Fixing a 502 on pfSense Behind Cloudflare Tunnel (VLAN Origin Gotcha)
Context
I wanted the pfSense WebGUI accessible remotely without exposing it publicly, using Cloudflare Tunnel + Access.
Change
I ran the tunnel from SERVERNETWORK and updated the tunnel origin to use the pfSense SERVERNETWORK interface IP (instead of the IoT interface IP).
Result
The Cloudflare 502 disappeared immediately once the origin IP matched the VLAN/interface rules. The big lesson: pfSense’s “anti-lockout” and interface access behavior don’t automatically translate across VLANs.
Next
- Document which interface/IP each management service should use
- Keep “origin tests” (curl from the tunnel host) as a standard validation step
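What the origin change above looks like in a cloudflared `config.yml`, as an added example rather than the author's actual file; the tunnel UUID, the hostname `fw.example.com`, and the two interface IPs (192.168.10.1 for SERVERNETWORK, 192.168.20.1 for IoT) are placeholders, not values from the post.

```yaml
# cloudflared config.yml (example; placeholders, not the original post's values).
tunnel: <TUNNEL-UUID>
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

ingress:
  - hostname: fw.example.com
    # Wrong origin (produced the 502): the IoT interface IP. The tunnel host
    # lives on SERVERNETWORK, and that VLAN's firewall rules did not permit
    # WebGUI access at the other interface's address, so cloudflared got no
    # answer from the origin and Cloudflare returned 502.
    # service: https://192.168.20.1
    #
    # Correct origin: the pfSense interface on the same VLAN as the tunnel host.
    service: https://192.168.10.1
    originRequest:
      # Assumption: the WebGUI still serves pfSense's default self-signed
      # certificate. Install a trusted certificate and remove this line so
      # cloudflared verifies the origin.
      noTLSVerify: true
  # Catch-all rule; cloudflared requires it as the last ingress entry.
  - service: http_status:404
```

Before restarting cloudflared, run the origin test from the tunnel host, `curl -sk -o /dev/null -w '%{http_code}\n' https://192.168.10.1/`; a 200 or 302 means the WebGUI answers at that IP, while a timeout or connection refused points back at the VLAN/interface rules.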