@ptt and @johnpoz It worked. Thanks so much for all your help

@tomdesmet The answers is found online contredict eachother. Where do they do that? There is only one answer - you need a firewall rule to allow access to the port your gui is listening on. The gui listens on all addresses of pfsense, if you have a rule on the interface your coming into pfsense from that allows access to that port on any of the addresss of pfsense lan, wan, opt, etc.. You would be able to access the web gui from that network. What other possible answer could there be? What rules do you have on the opt interface? Do you have any rules in floating? What port is your gui listening on? Mine is using 8443..

@operations when you highlight a point on the graph does it show you the time? The bottom of the graph would be the minutes and seconds.. I have no idea what happens if you run the graph continually for a long period. [image: 1640350417942-graph.jpg] Could you show us an example of what your seeing, and what these friends are seeing..

open source does not mean that you can safely rename it for commercial purposes. . .

@tastleford OK... so, since posting this and getting zero reply... I have found a few other comments in other posts that no matter what your admin users will always be able to log in using the local database. Which does make sense to me. Our insurance company is telling us we have to have ALL admin accounts on all firewalls, switches and servers use MFA - not only externally but INTERNALLY as well.... which, I think is ridiculous! They did tell us however that if what we have is not compatible with MFA that we did not have to replace hardware to make it compatible. And.... there's no way I'm replacing all my firewalls! So that will be what I tell them. that they are not compatible.

@johnpoz I recovered the GUI Acces with generating new web configurator cert. Thanks. Now, I am having A communications error occurred while attempting to call XMLRPC method merge_installedpackages_section: @ 2021-12-14 08:52:20 and GUI access is not stable it is very often giving 504 gateway timeout error.

@avibarilan said in Web GUI behind NAT: i have a pfsense firewall connected to the isp and behind it another firewall that is connected from its wan port to the pfsense lan port. To pfSense LAN interface or any other? but from a client computer that behind the second firewall i cannot access the pfsense web ui. If your inner firewall is connected to pfSense LAN and you use default settings this should work though. Otherwise you will have to add a proper firewall rule for allowing it.

@jc1976 well I would think this thread is a good start. If it can gain some traction. Then you could put in a feature request on the pfsense redmine for your suggestedd changes/enhancements and reference this thread. https://redmine.pfsense.org/

Hello, I just wanted to add to this topic, since I was looking for the same info, and found another possible solution. Instead of trying to edit the config.xml with a regex/sed, it seems simpler to use the approach featured in this github repo. Use a php script and the built in functions for editing the config. Check out https://github.com/zxsecurity/pfsense-import-certificate You will need to install the script on each firewall, and then upload your certs, and then call the script. For centralized letsencrypt managment this seems like it could be a good approach. I have 30 firewalls and I don't really want each one running acme, I would rather run a central letsencrypt, and deploy the certs to each firewall.

@gertjan that work perfectly thank you. It's probably worth mentioning that after doing this PFsence gave me a "missing or expired csrf token" upon logging in. this was rectified by clearing all browser cache then resetting it through pfsense. There are many articles on carf so for future readers check them out.

@mluna said in Why Am I getting lots of http get from Android phone?: I'd like to know what does this mean, why is the phone sending too many requests to my router? Hi, I think you are infected with NSO, hahaha.... Okay it's just a bad joke do a packet capture towards to the phones in question to see more of what might be behind the "get"

All the errors were the same, not trusted. I ended up deleting all the certs and reinstalling all of them by downloading from each pfSense box and now they're fine again. Not sure what happened but happy it's fixed!