Can access SSH via WAN but not HTTPS
-
Under the same rule, I've given access to a single IP to 22 and 443.
I can (off vpn) ssh into pfsense, but I cannot get to the web GUI.
Disable DNS Rebinding Checksis unchecked
Alternate Hostnamescontains the FQDN I am using to access.I get
Connection refusedwhether I use a FQDN or the public IP. Am I missing something here? -
@pitchfork said in Can access SSH via WAN but not HTTPS:
Am I missing something here?
hehee - yeah some actual info ;)
I would not recommend opening up web gui of pfsense to the internet.. Your wanting to access the web gui after you vpn to pfsense.. That should pretty much be a given with nothing special to do..
Once you vpn into pfsense, you would just hit the lan IP of pfsense to hit the gui, on the port your having the web gui listen on. I do this almost every single day from work ;)
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-2440 2.4.5p1 | 4x SG-3100 2.4.4p3 | SG-4860 21.05.1 -
i already have openvpn setup. the single IP ALLOW rule is relatively safe. ideally there'd be 2FA on it, but still...
either way (even if I turn it off), I'd like to know which part I am missing. SSH is allowed from the IP, but not HTTPS
-
@pitchfork said in Can access SSH via WAN but not HTTPS:
the single IP ALLOW rule is relatively safe
No not really, unless you have it locked down to the source IP your coming from.
If you have vpn into pfsense, and you can ssh to the lan IP.. Then you can hit the gui.. Unless you messed with your openvpn rules.
I can not tell what you have done or not done, since you have not posted any actual details of any of it.
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-2440 2.4.5p1 | 4x SG-3100 2.4.4p3 | SG-4860 21.05.1 -
@johnpoz said in Can access SSH via WAN but not HTTPS:
@pitchfork said in Can access SSH via WAN but not HTTPS:
the single IP ALLOW rule is relatively safe
No not really, unless you have it locked down to the source IP your coming from.
If you have vpn into pfsense, and you can ssh to the lan IP.. Then you can hit the gui.. Unless you messed with your openvpn rules.
I can not tell what you have done or not done, since you have not posted any actual details of any of it.
the single IP is the source IP i am coming from. vpn works fine.
the rule is the same for SSH and HTTPS, both ports under the same alias. both require TCP and are restricted to IPv4. I am not sure what other detail could be needed, given that the rule is correct, since it works for SSH.
thanks
-
Is there an upstream router (to be setup also) ?
No "help me" PM's please. Use the forum.
-
@pitchfork said in Can access SSH via WAN but not HTTPS:
I am not sure what other detail could be needed
A actual picture is worth 10,000 words.. One thing I can say for sure users always say X is correct, but problem is they didn't actually do X, they did Y, etc. etc.
If you have a single rule on pfsense wan that allows both ssh and https to your wan IP from your source, and ssh works. Then maybe https is not getting there to pfsense wan - simple sniff would show that.
Maybe your port is wrong for https, maybe you have it listening on 8443 for example.. Maybe you have rule above that blocks https? Maybe your alias is not actually correct?
-
@Gertjan nope, WAN has a public IP (box is at a DC)
-
There was an auto rule created by NAT that redirected 443. That rule was below the pfSense Management Access rule, and I forgot that NAT rules are evaluated first.
I changed the pfsense port and it worked.
Thank you!
