I Lost Access To WebGui After Port Forwarding....Please Help
-
sigh it's a Friday. This will be a lesson for me for the future, especially in making backups of the configuration.
So I added an IPSec VPN tunnel and the other side was able to connect fine. Then he asked to forward some ports and gave me a list. So I blindly added the ports to an alias and then saved the config. Next thing I know the GUI stops responding and I am no longer able to log in. For interface I chose IPSec. For destination I chose LAN net. For the redirect target IP I chose a single address on the LAN network. Then here's the stupid thing I did as these are the ports I put in the alias: 20-23, 443, 5800, 5900, 80, 8002, 6000-6020.
I have a sinking feeling that it's because I stupidly forwarded port 80 that I'm no longer able to access the GUI. Please enlighten me on what I did wrong and what I should've done to forward the required ports to the IPSec VPN tunnel.
Would disconnecting the existing device that I redirected to temporarily and connecting my computer as that IP address allow me to regain access to pfSense? Or am I a lost cause and have to reset the pfSense device?
If I have to reset it then is there a way to save my settings and disable the rule within that saved file?
-
@R-Mana said in I Lost Access To WebGui After Port Forwarding....Please Help:
For interface I chose IPSec.
Please enlighten me on what I did wrong and what I should've done to forward the required ports to the IPSec VPN tunnel.
Not clear what you did here. If you select IPSec for the interface in the port forwarding it just forwards traffic which is coming in on the IPSec.
This should not lead to losing access to the GUI at all.
Anyway it's recommended to change the port for the web GUI to something non-standard in System > Administration.
If I have to reset it then is there a way to save my settings and disable the rule within that saved file?
If you have access to the console, there is no need to reset the box after a misconfiguration.
In the console menu there is an option to go back to a former config version. pfSense saves each state automatically.
-
@viragomann Oh nice! So I can use the console to go back to the previous configuration. Phew! Gonna try that, thanks!
I have the GUI access port set to 8080, which was not one of the forwarded ports. So I have no idea how I lost access otherwise. I do know that the person on the other side is able to successfully complete his tasks after I forwarded the ports. Internet is working and our server is accessible to the outside world. Weird. Well I'll get back to you about this.
-
@R-Mana ^that, and just to expand a bit you should still be able to connect from LAN if that was allowed. I see you were using 8080 so I don't know why it wouldn't still work.
But also there's often not really a need to port forward from a VPN connection. They can be allowed to connect to the LAN device's IP directly via firewall rule.
If you had a copy of the config file and could put it on a USB stick you could get someone to plug it in:
https://docs.netgate.com/pfsense/en/latest/backup/restore-during-install.html#restore-using-the-external-configuration-locator-ecl
(note: not only during install)
-
@SteveITS This is what I thought as well. But when the other person wasn't able to do their tasks I assumed that I needed to port forward to the VPN. Perhaps I misunderstood and all I needed to do was port forward to the WAN instead and see if he is still able to complete his checks and operations.
-
@R-Mana to the WAN/VPN or from it?
From WAN would allow the Internet unless you set a Source on the NAT rule.
The firewall on said LAN device (if any) needs to allow connections from the IPSec subnet.
-
May have just needed firewall rules opening.
But if the other side is a company that connects to a lot of other networks they will often have you use the public IP in the P2 to avoid conflicts. Sometimes in some translation, in which case they would need forwards to connect in.
-
@stephenw10 Ok I'll keep that in mind.
So I was able to use the console to go to an earlier configuration, reboot, and I was able to get into the WebGUI. Proceeded to immediately make a backup configuration on file just in case. Phew! Thanks for that suggestion, and thank the Devs for having such a feature available. Truly a lifesaver!
Next meeting we're gonna take it slow and only forward the ports that he needs. Maybe he won't need all of them.
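
The check the thread keeps coming back to (did the forwarded alias include the port the web GUI listens on?), as an added example that is not part of any post: it expands the alias from the first post and intersects it with the ports that must stay reachable. The function names are made up for this example, and accepting both `-` and `:` as range separators is an assumption.

```python
import re

def expand_alias(spec):
    """Expand a port alias such as '20-23, 443' into a sorted list of ports.

    Accepts 'a-b' (as written in the thread) and 'a:b' range notation.
    """
    ports = set()
    for item in filter(None, (s.strip() for s in spec.split(","))):
        m = re.fullmatch(r"(\d+)(?:\s*[-:]\s*(\d+))?", item)
        if not m:
            raise ValueError(f"not a port or range: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"invalid port range: {item!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)

def collisions(spec, protected):
    """Return the protected ports (e.g. the web GUI port) the alias would capture."""
    return sorted(set(expand_alias(spec)) & set(protected))

def as_ranges(ports):
    """Collapse a port list back into 'lo-hi' strings for a readable change record."""
    out, start, prev = [], None, None
    for p in sorted(set(ports)):
        if start is None:
            start = prev = p
        elif p == prev + 1:
            prev = p
        else:
            out.append(f"{start}-{prev}" if prev > start else str(start))
            start = prev = p
    if start is not None:
        out.append(f"{start}-{prev}" if prev > start else str(start))
    return out

# Alias exactly as listed in the first post.
ALIAS = "20-23, 443, 5800, 5900, 80, 8002, 6000-6020"

if __name__ == "__main__":
    print("ports in alias:", len(expand_alias(ALIAS)))
    print("normalized:", ", ".join(as_ranges(expand_alias(ALIAS))))
    print("hits GUI on 8080:", collisions(ALIAS, [8080]))
    print("hits standard HTTP/HTTPS ports:", collisions(ALIAS, [80, 443]))
```

Run against the alias from the first post, the GUI port 8080 is not among the 30 forwarded ports, while 80 and 443 are.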