Accessing Web GUI over IPsec
I've done this hundreds of times in the past without thinking about it but now my brain hurts.
I have just set up a couple of pfSense 2.0.1 boxes (on DELL R210 servers) for a customer.
We have an IPsec tunnel between each of them and to us. The tunnels work fine and full communication between sites works OK. However, when I log into the pfSense WebGUI on a remote site over the IPsec tunnel, I get the logon page, but after entering the username and password it reports 'Username or Password incorrect'.
I've checked the usual Caps Lock etc.
Tried different browsers and different computers.
A firewall rule is in place on the remote pfSense allowing traffic over IPsec.
Logging on to the same WebGUI from a machine on the local LAN works perfectly.
These are clean installs with a basic configuration. There are no NAT or firewall rules added other than default LAN/WAN rules.
The only thing I can think of that might be different to the other hundreds of installs we have done is that this is the amd64 version of pfSense rather than the i386 version.
Any suggestions on a fix?
Uncheck blocking private IPs and see if it gets better.
I've tried that but I'm afraid it still doesn't work.
Are you sure you're hitting the firewall you think you're hitting?
If you couldn't reach the GUI at all I might suspect that an IPsec issue might be at play, but if you hit the GUI and get a denied login, that makes me think you're actually getting directed to one of the other firewalls somehow. Have you tried logging into that firewall with the credentials for one of the others?
Also if it's pfSense all around, you may find that OpenVPN is more stable/easy to work with in the long run, but that wouldn't be related to this issue.
OK, I'm dumb!
The remote site's LAN subnet is 192.168.1.0/24 and I could access all devices on that network. The remote pfSense LAN is 192.168.1.1.
Months ago, on my local pfSense I set up a test network for the client with the same subnet and assigned 192.168.1.1 to a spare NIC on my pfSense. I then promptly forgot I had done that!
So I was actually trying to log into my own firewall.
Interesting, though, that 192.168.1.1 was hitting my firewall but all other requests to 192.168.1.0/24 go over the IPsec tunnel to the remote site, even though the subnet is configured on the local firewall.
Sorry for wasting your time guys.
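The mix-up in the last post is easy to catch mechanically: if a local interface carries the same subnet as an IPsec Phase 2 remote network, the addresses the firewall itself owns are answered locally, while the rest of that subnet still matches the tunnel policy, which is exactly the split the poster observed. The following Python is an added example and is not code from the thread or from pfSense. The interface table and tunnel list are constructed sample data, and the path-selection order in `classify_destination` is a simplified model of the behaviour described in the thread (local address first, then IPsec policy, then attached subnet, then default route), not a reproduction of pfSense's actual packet path.

```python
import ipaddress

# Constructed sample data (hypothetical, not taken from the thread's real
# configuration): addresses assigned to the local pfSense's interfaces and
# the IPsec Phase 2 remote networks of its tunnels.
LOCAL_INTERFACES = {
    "lan": "10.0.0.1/24",
    "opt1": "192.168.1.1/24",  # the forgotten test NIC from the thread
}
IPSEC_REMOTE_NETWORKS = {
    "site-a": "192.168.1.0/24",
    "site-b": "192.168.2.0/24",
}


def find_overlaps(interfaces, remote_networks):
    """Return (iface, local_cidr, tunnel, remote_cidr) for every local
    interface subnet that overlaps an IPsec Phase 2 remote network.
    Any hit here means some addresses in that subnet will be answered by
    this box instead of crossing the tunnel."""
    overlaps = []
    for iface, cidr in interfaces.items():
        local_net = ipaddress.ip_interface(cidr).network
        for tunnel, remote in remote_networks.items():
            if local_net.overlaps(ipaddress.ip_network(remote)):
                overlaps.append((iface, cidr, tunnel, remote))
    return overlaps


def classify_destination(dst, interfaces, remote_networks):
    """Predict the path traffic to dst takes, using the simplified order
    implied by the thread's observation:
    1. an address assigned to a local interface is delivered locally and
       never reaches the tunnel (the poster's own GUI answered);
    2. a destination covered by a Phase 2 policy is encapsulated even when
       a local interface carries the same subnet;
    3. otherwise a directly attached subnet, else the default route."""
    addr = ipaddress.ip_address(dst)
    for iface, cidr in interfaces.items():
        if addr == ipaddress.ip_interface(cidr).ip:
            return "local-host:" + iface
    for tunnel, remote in remote_networks.items():
        if addr in ipaddress.ip_network(remote):
            return "ipsec:" + tunnel
    for iface, cidr in interfaces.items():
        if addr in ipaddress.ip_interface(cidr).network:
            return "local-net:" + iface
    return "default-route"


if __name__ == "__main__":
    for hit in find_overlaps(LOCAL_INTERFACES, IPSEC_REMOTE_NETWORKS):
        print("overlap: interface %s (%s) vs tunnel %s (%s)" % hit)
    for dst in ("192.168.1.1", "192.168.1.50", "10.0.0.7", "8.8.8.8"):
        path = classify_destination(dst, LOCAL_INTERFACES, IPSEC_REMOTE_NETWORKS)
        print("%-14s -> %s" % (dst, path))
```

Running it against the sample data flags `opt1` against `site-a`, reports 192.168.1.1 as answered by the local box, and sends 192.168.1.50 over the tunnel, which matches the thread. On a real deployment the two dictionaries would be filled from the firewall's interface and Phase 2 configuration rather than typed in.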