Can't reach web GUIs



  • Hi All.

    I have pfSense V2.2.1 set up and have set up an IPSec tunnel from Site 1 (192.168.1.1/24) to Site 2 (192.168.2.1/24).  The two sites connect with no problems.

    I have also set up both firewalls to have a firewall rule on Firewall -> Rules -> IPSec; this allows all IPv4 traffic with no restrictions.

    I can connect to Site 1's pfSense GUI using the IP address and vice versa.

    I have a VOIP server on 192.168.1.99 on site 1 which I can ping from site 2.
    However, I cannot browse to 192.168.1.99 from site 2 (the browser just says it is connecting). I can browse to this address from site 1.

    This is the first time I have used pfSense for VPN (I have used basic Cisco home routers previously).  Am I missing anything obvious?

    Regards

    Mark.



  • Since you can ping, basic network connectivity must be OK. Sounds like what happens where there is a host firewall on the device in question that's only allowing access to its web interface from its local subnet.



  • I have been trying all options and I can't get this working... as I mention, I can ping the clients on the remote host but can't access them (I have a NAS drive on 192.168.3.5 which pings but won't allow access via browser even though it does on site).

    I have set a firewall IPSec rule on the 192.168.3.0 firewall as such...

    Proto  Source Port Destination Port Gateway Queue Schedule Description
    IPv4 *    *        *        *          *        *      none              IPSec  Traffic

    On my local firewall I have a Manual outbound rule of:
    Interface    Source            Source Port Destination    Destination Port    NAT Address    NAT Port  Static Port Description
    WAN      192.168.3.0/24      *                  *                        *            WAN address      *            NO            VPN



  • You're allowing everything there, so that's fine. It's the NAS itself that I was referencing previously. Maybe it's missing a default gateway or has a wrong one configured, or it has a wrong subnet mask, or it has a built-in firewall on it that's blocking off-subnet traffic.



  • Thanks

    At least I know the firewall rules etc are set up correctly.

    The fault is consistent with accessing my NAS, my VoIP server and my VoIP phones; again, all of them are accessible from on site.

    • Also, I proved overnight that I can access my NAS with OpenVPN.

    Regards

    Mark



  • I wonder if this is a pointer to the root cause.

    I notice that I can both ping my router across the VPN and I can access its web GUI across the VPN... I can't access a GUI of anything else, though.

    Any further help would be appreciated as this is frustrating me now.

    Cheers

    Mark



  • Packet capture on your LAN interface while trying to reach one of them, see if the traffic is going out.



  • Did you get anywhere with this? I have exactly the same issue.

    I've replaced my router at site B with pfSense, added the IP Sec settings, and it connects to the site A router fine, and all traffic works (site A is an old IP Cop box). So pfSense - IP Cop over IP Sec, all fine, no issues, that's been stable for about a month.

    Now I'm trying to replace the main office, site A, IP Cop box with pfSense. I've added the IP Sec configuration and the firewall rules. From site B I can access everything at site A - config pages, drive share all work. From site A I can ping any address at site B, I can telnet into the NAS at site B, I can connect to my Mac Mini web server on HTTP and HTTPS (and VNC into the system), but the web config pages for 2 NAS devices & a printer won't respond at all and I can't connect to any of the shared drives at site B.

    As soon as I switch site A back to IP Cop it all works.

    All firewall rules are logging on both pfSense boxes and I've monitored the firewalls at both ends, the only traffic being blocked now is on the WAN interface.

    I have 2 other VPN connections to migrate connecting us to client networks for RDP access. When I tried those, again the basic connectivity seemed fine, RDP would connect and authenticate, but then the session would time out with a licensing error. Again, reconnect IP Cop and the connections work fine.

    Any pointer on what to look at next would be appreciated.



  • Do you have the gateway option set on your LAN rules? If that is the case, you need some negate rules (matching rules with no gateway set) before that one so VPN internal traffic gets properly routed.



  • Each LAN end has the Anti-Lockout Rule and two LAN rules I've added, one for IP4 and one for IP6.
    Currently on both sides I have:
    IP4 * * * * * * none
    IP6 * * * * * * none
    (LAN interface, any protocol, any source, any destination, Log packets)

    I've had variations on these, specifying the Source as LAN etc., but no change in the symptoms.
    I also tried the advanced option to allow packets with IP options to pass, no difference.
    And I've set "Bypass firewall rules for traffic on the same interface".

    Right now if I initiate a connection to the NAS control page I get the following in the firewall log:
    Site A: LAN  10.10.1.2:53801  10.10.123.5:5000 TCP:S
    Site B: IPsec 10.10.1.2:53801  10.10.123.5:5000 TCP:S

    But no return traffic at all.
    I do see return traffic from other web servers inside the site B LAN, and I see regular exchanges on port 53 for DNS transfers.
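The two log lines above show the SYN leaving Site A's LAN and arriving on Site B's IPsec interface, with nothing coming back. The check below is an added example, not something from this thread or from pfSense: it takes log excerpts in the same shape as the ones quoted (site, interface, src:port, dst:port, proto:flags), pairs packets into flows, and reports the flows where the initiator's packets were logged but the server side never answered. The 10.10.1.2 and 10.10.123.5 addresses are the ones from the post; the other lines (a healthy HTTPS flow to an assumed 10.10.123.20 and a DNS exchange with an assumed 10.10.123.1) are constructed to give the script something to contrast against. A packet capture on the destination LAN, as suggested earlier in the thread, is the authoritative version of this test; the script only automates reading the logs you already have.

```python
import re

# Constructed sample log in the shape of the firewall log excerpts quoted in
# the post: "<site>: <iface> <src>:<sport> <dst>:<dport> <proto>[:<flags>]".
# Only the first two lines reflect the post; the rest are made up for contrast.
SAMPLE_LOG = """\
Site A: LAN 10.10.1.2:53801 10.10.123.5:5000 TCP:S
Site B: IPsec 10.10.1.2:53801 10.10.123.5:5000 TCP:S
Site A: LAN 10.10.1.2:53802 10.10.123.20:443 TCP:S
Site B: IPsec 10.10.1.2:53802 10.10.123.20:443 TCP:S
Site B: LAN 10.10.123.20:443 10.10.1.2:53802 TCP:SA
Site A: IPsec 10.10.123.20:443 10.10.1.2:53802 TCP:SA
Site A: LAN 10.10.1.2:41000 10.10.123.1:53 UDP
Site A: IPsec 10.10.123.1:53 10.10.1.2:41000 UDP
"""

LINE_RE = re.compile(
    r"^(?P<site>[^:]+):\s+(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>TCP|UDP)(?::(?P<flags>[A-Z]+))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def flow_key(rec):
    """Direction-independent key so both halves of a flow land together."""
    a = (rec["src"], rec["sport"])
    b = (rec["dst"], rec["dport"])
    return (rec["proto"],) + (a + b if a <= b else b + a)


def find_one_way_flows(log_text):
    """Return the flows whose first packet was logged (the initiator's SYN
    or first datagram) but for which no packet from the other endpoint
    appears anywhere in the log. Each result records where the initiator's
    packets were seen, so you can tell 'never left the LAN' from
    'crossed the tunnel and died at the far end'."""
    flows = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = (rec["src"], rec["sport"])
        dst = (rec["dst"], rec["dport"])
        # The first packet seen for a flow defines who the initiator is.
        f = flows.setdefault(flow_key(rec), {
            "proto": rec["proto"], "client": src, "server": dst,
            "reply_seen": False, "seen_at": set()})
        if src == f["server"]:
            f["reply_seen"] = True
        f["seen_at"].add("%s/%s" % (rec["site"], rec["iface"]))
    return [
        {"proto": f["proto"],
         "client": "%s:%d" % f["client"],
         "server": "%s:%d" % f["server"],
         "seen_at": sorted(f["seen_at"])}
        for f in flows.values() if not f["reply_seen"]
    ]


if __name__ == "__main__":
    for flow in find_one_way_flows(SAMPLE_LOG):
        print("no reply: %(proto)s %(client)s -> %(server)s, request seen at %(seen_at)s" % flow)
```

On the constructed input the only one-way flow is the NAS control page (TCP to 10.10.123.5:5000), seen on both Site A/LAN and Site B/IPsec. That combination means the request did cross the tunnel, which is what makes the NAS (its firewall, gateway or subnet mask) the next thing to look at rather than the pfSense rules.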



  • @AndyM:

    But no return traffic at all

    That indeed sounds like the root problem, which if you've confirmed with packet capture the traffic leaves the destination LAN and gets nothing in reply, is an issue with the NAS.



  • I went through that thought process too.
    But then why would the NAS function fine when the site A end of the VPN is the ipCop box?
    I'm more inclined to think, if it's not the firewall blocking the traffic, there's something wrong in the routing tables.



  • Hi Mark

    Did you resolve this issue? I am seeing something which sounds the same or similar to what you were experiencing.

    I have an IPSEC VPN between two pfSense firewalls, Site 1 is pfSense v2.2.0 and Site 2 is pfSense v2.2.4. I can't upgrade the firewall at Site 1 at the moment so I am stuck with v2.2.0 on this site.

    I have a Windows Terminal Server on Site 1 from which I am trying to manage a number of webGUIs on Site 2 (e.g. ILOs, the web interface of the local managed switch, the pfSense GUI, etc.). I have configured the VPN between the sites which is working and I am able to ping IP addresses on the remote network from the terminal server and can also SSH to both the switch and the pfSense firewall on their Site 2 local subnet IPs. However, I am getting connection reset messages from all of them when I try to access their webGUIs using HTTPS on the same IPs despite ports 80 and 443 being allowed in the same rules on both firewalls that allow port 22.

    The really odd thing is that for brief periods of time, no longer than 5 minutes, I am able to access the webGUIs but then I start getting connection resets again. These periods of connectivity are transient and happen without any configuration changes/reboots.

    If you did resolve your issue, it would be great to hear back to see if what you found matches my symptoms.

    Kind regards
    Ryan



  • I can recall not being able to access the web interface of some TP-Link (cheap) APs over an IPSec VPN once; the problem turned out to be related to the MTU size. I had to play around with the MSS clamping value to get it to work.

    If this is the case, Wireshark captures would help your troubleshooting a lot.
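The MTU explanation fits symptoms like Ryan's (ping and SSH work, HTTPS pages hang or reset), because those work with small packets while a web page fills TCP segments to the maximum size, and a full-size segment plus ESP encapsulation no longer fits the WAN MTU. It does not explain a case where even the 40-byte SYN gets no reply. The following is an added example, not code from this thread or from pfSense, that models that behaviour: it computes the inner MTU left after an assumed ESP overhead, derives the MSS a firewall would need to clamp to, and runs a constructed set of TCP segments through the tunnel with and without the clamp. The 73-byte ESP overhead, the segment sizes and the DF flags are assumptions for illustration; real ESP overhead depends on the cipher, IV length, padding and whether NAT-T is in use.

```python
IP_HDR = 20    # IPv4 header without options
TCP_HDR = 20   # TCP header without options


def inner_mtu(outer_mtu, esp_overhead):
    """Largest inner IPv4 packet that fits the tunnel without fragmentation.
    esp_overhead is an ASSUMED figure; measure it for your own cipher suite."""
    return outer_mtu - esp_overhead


def clamped_mss(outer_mtu, esp_overhead):
    """TCP MSS to advertise so that a full segment still fits the tunnel."""
    return inner_mtu(outer_mtu, esp_overhead) - IP_HDR - TCP_HDR


def simulate(segments, outer_mtu, esp_overhead, mss_clamp=None):
    """Push TCP segments through the tunnel model.

    segments: list of (label, payload_bytes, df_set).
    Returns {label: "delivered" | "dropped"}.

    With DF set and no ICMP 'fragmentation needed' reaching the sender
    (the usual case through filtered VPNs), an oversized packet is simply
    black-holed. With mss_clamp set, the sender is assumed to honour the
    clamped MSS and never build a payload larger than it."""
    limit = inner_mtu(outer_mtu, esp_overhead)
    outcome = {}
    for label, payload, df in segments:
        if mss_clamp is not None:
            payload = min(payload, mss_clamp)
        packet = IP_HDR + TCP_HDR + payload
        if packet <= limit:
            outcome[label] = "delivered"
        elif not df:
            outcome[label] = "delivered"   # fragmented in transit, arrives slowly
        else:
            outcome[label] = "dropped"     # DF set, PMTUD blind: black hole
    return outcome


# Constructed session: small interactive traffic versus a full-size HTTPS
# response. 1460 is the payload a 1500-byte Ethernet MTU lets TCP send.
SESSION = [
    ("ssh-banner", 41, True),
    ("tls-server-hello", 1460, True),
    ("http-body", 1460, True),
    ("small-reply", 200, True),
]

if __name__ == "__main__":
    mss = clamped_mss(1500, 73)
    print("inner MTU %d, clamped MSS %d" % (inner_mtu(1500, 73), mss))
    print("without clamp:", simulate(SESSION, 1500, 73))
    print("with clamp:   ", simulate(SESSION, 1500, 73, mss_clamp=mss))
```

Without the clamp the SSH banner and the short reply are delivered while both 1460-byte segments are dropped, which is exactly the "I can SSH but the web GUI hangs" pattern; with the MSS clamped to what the tunnel can carry, every segment is delivered. In a Wireshark capture on the client this shows up as the TLS handshake stalling after Client Hello, with retransmissions of the server's first large segment never arriving.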

