Urgent help: pfsense login on WAN port!

  • Hi guys

    I desperately need urgent help please.

    I have the following setup…

pfSense as router > another pfSense as load balancer > 2 VMs (web farm) running IIS 10.

    There are multiple websites on the VMs.
Port forward/NAT is enabled on the router, pointing to the load balancer IP (ports 80 and 443).
    The load balancer splits the traffic over 2 web servers.
    Both pfSense devices are listening on port 444 (as https) and not 443, to save confusion/conflicts.
The WAN port should NOT have the pfSense web GUI available at all, and it is disabled.

    Here's the problem...
SOME of my sites work fine and display perfectly normally (accessed from outside the network via the WAN link).
But some show the pfSense login!!!! It even forwards my port 443 to 444!!!! What the hell? Nowhere do I have it set to do this, nor should the login be available to WAN clients!

I can see this when accessing via the Google PageSpeed test, for example. I see pfSense as the thumbnail/screenshot for one site, but not for other sites.

    I'm freaking out and need help asap please.


  • Change the port which pfSense is listening to on both machines. System > Advanced > Admin Access
    Also check "WebGUI redirect".

  • Rebel Alliance Developer Netgate

    Your browser could also have cached something, such as a redirect or HSTS or whatnot. So be sure to test it again using private browsing/incognito mode/etc.

    Otherwise, if you see the firewall GUI, that means whatever forwarding mechanism you configured did not match the traffic exactly, so it "fell through" and hit the GUI process. Though your rules would also have to allow that, which means you probably have WAN rules set way too permissive.

    To provide any more concrete help we'd need to know more about the firewall rules, NAT, LB Config, etc. at each step.
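A way to do the "test it again without the browser" check from the reply above, as an added example (not code from the thread or from pfSense): a raw http.client request has no redirect cache and no HSTS store, so what it reports is what the firewall/NAT chain answers right now. The GUI port, host names and the sample headers are assumptions; the sample response is constructed.

```python
"""Probe a site from outside for a stray pfSense-style GUI redirect.

Added example, not code from the thread or from pfSense. It issues one
raw request with http.client, so no browser cache, HSTS entry or cached
301 is involved. Host names and the GUI port are assumptions.
"""
import http.client
import ssl
from urllib.parse import urlsplit

GUI_PORT = 444  # the non-standard WebGUI port used in the thread


def classify_response(status, headers, gui_port=GUI_PORT):
    """Classify one HTTP response by its status and lower-cased headers.

    Returns the redirect target if any, whether that target points at the
    GUI port, and whether an HSTS header was sent (a browser remembers
    that for max-age seconds, long after the firewall is fixed).
    """
    location = headers.get("location")
    target_port = None
    if location:
        parts = urlsplit(location)
        target_port = parts.port or (443 if parts.scheme == "https" else 80)
    return {
        "status": status,
        "location": location,
        "redirect_to_gui_port": target_port == gui_port,
        "hsts": "strict-transport-security" in headers,
    }


def probe(host, port=80, path="/", timeout=5):
    """Issue one uncached GET to host:port and classify the answer."""
    if port == 443:
        # A GUI's self-signed certificate would fail validation and we only
        # care about the redirect, so verification is skipped for the probe.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return classify_response(resp.status, headers)
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed samples (assumptions, not captured traffic): a request that
    # fell through to the WebGUI's HTTP->HTTPS redirect, and one answered by
    # the web farm itself.
    gui_hit = classify_response(301, {"location": "https://www.example.com:444/",
                                      "server": "nginx"})
    farm_hit = classify_response(200, {"server": "Microsoft-IIS/10.0"})
    print("gui redirect:", gui_hit)
    print("web farm   :", farm_hit)
    # Live use (needs network): probe("www.example.com") and probe("www.example.com", 443)
```

Run it against each site's name on ports 80 and 443 from a host outside the WAN; a `redirect_to_gui_port` of True for one name and False for another is the per-site mismatch described above, independent of anything a browser has cached.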

  • Thank you so much for replying guys.

    In the end I removed the Load Balancer router from the setup. Now I'm just using one of my VMs for IIS and one for SQL.

I had everything set correctly, in my opinion. Port redirection etc. turned off. The GUI was also running on a nonstandard port (444).

I do believe browser caching was a problem, because even when I had completely fixed it I still had customers complaining that they were not able to log in to the website. When I asked them to send the URL to me I could clearly see it was redirecting to port 444.

I've now completely blocked port 444 as the first WAN rule in the firewall. But how can I fix everyone's browser cache for that redirection problem? If pfSense has set clients to bounce from 80>444, everyone will now be getting a 404 error (not good for business!)
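One way to handle the cached-redirect question in the post above, as an added example that is not from the thread, pfSense or IIS: browsers cache a 301 Moved Permanently, so a client that once saw http://site/ -> https://site:444/ keeps going to :444 on its own, and if :444 is simply dropped at the WAN it gets a connection error rather than a page. Instead of blocking the port, the WAN :444 forward could point at a host running this small redirector (an assumption, not something the thread confirms), which answers every request with a fresh 301 back to the real site. Because the cached hop is HTTPS, the redirector must present the site's real certificate or browsers will refuse it. Certificate paths, host names and ports are assumptions.

```python
"""Give browsers that cached a 301 to :444 a fresh redirect to the real site.

Added example, not code from the thread, pfSense or IIS. Intended to sit
behind a WAN port forward for :444 and send clients back to the canonical
site. Certificate paths, host names and ports are assumptions.
"""
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

CANONICAL_SCHEME = "https"
CANONICAL_PORT = 443                        # where the web farm really listens
CERT_FILE = "/etc/ssl/site.fullchain.pem"   # assumption: the site's own certificate
KEY_FILE = "/etc/ssl/site.key.pem"


def redirect_target(host_header, path, scheme=CANONICAL_SCHEME, port=CANONICAL_PORT):
    """Build the URL to send the client back to.

    Drops the stray port from the Host header ("site:444" -> "site"), keeps
    the requested path and query string, and writes an explicit port only
    when it is not the scheme's default.
    """
    host = (host_header or "").strip()
    if host.startswith("["):                 # IPv6 literal, e.g. [2001:db8::1]:444
        end = host.find("]")
        host = host[: end + 1] if end != -1 else host
    else:
        host = host.split(":", 1)[0]
    host = host.lower() or "localhost"
    default = 443 if scheme == "https" else 80
    netloc = host if port == default else f"{host}:{port}"
    if not path.startswith("/"):
        path = "/" + path
    return f"{scheme}://{netloc}{path}"


class Redirector(BaseHTTPRequestHandler):
    """Answer everything with a 301 to the canonical site."""

    def _redirect(self):
        target = redirect_target(self.headers.get("Host"), self.path)
        self.send_response(301)
        self.send_header("Location", target)
        # Ask caches not to pin this hop; the canonical site is the authority.
        self.send_header("Cache-Control", "no-store")
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_HEAD = do_POST = _redirect


def serve(bind="0.0.0.0", port=444, certfile=CERT_FILE, keyfile=KEY_FILE):
    """Run the redirector over TLS on the port the browsers have cached."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    srv = HTTPServer((bind, port), Redirector)
    srv.socket = ctx.wrap_socket(srv.socket, server_side=True)
    srv.serve_forever()


if __name__ == "__main__":
    serve()   # binding :444 needs root and the site's certificate files
```

The redirector only needs to stay up until the affected clients' caches have expired or been overwritten; the WAN rule that blocks the pfSense GUI itself on :444 stays in place, since the forward now lands on this host rather than on the firewall's own GUI process.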

