pfsense, disable webgui on WAN

[Slacker]

I know that I'm not the greatest at this stuff. Normally I'm impressed with pfsense, but I've got an issue that I can't quite figure out. Right now, for some reason, I can access the webgui for my pfsense box from my WAN port, something that I do not want since my WAN port is exposed to the internet. I changed the default webgui part to 88, and created a rule to block all WAN traffic to port 88 but still I can access it by typing in the wan ip address and port into the web browser. Here's a screenshot of the firewall rules. The first rule should allow ssh traffic from the WAN port (internet) to a specific device on my network. The second rule should block any WAN traffic to port 88. The first rule works properly, the second does not. I think that there's a conflict somewhere... any ideas? Thanks.

[+BudMan MVC]

the web gui would not be open to the public wan IP.. You should not need a specific rule! By default ALL unsolicited traffic to wan is blocked by default.

You sure your accessing it via wan and not the lan?

How do you have your pfsense setup in your network.. Is the wan on the public NET!! or is it behind a nat already? On a work call currently, but as soon as finishes will take a look at the pfsense config to allow it to happen.

Also what version are you running? 2.0.2, 2.1? 2.0.3 ?

I just checked mine and its not open to public - are you accessing it via a nat reflection or something. Since you have changed the port, have you check the Disable webConfigurator redirect rule option the advanced settings.

What I think could be happening is you have the antilockout rule running on your lan. and then hitting it maybe via nat reflection?

BTW: Such a question is better suited for the pfsense forums, very responsive people there! Me being one of them ;) Just use a different nick there.

[Slacker]

You are correct, it was NAT reflection that was allowing me to access the webgui; canyouseeme shows the port as closed.

However, now I have another problem. I have a NAT rule to forward traffic on port 22 to a local IP address, and it automatically created the needed firewall rule as you can see in the screenshot on the original post, but canyouseeme shows port 22 as closed. Here's the NAT redirect rule:

If WAN TCP

SRC addr = *

SRC ports = *

DEST addr = WAN address

DEST ports = 22

NAT IP = (IP address of device I want external access to)

NAT ports = 22

I have deleted the firewall rule to block traffic on port 88, but have left the rule to allow traffic on port 22

the pfsense box WAN port is connected to internet, no other NAT device on the network.

I'm running pfsense 2.0.2

[Slacker]

Nevermind. I jumped too quickly. It all works as expected. Thanks much! It was all in the NAT reflection.

[+BudMan MVC]

glad you got it all sorted.. I don't have nat reflection even enabled - I personally have no use for it, nor do I really understand any use for such a thing.. Why would you bounce off your routers wan IP just to be directed back to a local box.. Just hit the local box directly - setup your name resolution accordingly, etc.