@avibarilan said in Web GUI behind NAT:

i have a pfsense firewall connected to the isp and behind it another firewall that is connected from its wan port to the pfsense lan port.

To pfSense LAN interface or any other?

but from a client computer that behind the second firewall i cannot access the pfsense web ui.

If your inner firewall is connected to pfSense LAN and you use default settings this should work though.
Otherwise you will have to add a proper firewall rule for allowing it.

@jc1976 well I would think this thread is a good start. If it can gain some traction. Then you could put in a feature request on the pfsense redmine for your suggestedd changes/enhancements and reference this thread.

https://redmine.pfsense.org/

Hello, I just wanted to add to this topic, since I was looking for the same info, and found another possible solution.

Instead of trying to edit the config.xml with a regex/sed, it seems simpler to use the approach featured in this github repo. Use a php script and the built in functions for editing the config.

Check out
https://github.com/zxsecurity/pfsense-import-certificate

You will need to install the script on each firewall, and then upload your certs, and then call the script. For centralized letsencrypt managment this seems like it could be a good approach. I have 30 firewalls and I don't really want each one running acme, I would rather run a central letsencrypt, and deploy the certs to each firewall.

@gertjan that work perfectly thank you.

It's probably worth mentioning that after doing this PFsence gave me a "missing or expired csrf token" upon logging in. this was rectified by clearing all browser cache then resetting it through pfsense. There are many articles on carf so for future readers check them out.

@mluna said in Why Am I getting lots of http get from Android phone?:

I'd like to know what does this mean, why is the phone sending too many requests to my router?

Hi,

I think you are infected with NSO, hahaha.... 😉
Okay it's just a bad joke

do a packet capture towards to the phones in question to see more of what might be behind the "get"

All the errors were the same, not trusted.
I ended up deleting all the certs and reinstalling all of them by downloading from each pfSense box and now they're fine again.
Not sure what happened but happy it's fixed!

@gertjan

Yep - did exactly that and problem was fixed. Thanks!

@viragomann Thank you the additional server part was not clear to me. Probably read too quickly over it.
But thanks for clarification.

@thomasyang
I understand.
"webGUI" seems fine to me, as your question concerns the web based GUI.

If your looking for the perfect "security", make it a none issue.
Like : Make the WebGUI only accessible on the LAN interface.
Activate LAN type another interface (initially called OPT), and use a firewall rule to forbid any "local" web GUI access.
Remove all devices from the LAN port.

This way, the question is resolved, as the question became irrelevant.

The only web to admin the device is to connect physically a cable into the LAN port : the admin has to have physical access to (into) the device.

..... humm : a SG1000 only has two ports, which is rather minimalistic

Next best : Set up a OpenVPN if you need to connect to the webgui remotely.

also what version of pfsense - are you on new dev 2.6 snapshots?

@steveits Thank you.

@ofloo

These messages are shown the number of php session "begin" and "end" are not equal.
This should normally never happen.

Maybe a clue here ?

@johnpoz Thank you! , I'll try

@cduv Tested on 2.5.2 and it still works, though I found 90% to be more aesthetically pleasing.
Thank you for this, by the way, The limited screen usage for anything but the dashboard was slowly driving me nuts.

Using percentages for widths should be the default anyway, given the wide range of display resolutions available today. It also allows for a more flexible interface, though admittedly it can cause some headaches to get it right.