
I locked myself out of the WebGUI, help!

From PFSenseDocs
There are a few tricks you can use to get back into the WebGUI should you find your access removed.

Contents

1 Forgot Password
2 Forgotten Password with Locked Console
3 HTTP vs HTTPS confusion
4 Blocked access with firewall rules
5 Remotely Circumvent Firewall Lockout by Temporarily Changing the Firewall Rules
6 Remotely Circumvent Firewall Lockout With SSH Tunneling
7 Squid Took Over My HTTP Port!

Forgot Password
If you forgot the password for the system it can be reset easily with console access. Get to the physical console (Keyboard/Monitor, or Serial) and use option 3) to reset the WebGUI password.

Forgotten Password with Locked Console


If the console is password protected and you do not know the password, all is not lost. It will take a couple reboots to accomplish, but it can be fixed with physical access to the console:

1. Reboot the pfSense box
2. Choose option 4 (Single User Mode) from the loader menu (the one with the ASCII pfSense logo)
3. Press enter when prompted to start /bin/sh
4. Remount the drive as rewritable:

/sbin/mount -o rw /

5. If you made multiple partitions/slices you may just want to mount everything:

/sbin/mount -a -t ufs

6. Run the built-in password reset command:

/etc/rc.initial.password

7. Follow the prompts to reset the password
8. Reboot

You should now be able to access the system with the default password (admin / pfsense).

Note: The ease of this process should serve as a reminder that anyone with physical access to your pfSense system can bypass basic security measures like password protecting the console. If you are password protecting the console to keep out anything more than accidental logins or low-knowledge users, you may want to rethink your security strategy.

HTTP vs HTTPS confusion


Ensure you are connecting with the proper protocol, either HTTP or HTTPS. Starting with pfSense 2.0, the default WebGUI protocol is HTTPS. If one doesn't work, try the other. You may find that you need to try the opposite protocol on the other's port, like so:

http://pfsensebox:443
https://pfsensebox:80

If you need to reset this from the console, reset the LAN IP, enter the same IP, and it will prompt to reset the WebGUI back to HTTP.

Blocked access with firewall rules


If you blocked yourself out of the WebGUI remotely with a firewall rule, there may still be hope. This shouldn't happen from the LAN as there should be an anti-lockout rule that maintains access to the WebGUI from that interface. Having to walk someone on-site through fixing the rule is better than losing everything!

Remotely Circumvent Firewall Lockout by Temporarily Changing the Firewall Rules


You could (very temporarily) disable firewall rules by typing:
pfctl -d

Once you have regained the necessary access, turn the firewall back on by typing:
pfctl -e

Alternately, the loaded ruleset is left in /tmp/rules.debug. You can edit that to fix your connectivity issue and reload those rules like so:

pfctl -f /tmp/rules.debug

After that, do whatever work you need to do in the WebGUI to make the fix permanent. (From billm in this forum post)

If you do not want to disable pf, but you still need to get in, you can run the following shell command to add an "allow all" rule on the WAN.
pfSsh.php playback enableallowallwan

This is VERY DANGEROUS to keep around, so once you have regained access to the GUI with proper rules, be sure to delete this "allow all" rule.
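
The two pfctl approaches above, wrapped with guard rails. This is an added example, not part of the pfSense documentation: the function names and the PFCTL/RULES override variables are hypothetical, and only pfctl's -d, -e, -f and -n (parse without loading) flags are used.

```sh
#!/bin/sh
# Added example, not part of the pfSense documentation.
# PFCTL and RULES can be overridden (e.g. with a stub) for a dry run.
PFCTL="${PFCTL:-pfctl}"
RULES="${RULES:-/tmp/rules.debug}"

# Disable pf for at most SECONDS (1-600); a detached timer turns it back on
# even if the SSH session drops or the operator forgets to run "pfctl -e".
pf_disable_window() {
    secs="$1"
    case "$secs" in
        ''|*[!0-9]*|????*) echo "usage: pf_disable_window SECONDS" >&2; return 2 ;;
    esac
    if [ "$secs" -lt 1 ] || [ "$secs" -gt 600 ]; then
        echo "window must be 1-600 seconds" >&2; return 2
    fi
    # Arm the timer first so pf can never stay off without one running.
    nohup sh -c "sleep $secs; $PFCTL -e" >/dev/null 2>&1 &
    timer=$!
    if ! $PFCTL -d; then
        kill "$timer" 2>/dev/null
        return 1
    fi
    echo "pf disabled; re-enable scheduled in ${secs}s (timer pid $timer)"
}

# Copy the loaded ruleset aside before editing it; prints the backup path.
pf_backup_rules() {
    src="${1:-$RULES}"
    bak="$src.bak.$$"
    cp -p "$src" "$bak" && echo "$bak"
}

# Parse the edited ruleset with -n (no load) and only load it if that passes.
pf_reload_checked() {
    file="${1:-$RULES}"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    if ! $PFCTL -nf "$file"; then
        echo "syntax check failed; ruleset NOT loaded" >&2
        return 1
    fi
    $PFCTL -f "$file"
}
```

Source the file in a shell on the firewall, then call for example pf_disable_window 120, or pf_backup_rules followed by an edit and pf_reload_checked.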

Remotely Circumvent Firewall Lockout With SSH Tunneling


If you blocked access to the WebGUI remotely (which is smart to do, anyhow) but you still have access with SSH, then there is a relatively easy way to get in: SSH Tunneling.

If the WebGUI is on port 80, set your client to forward local port 80 (or 8080, or whatever) to remote port "localhost:80", then point your browser to http://localhost:80 (or whichever local port you chose). If your WebGUI is on another port, use that instead. Obviously, if you are using https you will still need to use https to access the WebGUI this way.

Here is how to set up a port 80 tunnel in PuTTY:

Fill out the options as shown, then click add. Once you connect and enter your username/password, you can access the WebGUI using your redirected local port.

Squid Took Over My HTTP Port!


If you accidentally configure squid to use the same port as the WebGUI, and then cannot get back in to fix the configuration, you may need to fix it as follows:

1. Connect to the pfSense system console with ssh or physical access
2. Start a shell, typically option 8
3. Terminate the squid process like so:

/usr/local/etc/rc.d/squid.sh stop

If that doesn't work, try it this way:

squid -k shutdown

or
killall -9 squid

Once the squid process is fully terminated, you should be able to regain access to the WebGUI. Be aware that you may need to work quickly, or repeat the shutdown command, as squid may be automatically restarted.

Feel free to add your own tips and tricks to this list!
