Netgate Discussion Forum

    Problem with multi WAN and pfsense web configurator

    Scheduled Pinned Locked Moved Routing and Multi WAN
    17 Posts 3 Posters 1.3k Views
    Aadrem @SteveITS

      @steveits (screenshot: door1111.png) I am sorry, I wanted to say TCP port. I have changed the standard 443 and 80 to 1111 in System / Advanced / Admin Access so as to make it more difficult for external users to connect to my network.

      Here I show you what is happening (screenshot: Public IP access.png).

      An external user with my public IP using the correct port is able to have access to my login page.
      This happens only with secondary WANs.

      If an external user tries to use my first static public IP and port, he is unable to access my pfSense login page, but if he uses the IPs of my second WAN he is able to... that is what I cannot understand.

      Here are the NAT rules and firewall rules (screenshots: wan multi ips.png, Nat rules.png, lan rules.png, firewall rules WAN.png).

      I am sorry if I use incorrect words, I was using pfSense in a language different from English.

      SteveITS Galactic Empire @Aadrem

        @aadrem said in Problem with multi WAN and pfsense web configurator:

        changed the standard 443 and 80 to 1111 in System / Advanced/ Admin access

        Ah, I understand now.

        Do you have any Floating rules?

        And to be clear when you say you are using your phone, the phone is not on a Wi-Fi connection? You're using cellular data?

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        Aadrem @SteveITS

          @steveits Yes, I use my phone with cellular data and no, at the moment I do not have any Floating rule.

          SteveITS Galactic Empire @Aadrem

            @aadrem The "second WAN" is WAN_MULTI_IP? That shouldn't even need a block rule for :1111 because the default is to deny access. That block rule has 0/0B indicating it has not been used.

            WAN_SOLO_IP and WAN_ILIAD are two other IPs?

            It seems like you're not connecting on WAN_MULTI_IP like you think, which doesn't make a lot of sense. I would be tempted to unplug WAN_MULTI_IP and see if you can still connect to that IP.


            Aadrem @SteveITS

              @steveits Just a moment, I will explain exactly what is happening.
              I have 3 modems:

              1. The first is “WAN” that has only one static public IP address;
              2. The second has an ethernet port with “WAN_SOLO_IP” that is a connection with only one static public IP address, and it has also another ethernet port with a pool of public static IP addresses “WAN_MULTI_IP”;
              3. The third modem “WAN_ILIAD” is a modem that, working with a SIM card, works as a failover connection.

              In my pfsense machine I have 5 ethernet ports:

              • One for the first modem;
              • Two for the second modem;
              • One for the third modem;
              • One for my switch (LAN connection).

              The first and the third modem work perfectly, I am able to configure rules and let my web server go online without any problem.

              My failover connection also works perfectly when the primary connection dies.

              My only problem is with the second modem.
              In order to manage the pool of IP addresses, I have created Virtual IP addresses in the Firewall section so as to manage each one of them.

              The problem is that using a web browser with an external connection, e.g. with a mobile phone and its data connection, using one of the IP addresses of my second modem (the IP address of my WAN_SOLO_IP, or the Virtual IP addresses of my WAN_MULTI_IP), I am able to reach my pfSense page.
              Obviously, it happens also if I try to reach these IP addresses from my WAN.

              It looks like I use only my WAN (first modem connection) to go online, and this could be good; my purpose is to create a relation between my IP addresses and my Virtual Machines (web servers).

              I hope that the problem I have found is now clearer.

              If I unplug my WAN_MULTI_IP the problem disappears, but I also lose the possibility of using these IP addresses to reach my VM web servers.

                SteveITS Galactic Empire @Aadrem

                If there are no floating rules, and no rule on WAN_MULTI_IP allowing access on port 1111, then by default the only network that can access one of those IPs should be LAN Net, due to the "allow LAN to any" rule.

                You can display all rules in their raw form from the console or Diagnostics > Command in the Shell Execute box by running:

                pfctl -f /tmp/rules.debug

                (from https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html )


                  Aadrem @SteveITS

                  @steveits I totally agree with you. I have checked the file rules.debug after having used the command pfctl -f /tmp/rules.debug, but there is not anything strange in it.

                  I cannot understand why this problem happens, because there are no rules that allow access to my pfSense page from the public IP addresses.

                  Do you have any ideas? Do you think it could be good to reinstall pfSense and configure it again?

                    SteveITS Galactic Empire @Aadrem

                    @aadrem said in Problem with multi WAN and pfsense web configurator:

                    reinstall pfsense and configure it again

                    You can always download a backup of the config, reset to "factory defaults" and try again, and restore from backup if you run into issues.


                      Aadrem @SteveITS

                      @steveits I do not know exactly what I did, but now something different and strange is happening.

                      If I use any device connected to the internet (directly connected to the modem, or using a different connection), I am not able to visualise the pfSense page.

                      If I try the same from a PC connected to pfSense I am able to visualise the pfSense page.

                      What I cannot understand is that I am putting my public IP addresses in my web browser; I cannot understand why from a PC connected to pfSense I am able to reach it and from other PCs (e.g. connected to one of my modems, bypassing pfSense) I am not able to.

                      Do you have any ideas?

                        heper @Aadrem

                        @aadrem this is normal & expected behaviour

                          SteveITS Galactic Empire @Aadrem

                          @aadrem said in Problem with multi WAN and pfsense web configurator:

                          I cannot understand why from PC connected to PFsense I am able to reach it

                          What @heper said. As I mentioned above, "by default the only network that can access one of those IPs should be LAN Net, due to the "allow LAN to any" rule." You can always create rules on LAN like:

                          allow to (this firewall) from management_PC_IP
                          block to (this firewall)

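The thread's two practical suggestions, dumping the raw ruleset to see what actually passes traffic to the firewall, and restricting "(this firewall)" on LAN to a management PC, come down to one question: which "pass in" rules could reach the firewall's own addresses on the GUI port? The script below is an added example, not code from the thread or from pfSense; it audits a ruleset dump in the style of /tmp/rules.debug or pfctl -sr. The rule lines, tracker ids and interface macro names are constructed (they borrow the thread's interface names and port 1111) and are not the poster's real rules.

```shell
#!/bin/sh
# Added example (not from the thread): audit a pf ruleset dump for "pass in"
# rules that could let traffic reach the firewall itself on the web GUI port.
# SAMPLE_RULES is CONSTRUCTED to resemble rules.debug / "pfctl -sr" output.

GUI_PORT=1111

SAMPLE_RULES='pass in quick on $LAN inet from 192.168.1.0/24 to any tracker 1000000101 keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on $WAN reject-with tcp-reset inet proto tcp from any to 203.0.113.10 port = 443 tracker 1000000102 keep state label "USER_RULE: NAT web server"
block in quick on $WAN_MULTI_IP inet proto tcp from any to (self) port = 1111 tracker 1000000103 label "USER_RULE: block gui"
pass in quick on $WAN_SOLO_IP inet proto tcp from any to (self) port = 1111 tracker 1000000104 keep state label "USER_RULE: review me"'

# gui_exposure RULES PORT
# Prints interface<TAB>tracker<TAB>label for every "pass in" rule whose
# destination can be the firewall itself ("any", "(self)" or "self") and
# whose port clause is absent (all ports) or equal to PORT.
# Handles both "port = N" (pfctl -sr) and "port N" (rules.debug) spellings.
gui_exposure() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^pass in/ {
            iface = ""; tracker = ""; dest = ""; dport = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "on")      iface   = $(i+1)
                if ($i == "to")      dest    = $(i+1)
                if ($i == "tracker" || $i == "ridentifier") tracker = $(i+1)
                if ($i == "port")    dport   = ($(i+1) == "=") ? $(i+2) : $(i+1)
            }
            if (dest != "any" && dest != "(self)" && dest != "self") next
            if (dport != "" && dport != port) next
            label = $0; sub(/.*label "/, "", label); sub(/"$/, "", label)
            printf "%s\t%s\t%s\n", iface, tracker, label
        }'
}

# wan_exposure RULES PORT: the same list, minus the LAN interface. Anything
# left here is a rule that lets a non-LAN network reach the GUI port.
wan_exposure() {
    gui_exposure "$1" "$2" | grep -v '^\$LAN'
}

# On a real box: gui_exposure "$(pfctl -sr)" 1111
gui_exposure "$SAMPLE_RULES" "$GUI_PORT"
```

The "allow LAN to any" rule shows up as expected (it is why a LAN PC can reach the public IPs); the constructed WAN_SOLO_IP rule is the kind of entry the audit is meant to surface, while the block rule on WAN_MULTI_IP is correctly ignored.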
