Problems accessing pfSense
-
Just encountered a similar situation. Not sure how to resolve:
- suddenly I cannot SSH over the internet to my pfSense box
- I cannot access the WebUI from the internet
- I can RDP from the internet into only 1 PC behind my pfSense box
- From that PC, I can access my WebUI
- Snort shows no alerts or blocked IPs
If I reboot the pfSense box, everything is OK until SSH "crashes" the next time (I have been seeing it happen more often than I'd like lately). Not sure how to troubleshoot this or where I might see logging info to trace the issue. I had hoped it was simply my internet IP being blocked. Even that IP is added to my whitelist within Snort.
Any help would be much appreciated. Thanks.
-
This issue has been happening with increased frequency. However, it appears to happen only after more than one remote session is established with the pfSense box. For example, 1 user connected to the Web GUI and 1 user logged into SSH, etc. Once it happens, the pfSense box is only accessible from within the LAN. It cannot be accessed via the WAN regardless of method (SSH, Web GUI HTTPS, etc.).
What causes this issue?
-
The command and its response (or URL and browser report) are nearly always more informative than the non-technical summary "can't access".
What causes this issue?
It is difficult to say without more information such as the error report from the application attempting the access.
-
Understood. Turns out, through some trial and error, it may have been due to a Snort-HTTP DOUBLE DECODING ATTACK. While I noticed this message in my SYSTEM LOG, it did not appear in the BLOCKED tab. It was only visible in the ALERTS tab. I've since suppressed this alert rule and it seems to have restored external access to my pfSense box without requiring a reboot.
Will monitor my system since suppressing this rule to see whether it recurs, in which case it may be attributed to Snort (possibly).
I think the HTTP DOUBLE DECODING ATTACK may have been the cause, as once I cleared it, I was able to access my Web GUI login page from multiple external systems originating from multiple different internet IP addresses (without clearing any blocked IPs from the Snort blocked tab).