Netgate Discussion Forum

    Trouble accessing pfSense Web Interface when WAN is down

    General pfSense Questions
    10 Posts 3 Posters 1.6k Views
    • M
      milindhvijay

      I've got two internet connections, and when both go down, I'm unable to access the pfSense web interface. Strangely, SSH also stops working. Even a reboot doesn't seem to resolve the issue.
      My network setup involves three VLANs - one for my main PC, another for servers, and the last one for Wi-Fi. Here's the kicker: the web GUI sometimes works, but only when I'm accessing it from my main PC VLAN.

      Any ideas or suggestions on how to troubleshoot and fix this would be greatly appreciated.

      • johnpozJ
        johnpoz LAYER 8 Global Moderator @milindhvijay

        @milindhvijay internet connection being up or not would have nothing to do with lan side access. Now the gui can be very sluggish if dns is not working..

        But ssh should have no sort of issue, can you ping pfsense IP?

        Do you have pfsense set to kill states when internet goes down? Do you have a gateway set up in your rules - where skipping rules could cause you not to have access.

        rules.jpg

        So on your lan what are your rules? Do you have any floating rules? By default the anti-lockout rule should allow you access to your gui and ssh no matter what.

        But generally speaking, your wan being down should not be causing access from lan to be hindered.. Now without dns (ie wan down) the gui can be very sluggish to respond - it likes to do its checks as it's loading..

        How are you trying to access? via some fqdn (dns being down could prevent this) or just IP?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • M
          milindhvijay @johnpoz

          @johnpoz

          Yes, I have set it to kill states for all gateways which are down.

          2097a0fc-58bc-4460-9b0f-ab066619bf18-image.png

          I do not have anything in Floating tab except for pfblockerNG and QoS. Both FQDN and IP wouldn't work.

          I have seen posts online with the same issue and the only workaround was meddling with fetching of EULA.

          • johnpozJ
            johnpoz LAYER 8 Global Moderator @milindhvijay

            @milindhvijay said in Trouble accessing pfSense Web Interface when WAN is down:

            meddling with fetching of EULA.

            What? Can you link to such a resource?

            You have it set to kill all states when gateways fail - so you would have to create a new state to connect to the gui after internet goes down, because all existing states would be killed.. Turn that off.. Or create a new session to connect after your internet goes down.

            Do you have a rule with a gateway in it on your lan side? Your setting there would not create a rule if the gateway is down.. Can you post up your lan side rules please.

            You're not running vlans on the physical interface are you - if the physical interface goes down, then any vlans on it would also be down

            Here didn't really want to shut down my real internet, but I killed my pfsense VM gateway access - see how it shows offline.. So to pfsense that internet connection is offline.. And ping never went away.. I started that ping before I shutdown the gateway, didn't lose a packet.

            offline1.jpg

            In a typical setup pfsense wan going down, or gateway offline has zero to do with lan side interfaces. So either you have rules that are going away, or you are killing states? And need to restart a connection from your client or your whole physical interface is showing down? And your vlans on that interface because it's actually down would not work..

            edit: here I turned off the wan in pfsense, and still have access to the gui, didn't lose a single ping to the lan IP.. ssh to it still works

            dead1.jpg

            ssh1.jpg

            • stephenw10S
              stephenw10 Netgate Administrator

              @johnpoz said in Trouble accessing pfSense Web Interface when WAN is down:

              What? Can you link to such a resource?

              There are some posts suggesting a host override for ews.netgate.com which means the check for updated license terms will time out immediately instead of potentially delaying loading the dashboard. But I don't recommend that. And in most cases it does nothing useful anyway.

              Steve

              • johnpozJ
                johnpoz LAYER 8 Global Moderator @stephenw10

                @stephenw10 said in Trouble accessing pfSense Web Interface when WAN is down:

                There are some posts suggesting a host override for ews.netgate.com

                So users without a clue suggesting borked shit to fix their lack of understanding ;) yeah very typical of "help" on the internet hahahah

                While that might remove the few seconds of delay dns not working and having to time out.. I concur it's not a good idea ;)

                • M
                  milindhvijay @johnpoz

                  @johnpoz I set kill states for gateways which are down because I previously had some issues with failovers.

                  I have 3 VLANs and I thought the Anti-Lockout rule on LAN would suffice for all other VLANs as well. Right now I added a new rule on wifi vlan and I can access GUI when both WANs are down (PON Loss)
                  d849f25d-4682-467e-8b5c-b607b4985b7b-Screenshot 2023-12-03 at 12.08.27 AM.png

                  @stephenw10 Thanks both of you.

                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator @milindhvijay

                    @milindhvijay still not understanding what the issue is exactly.. Your wan being down has nothing to do with vlans routing between each other.. Pfsense can route between devices connected to it whether the "wan" is there or not..

                    The lock out for lan is only for "lan" that would be a pretty shitty rule if set on the lan, and it allowed any network device on any network of pfsense to talk to the gui..

                    Wan being down should only be problematic if you had rules that had a gateway set in them.. Then pfsense can either not use that rule if the gateway is down, or create the rule without the gateway being used..

                    Did you have such rules - not exactly sure how policy routing to one of your gateways would even get you to your lan IP for the gui, were you accessing the public IP to get to the gui?

                    I have to assume you are doing some sort of gateway settings in your rules since you mention you have 2 wans, to leverage load balancing this is normally done by setting the gateway as the group that has the wans in them, etc..

                    So I have to think something related to that is what was causing you your problem.. Creating a rule that allows what you want without policy based routing, i.e. no gateway set, would remove any settings for pfsense to change the rules that have gateways set, etc.

                    • M
                      milindhvijay @johnpoz

                      @johnpoz Here are all my Firewall Rules.

                      Floating:
                      0cdf8d3a-14a5-422b-8e29-17cb6becad89-image.png

                      LAN:
                      7a62309e-5a9b-4e85-a441-d7b0c618aef0-image.png

                      VLAN 10 (ADMIN):
                      I had this highlighted rule which explains why I was able to access GUI from this VLAN when both WANs are down.

                      4675e1ea-447c-460c-bcf6-a122f3a98e5f-image.png

                      VLAN 30 (WiFi):
                      Before adding the highlighted, I could not access GUI when WAN was down.

                      2bb9f2d6-c060-47db-8953-57d0c8fe021c-image.png

                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator @milindhvijay

                        @milindhvijay So like I was saying, if you have a rule using a gateway, which you have. And you have it set to NOT create rules when gateway is down.. Before you had no rules that would allow access to the IP on your admin vlan.

                        exactly.jpg

                        So when your gateway goes down, per your settings that last rule there with the gateway set as "default_failover" would not be there.. So until you added that rule you have highlighted what rule if you remove that last one since you are telling it not to create rules when a gateway is down would have allowed you access to pfsense gui on any IP?

                        If that rule you created is to allow access to web gui, why would you say lan subnets. Why would you not just allow access to the admin interface address?

                        But yeah your rules from before you added completely explains why yes if your wan(s) were down you would not be able to access web gui or even ssh.. Because you had no rules that allowed it when your gateway(s) are down.

                        I brought this up in my first post..


                        1 Reply Last reply Reply Quote 0
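The failure mode worked out in this thread, as an added example that is not part of any post and is not pfSense's own code: a simplified model of how an interface's pass rules shrink when a rule's gateway is down and the firewall is set not to create such rules. The rule sets are constructed, `this_firewall` is a stand-in name for the firewall's own interface address, and ports 443 and 22 are assumed for the GUI and SSH; the model only decides whether some pass rule matches, not how the packet is then routed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:                        # pass rules only; block rules are not modelled
    dst: str                       # "any" or "this_firewall" (stand-in name)
    port: Optional[int] = None     # None matches any port
    gateway: Optional[str] = None  # set => policy-routing rule

def effective_rules(rules, gateways_up, skip_when_down):
    """Rules that end up in the loaded ruleset for the current gateway state."""
    out = []
    for r in rules:
        if r.gateway and not gateways_up.get(r.gateway, False):
            if skip_when_down:
                continue                    # rule is not created at all
            r = Rule(r.dst, r.port, None)   # rule created without the gateway
        out.append(r)
    return out

def gui_reachable(rules, gateways_up, skip_when_down, port=443):
    """True if some pass rule matches traffic to the firewall's own address."""
    for r in effective_rules(rules, gateways_up, skip_when_down):
        if r.dst in ("any", "this_firewall") and r.port in (None, port):
            return True
    return False                            # implicit default deny

# Constructed rule sets for a VLAN that has no anti-lockout rule.
BEFORE = [Rule("any", gateway="default_failover")]
# Narrow management rules without a gateway, placed above the policy rule.
AFTER = [Rule("this_firewall", 443), Rule("this_firewall", 22)] + BEFORE

def scenario_table():
    up, down = {"default_failover": True}, {"default_failover": False}
    return {
        "before, WAN up": gui_reachable(BEFORE, up, True),
        "before, WAN down, skip rules": gui_reachable(BEFORE, down, True),
        "before, WAN down, keep rules": gui_reachable(BEFORE, down, False),
        "after, WAN down, skip rules": gui_reachable(AFTER, down, True),
        "after, WAN down, ssh": gui_reachable(AFTER, down, True, port=22),
    }

if __name__ == "__main__":
    for name, ok in scenario_table().items():
        print(f"{name:32} {'reachable' if ok else 'BLOCKED'}")
```

Only the "before, WAN down, skip rules" case comes out blocked, which matches the behaviour reported on the WiFi VLAN before the extra rule was added.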
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.