Accessing pfsense webGUI through WAN using public IP

  • Hi There,

    I'm trying to configure pfsense to access over the internet using its public IP but I'm unable to do so.

    From the ISP, pfsense is connected directly with an ETH cable and then contributed to LAN. However, I've created an alias with my other office's public IP's to avoid any further anonymous logins.

    Then I took a remote session to office, tried connecting which didn't workout, not even the ping. Further going forwards, I've added a to allow ICMP only that specified alias which I'm not able to but only on those IPs. However, still I'm struggling to access the GUI using the public IP.

    Any ideas as to why I cannot access?

  • You must set up a port forwarding rule allowing incoming traffic from internet toward pfSense IP and GUI port.
    I would suggest a VPN connection in lieu of the previous, opening that port in the public is not secure…

  • LAYER 8 Global Moderator

    Your behind a nat and did not forward it on the nat in front of pfsense.. Your isp is blocking the gui port?  You did not create a firewall rule on pfsense wan to allow access to the gui port?

    Should I go on?

    And as wolf666 already mentioned opening up web gui to public net is bad idea, not as bad if you lock it down to specific source.. But vpn would be better idea!!

  • I did not forward any ports and my ISP is not blocking ports.

    I created a firewall rule only allowing certain public IPs to ping and connect as they are unique to my office and they are only connected to certain servers.

    I do know opening up a web gui is a bad idea but I have not allowed it to access every but to certain public IPs which is working flawlessly when I do ping from that but not from other IPs.

    I will not let it allow to be open on public but it just for my reference, so that I know the set-up of this. :)

  • LAYER 8 Global Moderator

    Dude this really is 1 firewall rule..  What port is your webgui on??  So I have it on 443, but only on lan.. I have 443 on wan for openvpn.

    So I changed it to 8443 to show how simple this is… See attached.. And can also verify webgui listen on 8443 with simple command

    [2.2.4-RELEASE][root@pfSense.local.lan]/root: sockstat -L | grep :8443
    root    lighttpd  22140 11 tcp4  *:8443                :
    root    lighttpd  22140 12 tcp6  *:8443                :

    So I validate what port webgui is on..  I create a firewall rule on wan to allow access to that port on wan address.  I then hit it from remote site - get warned hey that ssl cert not trusted, I accept said cert and bing bang zoom I am at the webgui.

    If you are having issues with your rule please post it, if your using some alias to lock it down, that is wrong maybe.. Maybe you tried put in a source port vs dest port??  But without seeing what you did, its impossible to see what you did wrong..  Again this is 10 seconds to enable - if you are having issues your failing at the basics.. Wrong rule, wrong IP, behind a NAT, etc. etc..

    See lighttpd is listening on 8443..  I then create a firewall rule..

  • Wow!! what a mess I had done.

    After seeing your screen I realized that I had enabled HTTPS but did not specify the port.

    Also on firewall rule, I had specified the port on source which was also causing issue.

    Now its accessible on my office network but not from any other public IPs.

    Thank you for the heads up.

  • LAYER 8 Global Moderator

    "Wow!! what a mess I had done."

    Said to say this is like 99.9% of the issues people have.. When in firewall rules are source ports given - almost NEVER!!  Most applications use a random source port, there are only a couple of exceptions - dns with zone transfers can use 53 as source and as dest.  Any is almost allows the source port..

    Not paying attention to what port the service is actually listening on..

    Glad you got it sorted.. Hope this thread helps the next guy..  Most threads could be like 2 posts.. Post up your rules and what your trying to do and could point out where the mistake was made..  It's almost always a MESS ;)  Not understanding how the rules are evaluated, top down.  Not understanding that you put rules on interface traffic will enter pfsense, etc..

    Now what you should be doing is rethinking the whole idea of webgui open to the public net – I had mine open all of 10 seconds to get the screen shot.. And then OFF again to the public.  I admin pfsense and my network remotely via vpn access how any sane person would do it ;)

Log in to reply