Help with WebGUI access on interface other than LAN

fearnight · Mar 28, 2021, 7:13 PM

WebGUI access works perfectly fine when connected on LAN.

I'm wanting a setup where no devices stay connected to LAN during normal use, and will only be connected through the OPT1-4 ports with the bare minimums allowed to pass the firewall rules.

I'm having trouble getting the OPT1 interface to be able to access the WebGUI. The WebGUI is running at 192.168.10.1:44350, the device I'm testing with is on OPT1 at 192.168.20.10.

Rules can be seen in the screenshot below. I've spent way too many hours trying to get this to work. All the tutorials I've seen, seems like these rules should work. The first rule can be seen passing via the logs. Trying to ping 192.168.10.1 (LAN) from 192.168.20.10 (OPT1 - PORTPRIVATE) results in a timeout.

Even though the rule passes, the GUI will still time out.

Hopefully this is enough information, let me know if you need more. Thanks.

johnpoz · Mar 28, 2021, 7:19 PM

Well a bit off topic, but your rule there to allow access to own subnet is pretty pointless. Pfsense has nothing to do with access to devices talking to each other on their own network.

What seems odd, while I see your firewall logs showing rule was allowed. How come the rule shows no hits.. that 0/0 shows not hits to the rule.

Are you doing something odd in outbound nats?

Are you doing anything with ips or proxy?

fearnight · Mar 28, 2021, 7:27 PM

@johnpoz I had been clearing the state tables trying to see if that changed anything. Must have happened between taking the screenshots. I just tried again and here is the state table on the Web GUI rule.

The "Own Subnet" rule was needed because my last rule would block any destination in any private subnet. It's a rule just for internet access only.

I have not changed anything in the NAT rules from the defaults. I was going to looking into that next.

johnpoz · Mar 28, 2021, 7:29 PM

@fearnight said in Help with WebGUI access on interface other than LAN:

The "Own Subnet" rule was needed because my last rule would block any destination in any private subnet.

No it wouldn't - again pfsense has ZERO to do with device on say 192.168.20/24 talking to another device on 192.168.20/24

Maybe you were seeing broadcast traffic that would be blocked? Because pfsense saw it, but it wouldn't be blocked to other devices on the network.

Well you can see syn sent, but nothing gotten back.. So 192.168.10.1 is pfsense lan IP? And again your not doing anything odd in outbound nats, your not trying to send traffic out some vpn via say a floating rule?

fearnight · Mar 28, 2021, 7:31 PM

@johnpoz

Yes, 192.168.10.1 is the LAN IP

Here are the outbound NAT rules

No floating rules or VPN set up yet.

johnpoz · Mar 28, 2021, 8:54 PM

Well than only leaves gui not listening on the port you think then...

Out of the box gui is working on all IPs..

Do you maybe have concurrent set to 1, see where I have a 2

You an see mine listening on the port I have set

[21.02-RELEASE][admin@sg4860.local.lan]/var/dhcpd/var/db: netstat -anL | grep .8443
tcp6  0/0/128                          *.8443                 
tcp4  0/0/128                          *.8443                 
[21.02-RELEASE][admin@sg4860.local.lan]/var/dhcpd/var/db:

And I can access it just fine fro one of my vlans. Here is me hitting it from my phone.

You can view the state

Since you show syn sent, but no answer.. dest didn't see the traffic or not listening on that port, etc.

fearnight · Mar 28, 2021, 9:36 PM

@johnpoz

Thanks. It must be something up with the PC on 192.168.20.

I just added the same rule to my 192.168.30 network, where my phone is at, and I can pull up the GUI fine on my phone.

Gertjan · Mar 29, 2021, 6:04 AM

@fearnight said in Help with WebGUI access on interface other than LAN:

It must be something up with the PC on 192.168.20.

DHCP ?
Or static settings with wrong gateway info ?

johnpoz · Mar 29, 2021, 10:55 AM

He was showing a state..

I would sniff the traffic.. But something odd going on if you sure your on the right port, etc.

Wrong mask maybe on the lan side? But from his outbound nat statements sure looks like just /24s

fearnight · Mar 29, 2021, 12:28 PM

I was up late last night trying everything to get this to work. Here is the latest:

I enabled the same LAN access rule to my 30 network (named PORTMAIN - OPT2 interface).

First testing with mobile device - PORTMAIN interface DHCP assigns Mobile device with an IP of 192.168.30.100. In the mobile browser I navigate to https://192.168.10.1:44350 -> pfSense Web GUI login displays fine. This confirms the firewall rule passed, the 30 network can communicate with the 10 network, the Web GUI port is correct, etc.

Then, I swapped my PC over to my 192.168.30 network by plugging in through this same router in AP mode that the mobile is on. Let's just call it W10PC (it's a Windows 10 PC).

PORTMAIN interface DHCP assigns an IP of 192.168.30.101 to W10PC. Internet access works on W10PC and I can ping other devices on 192.168.30 as expected.

Attempting to ping 192.168.10.1 - Request timed out. Navigating to same URL in browser as I did on mobile -> https://192.168.10.1:44350, timeout in browser. I have concurrent sessions set to 5 for testing as well. These are the exact same results as before when W10PC was plugged into the firewall on the OPT1 192.168.20 interface.

On W10PC, I've tried /release /renew /flushdns, completely rebooting the machine, etc. Software firewalls and antivirus completely disabled. No VPN connections turned on. Tried completely resetting firewall state tables. Rebooting pfSense firewall. Same results.

When W10PC is plugged into the LAN connection directly on my firewall, and assigned an IP on the 10 subnet, pinging 192.168.10.1 works fine, and the WebGUI works fine.

Are there any rules, blocks, or things to check in Windows 10 that would prevent connections to a separate private subnet? Anything else I can check? It seems at this point I can rule out the firewall blocking it, since the mobile device has no issue seeing the GUI on the 30 subnet.

johnpoz · Mar 29, 2021, 1:03 PM

so you can not even ping 192.168.10.1?

What about pfsense IP on 192.168.30.1 I take it? when its in the 20 network?

Set your rules to allow for that of course.

The other thing - which have seen before, are you using any vips, say for example pfblocker can setup a vip.

When using vip and that ! (negate/inverse) rule you have on the end.. There has been some weirdness. For testing.. Remove that !Private_ipv4s rule.. Change it to any.. And if you don't want to allow access to your other networks. Use an actual deny rule.. Say for example like this.

But for just pure testing.. Maybe just change to any any rule.. Until figure out what is going on with this pc and pinging/gui access..

Also what version of pfsense are you running?

Windows 10 that would prevent connections to a separate private subnet?

Yeah sure there are, the firewall of windows. But if that was the case you would never see the state created.

fearnight · Mar 29, 2021, 1:18 PM

@johnpoz

Any -> Any rule for testing

Showing local address at 192.168.20.10

192.168.20.1 ping success
192.168.30.1 ping success
192.168.10.1 ping timeout

pfSense version is 2.5.0-RELEASE

johnpoz · Mar 29, 2021, 1:36 PM

Very odd.. WTF??? Hmmmmmm

edit: And you have not floating rules - right.. Very strange for sure..

And the 30 network it works fine... Scratching my head to be honest...

Can you sniff the 20 interface, while you do this ping test to 10.1, what about pinging something else on the lan, that works like 10.X??

fearnight · Mar 29, 2021, 3:34 PM

Hope you are sitting down for this one because it gets even more odd. It also appears the problem has resolved itself.

I plugged in my laptop to the LAN interface to test a ping to a different device on the LAN like you said. So now W10PC is sitting on 192.168.20.10, laptop is 192.168.10.100. Magically, with my laptop connected, W10PC has no problems pinging the laptop, 192.168.10.1, or accessing the Web GUI from the 20 subnet. It's all working now.

My first guess was that the LAN link needed to be "up" with a device plugged in. So I unplugged the laptop. Ping to 192.168.10.1 still works. Cleared the state tables to force connection to be reestablished. Still works. Rebooted both W10PC and the firewall completely. Still works. Set my rules back to what they were before Any -> Any test. Still works.

So somehow the simple act of plugging a different device into LAN completely cleared up the problem. W10PC was the first and only device to be plugged in LAN since setup until now. Could be a bug? Can't explain it.

johnpoz · Mar 29, 2021, 5:11 PM

But I thought you accessed the gui from 30 network when it wasn't working from 20?

Yeah that is odd as shit - problem is, even is some sort of odd bug. If you can not replicate the problem it would be almost impossible to track down what could be the cause.

I would say it might have been something odd with your test pc, but you saw the state being created.. So it was sending data to the gateway.

At least its sorted.. But yeah weird shit!

fearnight · Mar 29, 2021, 5:27 PM

I was able to access the GUI from the 30 network only on my mobile phone. With the W10PC connected to the 30 network, it experienced the same timeout symptoms as on 20. This is the first time the W10PC has been able to access the GUI from anything other than the LAN 10 network and plugged directly in the physical LAN port.

Thanks for the help and giving me things to check. Hopefully it will work from now on. If the problem comes back, I'll try to replicate the issue, and report back the root cause if possible.