Netgate Discussion Forum

    Remote Management

    General pfSense Questions
    12 Posts 7 Posters 2.6k Views

    dalbjerg

      this post is solved.

        Derelict LAYER 8 Netgate

        Are you appending :65432 to your URL?

        https://yourfirewallip:65432/

        You'll get a certificate error.  Click through it.

        That wide-open TCP rule on WAN is not what you want.  At least change the destination address to WAN address and the destination port to 65432. Even better change the source to the specific host you want to manage from.

        https://doc.pfsense.org/index.php/How_can_I_access_the_webGUI_from_the_WAN

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          doktornotor Banned

          1/ The destination should be WAN Address, not "Any".
          2/ Reset states after doing changes there.

          P.S. "I have now try to just allowed anything on TCP" is such a horrible idea that I'd rather not comment.
          P.P.S. You really should use a VPN or limit the access to known management IPs.

            Derelict LAYER 8 Netgate

            I really don't know how people screw this up.  It works for me every time.

            ![Screen Shot 2015-09-29 at 2.43.15 AM.png](/public/imported_attachments/1/Screen Shot 2015-09-29 at 2.43.15 AM.png)
            ![Screen Shot 2015-09-29 at 2.44.15 AM.png](/public/imported_attachments/1/Screen Shot 2015-09-29 at 2.44.15 AM.png)

              chriva

              Hi,
              telnet from outside on port 65432 is working.
              Https from outside gets packet retransmission.

              Hope this helps.

                johnpoz LAYER 8 Global Moderator

                ssh is working fine?? So you have that listening on 1222 it seems, I also see you have tcp 53 open for some not sure reason??  At least it refuses to do a recursive query..  So prob running unbound with ACL protecting you..

                I show this open
                Not shown: 65533 filtered ports
                PORT    STATE SERVICE VERSION
                53/tcp  open  domain  NLNet Labs Unbound
                1222/tcp open  ssh    OpenSSH 6.6.1_hpn13v11 (protocol 2.0)
                | ssh-hostkey:
                |  1024 0b:f4:66:da:05:6f:2c:e8:72:4b:47:74:20:de:05:ef (DSA)
                |  2048 83:52:da:3e:2e:23:ac:db:fd:e6:45:95:c2:5c:08:b3 (RSA)
                |_  256 ff:3f:51:8c:34:37:da:ba:c0:45:69:ce:0a:93:cd:73 (ECDSA)

                So where exactly is this port supposed to be open for your remote webgui?

                I am with Derelict here I just really do not understand the issues, this is really clickity clickity done..

                You sure you're not behind a NAT, and have not forwarded the port for your gui?  Post up your wan rules and your gui settings.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                  Derelict LAYER 8 Netgate

                  [deleted - I see the change in ports]

                  Whatever is currently on 1222 is simply sending nothing in response.

                    Derelict LAYER 8 Netgate

                    Nope.  Nothing.  You clicky-clicked something somewhere.  Who knows what.

                    Start over.

                    Backup your config, reset to "factory", do NOTHING but enable WAN access to the webgui and it'll work.

                    You can restore your config in 2 minutes if you want to go back.

                      johnpoz LAYER 8 Global Moderator

                      dude you're not running webgui on 1222, that is ssh

                      SSH-2.0-OpenSSH_6.6.1_hpn13v11
                      Protocol mismatch.

                      There is something on 80, it sends syn,ack back but that is all!  I show it as
                      80/tcp open  http    lighttpd 1.4.35

                      edit: if I had to guess you're redirecting to https that your ssh is running on.  What I would suggest is you start over, leave webgui running on 80.  Open just 80 to your wan address in your wan rules and then test it.  If that works then you can change to https on 443 and then open 443 on your wan.  If that works then you can try changing your ports.  I think you're running into an issue where you think you're changing your ports but not applied or whatever.

                      Let's see the output of say sockstat, you should see the ports that lighttpd is listening on

                      root    lighttpd  32225 11 tcp4  *:443                :
                      root    lighttpd  32225 12 tcp6  *:443                :
                      root    lighttpd  32225 13 tcp4  *:80                  :
                      root    lighttpd  32225 14 tcp6  *:80                  :

                      and you should also see the ports your sshd is listening on

                      root    sshd      18228 4  tcp6  *:22                  :
                      root    sshd      18228 5  tcp4  *:22                  :

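As an added illustration of the sockstat check johnpoz asks for (this is not part of his post or of pfSense), the script below parses sockstat-style listener output and reports which daemon actually owns the port you expected the webGUI on. The sample output is constructed to mirror the situation in the thread: lighttpd on 80/443, sshd moved to 1222, unbound on 53.

```python
"""Added example: who owns the port I think the pfSense webGUI is on?
Parses FreeBSD `sockstat -l`-style output (TCP listeners only)."""
import re
from collections import defaultdict

# Constructed sample, not real output from the poster's box.
# Columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     lighttpd   32225 11 tcp4   *:443                 *:*
root     lighttpd   32225 12 tcp6   *:443                 *:*
root     lighttpd   32225 13 tcp4   *:80                  *:*
root     lighttpd   32225 14 tcp6   *:80                  *:*
root     sshd       18228 4  tcp6   *:1222                *:*
root     sshd       18228 5  tcp4   *:1222                *:*
unbound  unbound    40111 6  tcp4   *:53                  *:*
"""

# user, command, pid, fd, proto, local address, local port ("*" = unbound)
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(tcp[46])\s+(\S+):(\d+|\*)\s+")


def parse_sockstat(text):
    """Return {command: {(proto, local_addr, port), ...}} for TCP listeners."""
    listeners = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)          # header line has no numeric PID, so it is skipped
        if not m or m.group(7) == "*":
            continue
        _user, cmd, _pid, _fd, proto, addr, port = m.groups()
        listeners[cmd].add((proto, addr, int(port)))
    return dict(listeners)


def listening_ports(text, command):
    """Sorted, de-duplicated list of TCP ports a daemon listens on (v4 and v6 merged)."""
    return sorted({port for _p, _a, port in parse_sockstat(text).get(command, ())})


def check_webgui_port(text, expected_port, webgui_cmd="lighttpd"):
    """Explain why a connection to expected_port may not reach the webGUI."""
    owners = {cmd for cmd, socks in parse_sockstat(text).items()
              if any(port == expected_port for _p, _a, port in socks)}
    if webgui_cmd in owners:
        return "ok"
    if owners:
        return "port %d is owned by %s, not %s" % (expected_port, ", ".join(sorted(owners)), webgui_cmd)
    return "nothing listens on port %d" % expected_port
```

Run it against the real `sockstat -l` output on the firewall; an answer of "owned by sshd" is exactly the mismatch johnpoz describes.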
                        fragged

                        1. Make an alias with ports 80,443 (you need both  as 80 redirects to 443 by default) and 1222
                        2. Add a rule with ipv4,proto tcp, source *, destination WAN address with the alias you made for ports
                        3. Profit

                        After you have demonstrated that things work as they should, limit source to a range of addresses you will be connecting from or better yet, setup a VPN.

                        This isn't exactly rocket surgery.

                          muswellhillbilly

                          For the record, I have exactly this thing set up on my own system, except that I've limited the source IPs to just my own subset of addresses and the protocol is simply port 80. If you leave the listening port for the webgui alone (port 80), try setting up a firewall rule on the WAN as follows:

                          Proto: IPv4/TCP
                          Source: X.X.X.X/Y (your external IP addresses/subnet mask)
                          Port: *
                          Destination: *
                          Port: 80
                          Gateway: *
                          Queue: none
                          Schedule: (blank)
                          Description: 'Access from outside' (whatever takes your fancy)

                          If you can get that much to work then you can start making changes to your listening ports, etc. and amend your rule accordingly.

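fragged's step list and muswellhillbilly's rule table above describe the same scoped WAN rule. As an added example (not from either poster, and not pfSense code), here is a small model of how such a rule is matched, so the wide-open "any TCP" rule the OP had can be compared side by side with the scoped one: source limited to a management range, destination "WAN address", ports from an alias of 80, 443 and 1222. All addresses are constructed.

```python
"""Added example: pfSense-style WAN rule matching, wide-open vs scoped."""
import ipaddress
from dataclasses import dataclass

WAN_ADDRESS = ipaddress.ip_address("203.0.113.10")  # constructed firewall WAN IP
MGMT_NET = "198.51.100.0/29"                         # constructed "X.X.X.X/Y" management range
WEBGUI_ALIAS = {80, 443, 1222}                       # port alias from fragged's step 1


@dataclass
class Rule:
    proto: str         # "tcp"
    source: str        # CIDR or "*"
    destination: str   # CIDR, "*" or the pfSense macro "WAN address"
    dst_ports: set     # set of ports, or {"*"}

    def matches(self, proto, src_ip, dst_ip, dst_port):
        if proto != self.proto:
            return False
        if self.source != "*" and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.source):
            return False
        if self.destination == "WAN address":
            if ipaddress.ip_address(dst_ip) != WAN_ADDRESS:
                return False
        elif self.destination != "*" and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.destination):
            return False
        return "*" in self.dst_ports or dst_port in self.dst_ports


WIDE_OPEN = Rule("tcp", "*", "*", {"*"})                    # "just allow anything on TCP"
SCOPED = Rule("tcp", MGMT_NET, "WAN address", WEBGUI_ALIAS)  # the rule recommended above


def allowed(rules, proto, src_ip, dst_ip, dst_port):
    """First match wins (pfSense GUI rules are 'quick'); no match means the WAN default deny."""
    return any(r.matches(proto, src_ip, dst_ip, dst_port) for r in rules)


def compare(src_ip, dst_ip, dst_port):
    """(wide-open verdict, scoped verdict) for one inbound TCP connection.
    WAN rules see the post-NAT destination, so a destination of "*" also
    passes anything that a port forward sends on to a LAN host."""
    return (allowed([WIDE_OPEN], "tcp", src_ip, dst_ip, dst_port),
            allowed([SCOPED], "tcp", src_ip, dst_ip, dst_port))
```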
                            johnpoz LAYER 8 Global Moderator

                            dude, this is really clickity clickity, there is nothing special to do in pfsense to allow for remote webgui access.  It by default listens on all ports, you just have to enable a wan rule to allow it.

                            You sure you're not trying to redirect http to https?  Please post your firewall rules, your gui settings and you're not behind a nat right??  You don't have any sort of vpn client access setup on pfsense do you?  You're not trying to route traffic through a vpn or anything.

                            The only thing required to enable remote webgui access is a firewall rule on the wan to allow access to the port..  I currently show 53 and 80 open.. If you're trying to redirect 80 to 443 it's not showing open.

                            Please post the output of sockstat..  And your gui setup section – its just listed as http right??

    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.