Remote Management



  • this post it solved.


  • LAYER 8 Netgate

    Are you appending :65432 to your URL?

    https://yourfirewallip:65432/

    You'll get a certificate error.  Click through it.

    That wide-open TCP rule on WAN is not what you want.  At least change the destination address to WAN address and the destination port to 65432. Even better change the source to the specific host you want to manage from.

    https://doc.pfsense.org/index.php/How_can_I_access_the_webGUI_from_the_WAN


  • Banned

    1/ The destination should be WAN Address, not "Any".
    2/ Reset states after doing changes there.

    P.S. "I have now try to just allowed anything on TCP" is such a horrible idea that I'd rather not comment.
    P.P.S. You really should use a VPN or limit the access to known management IPs.


  • LAYER 8 Netgate

    I really don't know how people screw this up.  It works for me every time.

    ![Screen Shot 2015-09-29 at 2.43.15 AM.png](/public/imported_attachments/1/Screen Shot 2015-09-29 at 2.43.15 AM.png)
    ![Screen Shot 2015-09-29 at 2.44.15 AM.png](/public/imported_attachments/1/Screen Shot 2015-09-29 at 2.44.15 AM.png)



  • Hi,
    telnet from outside on port 65432 is working.
    HTTPS from outside gets packet retransmission.

    Hope this help.


  • LAYER 8 Global Moderator

    ssh is working fine?? So you have that listening on 1222, it seems. I also see you have TCP 53 open for some reason, not sure why?? At least it refuses to do a recursive query.. So probably running unbound with an ACL protecting you..

    I show this open
    Not shown: 65533 filtered ports
    PORT    STATE SERVICE VERSION
    53/tcp  open  domain  NLNet Labs Unbound
    1222/tcp open  ssh    OpenSSH 6.6.1_hpn13v11 (protocol 2.0)
    | ssh-hostkey:
    |  1024 0b:f4:66:da:05:6f:2c:e8:72:4b:47:74:20:de:05:ef (DSA)
    |  2048 83:52:da:3e:2e:23:ac:db:fd:e6:45:95:c2:5c:08:b3 (RSA)
    |_  256 ff:3f:51:8c:34:37:da:ba:c0:45:69:ce:0a:93:cd:73 (ECDSA)

    So where exactly is this port supposed to be open for your remote webgui?

    I am with Derelict here, I just really do not understand the issues, this is really clickity clickity done..

    You sure you're not behind a NAT, and have not forwarded the port for your GUI? Post up your WAN rules and your GUI settings.


  • LAYER 8 Netgate

    [deleted - I see the change in ports]

    Whatever is currently on 1222 is simply sending nothing in response.


  • LAYER 8 Netgate

    Nope.  Nothing.  You clicky-clicked something somewhere.  Who knows what.

    Start over.

    Backup your config, reset to "factory", do NOTHING but enable WAN access to the webgui and it'll work.

    You can restore your config in 2 minutes if you want to go back.


  • LAYER 8 Global Moderator

    dude you're not running webgui on 1222, that is ssh

    SSH-2.0-OpenSSH_6.6.1_hpn13v11
    Protocol mismatch.

    There is something on 80, it sends syn,ack back but that is all! I show it as
    80/tcp open  http    lighttpd 1.4.35

    edit: if I had to guess, you're redirecting to https on the port that your ssh is running on. What I would suggest is you start over, leave webgui running on 80. Open just 80 to your WAN address in your WAN rules and then test it. If that works then you can change to https on 443 and then open 443 on your WAN. If that works then you can try changing your ports. I think you're running into an issue where you think you're changing your ports but it's not applied or whatever.

    Let's see the output of, say, sockstat; you should see the ports that lighttpd is listening on

    root    lighttpd  32225 11 tcp4  *:443                :
    root    lighttpd  32225 12 tcp6  *:443                :
    root    lighttpd  32225 13 tcp4  *:80                  :
    root    lighttpd  32225 14 tcp6  *:80                  :

    and you should also see the ports your sshd is listening on

    root    sshd      18228 4  tcp6  *:22                  :
    root    sshd      18228 5  tcp4  *:22                  :



    1. Make an alias with ports 80, 443 (you need both, as 80 redirects to 443 by default) and 1222
    2. Add a rule with IPv4, proto TCP, source *, destination WAN address, with the alias you made for ports
    3. Profit

    After you have demonstrated that things work as they should, limit source to a range of addresses you will be connecting from or better yet, setup a VPN.

    This isn't exactly rocket surgery.
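An added example, not part of this thread: the moderator's diagnosis above was done by hand (nmap, telnet, reading the banner). The Python script below automates that check for a single host: it connects to each port, sends an HTTP request, and classifies what answered, so you can tell "filtered by the WAN rule" apart from "open, but sshd is on that port" and from "handshake completes, then nothing comes back" (the case the thread describes as packet retransmission). So that it runs offline, the three listener behaviours (SSH banner, HTTP redirect, silent accept) are constructed in-process on localhost; the banners, the `_serve`/`probe`/`demo` names and the timeouts are assumptions of this example, not pfSense or lighttpd code.

```python
import socket
import threading
import time

# Constructed sample banners for the local stand-in listeners (not captured from a real firewall).
SSH_BANNER = b"SSH-2.0-OpenSSH_6.6.1_hpn13v11\r\n"
HTTP_REPLY = (b"HTTP/1.0 302 Found\r\nLocation: https://localhost/\r\n"
              b"Content-Length: 0\r\n\r\n")
PROBE_TIMEOUT = 1.0   # how long the client waits for a reply
SILENT_HOLD = 3.0     # the 'silent' listener keeps the connection open this long without answering


def _serve(behaviour):
    """Start a localhost TCP listener that behaves like sshd, an HTTP redirector,
    or a daemon that accepts the connection and never replies. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                if behaviour == "ssh":
                    conn.sendall(SSH_BANNER)          # sshd talks first
                    conn.recv(4096)                   # our HTTP request arrives
                    conn.sendall(b"Protocol mismatch.\n")
                elif behaviour == "http":
                    conn.recv(4096)
                    conn.sendall(HTTP_REPLY)          # the 80 -> 443 redirect lighttpd would send
                elif behaviour == "silent":
                    conn.recv(4096)
                    time.sleep(SILENT_HOLD)           # SYN/ACK done, then nothing at all

    threading.Thread(target=loop, daemon=True).start()
    return port


def _unused_port():
    """Grab and release a free port so the probe sees a RST (nothing listening)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe(host, port, timeout=PROBE_TIMEOUT):
    """Connect, send a plain HTTP request, and classify the answer:
    'filtered' (no SYN/ACK at all), 'closed' (RST), 'ssh' (SSH banner: wrong
    service on that port), 'http' (an HTTP status line), 'silent' (handshake
    completed but no bytes came back), or 'other:<first bytes>'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    try:
        with s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            data = s.recv(256)
    except socket.timeout:
        return "silent"
    except ConnectionResetError:
        return "closed"
    if data.startswith(b"SSH-"):
        return "ssh"
    if data.startswith(b"HTTP/"):
        return "http"
    if not data:
        return "closed"
    return "other:" + data[:20].decode("ascii", "replace")


def demo():
    """Bring up the constructed listeners and classify each, plus a port nothing listens on."""
    ports = {name: _serve(name) for name in ("ssh", "http", "silent")}
    results = {name: probe("127.0.0.1", p) for name, p in ports.items()}
    results["closed"] = probe("127.0.0.1", _unused_port())
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:7s} -> {verdict}")
```

Against a real firewall you would call `probe("yourfirewallip", 65432)` from the outside host; 'ssh' on the port you expected the webGUI on means the port settings were mixed up, 'filtered' means the WAN rule is not passing it, and 'silent' means something accepted the TCP connection but is not the web server you expect.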



  • For the record, I have exactly this thing set up on my own system, except that I've limited the source IPs to just my own subset of addresses and the protocol is simply port 80. If you leave the listening port for the webgui alone (port 80), try setting up a firewall rule on the WAN as follows:

    Proto: IPv4/TCP
    Source: X.X.X.X/Y (your external IP addresses/subnet mask)
    Port: *
    Destination: *
    Port: 80
    Gateway: *
    Queue: none
    Schedule: (blank)
    Description: 'Access from outside' (whatever takes your fancy)

    If you can get that much to work then you can start making changes to your listening ports, etc. and amend your rule accordingly.


  • LAYER 8 Global Moderator

    dude this is really clickity clickity, there is nothing special to do in pfsense to allow for remote webgui access. It by default listens on all ports, you just have to enable a WAN rule to allow it.

    You sure you're not trying to redirect http to https? Please post your firewall rules, your GUI settings, and you're not behind a NAT, right?? You don't have any sort of VPN client access set up on pfsense, do you? You're not trying to route traffic through a VPN or anything.

    The only thing required to enable remote webgui access is a firewall rule on the WAN to allow access to the port.. I currently show 53 and 80 open.. If you're trying to redirect 80 to 443 it's not showing open.

    Please post the output of sockstat.. And your GUI setup section – it's just listed as http, right??

