Netgate Discussion Forum

How to enable ssh and remote web UI access from the console?

  • R
    rcfa
    last edited by Mar 23, 2022, 3:34 PM

    I may be forced to walk a novice through re-installing pfSense onto a system at a remote location.

    Once the basic installation is through, and the WAN interface configured, is there a way to configure from the console the opening up of ssh and web interface on the WAN, such that I can take over and do the rest of the configuration from afar?

    I'm obviously familiar with how to enable it from the web interface, but that won't be an option, because I won't be able to access the pfSense unit from the LAN port, and LAN access won't be easily possible as it relies on VLANs, etc. so the hoops one needs to jump through are too complicated for a phone walk through.

    • C
      chrcoluk @rcfa
      last edited by chrcoluk Mar 23, 2022, 3:58 PM Mar 23, 2022, 3:57 PM

      @rcfa I am not aware of a way to do it via supported methods.

      The firewall rules are at /tmp/rules.debug. So could modify and load them in with pfctl, of course this will be temporary until 'any' change affecting the firewall causes pfSense to recreate the file.

      The ssh and web server may also need reconfiguring, as I am not sure if poking a hole in the firewall is enough.

      I do have remote instances of pfSense and did not have to do this, I just cannot remember what procedure I followed.

      There is this documentation but it's all via the GUI.

      https://docs.netgate.com/pfsense/en/latest/recipes/remote-firewall-administration.html

      pfSense CE 2.7.2

      • R
        rcfa @chrcoluk
        last edited by Mar 23, 2022, 4:21 PM

        @chrcoluk Thanks, through the web UI is easy, but the web UI won't be accessible without temporarily reconfiguring some computer on the LAN, hooking it up directly to the pfSense unit (because the switch is configured for VLANs), etc. all of which is beyond talking a novice through over the phone.

        That's why I need a way to reconfigure from the Console CLI at least sufficiently enough to either get the web UI going, or to ssh in and be able to upload somehow a backed up configuration.

        I wish, when re-installing, there were an option that opens the system to the WAN by default, exactly for such cases.
        Getting someone to plug in a USB stick and get the system to boot is one thing, getting them to configure a pfSense unit, is an entirely different matter. So there should be a way to enable this from the console either during or post installation.

        If anyone knows how to do it, that would be gold right about now...

        • C
          chrcoluk @rcfa
          last edited by chrcoluk Mar 23, 2022, 4:27 PM Mar 23, 2022, 4:27 PM

          @rcfa Try the pf rules I suggested.

          rules are stored at /tmp/rules.debug, then pfctl -f /tmp/rules.debug to load them in.

          If that gets you in, make sure the first thing you do is add a rule that gives you WAN access, preferably locked to a static source IP or VPN.

          pfSense CE 2.7.2

          • A
            AndyRH @rcfa
            last edited by Mar 23, 2022, 4:31 PM

            @rcfa Perhaps you could locally configure a system with the rules you need then send the backup to the remote site and restore the pieces of the config you need. Should be easy enough to walk someone through a partial restore.

            o||||o
            7100-1u

            • J jimp moved this topic from Problems Installing or Upgrading pfSense Software on Mar 24, 2022, 12:39 PM
            • S
              stephenw10 Netgate Administrator
              last edited by Mar 24, 2022, 12:57 PM

              You can just use the easyrule command to add WAN rules from your source IP.
              https://docs.netgate.com/pfsense/en/latest/firewall/easyrule.html#easyrule-in-the-shell

              Steve

              • G
                Gertjan @rcfa
                last edited by Gertjan Mar 24, 2022, 1:58 PM Mar 24, 2022, 1:56 PM

                @rcfa

                How to enable ssh and remote web UI access from the console?

                I saw that, and was ready to ...... wait :

                @rcfa said in How to enable ssh and remote web UI access from the console?:

                I may be forced to walk a novice through re-installing pfSense onto a system at a remote location.

                Ok, I understand your question 😊

                If you manage to have pfSense installed on the system "by voice, over the phone", you gaining access is just one step :


                Have this rule added to the WAN firewall rule set :

                Normally, when installed, there are no rules on the WAN interface.
                Normally, when installed, the GUI port is TCP "80" - not https (443).
                It might be wise not to use an existing config.xml file.

                As soon as pfSense connects to the WAN and Internet, ask what the WAN IP is. If it's an RFC1918, bad luck, you have to add a NAT rule in the upstream (ISP) router.

                As soon as you have access to the GUI, you can :
                Open SSH on WAN.
                Or better : create an OpenVPN road warrior access. As soon as this one works, remove the GUI http WAN firewall rule (keep the OpenVPN rule).

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                • R
                  rcfa @stephenw10
                  last edited by rcfa Mar 25, 2022, 11:16 PM Mar 25, 2022, 11:03 PM

                  @stephenw10 Just one more question, which I can't seem to find answered: what sort of wildcards does easyrule accept?
                  e.g.

                  easyrule pass wan any any any any
                  

                  because I don't mind opening up the system completely, since it's only going for the time until the configuration backup is uploaded, so the chance of someone hacking the system in those 90 seconds is pretty low.

                  • B
                    bingo600
                    last edited by Mar 26, 2022, 7:45 AM

                    If it's a reinstall , and you have the "old config.xml"
                    You could just put it on a fat32 usb stick , insert it , and reboot ....

                    The only reason I'm not using that, is that I have to give the config.xml in cleartext to the remote person. And I'm reluctant to do that.

                    I tried to suggest some kind of simple way to save the config "encrypted/scrambled" with i.e. the pfSense Netgate ID. Then the "box" could autodecrypt the config. And the config was not in total cleartext.

                    But my redmine "improvement suggestion" was rejected.

                    But if you trust the remote person , that could be a way to restore the "old config" wo. any remote interaction.

                    /Bingo

                    If you find my answer useful - Please give the post a 👍 - "thumbs up"

                    pfSense+ 23.05.1 (ZFS)

                    QOTOM-Q355G4 Quad Lan.
                    CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                    LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

                    • R
                      rcfa @rcfa
                      last edited by Mar 26, 2022, 8:57 PM

                      @rcfa said in How to enable ssh and remote web UI access from the console?:

                      @stephenw10 Just one more question, which I can't seem to find answered: what sort of wildcards does easyrule accept?
                      e.g.

                      easyrule pass wan any any any any
                      

                      because I don't mind opening up the system completely, since it's only going for the time until the configuration backup is uploaded, so the chance of someone hacking the system in those 90 seconds is pretty low.

                      OK, I tested it somewhere:
                      the "any" wildcards work.

                      Might be nice to mention that in the documentation...

                      1 Reply Last reply Reply Quote 0
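
An added example, not code from any poster or from Netgate: a POSIX shell helper that prints easyrule commands limited to a single admin source address, the scoped alternative to the all-`any` rule discussed in the thread. The address 203.0.113.10 and ports 22 and 443 are constructed sample values, the function names are hypothetical, and the argument order is assumed from the easyrule shell documentation linked earlier in the thread.

```shell
#!/bin/sh
# Added example: print source-restricted easyrule commands for review before
# they are typed at the pfSense console. Assumed argument order:
#   easyrule pass <interface> <protocol> <source> <destination> [port]

# Return 0 only for one dotted-quad IPv4 address (no CIDR, no "any").
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print one easyrule command per TCP port, or fail without printing anything.
# $1 = admin source IP, $2 = destination (WAN address, or "any", which the
# thread reports easyrule accepts), remaining args = TCP ports to open.
wan_admin_rules() {
    [ "$#" -ge 3 ] || { echo "usage: wan_admin_rules SRC DST PORT..." >&2; return 2; }
    src=$1; dst=$2; shift 2
    is_ipv4 "$src" || { echo "source must be one IPv4 address, not '$src'" >&2; return 1; }
    [ "$dst" = any ] || is_ipv4 "$dst" || { echo "bad destination '$dst'" >&2; return 1; }
    for port in "$@"; do           # validate every port before emitting any rule
        case "$port" in ''|*[!0-9]*) echo "bad port '$port'" >&2; return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port '$port'" >&2; return 1; }
    done
    for port in "$@"; do
        echo "easyrule pass wan tcp $src $dst $port"
    done
}

# Constructed sample: SSH and an HTTPS GUI port from one documentation-range address.
wan_admin_rules 203.0.113.10 any 22 443
```

The helper only prints the commands, so they can be checked and then read out to the person at the console; pass whichever GUI port the install actually uses.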
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.