PFSense behind static NAT cannot remotely administer
For various reasons I have a double NAT (PF Sense with the WAN on a local area network).
I have a routable IP like 220.127.116.11 that is statically assigned to the PFSense box.
I have 3 firewall rules allowing ICMP (ping), SSH, and HTTPS.
WAN is connected to 10.2.1.0 network
LAN is connected to 10.2.7.0 network
When I am on the 10.2.1.0 network the HTTPS interface works fine, when I call it from outside the network I am blocked (until I run pfctl -d).
Meanwhile SSH and ping work without issue remotely.
Any help is appreciated.
Look at the firewall log. See what is blocked. Make a rule to allow it.
Well, I pulled the logs and see this:
00:00:00.000000 rule 1/0(match): block in on xl0: 18.104.22.168.49684 > 10.2.7.2.443: tcp 28 [bad hdr length 0 - too short, < 20]
00:00:10.310552 rule 1/0(match): block in on xl0: 22.214.171.124.49685 > 10.2.7.2.443: tcp 32 [bad hdr length 0 - too short, < 20]
00:00:03.010462 rule 1/0(match): block in on xl0: 126.96.36.199.49685 > 10.2.7.2.443: tcp 32 [bad hdr length 0 - too short, < 20]
I'm not sure what I should put in to allow this.
Nachtfalke last edited by
just click on the green arrow in the logs which creates a pass rule.
Never mind, I was looking at the wrong PFSense box I had a source limitation.