Remote Management

dalbjerg

this post it solved.

Derelict

Are you appending :65432 to your URL?

https://yourfirewallip:65432/

You'll get a certificate error. Click through it.

That wide-open TCP rule on WAN is not what you want. At least change the destination address to WAN address and the destination port to 65432. Even better change the source to the specific host you want to manage from.

https://doc.pfsense.org/index.php/How_can_I_access_the_webGUI_from_the_WAN

doktornotor

1/ The destination should be WAN Address, not "Any".
2/ Reset states after doing changes there.

P.S. "I have now try to just allowed anything on TCP" is such a horrible idea that I'd rather not comment.
P.P.S. You really should use a VPN or limit the access to known management IPs.

Derelict

I really don't know how people screw this up. It works for me every time.

![Screen Shot 2015-09-29 at 2.43.15 AM.png](/public/imported_attachments/1/Screen Shot 2015-09-29 at 2.43.15 AM.png)
![Screen Shot 2015-09-29 at 2.43.15 AM.png_thumb](/public/imported_attachments/1/Screen Shot 2015-09-29 at 2.43.15 AM.png_thumb)
![Screen Shot 2015-09-29 at 2.44.15 AM.png](/public/imported_attachments/1/Screen Shot 2015-09-29 at 2.44.15 AM.png)
![Screen Shot 2015-09-29 at 2.44.15 AM.png_thumb](/public/imported_attachments/1/Screen Shot 2015-09-29 at 2.44.15 AM.png_thumb)

chriva

Hi,
telnet form outside on port 65432 is working.
Https from outside gets pachet retransmission.

Hope this help.

johnpoz

ssh is working fine?? So you have that listening on 1222 it seems, I also see you have tcp 53 open for some not sure reason?? Atleast it refuses to do a recursive query.. So prob running unbound with ACL protecting you..

I show this open
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain NLNet Labs Unbound
1222/tcp open ssh OpenSSH 6.6.1_hpn13v11 (protocol 2.0)
| ssh-hostkey:
| 1024 0b:f4:66:da:05:6f:2c:e8:72:4b:47:74:2005:ef (DSA)
| 2048 83:52:da:3e:2e:23:ac:db:fd:e6:45:95:c2:5c:08:b3 (RSA)
|_ 256 ff:3f:51:8c:34:37:da:ba:c0:45:69:ce:0a:93:cd:73 (ECDSA)

So where exactly is this port suppose to be open for you remote webgui?

I am with Derelict here I just really do not understand the issues, this is really clickity clickity done..

You sure your not behind a NAT, and have not forwarded the port for your gui? Post up your wan rules and your gui settings.

Derelict

[deleted - I see the change in ports]

Whatever is currently on 1222 is simply sending nothing in response.

Derelict

Nope. Nothing. You clicky-clicked something somewhere. Who knows what.

Start over.

Backup your config, reset to "factory", do NOTHING but enable WAN access to the webgui and it'll work.

You can restore your config in 2 minutes if you want to go back.

johnpoz

dude your not running webgui on 1222 that is ssh

SSH-2.0-OpenSSH_6.6.1_hpn13v11
Protocol mismatch.

There is something on 80, it sends syn,ack back but that is all! I show it as
80/tcp open http lighttpd 1.4.35

edit: if I had to guess your redirecting to https that your ssh is running on. What I would suggest is you start over, leave webgui running on 80. Open just 80 to your wan address in your wan rules and then test it. If that works then you can change to https on 443 and then open 443 on your wan. If that works then you can try changing you ports. I think your running into an issue where you think your changing your ports but not applied or whatever.

Lets see the output of say sockstat, you should see the ports that lighttpd is listening on

root lighttpd 32225 11 tcp4 *:443 :
root lighttpd 32225 12 tcp6 *:443 :
root lighttpd 32225 13 tcp4 *:80 :
root lighttpd 32225 14 tcp6 *:80 :

and you should also see the ports your sshd is listening on

root sshd 18228 4 tcp6 *:22 :
root sshd 18228 5 tcp4 *:22 :

fragged

Make an alias with ports 80,443 (you need both as 80 redirects to 443 by default) and 1222
Add a rule with ipv4,proto tcp, source *, destination WAN address with the alias you made for ports
Profit

After you have demonstrated that things work as they should, limit source to a range of addresses you will be connecting from or better yet, setup a VPN.

This isn't exactly rocket surgery.

muswellhillbilly

For the record, I have exactly this thing set up on my own system, except that I've limited the source IPs to just my own subset of addresses and the protocol is simply port 80. If you leave the listening port for the webgui alone (port 80), try setting up a firewall rule on the WAN as follows:

Proto: IPv4/TCP
Source: X.X.X.X/Y (your external IP addresses/subnet mask)
Port: *
Destination: *
Port: 80
Gateway: *
Queue: none
Schedule: (blank)
Description: 'Access from outside' (whatever takes your fancy)

If you can get that much to work then you can start making changes to your listening ports, etc. and amend your rule accordingly.

johnpoz

dude this is really clickity clickity there is nothing special to do in pfsense to allow for remote webgui access. It by default listens on all ports, you just have to enable wan rule to allow it.

You sure your not trying to redirect http to https? Please post your firewall rules, your gui settings and your not behind a nat right?? You don't have any sort of vpn client access setup on pfsense do you? Your not trying to route traffic through a vpn or anything.

The only thing required to enable remote webgui access is firewall rule on the wan to allow access to the port.. I currently show 53 and 80 open.. If your trying to redirect 80 to 443 its not showing open.

Please post the output of sockstat.. And your gui setup section – its just listed as http right??