From PFSenseDocs
There are a few tricks you can use to get back into the WebGUI should you find your access removed.
Contents
1 Forgot Password
2 Forgotten Password with Locked Console
3 HTTP vs HTTPS confusion
4 Blocked access with firewall rules
5 Remotely Circumvent Firewall Lockout by Temporarily Changing the Firewall Rules
6 Remotely Circumvent Firewall Lockout With SSH Tunneling
7 Squid Took Over My HTTP Port!
Forgot Password
If you forgot the password for the system it can be reset easily with console access. Get to the physical console (Keyboard/Monitor, or Serial) and use option 3) to reset the WebGUI password.
Forgotten Password with Locked Console
1. Reboot the pfSense box
2. Choose option 4 (Single User Mode) from the loader menu (the one with the ASCII pfSense logo)
3. Press enter when prompted to start /bin/sh
4. Remount the drive as rewritable:
5. If you made multiple partitions/slices you may just want to mount everything:
6. Run the built-in password reset command:
/etc/rc.initial.password
You should now be able to access the system with the default password (admin / pfsense).
Note: The ease of this process should serve as a reminder that anyone with physical access to your pfSense system can bypass basic security measures like password protecting the console. If you are password protecting the console to keep out anything more than accidental logins or low-knowledge users, you may want to rethink your security strategy.
HTTP vs HTTPS confusion
http://pfsensebox:443
https://pfsensebox:80
If you need to reset this from the console, reset the LAN IP, enter the same IP, and it will prompt to reset the WebGUI back to HTTP.
Remotely Circumvent Firewall Lockout by Temporarily Changing the Firewall Rules
Once you have regained the necessary access, turn the firewall back on by typing:
pfctl -e
Alternately, the loaded ruleset is left in /tmp/rules.debug. You can edit that to fix your connectivity issue and reload those rules like so:
pfctl -f /tmp/rules.debug
After that, do whatever work you need to do in the WebGUI to make the fix permanent. (From billm in this forum post)

If you do not want to disable pf, but you still need to get in, you can run the following shell command to add an "allow all" rule on the WAN.
pfSsh.php playback enableallowallwan
This is VERY DANGEROUS to keep around, so once you have regained access to the GUI with proper rules, be sure to delete this "allow all" rule.
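One way to confirm that no such rule is left behind once proper rules are in place, as an added example that is not part of the original page. It assumes the temporary rule shows up as a non-outbound pass rule with "from any to any" (printed as "all" by pfctl -sr) and no proto or port restriction; the function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit pf rule text for leftover unrestricted inbound pass rules.

# sample_rules: constructed rule text for the demo, not from a real firewall.
sample_rules() {
    cat <<'EOF'
# constructed sample
block in log quick on $WAN from <bogons> to any label "block bogon networks"
pass in quick on $WAN proto tcp from any to 192.0.2.10 port 443 keep state label "USER_RULE: HTTPS"
pass in quick on $WAN reply-to ( em0 192.0.2.1 ) inet from any to any keep state label "USER_RULE: allow in all"
pass out quick on $LAN inet from any to any keep state label "let out anything"
pass in quick on em0 inet all flags S/SA keep state label "USER_RULE"
EOF
}

# list_allow_all [IFACE]: read pf rules on stdin, print "lineno: rule" for each
# pass rule that is not outbound, matches any source and destination, and has
# no proto or port restriction. IFACE (optional) limits the check to "on IFACE".
list_allow_all() {
    awk -v ifc="${1:-}" '
        /^[[:space:]]*#/ { next }            # comment lines
        $1 != "pass"     { next }            # only pass rules can open access
        {
            dir = ""; on = ""; anyany = 0; narrowed = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "label") break     # do not parse free-text labels
                if ($i == "in" || $i == "out") dir = $i
                if ($i == "on") on = $(i + 1)
                if ($i == "proto" || $i == "port") narrowed = 1
                if ($i == "all") anyany = 1  # pfctl -sr prints "all" for any/any
                if ($i == "from" && $(i + 1) == "any" &&
                    $(i + 2) == "to" && $(i + 3) == "any") anyany = 1
            }
            if (anyany && !narrowed && dir != "out" && (ifc == "" || on == ifc))
                printf "%d: %s\n", NR, $0
        }
    '
}

# has_allow_all [IFACE]: exit status 0 when at least one such rule is present.
has_allow_all() {
    [ -n "$(list_allow_all "$@")" ]
}

# Demo on the constructed sample; on a firewall, feed it /tmp/rules.debug instead.
sample_rules | list_allow_all
```

Any line it prints is a rule to review and remove in the WebGUI; an empty result means no rule of that shape was found in the text it was given.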
Remotely Circumvent Firewall Lockout With SSH Tunneling
Fill out the options as shown, then click add. Once you connect and enter your username/password, you can access the WebGUI using your redirected local port.
Squid Took Over My HTTP Port!
1. Connect to the pfSense system console with ssh or physical access
2. Start a shell, typically option 8
3. Terminate the squid process like so:
/usr/local/etc/rc.d/squid.sh stop
squid -k shutdown
or
killall -9 squid
Once the squid process is fully terminated, you should be able to regain access to the WebGUI. Be aware that you may need to work quickly, or repeat the shutdown command, as squid may be automatically restarted.

Feel free to add your own tips and tricks to this list!