Jump to content

False positive - pfsense router webgui

Go to solution Solved by ceckelberry,

Recommended Posts

browser guard is flagging and blocking my pfsense router's webgui interface on the local lan side when accessing it -  I can add to allow list and it is fine -- I have ran adguard and emsisoft blockers against it and they do not have the issue.. I believe it may be the lan ip that triggered it. 192.168.5.x range - It did not start till friday prior to that no issues so assuming it m ay be the latest update etc  -- my malwarebytes endpoint nebula products do no block it. 

I can either add to filter or just say ignore and it lets me through -  I know pfsense routers use self signed certs but in the past and on other  pfsense routers ( not using the same lan ip )  they are fine





Link to post

Thats the screen shot  I can continue or add to allow list -- its actually the router webgui thats being accessed -- I have checked router rebooted etc even rolled back to a previous config of the router and backup just to be sure

Also other webblockers dont flag it and neither does endpoint nebula as I mentioned


Edited by BobSoul
Link to post

Well after lots of testing it is only malwarebytes browser guard that does this -  ( latest version ) - no other browser guards have blocked it- From what I can tell it appears to be caused by the sshguard feature of the webgui which monitors for attempts to log in from untrusted sources or locations thats triggering the browser guard in combination with the specific lan ip

I know for a fact this router is not infected.... pfsense software is very good at preventing that and as I stated  ( rebooted and went backwards to an backup image of the router ) verified with netgate documentations etc  --  The combination of self signed certs and the sshguard appear to be triggering browser guard when in combination with the IP

Link to post

further info if i connect using the routers ( hostname and local domain ) it does not trigger the detection.. only when using the  IP -- so this would then appear to be a false detection based on the IP since its fine using the hostname and local domain of the router lan side

Link to post
  • Root Admin

Hello @BobSoul

Please try the following Browser Guard Reset

To do so:

  • Open Browser Guard 
  • On the top right, click the 3 vertical dots
  • Click "Support"
  • Click "Factory Reset"


If still an issue, then please get us some logs from Browser Guard

You can download the log from the Support page





Here is an example of the log naming to look for when uploading.



Thank you


Link to post

That fixed it .... I tested across 2 machines after factory reset and no further blocking issue - when using the LAN IP. ( made sure allow list was blank as well...  though I did that prior to testing with using the host name and domain name combo -which these routers use there own or you can use the network domain - which made a easy way to test for a real issue versus a false detection )

Link to post

Thanks - from what I can tell by the debug logs its the 5.1 that is hitting a match versus when using the host name of the router whihc they both load the same php pages and webgui in the same manner just different address.

Ive extensively scanned machines etc - they are all clean -- have other pfsense routers connected via ipsec tunnels as well that dont detect but they do not have the 5.1 ip. this started on friday afternoon prior to that no problem earlier in the day accessing ( until after update on the browser guard)


Just trying to give you as much info as possible



  • Like 1
Link to post

Malwarebytes Nebula scans and active web blocker so  clean as well - I just went through all the nebula logs etc for various machines and several scans on the machines I have been testing this on as well ( Emsisoft brower still sees it as fine as does adguard - default chrome protection only sees the self signed Cert and warns on that but that is normal and is documented by netgate pfsense as normal

  • Like 1
Link to post

Update info just incase its helpful - spoke with netgate themselves - the router is clean and they believe its the actual ip address itself with the 5.1 in that is triggering the error

based on this from the debug log 

{"@timestamp": "2023-04-17T22:21:27.277Z", "session": "1681770081858", "message": "ANY: Just matched '5.1' in database: spyware", "level": "INFO"}
{"@timestamp": "2023-04-17T22:21:27.277Z", "session": "1681770081858", "message": "OM: (PAGE_BLOCK) malware (spyware) match found on https://xxx.xxx.5.1:xxxx/ for https://xxx.xxx.5.1:xxxx/

changing the routers IP is not actually a quick option since it requires redoing an entire network of statics and other devices pools of address as well as IPsec tunnels and VPN connection profiles etc.


With out doing anything to the browser guard can change to using the hostsname.domain inplace of the ip and it does not get blocked

Edited by BobSoul
blocking the ips with xxxx to only highlight the 5.1
Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.