Netgate Discussion Forum

    pfblocker is blocking my own PFsense web interface from clients on my network

    Firewalling | 9 Posts 4 Posters 326 Views
      rocklander
      last edited by rocklander

      tried from my PC and the error below appears
      9f9f3b16-e6ac-4961-91aa-2240f4977daa-image.png

      unsure why exactly. it appears to be a similar issue to here:
      https://forum.netgate.com/topic/152480/local-lan-traffic-blocked
      but I don't see what the resolution was?

      been using pfSense for years with no real dramas
      only thing I can think of that may have thrown things into an uneasy state:
      recently got a starlink as a secondary/backup ISP.
      I have a spare pfsense hardware that I have configured up with same IP address and ranges.
      as part of testing I connected these clients to the starlink network (via the 'other' pfsense unit).
      starlink and other pfsense is now powered off.. has been for a few days, but this is the first time I've tried connecting to the web interface of my normal (prod) pfsense since that was set up.
      I just tested on my phone (which never connected to web interface of other pfsense, but may have some arp cache maybe.. from using it as a gateway?)
      also tested on a third laptop client.. same issue

      I do have ssh access.. but not sure how to clear/disable what it is I need to get access back to the web interface.
      can still surf web fine.. just cannot control the pfsense via web

        SteveITS (Rebel Alliance) @rocklander

        @rocklander if you’re seeing the pfB block page on the LAN IP that would mean pfB’s web server was configured to listen on LAN:443 (and/or 80) thus nginx can’t. Typically pfB listens on a dummy virtual IP set on localhost.

        Can you use ssh to revert to a configuration file from before that?

        To upgrade, select your branch in System/Update/Update Settings. When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
        Only install packages for your version of pfSense.
        Upvote 👍 helpful posts!

          rocklander @SteveITS

          @SteveITS
          thanks. yes I have ssh to the shell and have tried reverting to a (much) earlier config.
          that also really confused me as to why it was still failing after that restore :-/

            Gertjan @rocklander
            last edited by Gertjan

            @rocklander

            Normally, by default:

            f38400f4-977c-40f9-87b9-4a5ce63d431f-image.png

            this can't happen, as the pfBlocker 'DNSBL' web server listens on
            (all default settings):

            cee214a7-865b-4612-9284-eb9a4ecd0932-image.png

            The "pfBlocker 'DNSBL' web server" listens on port 80 and 443, but only on 127.0.0.1, and that's an interface you can't reach from LAN.

            Before (this changed recently): pfBlockerng created a "Virtual IP", the shown "10.10.10.1", which is reachable on every LAN interface, and this IP is redirected to "127.0.0.1".

            These days, if your pfSense is recent (what version are you using?), you have to create a VIP yourself first, here:

            8552c005-710a-48cb-ad69-4b733547f71f-image.png

            and use (assign) that one in the pfBlockerng DNSBL settings.

            Btw: you use an IP = 10.0.9.254 (= pfSense) in your browser, and that is not a host name, so no DNS is needed to access it, so the DNSBL part (of pfBlockerng) isn't even used.
            pfBlockerng can block IP addresses and networks, but that has nothing to do with the "pfBlocker 'DNSBL' web server".

            You've ssh access: here is 'what I would do':
            Get the pid of the DNSBL web server:

            [26.03-RELEASE][root@pfSense.bhf.tld]/root: ps aux | grep light
            root    88483   0.0  0.3  23540  11008  -  S    Wed04       0:11.53 /usr/local/sbin/lighttpd_pfb -f /var/unbound/pfb_dnsbl_lighty.conf
            

            so, for me:

            kill 88483
            

            Then, back to the main ssh menu, and restart the pfSense GUI with option 11.
            Now you should be able to access the pfSense GUI.
            Review your pfBlocker DNSBL web server settings.

            No "help me" PM's please. Use the forum, the community will thank you.

              rocklander @Gertjan
              last edited by rocklander


              thanks for this.. attempted to do the same, but it seems the process may be dying and restarting with a new PID each time.. feels like it's pretty unhappy.. is there a way I can disable it in startup (unsure if it's init.d or something else)?
              c7796502-a39e-462c-8299-3574e61fa57b-image.png

                rocklander @rocklander

                further update.. I managed to find an even earlier config to restore.. this has given me console back. thanks for all the assists and advice folks.. I'll see what I can break next.

                  johnpoz (LAYER 8 Global Moderator) @rocklander

                  @rocklander that is not the pid of the process running you were looking for with light, that is just the pid of your command you just ran.

                  example:

                  [26.03-RELEASE][admin@sg4860.home.arpa]/root: ps aux | grep light
                  root    23444   0.0  0.0   14196   3036  0  S+   07:12       0:00.00 grep light
                  [26.03-RELEASE][admin@sg4860.home.arpa]/root: ps aux | grep lshjldfjsdf
                  root    26923   0.0  0.0   14196   3040  0  S+   07:12       0:00.00 grep lshjldfjsdf
                  [26.03-RELEASE][admin@sg4860.home.arpa]/root: ps aux | grep nginx
                  root     2626   0.0  0.9  163140  72344  -  I    07:20       0:08.56 php-fpm: pool nginx (php-fpm)
                  root     8315   0.0  0.8  154752  64384  -  I    07:22       0:04.42 php-fpm: pool nginx (php-fpm)
                  root    14467   0.0  0.8  156800  68640  -  I    Sat05       0:13.71 php-fpm: pool nginx (php-fpm)
                  root    28530   0.0  0.7  125692  58284  -  I    12:29       0:01.53 php-fpm: pool nginx (php-fpm)
                  root    28596   0.0  0.9  165196  74060  -  I    Sat05       0:26.19 php-fpm: pool nginx (php-fpm)
                  root    49597   0.0  0.8  127740  62684  -  I    12:28       0:02.87 php-fpm: pool nginx (php-fpm)
                  root    77033   0.0  0.9  164932  73536  -  I    07:21       0:18.64 php-fpm: pool nginx (php-fpm)
                  root    93389   0.0  0.1   35140  11896  -  Is    2Apr26     0:00.00 nginx: master process /usr/local/sbin/nginx -c /var/etc/nginx-webConfigurator.conf (nginx)
                  root    93518   0.0  0.2   37700  14192  -  I     2Apr26     0:10.44 nginx: worker process (nginx)
                  root    93806   0.0  0.2   37700  14076  -  I     2Apr26     0:05.44 nginx: worker process (nginx)
                  root    75998   0.0  0.0   14196   3028  0  S+   07:13       0:00.00 grep nginx
                  [26.03-RELEASE][admin@sg4860.home.arpa]/root: 
                  
                  

                  Notice nothing is found with "light" or with gibberish in the grep, but if I look for something actually running it lists all the processes and their pids; notice at the bottom it also shows my own command's pid, 75998.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 26.03 | Lab VMs 2.8.1, 26.03
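Two checks that follow from Gertjan's procedure and johnpoz's point about `ps aux | grep`, written as an added example for this thread (it is not code posted by any of the participants). Both functions read command output on stdin, so they are exercised here on constructed sample output and can be fed live output on a pfSense shell. The `sockstat -4l` column order is assumed from FreeBSD and should be confirmed with `sockstat -4l | head -1` on your own box; the LAN address 10.0.9.254 in the sample is the one mentioned in the thread, everything else in the samples is made up.

```shell
#!/bin/sh
# Added example for this thread, not code posted by any of the participants.
# Two checks for the situation above, both reading command output on stdin
# so they run offline on the constructed samples below and live on pfSense as:
#   ps aux       | find_daemon_pid lighttpd_pfb
#   sockstat -4l | listeners_on_port 443

# PID(s) of `ps aux` lines whose text matches the awk regex in $1, skipping
# the grep/awk process that is itself part of the lookup pipeline (its own
# command line contains the search text, which is the trap johnpoz describes).
# `ps aux` has 11 columns; $11 is the start of the COMMAND field.
find_daemon_pid() {
    awk -v pat="$1" '$11 != "grep" && $11 != "awk" && $0 ~ pat { print $2 }'
}

# The lookup as typed in the thread: returns the daemon's PID *and* the PID
# of the grep itself, so killing the wrong number does nothing useful.
naive_pid() {
    grep -- "$1" | awk '{ print $2 }'
}

# "COMMAND PID LOCAL_ADDRESS" for every `sockstat -4l` line bound to port $1.
# Assumed FreeBSD column order: USER COMMAND PID FD PROTO LOCAL ADDRESS
# FOREIGN ADDRESS (check `sockstat -4l | head -1` on your own box).
listeners_on_port() {
    awk -v port="$1" 'NR > 1 && $6 ~ (":" port "$") { print $2, $3, $6 }'
}

# Constructed `ps aux` sample (not captured from a real firewall): the DNSBL
# web server, the GUI's nginx master, and the grep a naive lookup would list.
SAMPLE_PS='USER    PID %CPU %MEM    VSZ   RSS TT  STAT STARTED    TIME COMMAND
root  88483  0.0  0.3  23540 11008  -  S    Wed04   0:11.53 /usr/local/sbin/lighttpd_pfb -f /var/unbound/pfb_dnsbl_lighty.conf
root  93389  0.0  0.1  35140 11896  -  Is   2Apr26  0:00.00 nginx: master process /usr/local/sbin/nginx -c /var/etc/nginx-webConfigurator.conf (nginx)
root  75998  0.0  0.0  14196  3028  0  S+   07:13   0:00.00 grep lighttpd_pfb'

# Constructed `sockstat -4l` sample of the misconfiguration SteveITS suspects:
# lighttpd_pfb bound to the LAN address (10.0.9.254 from the thread) on 443
# instead of only 127.0.0.1 (or its dedicated VIP). A healthy box shows the
# DNSBL server on loopback/VIP only and the GUI's nginx on *:443.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     lighttpd_p 88483 4  tcp4   10.0.9.254:443        *:*
root     lighttpd_p 88483 5  tcp4   127.0.0.1:80          *:*
root     nginx      93389 6  tcp4   *:443                 *:*
root     sshd       1234  4  tcp4   *:22                  *:*'

# Demo on the samples: one PID from the correct lookup, two from the naive one,
# then the two sockets holding port 443 and who owns them.
printf '%s\n' "$SAMPLE_PS" | find_daemon_pid lighttpd_pfb
printf '%s\n' "$SAMPLE_PS" | naive_pid lighttpd_pfb
printf '%s\n' "$SAMPLE_SOCKSTAT" | listeners_on_port 443
```

Running `ps aux | find_daemon_pid lighttpd_pfb` twice a few seconds apart also answers rocklander's question directly: a changing PID means the server is being respawned, an empty result means it is not running at all (johnpoz's case). `pgrep -f lighttpd_pfb` from the FreeBSD base system gives the same PID without the self-match problem. The `listeners_on_port 443` check is the one to run before killing anything, because it shows whether the block page really comes from lighttpd_pfb bound to a LAN address rather than from nginx.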

                    Gertjan @rocklander

                    @rocklander
                    Euh ... oh .. lol

                    When you execute a

                    ps aux | grep light
                    

                    you execute two things: first the "ps aux", which lists all current system processes.
                    Instead of looking up the right process, and knowing that pfBlockerng uses a web server that isn't 'nginx' but "/usr/local/sbin/lighttpd_pfb" = lighttpd_pfb, I add the pipe and then grep 'light'.
                    My example shows clearly that for me, it showed a result.
                    There is also a second result, a process with 'grep' on the same command line:
                    That's the grep command itself with the 'light' text as a parameter.
                    Disregard this one, as that is not the pfblocker's web server.
                    Trying to kill a process that has already finished doesn't work out.

                    I have to think about this one, as things are strange :
                    You have the "pfblockerng dnsbl web server" running.
                    But it isn't shown in the process list ....

                    Ok, happy enough, Johnpoz didn't find that line (= process) either.
                    So, question: for the "pfblocker's web server" to be started by pfBlockerng, you have to use (activate) DNSBL first:

                    a9427dfe-d9c4-478a-891a-052002d0be62-image.png

                    and with this one stopped:

                    18768e31-f021-4371-8f50-71597928f61f-image.png

                    I don't find the "pfblockerng dnsbl web server" either = it's gone.
                    But in that case you can't access/get/see this:

                    8a0771ad-b314-4c0f-896b-b860f12c18a1-image.png

                    .....


                      johnpoz (LAYER 8 Global Moderator) @Gertjan
                      last edited by johnpoz

                      @Gertjan yeah I don't run dnsbl service, I just use pfblocker for alias creation that I use in my own rules.

                      Just wanted to explain what he was seeing with this ps command: it didn't find anything via his grep.


                      Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.