pfSense behind static NAT: cannot administer remotely

  • For various reasons I have a double NAT (pfSense with the WAN on a local area network).

    I have a routable IP like 1.2.3.4 that is statically assigned to the pfSense box.

    I have 3 firewall rules allowing ICMP (ping), SSH, and HTTPS.

    WAN is connected to 10.2.1.0 network
    LAN is connected to 10.2.7.0 network

    When I am on the 10.2.1.0 network the HTTPS interface works fine; when I call it from outside the network I am blocked (until I run pfctl -d).

    Meanwhile SSH and ping work without issue remotely.

    Any help is appreciated.


  • Rebel Alliance Developer Netgate

    Look at the firewall log. See what is blocked. Make a rule to allow it.



  • Well, I pulled the logs and see this:

    00:00:00.000000 rule 1/0(match): block in on xl0: 1.2.3.4.49684 > 10.2.7.2.443:  tcp 28 [bad hdr length 0 - too short, < 20]
    00:00:10.310552 rule 1/0(match): block in on xl0: 1.2.3.4.49685 > 10.2.7.2.443:  tcp 32 [bad hdr length 0 - too short, < 20]
    00:00:03.010462 rule 1/0(match): block in on xl0: 1.2.3.4.49685 > 10.2.7.2.443:  tcp 32 [bad hdr length 0 - too short, < 20]

    I'm not sure what I should put in to allow this.
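The diagnostic step described in this thread (read the block entries in the firewall log, then allow exactly that traffic) as an added Python example; it is not code from the thread or from pfSense. It parses pflog lines in the tcpdump-style format posted above (the three sample lines are a constructed copy of them), tolerates the bracketed "bad hdr length" trailer tcpdump appends when the TCP header length field is below the 20-byte minimum, aggregates the blocked flows by interface, direction, protocol, source, destination and port, and emits a pf.conf-style pass rule pinned to the logged source host instead of "any". The rule text is illustrative only (pfSense manages its own rule set from the GUI), and `parse_line`, `summarize_blocks` and `suggest_rules` are names chosen here.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the three lines posted in the thread, in the
# tcpdump-style format pfSense shows for raw pflog output.
SAMPLE_LOG = """\
00:00:00.000000 rule 1/0(match): block in on xl0: 1.2.3.4.49684 > 10.2.7.2.443:  tcp 28 [bad hdr length 0 - too short, < 20]
00:00:10.310552 rule 1/0(match): block in on xl0: 1.2.3.4.49685 > 10.2.7.2.443:  tcp 32 [bad hdr length 0 - too short, < 20]
00:00:03.010462 rule 1/0(match): block in on xl0: 1.2.3.4.49685 > 10.2.7.2.443:  tcp 32 [bad hdr length 0 - too short, < 20]
"""

# One pflog line: timestamp, "rule N/M(reason):", action, direction,
# interface, src.port > dst.port:, protocol, optional length and an
# optional "[...]" trailer from tcpdump's decoder.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+rule\s+(?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]*)\):\s+"
    r"(?P<action>block|pass|match)\s+(?P<dir>in|out)\s+on\s+(?P<iface>\w+):\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<proto>[a-z]+)"
    r"(?:\s+(?P<length>\d+))?"
    r"(?:\s+\[(?P<note>[^\]]*)\])?"
)


@dataclass(frozen=True)
class PfLogEntry:
    rule: int
    action: str
    direction: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    note: str  # decoder trailer such as "bad hdr length 0 - too short, < 20", "" if absent


def parse_line(line):
    """Parse one pflog line; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return PfLogEntry(
        rule=int(m["rule"]),
        action=m["action"],
        direction=m["dir"],
        iface=m["iface"],
        src=m["src"],
        sport=int(m["sport"]),
        dst=m["dst"],
        dport=int(m["dport"]),
        proto=m["proto"],
        note=m["note"] or "",
    )


def parse_log(text):
    """Parse a whole log, silently skipping lines in another format."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def summarize_blocks(entries):
    """Count blocked flows by (iface, direction, proto, src, dst, dport).
    The source port is dropped: it changes per connection and is noise."""
    return Counter(
        (e.iface, e.direction, e.proto, e.src, e.dst, e.dport)
        for e in entries
        if e.action == "block"
    )


def suggest_rules(summary):
    """One pf.conf-style pass rule per blocked flow, pinned to the logged
    source host rather than 'any', so the fix opens only what the log
    shows was needed (illustrative syntax; not how pfSense stores rules)."""
    rules = []
    for (iface, direction, proto, src, dst, dport), _count in sorted(summary.items()):
        rules.append(
            f"pass {direction} quick on {iface} inet proto {proto} "
            f"from {src} to {dst} port {dport} keep state"
        )
    return rules


if __name__ == "__main__":
    blocked = summarize_blocks(parse_log(SAMPLE_LOG))
    for key, count in blocked.items():
        print(f"{count:4d}  {key}")
    for rule in suggest_rules(blocked):
        print(rule)
```

Run against a real box, feed it the output of `tcpdump -n -e -ttt -i pflog0` instead of `SAMPLE_LOG`. The aggregation is the useful part: three log lines collapse into one flow (xl0, in, tcp, 1.2.3.4 to 10.2.7.2 port 443), which is exactly the tuple a pass rule needs, and keeping the source narrowed to the observed host avoids turning "unblock my admin session" into "expose the web GUI to everyone".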



  • Just click on the green arrow in the logs, which creates a pass rule.



  • Never mind, I was looking at the wrong pfSense box; I had a source limitation.