pfsense, disable webgui on WAN


Question

Slacker    6

I know that I'm not the greatest at this stuff. Normally I'm impressed with pfsense, but I've got an issue that I can't quite figure out. Right now, for some reason, I can access the webgui for my pfsense box from my WAN port, something that I do not want since my WAN port is exposed to the internet. I changed the default webgui port to 88, and created a rule to block all WAN traffic to port 88, but still I can access it by typing the WAN IP address and port into the web browser. Here's a screenshot of the firewall rules. The first rule should allow ssh traffic from the WAN port (internet) to a specific device on my network. The second rule should block any WAN traffic to port 88. The first rule works properly, the second does not. I think that there's a conflict somewhere... any ideas? Thanks.

[screenshot: firewall rules]


4 answers to this question

+BudMan    3,748

The web GUI would not be open on the public WAN IP. You should not need a specific rule! By default, ALL unsolicited traffic to the WAN is blocked.

You sure you're accessing it via WAN and not the LAN?

How do you have your pfsense set up in your network? Is the WAN on the public net, or is it behind a NAT already? On a work call currently, but as soon as it finishes I will take a look at the pfsense config to allow it to happen.

Also, what version are you running? 2.0.2, 2.1, 2.0.3?

I just checked mine and it's not open to the public. Are you accessing it via NAT reflection or something? Since you have changed the port, have you checked the "Disable webConfigurator redirect rule" option in the advanced settings?

[screenshot: advanced settings]

What I think could be happening is you have the anti-lockout rule running on your LAN, and then you're hitting it maybe via NAT reflection?

BTW: such a question is better suited to the pfsense forums; very responsive people there! Me being one of them ;) Just use a different nick there.
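As an added illustration (not from the thread and not pfSense code), a small Python model of the point made above: pfSense matches filter rules on the interface a packet enters, so a LAN client browsing to the WAN IP is judged by the LAN rules (with NAT reflection rewriting forwarded ports), while unsolicited traffic arriving on WAN falls through to the implicit default deny whether or not an explicit block rule exists. The addresses, the port-forward target and the rule set are constructed to mirror the thread.

```python
"""Constructed model of pfSense's per-interface filter evaluation.
Not pfSense code: it only captures the semantics discussed in the thread."""
from dataclasses import dataclass
from typing import Tuple

WAN_IP = "203.0.113.10"       # constructed public WAN address (TEST-NET-3)
WEBGUI_PORT = 88              # the thread moved the webConfigurator to 88
SSH_TARGET = "192.168.1.50"   # constructed LAN host behind the port forward
ANY = "*"


@dataclass(frozen=True)
class Rule:
    iface: str      # interface the packet must ENTER on ("wan" or "lan")
    action: str     # "pass" or "block"
    dst: str        # destination address, or ANY
    dport: object   # destination port (int), or ANY


# Port forwards as a NAT table: WAN port -> (internal host, internal port).
PORT_FORWARDS = {22: (SSH_TARGET, 22)}

# The thread's rule set: the pass rule pfSense adds for the port forward,
# the user's explicit WAN block for port 88, and the default LAN allow-any.
RULES = [
    Rule("wan", "pass", SSH_TARGET, 22),
    Rule("wan", "block", WAN_IP, WEBGUI_PORT),
    Rule("lan", "pass", ANY, ANY),
]
DEFAULT_ACTION = "block"   # pfSense's implicit default-deny rule


def evaluate(iface: str, dst: str, dport: int, rules=RULES,
             nat_reflection: bool = True) -> Tuple[str, str]:
    """Decide a packet entering on `iface`; return (action, effective dst)."""
    # NAT runs before filtering. A port forward always rewrites traffic
    # arriving on WAN; from LAN it only applies when NAT reflection is on.
    if dst == WAN_IP and dport in PORT_FORWARDS and (iface == "wan" or nat_reflection):
        dst, dport = PORT_FORWARDS[dport]
    for r in rules:
        if r.iface != iface:
            continue   # a rule on another interface never sees this packet
        if r.dst in (ANY, dst) and r.dport in (ANY, dport):
            return r.action, f"{dst}:{dport}"   # first match wins
    return DEFAULT_ACTION, f"{dst}:{dport}"


if __name__ == "__main__":
    print("internet -> WAN:88   ", evaluate("wan", WAN_IP, WEBGUI_PORT))
    print("LAN host -> WAN:88   ", evaluate("lan", WAN_IP, WEBGUI_PORT))
    print("internet -> WAN:22   ", evaluate("wan", WAN_IP, 22))
    no_block = [r for r in RULES if r.action != "block"]
    print("WAN:88, no block rule", evaluate("wan", WAN_IP, WEBGUI_PORT, no_block))
```

The LAN-side check passes on the LAN allow rule regardless of the WAN block, which is why testing from inside says nothing about exposure; only a probe that actually arrives on WAN (as canyouseeme does) exercises the WAN rules.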

Slacker    6

You are correct, it was NAT reflection that was allowing me to access the webgui; canyouseeme shows the port as closed.

However, now I have another problem. I have a NAT rule to forward traffic on port 22 to a local IP address, and it automatically created the needed firewall rule as you can see in the screenshot on the original post, but canyouseeme shows port 22 as closed. Here's the NAT redirect rule:

If WAN TCP
SRC addr = *
SRC ports = *
DEST addr = WAN address
DEST ports = 22
NAT IP = (IP address of device I want external access to)
NAT ports = 22

I have deleted the firewall rule to block traffic on port 88, but have left the rule to allow traffic on port 22.

The pfsense box's WAN port is connected to the internet; there is no other NAT device on the network.

I'm running pfsense 2.0.2

Slacker    6

Nevermind. I jumped too quickly. It all works as expected. Thanks much! It was all in the NAT reflection.

+BudMan    3,748

Glad you got it all sorted. I don't even have NAT reflection enabled. I personally have no use for it, nor do I really understand any use for such a thing. Why would you bounce off your router's WAN IP just to be directed back to a local box? Just hit the local box directly; set up your name resolution accordingly, etc.
