PFSense behind static NAT cannot remotely administer
-
For various reasons I have a double NAT (PF Sense with the WAN on a local area network).
I have a routable IP like 1.2.3.4 that is statically assigned to the PFSense box.
I have 3 firewall rules allowing ICMP (ping), SSH, and HTTPS.
WAN is connected to 10.2.1.0 network
LAN is connected to 10.2.7.0 networkWhen I am on the 10.2.1.0 network the HTTPS interface works fine, when I call it from outside the network I am blocked (until I run pfctl -d).
Meanwhile SSH and ping work without issue remotely.
Any help is appreciated.
-
Look at the firewall log. See what is blocked. Make a rule to allow it.
-
Well, I pulled the logs and see this:
00:00:00.000000 rule 1/0(match): block in on xl0: 1.2.3.4.49684 > 10.2.7.2.443: tcp 28 [bad hdr length 0 - too short, < 20]
00:00:10.310552 rule 1/0(match): block in on xl0: 1.2.3.4.49685 > 10.2.7.2.443: tcp 32 [bad hdr length 0 - too short, < 20]
00:00:03.010462 rule 1/0(match): block in on xl0: 1.2.3.4.49685 > 10.2.7.2.443: tcp 32 [bad hdr length 0 - too short, < 20]I'm not sure what I should put in to allow this.
-
just click on the green arrow in the logs which creates a pass rule.
-
Never mind, I was looking at the wrong PFSense box I had a source limitation.
