open source does not mean that you can safely rename it for commercial purposes. . .

@tastleford OK... so, since posting this and getting zero reply... I have found a few other comments in other posts that no matter what your admin users will always be able to log in using the local database. Which does make sense to me. Our insurance company is telling us we have to have ALL admin accounts on all firewalls, switches and servers use MFA - not only externally but INTERNALLY as well.... which, I think is ridiculous! They did tell us however that if what we have is not compatible with MFA that we did not have to replace hardware to make it compatible. And.... there's no way I'm replacing all my firewalls! So that will be what I tell them. that they are not compatible.

@johnpoz I recovered the GUI Acces with generating new web configurator cert. Thanks.

Now, I am having A communications error occurred while attempting to call XMLRPC method merge_installedpackages_section: @ 2021-12-14 08:52:20 and GUI access is not stable it is very often giving 504 gateway timeout error.

@avibarilan said in Web GUI behind NAT:

i have a pfsense firewall connected to the isp and behind it another firewall that is connected from its wan port to the pfsense lan port.

To pfSense LAN interface or any other?

but from a client computer that behind the second firewall i cannot access the pfsense web ui.

If your inner firewall is connected to pfSense LAN and you use default settings this should work though.
Otherwise you will have to add a proper firewall rule for allowing it.

@jc1976 well I would think this thread is a good start. If it can gain some traction. Then you could put in a feature request on the pfsense redmine for your suggestedd changes/enhancements and reference this thread.

https://redmine.pfsense.org/

Hello, I just wanted to add to this topic, since I was looking for the same info, and found another possible solution.

Instead of trying to edit the config.xml with a regex/sed, it seems simpler to use the approach featured in this github repo. Use a php script and the built in functions for editing the config.

Check out
https://github.com/zxsecurity/pfsense-import-certificate

You will need to install the script on each firewall, and then upload your certs, and then call the script. For centralized letsencrypt managment this seems like it could be a good approach. I have 30 firewalls and I don't really want each one running acme, I would rather run a central letsencrypt, and deploy the certs to each firewall.

@gertjan that work perfectly thank you.

It's probably worth mentioning that after doing this PFsence gave me a "missing or expired csrf token" upon logging in. this was rectified by clearing all browser cache then resetting it through pfsense. There are many articles on carf so for future readers check them out.

@mluna said in Why Am I getting lots of http get from Android phone?:

I'd like to know what does this mean, why is the phone sending too many requests to my router?

Hi,

I think you are infected with NSO, hahaha.... 😉
Okay it's just a bad joke

do a packet capture towards to the phones in question to see more of what might be behind the "get"

All the errors were the same, not trusted.
I ended up deleting all the certs and reinstalling all of them by downloading from each pfSense box and now they're fine again.
Not sure what happened but happy it's fixed!

@gertjan

Yep - did exactly that and problem was fixed. Thanks!

@viragomann Thank you the additional server part was not clear to me. Probably read too quickly over it.
But thanks for clarification.

@thomasyang
I understand.
"webGUI" seems fine to me, as your question concerns the web based GUI.

If your looking for the perfect "security", make it a none issue.
Like : Make the WebGUI only accessible on the LAN interface.
Activate LAN type another interface (initially called OPT), and use a firewall rule to forbid any "local" web GUI access.
Remove all devices from the LAN port.

This way, the question is resolved, as the question became irrelevant.

The only web to admin the device is to connect physically a cable into the LAN port : the admin has to have physical access to (into) the device.

..... humm : a SG1000 only has two ports, which is rather minimalistic

Next best : Set up a OpenVPN if you need to connect to the webgui remotely.

also what version of pfsense - are you on new dev 2.6 snapshots?