How To Remote Access Pfsense WebGui From Wan Via SSH Tunnel?
When pfsense is newly installed, by default, the access to WebGUI from the wan interface is blocked, in order to complete our configuration, we may temporarily allow this by using the pfsense shell option, and then type pfctl -d, this will temporarily disable the firewall rules, and allows access to the pfsense web interface using its wan address.
Also, keep in notice that we need to reissue this command with almost every change we make in the web GUI. To re-enable firewall rules, use pfctl -e.
In certain cases, we may need to enable pfsense remote management on a permanent basis, there are two methods commonly used to achieve this.
- Through the Use of a VPN. Here’s an easy tutorial on how to access pfsense using a VPN.
- Through the Use of SSH Tunneling.
For this tutorial, we will set up SSH Tunneling to remote access pfsense. Here is more for further assistance.
Setup SSH Tunnel On Pfsense
By default, SSH access is not enabled on the pfsense, so we need to enable it, first and later we need to allow it through firewall rules for wan access, so let’s do it step by step.
Log in to your pfsense firewall using your admin credentials and if you are using your pfsense default credentials such as username admin and password pfsense then do change the password to something strong.
In order to change the password, select from the top menu and go to System>User Manager and then select Users tab, then select pencil icon (Edit) for admin under Actions and then change the default password.
Assuming that the password is changed to something strong, let’s enable SSH access, for this, go to System>Advance then select the Admin Access tab and scroll down till you reach the Secure Shell section.
Enable Secure Shell by selecting the checkbox, rest, use the default values, and save the configuration.
It is recommended to allow only Strict Access to Pfsense Web Interface IP. For Strict Access, create a list of IP addresses that alone will be allowed to access the pfsense web Interface address from outside.
Having Problems? Here is more for further assistance.
Create ALlAS For Allowed WAN IP Addresses
For Strict Access, we need to create an Alias. An Alias just represents a group. It can be a group of IP addresses or multiple IP addresses which are grouped logically and named something meaningful, let’s say for example “Remote-Wan-IPs” is an ALIAS that contains different allowed wan IP addresses. Using ALIAS makes our configuration shorter and simpler.
Next, select Firewall–>Aliases, and then on the IP tab select Add. This will open ALlAS Page.
Now type the following to complete the Alias configuration.
Name : Enter Remote_WAN_IPs.
Description: Enter your desired logical explanation such as “Allowed wan IPs to access Management Interface“.
Type: Host(s) if you have just one wan IP to allow, if you have multiple IPs then choose Type: Networks.
Here is an example with Multiple Remote Wan IPs.
Now hit the Save button to finalize settings for an Alias.
Firewall Rule For Remote SSH Access
By default, pfsense uses a firewall rule called the Anti Lockout Rule that disables remote access to the pfsense web interface and also saves the user to be locked out of the firewall in case, if the firewall rules are misconfigured. In order to allow remote web access, we need to disable this rule.
To disable it, select from the top menu System>Advance, from the Admin Access Tab uncheck Disable webConfigurator anti-lockout rule.
Now as the final step to Remote Access configuration we need to create a firewall Pass rule along with using Alias in the allowed Source field as shown in the screenshot below.
To create a firewall rule, select from the top menu Firewall>Rules and then choose your WAN Interface and then select Add.
Here is an example configuration screenshot.
Here Action: is PASS as we want to allow SSH traffic from the remote WAN.
Interface: WAN, it will be our local WAN Interface.
Protocol: TCP as SSH use TCP port 22 by default.
Source: Single host or Alias, we will choose Remote_WAN_IPs as it will pop up when we will start typing the name for our Alias.
Destination: This Firewall (self), represents the Management IP Address for our firewall.
Once you are done typing your configuration details, hit the Save button to be done with the configuration.
Remote Access Pfsense From Windows10 Platform
Now we are done with SSH configuration on our pfsense firewall and before we try to open the pfsense web interface remotely, we need to test our new SSH configuration.
You can test this using any OS (Operating System) or a tool such as Putty. For putty read below, to test on windows, open the command prompt and type the following to initiate an SSH connection.
Type: ssh admin@”your pfsense wan IP address”
after you press enter, it will ask for your admin password so enter the password.
If everything goes correct then you will see the following screen which means that our SSH connection is a success.
Finally, it’s time to initiate an SSH tunnel from our Windows 10 machine, Press CTRL C to disconnect the previous connection and after this, just enter the following command to initiate a tunnel connection from your windows machine.
ssh -L 8888:localhost:443 admin@"your pfsense wan ip address"
Let me explain the above command a bit.
ssh: Initiating an ssh connection.
-L: Asking to initiate local port forwarding from pfsense with the address localhost (127.0.0.1) and port 443 (port used by pfsense), thus initiating an ssh connection to pfsense along with mapping localhost of pfsense to your machine’s localhost and pfsense port 443 to your machine port 8888.
After entering the password, If the connection is successful then just open a web browser on your windows machine and type https://localhost:8888. Make sure to use https://.
Having Problems? Here is more for further assistance.
Using Putty For SSH Remote Access
Putty is a good free tool that is commonly used to remote access servers and networking equipment either using SSH or Telnet, it also uses other methods to remote access a device. Download the Putty and type in the following settings
In the Host Name field Enter your Pfsense WAN Interface Public IP Address then Select SSH>Tunnels from the left Pane.
Now enter the following Configuration.
Here 8888 is our local windows machine port that is being mapped to pfsense port 443 and 127.0.0.1 is Pfsense Loopback address that is being mapped to our local machine loopback’s address. After selecting Add just Select Open.
Now type admin at the login as prompt, then type in your pfsense admin password, if all is well then you will see this screen after.
After this just open your browser and type in https:127.0.0.1:8888. Make sure you type https://.
And if you see the login page then you are successful in securely opening the pfsense web interface remotely. If not, then Here is more for further assistance.