.