diff --git a/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php b/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php
index 42b740749..1532366f7 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php
@@ -183,7 +183,13 @@ class ACL
 */
 private function urlMatch($url, $urlmask)
 {
- $match = str_replace(array(".", "*","?"), array("\.", ".*","\?"), $urlmask);
+ /* "." and "?" have no effect on match, but "*" is a wildcard */
+ $match = str_replace(array('.', '*','?'), array('\.', '.*','\?'), $urlmask);
+ /* if pattern ends with '/.*' optionally match for flat URL mask */
+ $match = preg_replace('@/\.\*$@', '(/.*)?', $match);
+ /* remove client side pattern from given URL */
+ $url = preg_replace('@#.*$@', '', $url);
+
 $result = preg_match("@^/{$match}$@", "{$url}");
 if ($result) {
 return true;
@@ -285,7 +291,8 @@ class ACL
 if ($pattern == "*") {
 return "index.php";
 } elseif (!empty($pattern)) {
- return str_replace('*', '', $pattern);
+ /* remove wildcard and optional trailing slashes */
+ return preg_replace('@/?\*$@', '', $pattern);
 }
 break;
 }
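Review bot: In urlMatch the mask still reaches `preg_match` with only `.`, `*` and `?` neutralised, so any other regex metacharacter in an ACL pattern (`+`, `(`, `|`, `[`, or the `@` delimiter) is read as pattern syntax and can widen or break the match. If masks are meant to be plain globs, as the added comment says, quote the whole mask first: `$match = str_replace('\*', '.*', preg_quote($urlmask, '@'));`. The closing `$` also accepts a trailing newline after the URL; the `D` modifier (`"@^/{$match}$@D"`) makes the anchor strict. Since the access decision is now taken on the URL with everything after `#` removed, it is worth confirming that whatever routes the request treats that part the same way; the function's tail lies outside the hunk.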
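Review bot: The new `preg_replace('@/?\*$@', '', $pattern)` in the second hunk strips only a wildcard at the very end of `$pattern`, whereas the replaced `str_replace` removed every `*`; a pattern with a wildcard elsewhere would now be returned with a literal `*` in it. If such patterns can reach this branch, cutting at the first wildcard keeps the result a usable URL: `return preg_replace('@/?\*.*$@', '', $pattern);`. The added comment says "trailing slashes" but `/?` removes at most one, so either the comment or the quantifier should change. The enclosing method starts and ends outside the hunk.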