Not able to access WebGUI from remote through WAN
-
I am trying to connect to my pfSense box from a remote location. I set up the firewall rules at one point and had it working. All of a sudden it is not working. I am not sure what changed. It may have changed after I set up my multiWAN load balancing, although I think I remember accessing it once after that. I will post a screenshot of my firewall rule. Maybe someone can tell me what is wrong?
Is there something I am doing that is obviously wrong? I have tried a lot of different options for the source and destination.
-
Never set a gateway like that on WAN rules. Otherwise looks fine.
-
I went into my firewall logs and saw that it was still blocking my access. I clicked the little icon that says "Easy Rule - Pass this traffic". It added the rule specifically for the IP address of my remote system and IT DID allow me to access it. Then I changed the source back to ANY and it is still allowing me access. I think this may be a bug? As I had set up an identical rule before but it for whatever reason kept blocking it….
-
Ok. This is a bug for sure. I go ahead and add the rule to allow this traffic by adding a rule in the normal way from the rules page. It will not allow that traffic. Then when I go to the firewall log and click the icon for the blocked entry it creates a rule, identical to what I manually create, and voilà, it stops blocking that traffic. Should I report this somewhere as a bug?
-
It is not a bug. You are doing it completely wrong.
You want a firewall rule that passes traffic on WAN source any dest WAN address port tcp/8080. You don't need to set a gateway, and you don't need the destination to be WAN net.
-
I figured I would have to set the gateway as I have multiple gateways. I tried WAN net, WAN address, everything. Like I said the only time it works is when I go into the log and create the rule. If I manually create an identical rule it continues to block the traffic. So disregard my screenshots, they are wrong anyway.
-
No. All you have to do is put the firewall rule on the WAN interface you want to connect to. Then use that interface address in the rule. Then you have to be sure you're connecting to THAT interface's address. You also have to be sure your browser is connecting http or https correctly. If you want the redirect rule that sends connections from port 80 to your configured https port, you will also have to have a pass rule for port 80.
If you want to connect to ANY WAN address then make a similar rule on all your WAN interfaces.
Sounds like you might have gotten a little clicky and now it's impossible to know what you have unless you tell us or you reset to defaults and start over.
-
Again, disregard the screenshots I posted. I manually make a rule to pass traffic for source any, destination WAN address port 8080. Does not allow the traffic. When I go into the firewall log and add the rule with the icon for an "Easy Rule" it will allow traffic. The only difference with the easy rule is it uses the source IP in the rule but I change that to any afterwards and it continues to work. Unless there is something I am missing when I manually create the rule but I don't think so. I went over it option by option to compare… no differences other than what I stated above. Either way it is working now... I just used the easy rule option and modified that and I have things working the way I want now. I also left the gateway option to default and that does not seem to be causing any issues either, I was thinking it would have to always use the gateway that the request is coming from.
And I do know I need to access it like this **https://**00.00.00.00:2020 and that wasn't the issue I was having. I have the redirect option disabled.
-
Manually created this rule. It is still blocking the access. I made the rule and then hit the apply changes button.
edit: Just in case you want to point out the 8080 and 2020 discrepancy in my address bar, it's because I edited it to 8080 for the screenshot… didn't mean to expose the 2020... not a big security deal but I just didn't want to expose the real port number I was using....
-
So now that the previous manually created rule was not working I went into log. Found the blocked entry and clicked easy rule icon and it created these:
Then I have access. I do end up changing the source to any in the "easy rule" and destination from "single host or alias" (with the IP) to "WAN address" and leave blank, even after making the change I still have access from this rule. This is what I mean, I am missing something I think or it is a bug… maybe it is not enabling the rules I am manually creating?
-
Just an update. I manually created the rule again, applied the settings no go. Then did the easy rule, and it allowed access. Then modified easy rule to my liking, still had access. So good so far. Then I am still annoyed by this, I deleted the rules. Manually created one on WAN interface, source any, destination wan address, port 2020. Applied settings and no go. wtf?
So I started googling pfsense firewall rule bugs and found someone reporting a bug that may have been similar at https://redmine.pfsense.org/issues/3083.
I went to the Filter Reload status and hit reload. Now every time I manually create the rule it works like it is supposed to! I just wanted to post this so the developers could look at it if they are interested.
-
I'll still go out on a limb and say you're not doing something right. Firewall logs should show the blocked traffic when the rule is not working. Hovering over the block symbol will pop up which rule blocked it.
That bug was resolved a year ago.
Updated by Chris Buechler about 1 year ago
Status changed from Feedback to Resolved
-
Ok, I am sure I was not doing anything wrong. I tried several times just to verify. I mean really when you add the rule manually there is what… one thing to change... I'll go check... yeah... destination and port. Otherwise all default settings are all ok. I am also still having issues with apinger and I thought that was fixed? Maybe I am on an old build? It says I am on 2.1.5. Don't know. I will see if I can reproduce it again in a few weeks and I'll put together a darn video. lol. You think I would make this crap up??
-
Put your manual rule in place then post a screen shot of your WAN rules screen. Also post a screenshot of your webConfigurator section of System: Advanced: Admin Access.
If it is still not working please also include a screenshot of the blocks in the firewall log and a notation of which rule it says is doing the blocking.
Get rid of any of the easy rules too for now.
-
Ok, I was in the process of starting this all over again. So I deleted the rule. I HAVE NO RULES under WAN. And now I still have access to the admin interface from outside the local network. So this proves that the rules are not updating as they should. Anything in the logs I can show you for this?? I'll let you remote into one of my local PCs over a remote desktop connection if you would like to see for yourself. You seem like a trusted member here. I will do screenshots and stuff now as I think I will be able to reproduce the issues again.
-
Geez… now I know the firewall rules are acting up. I set up a rule to keep https traffic all on wan2 as a lot of web sites will not keep me authorized when the IP changes... so I was having that issue when I just tried to make a post now... went and disabled my https-wan2 rule and re-enabled it and NOW it finally updated the other rule to block admin access over WAN. There is definitely something funny going on here. I will keep playing and get screenshots together so someone else can reproduce it maybe...
-
You do know that when you change the rules you have to clear existing states if you want immediate effect, right?
How often is your IP address changing?
Other people get that screen on this forum too. It has nothing to do with firewall rules. I think it happens when you have the login timeout set to -1 and some long period of time elapses, but that's just a guess on my part. Clearing cookies for the forum fixes it.
-
Ok, I'll try that. Clearing my cookies.
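-
Added example, not part of the original thread: a shell check for the two situations discussed above, a GUI rule that is not in the loaded ruleset (the Filter Reload observation) and access that survives a deleted rule because states still exist (the reply about clearing states). The `em0` interface, the addresses and the sample `pfctl -sr` / `pfctl -ss` output are constructed, and the rule match assumes pfctl prints the port numerically.

```shell
#!/bin/sh
# Constructed samples (documentation addresses). On the firewall itself, use
# RULES=$(pfctl -sr) and STATES=$(pfctl -ss) instead.
RULES='block drop in log inet all label "Default deny rule IPv4"
pass out inet all flags S/SA keep state'
STATES='em0 tcp 203.0.113.5:2020 <- 198.51.100.7:51234       ESTABLISHED:ESTABLISHED
em0 tcp 203.0.113.5:2020 <- 198.51.100.7:51240       FIN_WAIT_2:FIN_WAIT_2
em1 tcp 192.168.1.10:55000 -> 192.0.2.80:443       ESTABLISHED:ESTABLISHED'

# Count loaded "pass in" rules on interface $1 to address $2, TCP port $3.
# Assumption: the port is printed as a number; pfctl may show a service name.
pass_rules() {
    printf '%s\n' "$RULES" | awk -v ifc="$1" -v dst="$2" -v port="$3" '
        $1 == "pass" && $2 == "in" && index($0, " on " ifc " ") &&
        index($0 " ", " to " dst " port = " port " ") { n++ }
        END { print n + 0 }'
}

# List remote peers holding inbound TCP states to $1:$2, deduplicated.
state_peers() {
    printf '%s\n' "$STATES" | awk -v dst="$1:$2" '
        $2 == "tcp" && $3 == dst && $4 == "<-" {
            sub(/:[0-9]+$/, "", $5); if (!seen[$5]++) print $5 }'
}

# Classify: is access backed by a loaded rule, or only by surviving states?
verdict() {  # $1=interface $2=WAN address $3=port
    rules=$(pass_rules "$1" "$2" "$3")
    peers=$(state_peers "$2" "$3")
    if [ "$rules" -gt 0 ]; then echo "rule-loaded"
    elif [ -n "$peers" ]; then echo "stale-states"
    else echo "blocked"
    fi
}

# Print (do not run) the commands that would drop the surviving states.
kill_cmds() {  # $1=WAN address $2=port
    state_peers "$1" "$2" | while read -r peer; do
        echo "pfctl -k $peer -k $1"
    done
}

verdict em0 203.0.113.5 2020
kill_cmds 203.0.113.5 2020
```

With two `-k` hosts, `pfctl` removes only the states from the first host to the second, so unrelated sessions are left in place.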