Help with WebGUI access on interface other than LAN
-
Well a bit off topic, but your rule there to allow access to own subnet is pretty pointless. Pfsense has nothing to do with access to devices talking to each other on their own network.
What seems odd: while I see your firewall logs showing the rule was allowed, how come the rule shows no hits? That 0/0 shows no hits to the rule.
Are you doing something odd in outbound nats?
Are you doing anything with ips or proxy?
-
@johnpoz I had been clearing the state tables trying to see if that changed anything. Must have happened between taking the screenshots. I just tried again and here is the state table on the Web GUI rule.
The "Own Subnet" rule was needed because my last rule would block any destination in any private subnet. It's a rule just for internet access only.
I have not changed anything in the NAT rules from the defaults. I was going to look into that next.
-
@fearnight said in Help with WebGUI access on interface other than LAN:
The "Own Subnet" rule was needed because my last rule would block any destination in any private subnet.
No it wouldn't - again pfsense has ZERO to do with a device on say 192.168.20/24 talking to another device on 192.168.20/24
Maybe you were seeing broadcast traffic that would be blocked? Because pfsense saw it, but it wouldn't be blocked to other devices on the network.
Well you can see syn sent, but nothing gotten back.. So 192.168.10.1 is pfsense lan IP? And again you're not doing anything odd in outbound nats, you're not trying to send traffic out some vpn via say a floating rule?
-
Yes, 192.168.10.1 is the LAN IP
Here are the outbound NAT rules
No floating rules or VPN set up yet.
-
Well, that only leaves the gui not listening on the port you think, then...
Out of the box gui is working on all IPs..
Do you maybe have concurrent set to 1? See where I have a 2.
You can see mine listening on the port I have set
[21.02-RELEASE][admin@sg4860.local.lan]/var/dhcpd/var/db: netstat -anL | grep .8443
tcp6 0/0/128 *.8443
tcp4 0/0/128 *.8443
[21.02-RELEASE][admin@sg4860.local.lan]/var/dhcpd/var/db:
And I can access it just fine from one of my vlans. Here is me hitting it from my phone.
You can view the state
Since you show syn sent, but no answer.. dest didn't see the traffic or not listening on that port, etc.
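Two checks from the reply above are easy to script so they give a plain yes/no instead of a screenshot: whether the GUI port is actually bound on the wildcard address (the `netstat -anL` output quoted above), and what the pf state for that port says (a SYN sent with nothing coming back means the box behind the port either never saw the SYN or is not listening). The script below is an added example, not code posted by anyone in this thread; it reads its input from stdin so that on the firewall it would be fed by `netstat -anL` and `pfctl -ss`, and the sample lines embedded here are constructed to look like that output (the interface names, addresses and state pairs are assumptions, not taken from the poster's setup).

```shell
#!/bin/sh
# Added example, not from the thread. Two small diagnostics:
#   1. port_listeners / listens_on_all: is the GUI port bound on "*" (all addresses)?
#   2. gui_state_summary: what does each pf state touching the GUI port say?
# Both read stdin; on the firewall:  netstat -anL | port_listeners 8443
#                                   pfctl -ss    | gui_state_summary 44350

# Constructed sample shaped like the FreeBSD `netstat -anL` output quoted above.
SAMPLE_LISTENERS='tcp6 0/0/128 *.8443
tcp4 0/0/128 *.8443
tcp4 0/0/128 127.0.0.1.25
tcp4 0/0/128 192.168.10.1.22'

# port_listeners PORT: print "<proto> <local-address>" for every TCP listener on
# PORT. The local address is an IP or "*" followed by ".PORT", so the port is the
# last dot-separated field.
port_listeners() {
  awk -v p="$1" '$1 ~ /^tcp/ {
    n = split($3, f, ".")
    if (f[n] == p) print $1, $3
  }'
}

# listens_on_all PORT: succeed only if PORT is bound on "*" (every address).
# A listener bound to one address only (e.g. 127.0.0.1.PORT) does not count.
listens_on_all() {
  port_listeners "$1" | grep -q ' \*\.'
}

# Constructed sample shaped like `pfctl -ss` lines (interface, proto, address,
# direction arrow, address, state pair); values are assumptions for the demo.
SAMPLE_STATES='OPT1 tcp 192.168.20.10:51234 -> 192.168.10.1:44350       SYN_SENT:CLOSED
OPT2 tcp 192.168.30.100:40001 -> 192.168.10.1:44350       ESTABLISHED:ESTABLISHED
LAN tcp 192.168.10.1:44350 <- 192.168.10.100:55000       FIN_WAIT_2:FIN_WAIT_2'

# gui_state_summary PORT: for each TCP state involving PORT print
#   <client-address> <verdict>
# verdict is "no-reply" when one side is SYN_SENT and the other CLOSED (the
# handshake was never answered), "established" for a completed handshake, and
# the raw state pair otherwise. The client is whichever side is not on PORT,
# so both "->" (out) and "<-" (in) states are handled.
gui_state_summary() {
  awk -v p="$1" '$2 == "tcp" {
    pat = ":" p "$"
    if ($3 ~ pat) client = $5; else if ($5 ~ pat) client = $3; else next
    st = $NF
    if (st == "ESTABLISHED:ESTABLISHED") v = "established"
    else if (st ~ /SYN_SENT/ && st ~ /CLOSED/) v = "no-reply"
    else v = st
    print client, v
  }'
}

# Demo run over the constructed samples.
printf '%s\n' "$SAMPLE_LISTENERS" | port_listeners 8443
if printf '%s\n' "$SAMPLE_LISTENERS" | listens_on_all 8443; then
  echo "port 8443: bound on all addresses"
else
  echo "port 8443: not bound on *"
fi
printf '%s\n' "$SAMPLE_STATES" | gui_state_summary 44350
```

On the sample input the first listener check reports both the tcp4 and tcp6 wildcard bindings, and the state summary flags the 192.168.20.10 client as "no-reply" while the 192.168.30.100 client shows "established", which is exactly the contrast the thread is chasing: a "no-reply" state with a wildcard listener present points away from the GUI service and toward the path between client and firewall.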
-
Thanks. It must be something up with the PC on 192.168.20.
I just added the same rule to my 192.168.30 network, where my phone is at, and I can pull up the GUI fine on my phone.
-
@fearnight said in Help with WebGUI access on interface other than LAN:
It must be something up with the PC on 192.168.20.
DHCP ?
Or static settings with wrong gateway info?
-
He was showing a state..
I would sniff the traffic.. But something odd going on if you're sure you're on the right port, etc.
Wrong mask maybe on the lan side? But from his outbound nat statements sure looks like just /24s
-
I was up late last night trying everything to get this to work. Here is the latest:
I enabled the same LAN access rule to my 30 network (named PORTMAIN - OPT2 interface).
First testing with mobile device - PORTMAIN interface DHCP assigns Mobile device with an IP of 192.168.30.100. In the mobile browser I navigate to https://192.168.10.1:44350 -> pfSense Web GUI login displays fine. This confirms the firewall rule passed, the 30 network can communicate with the 10 network, the Web GUI port is correct, etc.
Then, I swapped my PC over to my 192.168.30 network by plugging in through this same router in AP mode that the mobile is on. Let's just call it W10PC (it's a Windows 10 PC).
PORTMAIN interface DHCP assigns an IP of 192.168.30.101 to W10PC. Internet access works on W10PC and I can ping other devices on 192.168.30 as expected.
Attempting to ping 192.168.10.1 - Request timed out. Navigating to same URL in browser as I did on mobile -> https://192.168.10.1:44350, timeout in browser. I have concurrent sessions set to 5 for testing as well. These are the exact same results as before when W10PC was plugged into the firewall on the OPT1 192.168.20 interface.
On W10PC, I've tried /release /renew /flushdns, completely rebooting the machine, etc. Software firewalls and antivirus completely disabled. No VPN connections turned on. Tried completely resetting firewall state tables. Rebooting pfSense firewall. Same results.
When W10PC is plugged into the LAN connection directly on my firewall, and assigned an IP on the 10 subnet, pinging 192.168.10.1 works fine, and the WebGUI works fine.
Are there any rules, blocks, or things to check in Windows 10 that would prevent connections to a separate private subnet? Anything else I can check? It seems at this point I can rule out the firewall blocking it, since the mobile device has no issue seeing the GUI on the 30 subnet.
-
So you can not even ping 192.168.10.1?
What about the pfsense IP on 192.168.30.1, I take it? When it's in the 20 network?
Set your rules to allow for that of course.
The other thing - which I have seen before - are you using any vips? Say for example pfblocker can set up a vip.
When using vip and that ! (negate/inverse) rule you have on the end.. There has been some weirdness. For testing.. Remove that !Private_ipv4s rule.. Change it to any.. And if you don't want to allow access to your other networks. Use an actual deny rule.. Say for example like this.
But for just pure testing.. Maybe just change to any any rule.. Until figure out what is going on with this pc and pinging/gui access..
Also what version of pfsense are you running?
Windows 10 that would prevent connections to a separate private subnet?
Yeah sure there are, the firewall of windows. But if that was the case you would never see the state created.
-
Any -> Any rule for testing
Showing local address at 192.168.20.10
192.168.20.1 ping success
192.168.30.1 ping success
192.168.10.1 ping timeout
pfSense version is 2.5.0-RELEASE
-
Very odd.. WTF??? Hmmmmmm
edit: And you have no floating rules - right.. Very strange for sure..
And the 30 network it works fine... Scratching my head to be honest...
Can you sniff the 20 interface, while you do this ping test to 10.1, what about pinging something else on the lan, that works like 10.X??
-
Hope you are sitting down for this one because it gets even more odd. It also appears the problem has resolved itself.
I plugged in my laptop to the LAN interface to test a ping to a different device on the LAN like you said. So now W10PC is sitting on 192.168.20.10, laptop is 192.168.10.100. Magically, with my laptop connected, W10PC has no problems pinging the laptop, 192.168.10.1, or accessing the Web GUI from the 20 subnet. It's all working now.
My first guess was that the LAN link needed to be "up" with a device plugged in. So I unplugged the laptop. Ping to 192.168.10.1 still works. Cleared the state tables to force connection to be reestablished. Still works. Rebooted both W10PC and the firewall completely. Still works. Set my rules back to what they were before Any -> Any test. Still works.
So somehow the simple act of plugging a different device into LAN completely cleared up the problem. W10PC was the first and only device to be plugged in LAN since setup until now. Could be a bug? Can't explain it.
-
But I thought you accessed the gui from 30 network when it wasn't working from 20?
Yeah that is odd as shit - problem is, even if it is some sort of odd bug, if you can not replicate the problem it would be almost impossible to track down what could be the cause.
I would say it might have been something odd with your test pc, but you saw the state being created.. So it was sending data to the gateway.
At least it's sorted.. But yeah weird shit!
-
I was able to access the GUI from the 30 network only on my mobile phone. With the W10PC connected to the 30 network, it experienced the same timeout symptoms as on 20. This is the first time the W10PC has been able to access the GUI from anything other than the LAN 10 network and plugged directly in the physical LAN port.
Thanks for the help and giving me things to check. Hopefully it will work from now on. If the problem comes back, I'll try to replicate the issue, and report back the root cause if possible.