Issue accessing GUI
-
Hi,
I am currently unable to access my pfSense box via the GUI.
The last modification I did was to change the NAT to manual outbound following NAT issues with VoIP (change of provider). That works now very well but no GUI access and no OpenVPN access either.
I restarted the box before and the GUI was then accessible, left and now I can't access it again.
Any suggestions?
Tks
Ben
-
@beno44 use a console cable ... option 15 ... restore recent config (before NAT change)
once you're back in, post screenshots of your NAT rules (before & after) so we can try to help.
-
Yup, rolling back the config is probably best there since setting manual NAT should not prevent you accessing it via a non-NATed connection. So something else is in play there.
Also see: https://docs.netgate.com/pfsense/en/latest/troubleshooting/locked-out.html
Steve
-
Thank you @stephenw10 & @luckman212
I took the box back to my office and for some reason I haven't lost connection. That's rather strange. Anyhow, I have enabled SSH so should be able to get access to it.
Attached is the NAT Outbound screenshot if you see anything odd.
Tks a lot for spending some time on this.
Ben
-
@beno44 Your main LAN->WAN outbound NAT rule (for the 192.168.65.0 net, the 3rd one up from the bottom) looks incorrect to me. It should not be set to static port.
Do you need to use Manual NAT mode? Unless you really have a good reason for that, I suggest sticking to Hybrid or Automatic mode.
-
Thank you @luckman212
I have a new VoIP provider and not having static port prevents the VoIP from working correctly. I read somewhere that this would fix the issue. Since having this rule phones are working perfectly fine, not so much the access for some reason. Any other suggestions?
-
@beno44 Yes- make a separate VLAN for your phones (ideally) and/or make your NAT rules more explicit to target only the traffic that actually NEEDS to have a static source port. That's likely just udp/5060. Your VoIP provider should have some documentation on what ports they use.
-
Yes, that's good advice. I would put outbound NAT in hybrid mode and add a single rule that catches the VoIP traffic with static source ports only. That could be by an alias of the VoIP devices as source for example.
Steve
-
@beno44 that rule you made has a few problems that I can see:
- it needs to be higher up, otherwise the rules above it will match first and it will have no effect
- I doubt if you want the source port to be set to 5060. Source ports are usually randomized, the dport should be enough unless your VoIP provider has a very odd setup
- source of "any" is probably wrong too. I would make it match the LAN subnet that your phones are sitting on
-
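A small model of the first-match ordering problem described in the post above, as an added example that is not part of the original thread. The rule sets, host addresses and helper names are constructed for illustration and are not the poster's actual configuration; only the 192.168.65.0/24 LAN and udp/5060 come from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class NatRule:
    desc: str
    proto: str                # "udp", "tcp" or "any"
    source: str               # source network in CIDR form
    dst_port: Optional[int]   # None matches any destination port
    static_port: bool         # True = keep the client's source port

@dataclass
class Flow:
    proto: str
    src_ip: str
    dst_port: int

def matches(rule: NatRule, flow: Flow) -> bool:
    return (rule.proto in ("any", flow.proto)
            and ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(rule.source)
            and rule.dst_port in (None, flow.dst_port))

def first_match(rules, flow):
    """Outbound NAT is evaluated top-down; the first matching rule wins."""
    return next((r for r in rules if matches(r, flow)), None)

def keeps_source_port(rules, flow) -> bool:
    rule = first_match(rules, flow)
    return rule is not None and rule.static_port

# Constructed rules; only 192.168.65.0/24 and udp/5060 come from the thread.
LAN = "192.168.65.0/24"
lan_default = NatRule("LAN to WAN", "any", LAN, None, static_port=False)
lan_static = NatRule("LAN to WAN, static port", "any", LAN, None, static_port=True)
voip = NatRule("VoIP SIP", "udp", LAN, 5060, static_port=True)

SIP = Flow("udp", "192.168.65.20", 5060)   # constructed phone address
WEB = Flow("tcp", "192.168.65.10", 443)    # constructed workstation address

if __name__ == "__main__":
    for name, rules in [("VoIP rule below LAN rule", [lan_default, voip]),
                        ("VoIP rule above LAN rule", [voip, lan_default]),
                        ("static port on whole LAN", [lan_static])]:
        print(name, "| SIP static:", keeps_source_port(rules, SIP),
              "| web static:", keeps_source_port(rules, WEB))
```

With the VoIP rule below the general LAN rule it is never reached, and with static port on the whole LAN rule every flow keeps its source port, not just SIP.
-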
@beno44 There wasn't much right...Tks again so much ;o)
-
@beno44 Looking much better!
-
Yup, that should work.
Personally I would use hybrid mode and allow pfSense to manage all the other rules.
In full manual mode you need to add rules yourself should you add another subnet anywhere and it's all too easy to forget that.
Steve
-
Hey, @stephenw10
Everything is now working fine, thank god for that.
Don't have any issue trying the hybrid outbound but not too sure how to go about it. When I select Hybrid the exact same rules as manual outbound are showing.
-
@beno44 That's normal. The nice thing with hybrid is, if you change your LAN from 192.168.65.0/24 to e.g. 172.18.30.0/24, the NAT rules will automatically update. In manual mode, you'd need to remember to change them yourself.
-
@beno44 said in Issue accessing GUI:
When I select Hybrid the exact same rules as manual outbound are showing.
No not really, all the rules would be in 1 rule.. Not all those individual rules..
To be honest doing full manual would require some very specific needs.. That I am actually having a hard time coming up with ;)
Hybrid is almost always the best method.
-
When you set outbound NAT mode to manual all the auto-added rules are created as manual rules to start with so you still have connectivity.
When you go to Hybrid mode those manual rules are not removed but the auto rules are also applied. You will see most are duplicated. You can remove all the manual rules except the VoIP rule you added as the auto rules now cover that.
Steve