Context

I wanted the pfSense WebGUI reachable remotely through Cloudflare Tunnel and Access without exposing it directly to the public internet.

Change

I moved the tunnel host into SERVERNETWORK and updated the origin to point at the pfSense SERVERNETWORK interface IP instead of the IoT-side address I had been testing against.

Result

The Cloudflare 502 disappeared as soon as the origin IP matched the actual VLAN and interface rules. The bigger lesson was that pfSense’s anti-lockout and interface-access behavior do not automatically translate across VLANs.

Next

  • Document which interface/IP each management service should use
  • Keep origin tests, like curl from the tunnel host, as a standard validation step
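The validation step from the last bullet, written out as a small POSIX shell script that runs on the tunnel host. This is an added example and not part of the original note: it assumes curl is installed on the tunnel host, and `ORIGIN_URL` is a placeholder for the pfSense SERVERNETWORK interface address (scheme, IP and port are assumptions to fill in). A status of `000` is what a wrong origin IP, wrong VLAN or blocking interface rule looks like from the tunnel host, which is the same condition that surfaces as a 502 on the Cloudflare side.

```shell
#!/bin/sh
# Added example (not from the original note): check a Cloudflare Tunnel
# origin from the tunnel host before blaming the tunnel itself.
# Assumes curl is available. ORIGIN_URL is a placeholder such as
# https://<pfsense-servernetwork-ip>:443 (assumed value, set by the operator).

# Print only the HTTP status code from the origin. curl reports "000" when no
# HTTP response arrived at all (timeout, refused, TLS handshake failure), which
# is what a wrong VLAN/IP or an interface rule blocking the tunnel host looks like.
origin_status() {
    # -k because the pfSense WebGUI normally presents a self-signed certificate.
    curl -sk -o /dev/null -w '%{http_code}' \
        --connect-timeout 5 --max-time 10 "$1" 2>/dev/null || true
}

# Map a status code to what it usually means for a tunnel-to-pfSense origin.
classify_status() {
    case "$1" in
        000) echo "unreachable: origin IP, VLAN, or interface rule blocks the tunnel host" ;;
        2*|3*) echo "ok: origin answers; a Cloudflare 502 would not be an origin problem" ;;
        4*) echo "origin reachable, client error $1 (request reached the WebGUI)" ;;
        5*) echo "origin reachable, server error $1 from the WebGUI itself" ;;
        *) echo "unexpected status: $1" ;;
    esac
}

# One-line verdict; exit status 0 only when the origin actually answered.
check_origin() {
    code=$(origin_status "$1")
    echo "$1 -> HTTP $code: $(classify_status "$code")"
    case "$code" in
        2*|3*) return 0 ;;
        *) return 1 ;;
    esac
}

# Only run when ORIGIN_URL is set, so the file can be sourced without side effects.
if [ -n "${ORIGIN_URL:-}" ]; then
    check_origin "$ORIGIN_URL"
fi
```

Run it as `ORIGIN_URL=https://<pfsense-servernetwork-ip> sh check_origin.sh` from the tunnel host; a non-zero exit means the origin, not the tunnel, still needs attention, which makes the script usable as a gate in a deploy or change checklist.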