Can access SSH via WAN but not HTTPS



  • Under the same rule, I've given access to a single IP to 22 and 443.

    I can (off vpn) ssh into pfsense, but I cannot get to the web GUI.

    Disable DNS Rebinding Checks is unchecked
    Alternate Hostnames contains the FQDN I am using to access.

    I get Connection refused whether I use a FQDN or the public IP. Am I missing something here?


  • LAYER 8 Global Moderator

    @pitchfork said in Can access SSH via WAN but not HTTPS:

    Am I missing something here?

    hehee - yeah some actual info ;)

    I would not recommend opening up web gui of pfsense to the internet.. You're wanting to access the web gui after you vpn to pfsense.. That should pretty much be a given with nothing special to do..

    Once you vpn into pfsense, you would just hit the lan IP of pfsense to hit the gui, on the port you're having the web gui listen on. I do this almost every single day from work ;)



  • @johnpoz

    I already have openvpn set up. the single IP ALLOW rule is relatively safe. ideally there'd be 2FA on it, but still...

    either way (even if I turn it off), I'd like to know which part I am missing. SSH is allowed from the IP, but not HTTPS


  • LAYER 8 Global Moderator

    @pitchfork said in Can access SSH via WAN but not HTTPS:

    the single IP ALLOW rule is relatively safe

    No not really, unless you have it locked down to the source IP you're coming from.

    If you have vpn into pfsense, and you can ssh to the lan IP.. Then you can hit the gui.. Unless you messed with your openvpn rules.

    I can not tell what you have done or not done, since you have not posted any actual details of any of it.



  • @johnpoz said in Can access SSH via WAN but not HTTPS:

    @pitchfork said in Can access SSH via WAN but not HTTPS:

    the single IP ALLOW rule is relatively safe

    No not really, unless you have it locked down to the source IP you're coming from.

    If you have vpn into pfsense, and you can ssh to the lan IP.. Then you can hit the gui.. Unless you messed with your openvpn rules.

    I can not tell what you have done or not done, since you have not posted any actual details of any of it.

    the single IP is the source IP I am coming from. vpn works fine.

    the rule is the same for SSH and HTTPS, both ports under the same alias. both require TCP and are restricted to IPv4. I am not sure what other detail could be needed, given that the rule is correct, since it works for SSH.

    thanks



  • Is there an upstream router (to be set up also)?


  • LAYER 8 Global Moderator

    @pitchfork said in Can access SSH via WAN but not HTTPS:

    I am not sure what other detail could be needed

    An actual picture is worth 10,000 words.. One thing I can say for sure users always say X is correct, but problem is they didn't actually do X, they did Y, etc. etc.

    If you have a single rule on pfsense wan that allows both ssh and https to your wan IP from your source, and ssh works. Then maybe https is not getting there to pfsense wan - simple sniff would show that.

    Maybe your port is wrong for https, maybe you have it listening on 8443 for example.. Maybe you have rule above that blocks https? Maybe your alias is not actually correct?



  • @Gertjan nope, WAN has a public IP (box is at a DC)



  • There was an auto rule created by NAT that redirected 443. That rule was below the pfSense Management Access rule, and I forgot that NAT rules are evaluated first.

    I changed the pfsense port and it worked.

    Thank you!
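
The resolution above, as an added example that is not part of the original thread: a simplified model of the order in which an inbound WAN connection is processed (port-forward translation first, then first-match filter rules). All addresses, the "NAT auto rule" label and the `evaluate` helper are constructed for illustration; only the "pfSense Management Access" rule name comes from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# All addresses below are constructed sample values (documentation ranges).
WAN_IP = "203.0.113.10"      # firewall's public address
ADMIN_SRC = "198.51.100.7"   # the single allowed source IP
INTERNAL_WEB = "10.0.0.5"    # host the port forward points at

@dataclass(frozen=True)
class Rdr:                   # port forward, matched on the ORIGINAL destination
    dst: str
    port: int
    to: str

@dataclass(frozen=True)
class Pass:                  # filter rule, modelled as first match wins
    name: str
    src: str
    dst: str
    ports: tuple

def evaluate(src, dst, port, rdrs, rules):
    """Return (final_dst, matched_rule_name or None) for an inbound TCP SYN on WAN."""
    # Step 1: destination translation happens before any filter rule is consulted.
    for r in rdrs:
        if dst == r.dst and port == r.port:
            dst = r.to
            break
    # Step 2: filter rules are matched against the TRANSLATED destination.
    for rule in rules:
        if (ip_address(src) in ip_network(rule.src)
                and ip_address(dst) in ip_network(rule.dst)
                and port in rule.ports):
            return dst, rule.name
    return dst, None         # nothing matched: default deny

RDRS = [Rdr(WAN_IP, 443, INTERNAL_WEB)]
RULES = [
    Pass("pfSense Management Access", ADMIN_SRC + "/32", WAN_IP + "/32", (22, 443)),
    Pass("NAT auto rule", "0.0.0.0/0", INTERNAL_WEB + "/32", (443,)),
]

if __name__ == "__main__":
    for p in (22, 443):      # SSH reaches the firewall, HTTPS is forwarded away
        print(p, evaluate(ADMIN_SRC, WAN_IP, p, RDRS, RULES))
```

Port 22 is untouched by the forward and matches the management rule, while port 443 is rewritten to the internal host before the management rule is ever compared, which is why moving the GUI to a port the forward does not cover restores access.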

