Netgate Discussion Forum

    Can access SSH via WAN but not HTTPS

    • pitchfork

      Under the same rule, I've given access to a single IP to 22 and 443.

      I can (off vpn) ssh into pfsense, but I cannot get to the web GUI.

      Disable DNS Rebinding Checks is unchecked
      Alternate Hostnames contains the FQDN I am using to access.

      I get Connection refused whether I use a FQDN or the public IP. Am I missing something here?

      • johnpoz, LAYER 8 Global Moderator

        @pitchfork said in Can access SSH via WAN but not HTTPS:

        Am I missing something here?

        hehee - yeah some actual info ;)

        I would not recommend opening up the web gui of pfsense to the internet.. You're wanting to access the web gui after you vpn to pfsense.. That should pretty much be a given with nothing special to do..

        Once you vpn into pfsense, you would just hit the lan IP of pfsense to hit the gui, on the port you're having the web gui listen on. I do this almost every single day from work ;)

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • pitchfork @johnpoz

          @johnpoz

          I already have openvpn set up. The single IP ALLOW rule is relatively safe. Ideally there'd be 2FA on it, but still...

          Either way (even if I turn it off), I'd like to know which part I am missing. SSH is allowed from the IP, but not HTTPS.

          • johnpoz, LAYER 8 Global Moderator

            @pitchfork said in Can access SSH via WAN but not HTTPS:

            the single IP ALLOW rule is relatively safe

            No, not really, unless you have it locked down to the source IP you're coming from.

            If you have vpn into pfsense, and you can ssh to the lan IP.. Then you can hit the gui.. Unless you messed with your openvpn rules.

            I can not tell what you have done or not done, since you have not posted any actual details of any of it.

            • pitchfork @johnpoz

              @johnpoz said in Can access SSH via WAN but not HTTPS:

              @pitchfork said in Can access SSH via WAN but not HTTPS:

              the single IP ALLOW rule is relatively safe

              No, not really, unless you have it locked down to the source IP you're coming from.

              If you have vpn into pfsense, and you can ssh to the lan IP.. Then you can hit the gui.. Unless you messed with your openvpn rules.

              I can not tell what you have done or not done, since you have not posted any actual details of any of it.

              The single IP is the source IP I am coming from. VPN works fine.

              The rule is the same for SSH and HTTPS, both ports under the same alias. Both require TCP and are restricted to IPv4. I am not sure what other detail could be needed, given that the rule is correct, since it works for SSH.

              thanks

              • Gertjan

                Is there an upstream router (to be setup also) ?

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                • johnpoz, LAYER 8 Global Moderator

                  @pitchfork said in Can access SSH via WAN but not HTTPS:

                  I am not sure what other detail could be needed

                  An actual picture is worth 10,000 words.. One thing I can say for sure: users always say X is correct, but the problem is they didn't actually do X, they did Y, etc. etc.

                  If you have a single rule on pfsense wan that allows both ssh and https to your wan IP from your source, and ssh works. Then maybe https is not getting there to pfsense wan - simple sniff would show that.

                  Maybe your port is wrong for https, maybe you have it listening on 8443 for example.. Maybe you have rule above that blocks https? Maybe your alias is not actually correct?

                  • pitchfork @Gertjan

                    @Gertjan nope, WAN has a public IP (box is at a DC)

                    • pitchfork

                      There was an auto rule created by NAT that redirected 443. That rule was below the pfSense Management Access rule, and I forgot that NAT rules are evaluated first.

                      I changed the pfsense port and it worked.

                      Thank you!

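The cause found in the last post, a port forward claiming 443 before the WAN allow rule is consulted, can be checked for directly. The following is an added example, not part of any poster's message and not Netgate's code: a shell function that reads `pfctl -sn` output and lists the management ports captured by `rdr` rules. The rule lines and addresses are constructed, and the function name and the assumed rule text format (`port = https`, `port 8000:8010`) are this example's own.

```shell
#!/bin/sh
# Added example: list management ports that a port-forward (rdr) rule captures.
# On the firewall: pfctl -sn | shadowed_mgmt_ports "22 443"

shadowed_mgmt_ports() {
    awk -v ports="$1" '
    BEGIN {
        n = split(ports, want, " ")
        # pfctl prints well-known ports by service name
        svc["ssh"] = 22; svc["http"] = 80; svc["https"] = 443
    }
    function num(p) { return (p in svc) ? svc[p] : p + 0 }
    $1 == "rdr" {
        lo = hi = -1; target = ""; seen_to = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "to") seen_to = 1
            if ($i == "->") target = $(i + 1)
            # the destination port sits between "to" and "->"
            if ($i == "port" && seen_to && target == "" && lo < 0) {
                if ($(i + 1) == "=") { lo = hi = num($(i + 2)) }
                else if (split($(i + 1), r, ":") == 2) { lo = num(r[1]); hi = num(r[2]) }
            }
        }
        if (lo < 0) next    # rule names no destination port; not handled here
        for (k = 1; k <= n; k++)
            if (want[k] + 0 >= lo && want[k] + 0 <= hi)
                print want[k] " -> " target
    }'
}

# Constructed sample (documentation addresses), not taken from the thread.
sample_rules() {
    cat <<'EOF'
rdr on igb0 inet proto tcp from any to 198.51.100.10 port = https -> 10.0.0.20
rdr on igb0 inet proto tcp from any to 198.51.100.10 port 8000:8010 -> 10.0.0.30
rdr on igb1 inet proto tcp from any to ! (igb1) port = http -> 127.0.0.1 port 8081
EOF
}

sample_rules | shadowed_mgmt_ports "22 443"    # prints: 443 -> 10.0.0.20
```

A hit for the GUI port means the forward takes that traffic regardless of where the allow rule sits in the WAN rule list; SSH on 22 produces no hit here, which matches the symptom in the thread.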