No/Slow/Sporadic WAN FQDN connection with Cloudflare, Acme/LE, Namecheap

  • I need help, please. I'm at wit's end, but before I give up on pfsense, I thought I would run my issue by the experts.

    I had a working pfsense environment at a former residence (with working VPN, Ubiquiti wifi, 3 VLANs, half a dozen cameras, and port forwards to various other devices) that I built after hours of reviewing posts on this site and others. I do not have an IT background (so be gentle), but I try to research issues to understand what I am doing and then try, try, and try again until it works.

    I am now in a new residence with a completely different environment, and I tried to strip down pfsense to just what I needed (at least for now, so no more VLANs or VPN) from the prior environment--which may have been a mistake.

    In any event, I have everything working in the new place but one CRUCIAL thing: I cannot access pfsense from outside my LAN. I have a valid SSL certificate via Acme/Let's Encrypt, Cloudflare for DNS for a domain hosted by Namecheap, DDNS working, and from a local computer I can access the pfsense box (all green on the SSL front) via local IP or FQDN.

    I can ping both the WAN IP that Comcast gives me and the FQDN from outside the LAN, but when I try to access pfsense via the WAN (I have a bridged Comcast modem that gives me two separate IPs), I usually get a 522 error from Cloudflare. On occasion, the page will load very, very slowly (with a green SSL) and display (for lack of a better term) a non-GUI interface with big black letters across the top that say "pfsense" and a linear format--kind of like the old-school screen interfaces.

    I have reviewed my firewall rules and even tested with "any to any" WAN and LAN rules, but there must be something blocking and I haven't a clue. I have whitelisted Cloudflare IPs, and as noted, have successfully obtained an SSL certificate. I have turned off (to test) my firewall.

    Any suggestions on how to narrow down the problem would be greatly appreciated. Thanks.

  Netgate Administrator

    That kind of partial or non-loading sounds a bit like an IP conflict or maybe a bad MTU. Though in both those cases you would see issues with outbound traffic also.

    Do you see this if you try to access pfSense by IP directly? Or just using the DDNS name?

    Did you have the same Comcast connection and equipment at the previous location?

    Really you need to run a packet capture on the WAN interface while you try to connect externally and see what is actually arriving on the WAN.
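A way to make sense of that WAN packet capture, added here as an example and not part of the thread or of pfSense: a Cloudflare 522 means Cloudflare's edge could not complete a TCP handshake with the origin, so the question the capture answers is whether Cloudflare's SYNs reach the WAN interface at all and whether the firewall replies with a SYN-ACK. The script below parses `tcpdump -n` style lines (the sample lines are constructed; the WAN address 203.0.113.10 and the peer addresses are placeholders), tallies SYNs and SYN-ACKs per peer, and separates Cloudflare sources from direct clients that bypassed the proxy. The Cloudflare IPv4 ranges are taken from Cloudflare's published list and should be re-checked against https://www.cloudflare.com/ips/ before relying on them.

```python
import ipaddress
import re
from collections import defaultdict

# Cloudflare IPv4 ranges (assumption: copied from Cloudflare's published
# list at the time of writing; verify against https://www.cloudflare.com/ips/).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed sample of `tcpdump -ni <wan-if> port 443` output on the WAN.
# 203.0.113.10 stands in for the pfSense WAN address (documentation range).
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 172.70.1.2.54321 > 203.0.113.10.443: Flags [S], seq 1, win 65535, length 0
12:00:01.000300 IP 203.0.113.10.443 > 172.70.1.2.54321: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:04.000001 IP 172.70.1.3.44444 > 203.0.113.10.443: Flags [S], seq 1, win 65535, length 0
12:00:05.000001 IP 172.70.1.3.44444 > 203.0.113.10.443: Flags [S], seq 1, win 65535, length 0
12:00:06.000001 IP 198.51.100.7.50000 > 203.0.113.10.443: Flags [S], seq 1, win 65535, length 0
"""

# Matches "IP src.sport > dst.dport: Flags [X]" as printed by tcpdump -n.
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]"
)


def parse_capture(text):
    """Yield (src, sport, dst, dport, flags) from tcpdump -n text output."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)


def is_cloudflare(ip):
    """True if the address falls inside one of Cloudflare's published ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def analyze(text, wan_ip, port=443):
    """Return a verdict per peer: 'answered', 'unanswered' or 'non-cloudflare'.

    'unanswered' means a SYN reached the WAN but no SYN-ACK left it, which
    points at the firewall rules or at nothing listening on that WAN address.
    'non-cloudflare' flags direct clients that did not come through the proxy.
    """
    stats = defaultdict(lambda: {"syn": 0, "synack": 0})
    for src, sport, dst, dport, flags in parse_capture(text):
        if dst == wan_ip and dport == port and flags == "S":
            stats[src]["syn"] += 1          # inbound SYN to the origin
        elif src == wan_ip and sport == port and flags == "S.":
            stats[dst]["synack"] += 1       # origin's SYN-ACK back to the peer
    verdicts = {}
    for peer, s in stats.items():
        if not is_cloudflare(peer):
            verdicts[peer] = "non-cloudflare"
        elif s["synack"] == 0:
            verdicts[peer] = "unanswered"
        else:
            verdicts[peer] = "answered"
    return verdicts


if __name__ == "__main__":
    for peer, verdict in analyze(SAMPLE_CAPTURE, "203.0.113.10").items():
        print(f"{peer:16} {verdict}")
```

If the capture shows no Cloudflare SYNs at all, the problem is upstream of the firewall (DNS record, proxy status, or the modem handing the traffic to the other public IP); if SYNs arrive but stay unanswered, look at the WAN rules and at which interface address the GUI is bound to.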


  • Thanks, Steve. I did some more checking, and while it is difficult to know what exactly I changed to make it work, I think I needed to add the domain name to the host name boxes on the DNS Server Settings in General Setup. That, plus a couple of changes in the Cloudflare set-up, solved the problem.

    Thanks for your input.

