Trouble accessing pfSense Web GUI through IPsec tunnel

zied.elouaer · Nov 20, 2012, 2:03 PM

Hi guys,

I am connecting two remote sites with pfSense firewalls through an IPsec tunnel. All communication between the two sites works fine. Except one problem: I can't access one of the firewall #1 GUI from the site #2 (firewall #2 is accessible from site #1). Note that I can ping the firewall and access it via SSH, only the web GUI doesn't work. The URL's form is https://x.x.x.x:7799. Of course this web interface is accessible from the local network.

Does anyone have a clue on that? Thanks

zied.elouaer · Nov 20, 2012, 4:44 PM

Note also that I checked the firewall logs and there's no blocked traffic related to this issue. Any thoughts?

wallabybob · Nov 20, 2012, 8:21 PM

@zied.elouaer:

only the web GUI doesn't work.

What does the browser report when you attempt access?

zied.elouaer · Nov 20, 2012, 8:19 PM

It remains loading infinitely ???

wallabybob · Nov 20, 2012, 8:52 PM

@zied.elouaer:

only the web GUI doesn't work. The URL's form is https://x.x.x.x:7799.

The remote web server is listening on port 7799? Or you have an appropriate port forward setup so port 7799 gets mapped to the appropriate web server port? I realise you wrote
@zied.elouaer:

Of course this web interface is accessible from the local network.

but on what port?

When things like this don't work I find it helpful to work from the basics up using packet capture:
1. When the browser access is attempted does the access attempt have the correct does the connect packet have the correct destination IP address, destination TCP port,and source IP address? (for example, a browser "feature" might force https to port 443).
2. Does the connect attempt arrive at the destination system with correct destination IP address, destination TCP port,and source IP address?
3. Do firewall rules allow the access? ("block" firewall rules might not have logging enabled)
4. Is the target web server listening on the appropriate port?
etc.

zied.elouaer · Nov 20, 2012, 9:31 PM

First, the server is listening on port 7799 and when I access it from the local network I do it on port 7799.

for your questions 3 and 4 the answer is yes (and the firewall does have logging enabled for block rules)

For your 1st and 2nd questions, I did not try that yet, can you tell me how to do it on pfSense?

Thanks again.

wallabybob · Nov 20, 2012, 10:06 PM

I have never done packet capture on a tunnel interface. I presume it will show data before tunnel encapsulation.

FreeBSD utility tcpdump can be used in a pfSense shell session. You can read the man page at http://www.freebsd.org/cgi/man.cgi?query=tcpdump&apropos=0&sektion=0&manpath=FreeBSD+8.3-RELEASE&arch=default&format=html

Packet capture can also be done through the pfSense web GUI Diagnostics -> Packet Capture

Both methods allow the use of filters to select traffic to report.

zied.elouaer · Nov 21, 2012, 9:53 AM

I did check the tcpdump output on both firewalls. The packets are transmitted with the right source/destination addresses and ports and also arrive correctly to the other side. Packets are seen in both direction (i.e. from and to both firerwalls).

That's really confusing, I don't see why it's not working. ???

zied.elouaer · Nov 21, 2012, 10:10 AM

ps: I also tried accessing from different browsers and different computers with Linux and Windows, and the result is always the same.