Putting pfSense Behind Cloudflare Access (And Breaking It Twice)

12/19/2025

Context

I wanted remote pfSense GUI access without exposing it publicly.

Change

Moved tunnel origin to the correct interface IP in SERVERNETWORK.

Result

502 resolved; learned anti-lockout doesn’t apply across VLANs.

Next

Document firewall/interface assumptions before changes.