Netgate Discussion Forum

Remote Access to WebUI

webGUI
  • P
    pfguy
    last edited by May 10, 2015, 10:42 AM

    Here are my settings .. it's still not working.
    I just need remote access and do not worry much about security because the network has nothing really ..

    ![Screen Shot 2015-05-10 at 5.22.48 PM.png](/public/imported_attachments/1/Screen Shot 2015-05-10 at 5.22.48 PM.png)
    ![Screen Shot 2015-05-10 at 5.24.48 PM.png](/public/imported_attachments/1/Screen Shot 2015-05-10 at 5.24.48 PM.png)
    ![Screen Shot 2015-05-10 at 5.24.40 PM.png](/public/imported_attachments/1/Screen Shot 2015-05-10 at 5.24.40 PM.png)
    ![Screen Shot 2015-05-10 at 5.24.29 PM.png](/public/imported_attachments/1/Screen Shot 2015-05-10 at 5.24.29 PM.png)
    ![Screen Shot 2015-05-10 at 5.24.08 PM.png](/public/imported_attachments/1/Screen Shot 2015-05-10 at 5.24.08 PM.png)
    ![Screen Shot 2015-05-10 at 5.23.09 PM.png](/public/imported_attachments/1/Screen Shot 2015-05-10 at 5.23.09 PM.png)

    • P
      pfguy
      last edited by May 10, 2015, 10:43 AM

      and my pfsense box is the gateway to internet .. it is NOT behind anything

      • D
        doktornotor Banned
        last edited by May 10, 2015, 11:14 AM May 10, 2015, 11:09 AM

        @Gertjan:

        First step :
        Note down the LAN IP of your pfSense box. Typically, it is 192.168.1.1 - but you could have changed that.
        Go to Firewall : NAT
        Use these settings: (see image).

        What's the point here in the NAT? Why don't you just allow access to WAN IP, and instead are trying to access the LAN IP via NAT?  ??? :o

        @pfguy:

        here are my settings .. it's still not working.

        So which WAN screenshot of the 3 is valid? Why do you need two OpenVPNs to access "nothing really"? How are you accessing the GUI? You need to use the LAN interface IP if you are doing that via OpenVPN (strongly recommended) - not the WAN IP!

        • P
          pfguy
          last edited by May 10, 2015, 12:09 PM

          I have removed all the OpenVPN, so the WAN without it is the current one now…

          • D
            doktornotor Banned
            last edited by May 10, 2015, 12:12 PM

            1/ Disable packet filtering on the firewall, try again.
            2/ Does not work? Talk to your ISP.

            • J
              johnpoz LAYER 8 Global Moderator
              last edited by May 10, 2015, 1:03 PM

              I cannot ping the public IP from remote site.

              Where is any rule on your WAN that would allow ping? If pfSense is listening on 443 and you're not behind a NAT, i.e. pfSense has a public IP, and you go to, say for example, "can you see me" on 443 and it doesn't work, then you have something blocking between you and there or your firewall rules are broken..

              But if you want to ping your wan public IP - then you have to have a rule that says that.  As to the natting to the lan to get to the web gui - why would anyone do that?  If you want access to web gui via wan, then allow it.. But why not just vpn into your network and access it?

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              • P
                pfguy
                last edited by May 10, 2015, 4:03 PM

                I would love to use OpenVPN to manage the pfSense box remotely but it doesn't work, so I thought I'd just open it all up to remote admin it first while trying OpenVPN when I have time later. But even trying "open it all up" doesn't work for me !!

                • D
                  doktornotor Banned
                  last edited by May 10, 2015, 6:18 PM

                  Well, if it does not work with firewall disabled, then pfSense is not the issue, as already suggested above…

                  • G
                    Gertjan
                    last edited by May 10, 2015, 6:29 PM

                    @johnpoz:

                    ….
                    As to the natting to the lan to get to the web gui - why would anyone do that?  If you want access to web gui via wan, then allow it..

                    :o
                    5 years …. and I always thought that the pfSense GUI web server was only listening on the LAN interface.

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??

                    • P
                      pfguy
                      last edited by May 11, 2015, 5:37 AM

                      Well, I talked to my ISP and they confirmed that they don't block anything, incl. VPN connections. They said other customers can use it fine. No complaints whatsoever. So it seems the problem is at the pfSense box.
                      Can anyone post a firewall rule to allow remote admin? That's all I need for now, I don't care about anything else.
                      Thanks

                      • G
                        Gertjan
                        last edited by May 11, 2015, 5:57 AM

                        Well, it became even easier now.

                        I activated GUI https access from WAN with this rule : (see first green rule in image)

                        No NAT needed  ;)

                        Have your WAN interface getting pinged from the outside ? See third rule.

                        Just a question : You do have an "Internet IP" (WAN) on your WAN interface, right ?! Something like 109.215.195.225.
                        What is in between the pfSense box and your ISP ?
                        How do you get your IP (DHCP ? pppoe ?)
                        What are your other firewall rules ?

                        Capture-14587.PNG

                        • P
                          pfguy
                          last edited by May 11, 2015, 6:07 AM

                          I have my Internet IP on my pfSense WAN indeed. The box got it from the ISP via PPPoE.
                          I have deleted everything on the firewall on both LAN and WAN (get remote access working first and then add them on 1 by 1 later if needed).
                          There is nothing between my pfSense box and the ISP.
                          The box connects to the ISP fiber cable and received its IP from them.
                          The box acts as a modem. I enter the ISP username and password on the WAN interface on pfSense.

                          • P
                            phil.davis
                            last edited by May 11, 2015, 6:58 AM

                            For testing, open everything:

                            1. Put a pass all rule on WAN (protocol any, source any, destination any…)
                            2. Ping the WAN IP from somewhere on the public internet, try to access port 80/443 from the public internet
                            3. Do some packet capture and see if anything is arriving of what you expect (there will likely be plenty of rubbish arriving from Russia...)
                            4. traceroute from the real internet to your public IP - see where it stops routing towards you.

                            Tell us the first couple of octets of your public IP - just to make sure it really is a public IP.

                            This stuff really does work on pfSense.

                            As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                            If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                            • P
                              pfguy
                              last edited by May 14, 2015, 10:44 AM

                              Sorry for the late update,
                              It's finally working for me!
                              The last post here really helped me!
                              "Put a pass on any any any"

                              That's it! I was messing around with pass on this source to that dest..
                              Trying different combos… in the end it drove me nuts!

                              Now I can take a breath because I don't have to travel like 45 min to the site just to add a user.
                              I can explore OpenVPN in my spare time now.
                              Will it interfere with the firewall settings that I currently have now? Do I have to move the VPN rule above or below my current rule that allows remote management?

                              Thanks all folks, much appreciated.

                              • P
                                phil.davis
                                last edited by May 14, 2015, 11:35 AM

                                "Pass any any" on WAN really is for a 10 minute test only! There will be "a million" things out on the public internet trying to access stuff. You really really need to get the correct rule in place for just the access you need/want.
                                It should be destination WAN address, port 443 (HTTPS) (or also port 80 which should redirect to 443).
                                Now you should put in a better rule, then disable the "pass any any" rule and make sure access is still working. If you get stuck sorting out what the rule should be, then post a screenshot of your best attempt and we can see what is wrong.

                                • H
                                  hda
                                  last edited by May 14, 2015, 1:54 PM

                                  Whenever possible restrict your Source(any) into Source((my) IP's which may remote-login to this box).

                                  1 Reply Last reply Reply Quote 0
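An added example, not part of any post in this thread: a small audit that flags the two conditions the last two replies warn about, a leftover "pass any any" rule on WAN and a GUI rule whose source is still "any". The element names are modelled on the `<filter>` section of a pfSense `config.xml` backup and are an assumption; the sample config is constructed and 198.51.100.7 is a documentation address.

```python
import xml.etree.ElementTree as ET

# Constructed sample (assumed layout of the <filter> section of a config.xml backup).
SAMPLE_CONFIG = """<pfsense><filter>
  <rule><type>pass</type><interface>wan</interface>
    <source><any/></source><destination><any/></destination>
    <descr>TEMP pass any any</descr></rule>
  <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
    <source><any/></source>
    <destination><network>wanip</network><port>443</port></destination>
    <descr>GUI from anywhere</descr></rule>
  <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
    <source><address>198.51.100.7</address></source>
    <destination><network>wanip</network><port>443</port></destination>
    <descr>GUI from admin host</descr></rule>
  <rule><type>pass</type><interface>lan</interface>
    <source><network>lan</network></source><destination><any/></destination>
    <descr>Default LAN to any</descr></rule>
</filter></pfsense>"""


def _is_any(endpoint):
    """Treat an endpoint as 'any' when it is missing or holds an <any> child."""
    return endpoint is None or endpoint.find("any") is not None


def audit_wan_rules(config_xml, gui_ports=("443", "80")):
    """Return (severity, description, reason) for risky enabled WAN pass rules."""
    findings = []
    for rule in ET.fromstring(config_xml).iterfind("./filter/rule"):
        if rule.findtext("interface") != "wan" or rule.findtext("type") != "pass":
            continue
        if rule.find("disabled") is not None:
            continue  # a disabled rule passes no traffic
        src, dst = rule.find("source"), rule.find("destination")
        descr = rule.findtext("descr", default="(no description)")
        port = dst.findtext("port") if dst is not None else None
        if _is_any(src) and _is_any(dst) and port is None:
            findings.append(("HIGH", descr, "pass any any on WAN: test only, disable it"))
        elif _is_any(src) and port in gui_ports:
            findings.append(("MEDIUM", descr, "GUI port open to any source: restrict source IPs"))
    return findings


if __name__ == "__main__":
    for severity, descr, reason in audit_wan_rules(SAMPLE_CONFIG):
        print(f"{severity:6} {descr}: {reason}")
```

The rule scoped to a single admin address and the LAN rule produce no finding; only exact port values are matched, so port ranges and aliases are not evaluated.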
                                  • P
                                    pfguy
                                    last edited by May 15, 2015, 2:38 PM

                                    Yes, that will be my next action before I move to OpenVPN.
                                    Thanks.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.