Remote access via wan2



  • Hello All,

    pfSense-1.2.3-RELEASE
    squid
    squidGuard

    Would like to know why I can not access the pfSense machine remotely, via the second wan on a multi-wan load balanced, fail over setup. I have set up three pfSense machines at three of our school buildings and have setup in the FW rules to allow remote access. I can of course access each one of them remotely fine via the primary wan IP public address but can not via the second public wan IP address. I even unhooked the 'primary' wan connection to see if this changed the routes to allow remote access and still no access via WAN2
    pfSense is working great for our needs by the way. Thanks to all of the pfSense devs!!!

    Take Care,
    Barry



  • Just like with the primary WAN interface, you would need to create an allow on the secondary WAN interface to allow access to the webGUI.  All the usual rules about not making the webGUI accessible to the wide world apply, but the process is exactly the same.  On WAN2, simply create a rule allowing traffic from whatever IP address you want to allow to remotely manage your pfSense installation to the WAN2 IP address, destination port whatever you have the webGUI listening on (usually tcp 443).

    This will only not work if you are NATing inbound traffic on that interface to some server inside your network on that specific port (ie: running a web server off that same IP/port).  Otherwise it should work fine and will work regardless of your load balancing configuration.



  • submicron,

    Thank you much for the good explanation. I simply forgot to do the "allow"/ pass  on port 80 on the second wan just as you had explained! Works like a charm now from wan2 as well.
    I know being able to GUI into the pfSense interface publicly is not a good idea,but I run into a few times were the primary wan goes down and web browsing stops at school on account of using squid/squidguard.
    It is usually our primary wan that goes down if either of the two wans on account of being a wireless corsortium for this wan connection. They have towers go down with major lightning.
    This setup affords me the opportunity to get into the wan2 from home and shutoff squid temporarily. Like today we had a nasty lightning storm as soon as I left school. I was hosed not being able to get into the second wan public ip.
    I tried doing the procedure with one of the teachers a couple weeks back,there undoing things over the phone and it was nerve racking to say the least!
    If we were not using squid/squidguard this would not even be necessary of course.
    Now I am good to go in this scenario,,thanks to your help!

    thanks again,
    Barry



  • A couple of potential solutions to your problem that I might recommend:

    Instead of opening the webGUI to all comers, use the OpenVPN mobile client config and run an instance on each interface so you can securely access your internal network from either WAN.  This would be a much more secure way to get into your network.

    Consider moving your squid/squidGuard instance to a stand-alone box in your network.  This will keep you from having to disable your caching/filtering manually when things go offline.  Instead you'll have a solution that'll handle your failover scenario as seamlessly as your pfSense box.



  • @submicron

    out of curiosity, since he has more than 1 pfsense box, is it actually possible to load squid/ squidguard on the other box and have them sync together to get pass this issue?



  • Not in the way that you'd want.  It would be a major management nightmare and wouldn't work quite like you'd expect.  Better to throw a squid (or other filtering box) into the DMZ and send all connections through it.


Log in to reply