Context
I wanted remote access to the pfSense WebGUI without exposing it directly to the internet.
Change
I moved the Cloudflare Tunnel origin to the correct pfSense interface IP in
SERVERNETWORK.
Result
The 502 disappeared immediately. The more important lesson was that
anti-lockout behavior does not magically carry across VLANs just because the
service is still pfSense.
Next
Document firewall and interface assumptions before making remote-management changes.
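
One way to write those assumptions down so they can be checked before a change, as an added example that is not the author's configuration: it models, in simplified form, that pfSense evaluates rules on the interface where traffic enters and that the anti-lockout rule only covers the LAN interface's own address. Every address, port, rule and function name below is constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data: every address, port and rule here is an assumption.
INTERFACES = {
    "LAN": {"ip": "192.168.1.1", "net": "192.168.1.0/24", "anti_lockout": True},
    "SERVERNETWORK": {"ip": "10.10.20.1", "net": "10.10.20.0/24", "anti_lockout": False},
}
# Pass rules keyed by ingress interface: (source network, destination IP, port).
PASS_RULES = {"SERVERNETWORK": [("10.10.20.5/32", "10.10.20.1", 443)]}


def ingress_interface(src_ip, interfaces=INTERFACES):
    """Return the interface whose subnet contains src_ip, i.e. where its traffic enters."""
    addr = ipaddress.ip_address(src_ip)
    for name, iface in interfaces.items():
        if addr in ipaddress.ip_network(iface["net"]):
            return name
    return None


def check_origin(connector_ip, origin_url, interfaces=INTERFACES, rules=PASS_RULES):
    """List the unmet assumptions for a tunnel connector reaching the WebGUI origin."""
    url = urlsplit(origin_url)
    host, problems = url.hostname, []
    port = url.port or (443 if url.scheme == "https" else 80)
    owners = [n for n, i in interfaces.items() if i["ip"] == host]
    if not owners:
        problems.append(f"{host} is not a pfSense interface address")
    ingress = ingress_interface(connector_ip, interfaces)
    if ingress is None:
        return problems + [f"connector {connector_ip} is on no known interface subnet"]
    if owners and owners[0] != ingress:
        problems.append(f"origin is the {owners[0]} address but traffic enters on {ingress}")
    # Anti-lockout only covers traffic entering its own interface, to that interface's address.
    if interfaces[ingress]["anti_lockout"] and owners == [ingress]:
        return problems
    src = ipaddress.ip_address(connector_ip)
    allowed = any(
        src in ipaddress.ip_network(net) and dst == host and dport == port
        for net, dst, dport in rules.get(ingress, [])
    )
    if not allowed:
        problems.append(f"no pass rule on {ingress} for {connector_ip} -> {host}:{port}")
    return problems


if __name__ == "__main__":
    print(check_origin("10.10.20.5", "https://192.168.1.1"))
```

An empty list means the recorded assumptions are consistent; it does not replace testing the origin from the connector host itself.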