MultiWAN + admin traffic to pfSense GUI itself
I have a site (Site N) with two WAN connections:
Interface I've named WAN (with a 192.168.x.x address), which connects via a layer 2 bridge to one of our other locations (Site V also running pfSense) which in turn provides access to the Internet. This is marked as the default gateway on Site N pfSense. At Site V, NAT is applied to get to a publicly routable IP range.
Interface I've named ISP2, which is via a Comcast Business account. This has a publicly reachable IP address.
I have no problem setting up gateway groups to handle traffic originating from within the LAN side. If I use rule-based routing, I can route specific ports of traffic out either via ISP2 or WAN and have no problem establishing a connection from a workstation within the LAN to public hosts.
My problem is reaching pfSense itself on both WAN connections. Whichever WAN I have marked as the default gateway, I have no problem connecting to. I just can't connect to the other one. So with my current configuration, from a workstation out on the Internet, I can communicate with the pfSense web GUI on the interface named WAN, but I can't communicate with the web GUI on the interface named ISP2, as the reply packets go out through the interface with the default gateway (WAN) rather than back out the interface the incoming SYN packet arrived on (ISP2).
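The following toy model is an added illustration of the routing decision described in the post above; it is not pfSense or pf code and nothing in it comes from the thread. Interface names, addresses and ports are constructed placeholders (RFC 5737 ranges). It compares a router that picks the return path purely from its routing table (so replies follow the default route out WAN) with one that, like pf's reply-to, remembers the ingress interface and its gateway in the state table and sends the reply back the same way.

```python
"""Toy model of the asymmetric-return problem: SYN arrives on the non-default
WAN, SYN-ACK leaves via the default gateway unless the state pins the reply.

Constructed illustration, not pfSense or pf code. Interface names, addresses
and ports are placeholders in RFC 5737 documentation ranges.
"""
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "prefix iface gateway")   # gateway None = directly connected
Packet = namedtuple("Packet", "src sport dst dport")


class Router:
    def __init__(self, interfaces, routes, reply_to):
        # interfaces: name -> (own address, that interface's upstream gateway)
        self.interfaces = interfaces
        # longest-prefix-match order: most specific route first
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)
        self.reply_to = reply_to
        self.states = {}   # (src, sport, dst, dport) -> (ingress iface, gateway)

    def route_lookup(self, dst):
        """Plain routing-table decision for a destination address."""
        addr = ipaddress.IPv4Address(dst)
        for r in self.routes:
            if addr in r.prefix:
                return r.iface, r.gateway
        raise LookupError("no route to %s" % dst)

    def receive(self, iface, pkt):
        """Inbound SYN to one of our own addresses: create state the way pf does,
        remembering the ingress interface and its gateway (what reply-to uses)."""
        own_addr, gateway = self.interfaces[iface]
        if pkt.dst != own_addr:
            raise ValueError("packet not addressed to %s" % iface)
        self.states[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = (iface, gateway)

    def egress_for_reply(self, reply):
        """Decide where our reply leaves: (interface, gateway)."""
        key = (reply.dst, reply.dport, reply.src, reply.sport)
        state = self.states.get(key)
        if self.reply_to and state is not None:
            return state                         # pinned to the ingress interface
        return self.route_lookup(reply.dst)      # default route wins -> WAN


def build_router(reply_to):
    # Constructed topology mirroring the post: WAN holds the default route,
    # ISP2 has its own gateway but no route in the table points at it.
    interfaces = {
        "WAN":  ("192.168.1.2", "192.168.1.1"),   # bridge towards Site V
        "ISP2": ("203.0.113.5", "203.0.113.1"),   # second ISP, public address
    }
    routes = [
        Route(ipaddress.ip_network("192.168.1.0/24"), "WAN", None),
        Route(ipaddress.ip_network("203.0.113.0/24"), "ISP2", None),
        Route(ipaddress.ip_network("0.0.0.0/0"), "WAN", "192.168.1.1"),
    ]
    return Router(interfaces, routes, reply_to)


def reply_path(reply_to, wan_name):
    """A client at 198.51.100.7 opens HTTPS to the address on wan_name;
    return where the SYN-ACK would be sent as (interface, gateway)."""
    r = build_router(reply_to)
    own_addr = r.interfaces[wan_name][0]
    syn = Packet("198.51.100.7", 51515, own_addr, 443)
    r.receive(wan_name, syn)
    syn_ack = Packet(own_addr, 443, "198.51.100.7", 51515)
    return r.egress_for_reply(syn_ack)


if __name__ == "__main__":
    for mode in (False, True):
        for wan in ("WAN", "ISP2"):
            print("reply-to=%-5s SYN in on %-4s -> SYN-ACK out via %s"
                  % (mode, wan, reply_path(mode, wan)))
```

With reply_to=False the SYN that came in on ISP2 is answered out of WAN, which is exactly the failure the post describes: the client sees nothing come back from the address it contacted. With reply_to=True the state table overrides the routing table and the reply leaves via ISP2 and its own gateway.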
Do you really want to connect to pfSense GUI on WAN :o ?
This can be done, technically speaking, but it requires you to check your FW rules very closely because, as far as I know, there is no mechanism to prevent brute force attacks, so opening the admin GUI on WAN is very risky 8)
Why not rather configure VPN and access GUI from LAN once VPN is established?
I have the same problem with at least OpenVPN (namely, trying to communicate with the MultiWAN that isn't marked as the default gateway is a problem when coming from 'random arbitrary outside IP address')… but I consider HTTPS conceptually simpler than OpenVPN as well as reachable from more devices natively.
Is there a VPN protocol that properly will respond via the interface that the traffic came in on, rather than the default gateway? I didn't think this was a protocol level problem, but a routing issue - but I'm open to correction and enlightenment.
OpenVPN is even easier. I currently have 4 WAN interfaces and I can access OpenVPN from all of their external IPs. You just need the routes AND OpenVPN configured to accept connections on those ranges. I think the wizard has a place where you specify multi-WAN and which interfaces you want to use…
When it comes to setting up OpenVPN with multi-WAN, one option is to configure the OpenVPN server to listen on localhost (127.0.0.1) and then configure forwarding rules so that requests reaching each gateway on the port configured on the OpenVPN server are redirected to 127.0.0.1.
This allows you to have one single OpenVPN server configuration available from multiple gateways.
The difference between HTTPS and OpenVPN, when it comes to accessing the pfSense GUI, is that the authentication used to establish the tunnel can be much stronger (and therefore more secure) than the simple "login / password" requested by the HTTP(S) web interface.
Keep in mind that you are exposing your FW to the internet if you authorise (GUI) admin access from the internet :o
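The pf.conf fragment below is an added example of the localhost-listener approach described in the reply above; it is hand-written for this thread, not rules generated by pfSense. Interface names (em1, em2), addresses and gateway IPs are constructed placeholders; 1194/udp is OpenVPN's default port. In the pfSense GUI the same thing is expressed as one port forward per WAN with 127.0.0.1 as the redirect target, and pfSense adds reply-to to rules on gateway interfaces unless that has been disabled under System > Advanced.

```pf
# Constructed example, not pfSense-generated. Interface names, addresses and
# gateway IPs are placeholders; 1194/udp is the OpenVPN default port.
wan_if    = "em1"            # the poster's "WAN": holds the default route
wan_gw    = "192.168.1.1"
isp2_if   = "em2"            # the poster's "ISP2": public address, own gateway
isp2_gw   = "203.0.113.1"
ovpn_port = "1194"

# 1. The OpenVPN server itself binds only to 127.0.0.1:1194 (set in the server
#    config), so one server instance serves every WAN.
# 2. Redirect the port as it arrives on either WAN address to that local listener.
rdr on $wan_if  inet proto udp from any to ($wan_if)  port $ovpn_port -> 127.0.0.1 port $ovpn_port
rdr on $isp2_if inet proto udp from any to ($isp2_if) port $ovpn_port -> 127.0.0.1 port $ovpn_port

# 3. Filter rules match the post-translation destination (127.0.0.1). reply-to
#    records the ingress interface and its gateway in the state, so replies to
#    clients that reached ISP2 leave via ISP2 even though WAN owns the default route.
pass in quick on $wan_if  reply-to ($wan_if $wan_gw)   inet proto udp from any to 127.0.0.1 port $ovpn_port keep state
pass in quick on $isp2_if reply-to ($isp2_if $isp2_gw) inet proto udp from any to 127.0.0.1 port $ovpn_port keep state
```

Only the VPN port is opened on the WAN interfaces here; the web GUI stays reachable from the LAN side through the tunnel, which is the arrangement the replies above recommend.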