Netgate Discussion Forum
    Problem with multi WAN and pfsense web configurator

    Routing and Multi WAN
    • Aadrem

      Hello to everyone, I am writing here because of a strange problem with pfsense. I have two different internet connections:

      1. With only one static IP;
      2. With a static IP on one port and a pool of 5 IPs on the other.

      I have configured 3 different WANs:

      • One for the first modem
      • Two for the second modem

      I have set both modems with a DMZ in order not to manage the traffic there; in fact I want to manage everything with pfsense.

      For each WAN I have a different gateway, and my default gateway is related to the first connection (1 IP only).

      Every time I try to reach one of the IPs of the second modem, I arrive at the pfsense webconfigurator login page. I have tried to configure some rules in the firewall section, but pfsense seems to ignore them.

      I have tried to change the pfsense webconfigurator door, but if I add the port number to my static IPs, I still arrive at the web configurator. I have tried lots of configurations, but I cannot understand what is wrong with them.

      Please, is there anyone that has any ideas about this?

      • SteveITS @Aadrem

        @aadrem It sounds like you are trying to browse to one of the WAN IPs and seeing pfSense. Are you on the LAN or connecting over the Internet? If you are on the LAN you can use split DNS, or NAT reflection.

        (if you are connecting over the Internet, highly suggest not allowing connections to the pfSense web interface so you don't get hacked)

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        • Aadrem @SteveITS

          @steveits I do not have problems with my LAN; in fact I am able to see and log in to pfsense. My problem is with the WANs: when I use my public IPs they always arrive at my pfsense page.

          I have tried to change the door, but if I use my public IP, e.g. XXX.XX.XX.XXX:1111, I still arrive at the pfsense page.

          I have tried to block the door in the firewall section, but it doesn't work.

          I am a little scared because it is extremely unsafe to have my pfsense page reachable by public IPs.

          • SteveITS @Aadrem

            @aadrem said in Problem with multi WAN and pfsense web configurator:

            if I use my public IP e.g. XXX.XX.XX.XXX:1111 I am still arriving to pf sense page

            OK but where are you when you do this?

            Is port 1111 a NAT forward to a device on LAN?


            • Aadrem @SteveITS

              @steveits I am in the advanced configuration of pfsense and I added "1111" as the TCP door.

              I did not configure any NAT forward for door 1111, and that is what I cannot understand.

              From my smartphone web browser, if I use the public IP of my first WAN I am not able to reach pfsense (that is good).

              If I use the public IPs of my second WAN I am able to reach pfsense (that is a big problem).

              • SteveITS @Aadrem

                @aadrem I am not sure what you mean by "door"... port 1111 is not normally in use by pfSense.

                Can you post your NAT rules? And firewall rules?

                By default WAN has no rules so all incoming connections are denied.

                If you are on LAN and browse to your own WANIP:443, you will connect to pfSense. This is because pfSense LAN has a default rule allowing from LAN to any. To block that, create a rule (above that one) on LAN to deny access from LAN_net to WANIP:443.


                • Aadrem @SteveITS

                  @steveits door1111.png I am sorry, I wanted to say TCP port. I have changed the standard 443 and 80 to 1111 in System / Advanced / Admin Access so as to make it more difficult for external users to connect to my network.

                  Here I show you what is happening: Public IP access.png.

                  An external user with my public IP using the correct port is able to have access to my login page.
                  This happens only with the secondary WANs.

                  If an external user tries to use my first static public IP and port, he is unable to access my pfsense login page, but if he uses the IPs of my second WAN he is able to... that is what I cannot understand.

                  Here are the NAT rules and firewall rules: wan multi ips.png Nat rules.png lan rules.png firewall rules WAN.png

                  I am sorry if I use incorrect words, I was using pfsense in a language different than English.

                  • SteveITS @Aadrem

                    @aadrem said in Problem with multi WAN and pfsense web configurator:

                    changed the standard 443 and 80 to 1111 in System / Advanced/ Admin access

                    Ah, I understand now.

                    Do you have any Floating rules?

                    And to be clear when you say you are using your phone, the phone is not on a Wi-Fi connection? You're using cellular data?


                    • Aadrem @SteveITS

                      @steveits Yes, I use my phone with cellular data and no, at the moment I do not have any Floating rule.

                      • SteveITS @Aadrem

                        @aadrem The "second WAN" is WAN_MULTI_IP? That shouldn't even need a block rule for :1111 because the default is to deny access. That block rule has 0/0B indicating it has not been used.

                        WAN_SOLO_IP and WAN_ILIAD are two other IPs?

                        It seems like you're not connecting on WAN_MULTI_IP like you think, which doesn't make a lot of sense. I would be tempted to unplug WAN_MULTI_IP and see if you can still connect to that IP.


                        • Aadrem @SteveITS

                          @steveits

                          Just a moment, I will explain exactly what is happening.
                          I have 3 modems:

                          1. The first is “WAN”, which has only one static public IP address;
                          2. The second has an ethernet port with “WAN_SOLO_IP”, which is a connection with only one static public IP address, and it has also another ethernet port with a pool of public static IP addresses, “WAN_MULTI_IP”;
                          3. The third modem, “WAN_ILIAD”, is a modem that works with a SIM card and serves as failover connection.

                          In my pfsense machine I have 5 ethernet ports:

                          • One for the first modem;
                          • Two for the second modem;
                          • One for the third modem;
                          • One for my switch (LAN connection).

                          The first and the third modem work perfectly; I am able to configure rules and let my web server go online without any problem.

                          My failover connection also works perfectly when the primary connection dies.

                          My only problem is with the second modem.
                          In order to manage the pool of IP addresses, I have created Virtual IP addresses in the Firewall section so as to manage each one of them.

                          The problem is that using a web browser with an external connection, e.g. with a mobile phone and its data connection, using one of the IP addresses of my second modem (the IP address of my WAN_SOLO_IP, or the Virtual IP addresses of my WAN_MULTI_IP) I am able to reach my pfsense page.
                          Obviously, it happens also if I try to reach these IP addresses from my WAN.

                          It looks like I use only my WAN (first modem connection) to go online, and this could be good; my purpose is to create a relation between my IP addresses and my Virtual Machines (Web Servers).

                          I hope that the problem I have found is now clearer.

                          If I unplug my WAN_MULTI_IP the problem disappears, but I also lose the possibility of using these IP addresses to reach my VM Web Servers.

                          • SteveITS @Aadrem

                            If there are no floating rules, and no rule on WAN_MULTI_IP allowing access on port 1111, then by default the only network that can access one of those IPs should be LAN Net, due to the "allow LAN to any" rule.

                            You can display all rules in their raw form from the console or Diagnostics > Command in the Shell Execute box by running:

                            pfctl -f /tmp/rules.debug

                            (from https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html )


                            • Aadrem @SteveITS

                              @steveits I totally agree with you. I have checked the file rules.debug after having used the command pfctl -f /tmp/rules.debug, but there is not anything strange in it.

                              I cannot understand why this problem happens, because there are no rules that allow access to my pfsense page from the public IP addresses.

                              Do you have any ideas? Do you think it could be good to reinstall pfsense and configure it again?

                              • SteveITS @Aadrem

                                @aadrem said in Problem with multi WAN and pfsense web configurator:

                                reinstall pfsense and configure it again

                                You can always download a backup of the config, reset to "factory defaults" and try again, and restore from backup if you run into issues.


                                • Aadrem @SteveITS

                                  @steveits I do not know what exactly I did, but now something different and strange is happening.

                                  If I use any device connected to the internet (directly connected to the modem, or using a different connection), I am not able to visualise the pfsense page.

                                  If I try the same from a PC connected to pfsense, I am able to visualize the pfsense page.

                                  What I cannot understand is that I am putting my public IP addresses in my web browser, and I cannot understand why from a PC connected to pfsense I am able to reach it and from other PCs (e.g. connected to one of my modems, bypassing pfsense) I am not able to.

                                  Do you have any ideas?

                                  • heper @Aadrem

                                    @aadrem this is normal & expected behaviour

                                    • SteveITS @Aadrem

                                      @aadrem said in Problem with multi WAN and pfsense web configurator:

                                      I cannot understand why from PC connected to PFsense I am able to reach it

                                      What @heper said. As I mentioned above, "by default the only network that can access one of those IPs should be LAN Net, due to the "allow LAN to any" rule." You can always create rules on LAN like:

                                      allow to (this firewall) from management_PC_IP
                                      block to (this firewall)


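The behaviour SteveITS describes across the thread (a WAN interface with no rules falls to the default deny, while the stock "allow LAN net to any" rule lets any LAN host reach the firewall's own addresses on the moved GUI port, and a block rule placed above it, or the allow-management-PC / block-"This Firewall" pair, changes that) can be checked with the small first-match model below. This is an added example, not pfSense code and not from anyone in the thread; the addresses are constructed placeholders, and the model deliberately leaves out the LAN anti-lockout rule.

```python
from ipaddress import IPv4Network, ip_address, ip_network
# Constructed placeholder addresses (RFC 5737 documentation ranges), not the poster's real IPs.
LAN_NET = ip_network("192.168.1.0/24")
LAN_GW = ip_address("192.168.1.1")            # pfSense's own LAN address
MGMT_PC = ip_address("192.168.1.10")          # the one LAN host allowed to manage pfSense
OTHER_PC = ip_address("192.168.1.50")         # any other LAN host
CELLULAR = ip_address("203.0.113.7")          # the phone on mobile data
WAN_MULTI_IP = ip_address("198.51.100.20")    # a Virtual IP on the WAN_MULTI_IP interface
GUI_PORT = 1111                               # webConfigurator port moved from 443
THIS_FIREWALL = {LAN_GW, WAN_MULTI_IP}        # pfSense's "This Firewall": all its own addresses

def _in(selector, value):
    """'any' matches everything; otherwise a network, a set of hosts, or one value."""
    if selector == "any":
        return True
    if isinstance(selector, (IPv4Network, set)):
        return value in selector
    return value == selector

def rule(action, iface, src, dst, dport="any"):
    return {"action": action, "iface": iface, "src": src, "dst": dst, "dport": dport}

def evaluate(rules, iface, src, dst, dport):
    """pfSense semantics: rules apply on the ingress interface, the first match wins,
    and traffic that matches no rule hits the implicit default deny."""
    for r in rules:
        if r["iface"] == iface and all(_in(r[k], v) for k, v in zip(("src", "dst", "dport"), (src, dst, dport))):
            return r["action"]
    return "block"

# Stock ruleset: WAN_MULTI_IP has no rules at all; LAN has only "allow LAN net to any".
# (The LAN anti-lockout rule, which additionally keeps LAN_GW reachable, is left out here.)
DEFAULT = [rule("pass", "LAN", LAN_NET, "any")]
# First suggestion in the thread: block LAN net to the WAN IP on the GUI port, above the allow.
BLOCK_WANIP = [rule("block", "LAN", LAN_NET, WAN_MULTI_IP, GUI_PORT)] + DEFAULT
# Last suggestion in the thread: allow one management PC to "This Firewall", block everyone else.
MGMT_ONLY = [rule("pass", "LAN", MGMT_PC, THIS_FIREWALL), rule("block", "LAN", "any", THIS_FIREWALL)] + DEFAULT

def gui_from_internet(rules=DEFAULT):
    """The phone on cellular data arrives on WAN_MULTI_IP, which has no rules."""
    return evaluate(rules, "WAN_MULTI_IP", CELLULAR, WAN_MULTI_IP, GUI_PORT)

def gui_from_lan(host, rules, target=WAN_MULTI_IP):
    """A LAN host browsing to one of the firewall's own addresses on the GUI port."""
    return evaluate(rules, "LAN", host, target, GUI_PORT)

if __name__ == "__main__":
    print("cellular -> WAN_MULTI_IP:1111:", gui_from_internet())                        # block
    print("LAN PC -> WAN_MULTI_IP:1111, stock rules:", gui_from_lan(OTHER_PC, DEFAULT))  # pass
```

Note that the narrow block rule only covers the one WAN address it names, so the same LAN host still reaches LAN_GW:1111 under BLOCK_WANIP, whereas the "This Firewall" pair covers every address pfSense holds; on a real box the anti-lockout rule (System > Advanced > Admin Access) also keeps the LAN address reachable on the GUI port until it is disabled.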
                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.