Remote Access to WebUI

  • Hi,
    I've searched for remote access topics in the forum but none were related to my question so I think I have to post it here (mod pls move to the correct sub forum since im still finding my way around here).
    I've got a pfsense box up and running, everything is fine. The box provide captive portal to authenticate users who purchase drinks in a store, there is requirements for security. I need to have remote access admin from time to time so I decided to open it all up and despite doing exactly all the steps in this guide
    (I understand it is not recommended but for now i just need remote access working first before i move to OpenVPN when I have more time).

    I still could not get it working.
    I cannot ping the public IP from remote site.
    I cannot connect to the webUI from the remote site by typing: https://xx.xx.xx.xx (xx as my public IP given to me from ISP).
    Could anyone help me pls ?

  • Banned

    No, not without seeing the WAN rules.

  • First step :
    Note down the LAN IP of you pfSense box. Typically, it is - but you could have changed that.
    Goto Firewall : NAT
    Use these settings: (see image).

    The access will be HTPPS  - so think about activating HTTPS access here System: Advanced: Admin Access

    Then: CHECK your Firewall : Rules page. The auto-added related firewall rule to your new NAT entry is at the bottom. If you already have your own 'block' rules above this rule, move the rule upwards.

    Works for me. I have access to the GUI from the Internet now.

    PS: one more thing: more and more people try to put pfSense behind another router. Just to apply to the famous "Why do it the easy way if more difficult exists ?".
    If this is your case, keep in mind that you should also add a NAT rule on that router.

  • here are my settings .. it's still not working.
    i just need remote access and do not worry much about security because the network has nothing really ..

    ![Screen Shot 2015-05-10 at 5.22.48 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2015-05-10 at 5.22.48 PM.png_thumb)
    ![Screen Shot 2015-05-10 at 5.22.48 PM.png](/public/imported_attachments/1/Screen Shot 2015-05-10 at 5.22.48 PM.png)
    ![Screen Shot 2015-05-10 at 5.24.48 PM.png](/public/imported_attachments/1/Screen Shot 2015-05-10 at 5.24.48 PM.png)
    ![Screen Shot 2015-05-10 at 5.24.48 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2015-05-10 at 5.24.48 PM.png_thumb)
    ![Screen Shot 2015-05-10 at 5.24.40 PM.png](/public/imported_attachments/1/Screen Shot 2015-05-10 at 5.24.40 PM.png)
    ![Screen Shot 2015-05-10 at 5.24.40 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2015-05-10 at 5.24.40 PM.png_thumb)
    ![Screen Shot 2015-05-10 at 5.24.29 PM.png](/public/imported_attachments/1/Screen Shot 2015-05-10 at 5.24.29 PM.png)
    ![Screen Shot 2015-05-10 at 5.24.29 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2015-05-10 at 5.24.29 PM.png_thumb)
    ![Screen Shot 2015-05-10 at 5.24.08 PM.png](/public/imported_attachments/1/Screen Shot 2015-05-10 at 5.24.08 PM.png)
    ![Screen Shot 2015-05-10 at 5.24.08 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2015-05-10 at 5.24.08 PM.png_thumb)
    ![Screen Shot 2015-05-10 at 5.23.09 PM.png](/public/imported_attachments/1/Screen Shot 2015-05-10 at 5.23.09 PM.png)
    ![Screen Shot 2015-05-10 at 5.23.09 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2015-05-10 at 5.23.09 PM.png_thumb)

  • and my pfsense box is the gateway to internet .. it is NOT behind anything

  • Banned


    First step :
    Note down the LAN IP of you pfSense box. Typically, it is - but you could have changed that.
    Goto Firewall : NAT
    Use these settings: (see image).

    What's the point here in the NAT? Why don't you just allow access to WAN IP, and instead are trying to access the LAN IP via NAT?  ??? :o


    here are my settings .. it's still not working.

    So which WAN screenshot of the 3 is valid? Why do you need two OpenVPNs to access "nothing really"? How are you accessing the GUI? You need to use the LAN interface IP if you are doing that via OpenVPN (strongly recommended) - not the WAN IP!

  • i have removed all the openvpn .so the WAN without it is the current one now…

  • Banned

    1/ Disable packet filtering on the firewall, try again.
    2/ Does not work? Talk to your ISP.

  • LAYER 8 Global Moderator

    I cannot ping the public IP from remote site.

    Where is any rule on your wan that would allow ping? If pfsense is listening on 443 and your not behind a nat, ie pfsense has public IP.  And you go to say for example can you see me on 443 and it doesn't work then you have something blocking between you and there or your firewall rules are broken..

    But if you want to ping your wan public IP - then you have to have a rule that says that.  As to the natting to the lan to get to the web gui - why would anyone do that?  If you want access to web gui via wan, then allow it.. But why not just vpn into your network and access it?

  • i would love to use open VPN to manage to pfsense box remotely but it doesn't work so i thought just open it all up to remote admin it first while trying openVPN when i have time later. but even trying "open it all up" doesn't work for me !!

  • Banned

    Well, if it does not work with firewall disabled, then pfSense is not the issue, as already suggested above…

  • @johnpoz:

    As to the natting to the lan to get to the web gui - why would anyone do that?  If you want access to web gui via wan, then allow it..

    5 years …. and I always thought that the pfSEnse-GUI-web-server was only listing on the LAN interface.

  • Well i talked to my isp and they confrimed that they dont block anything inc. Vpn connections. They said other customers can use it fine. No complains whatsoever. So it seems the probs is at the pfsense box.
    Can anyone post a firewall rule to alllow remote admin? Thats all i need for now i dont care abt anything else.

  • Well, it became even more easier now.

    I activated GUI https access from WAN with this rule : (see first green rule in image)

    No NAT needed  ;)

    Have your WAN interface getting pinged from the outside ? See third rule.

    Just a question : You do have an "Internet IP" (WAN) on your WAN interface, right ?! Something like
    What is in between the pfSEnse box and your ISP ?
    How do you get your IP (DHCP ? pppoe ?)
    What are your other firewall rules ?

  • I have my Internet IP on my pfsense WAN indeed. The box got it from ISP via pppoe.
    I have deleted everything on the firewall on both LAN and WAN ((Get remote access working first and then add them on 1 by 1 later if needed)
    There is nothing bw my pfsense box and ISP.
    the box connect to the ISP fiber cable and received IP from them.
    The box act as a modem. I enter ISP username password on the wan interface on pfsense.

  • For testing, open everything:

    1. Put a pass all rule on WAN (protocol any, source any, destination any…)
    2. Ping the WAN IP from somewhere on the public internet, try to access port 80/443 from the public internet
    3. Do some packet capture and see if anything is arriving of what you expect (there will likely be plenty of rubbish arriving from Russia...)
    4. traceroute from the real internet to your public IP - see where it stops routing towards you.

    Tell us the first couple of octets of you public IP - just to make sure it reall is a public IP.

    This stuff really does work on pfSense.

  • Sorry for the late update,
    Its finally working for me!
    The last post here reallt helped me!
    "Put a pass on any any any"

    Thats it! I was messing around with pass on this source to that dest..
    Trying diff combos…at the end it drives me nuts!

    Now i can take a breath becuz i dont have to travell like 45min to the site just to add a user.
    I can explore open vpn in my spare time now.
    Will it interfere with the firewall settings that i currently have now? Do i have to move the vpn rule above or below my current rule that allow remote management?

    Thanks all forks, much appreciated.

  • "Pass any any" on WAN really is for a 10 minute test only! There will be "a million" things out on the public internet trying to access stuff. You really really need to get the correct rule in place for just the access you need/want.
    It should be destination WAN address, port 443 (HTTPS) (or also port 80 which should redirect to 443).
    Now you should put in a better rule, then disable the "pass any any" rule and make sure access is still working. If you get stuck sorting out what the rule should be, then post a screenshot of your best attempt and we can see what is wrong.

  • Whenever possible restrict your Source(any) into Source((my) IP's which may remote-login to this box).

  • Yess that will be my next action before i move to open vpn.

Log in to reply