@QuantumParadox said in can't disable web config or web GUI to WAN:
I can't seem to disable the web GUI for the WAN ... 25.03.b.20250429.1329 ...
The default firewall behavior, for every interface, is (roll the drums) .... (wait for it) : it blocks everything.
For this very reason, when you install pfSense, you find this on the LAN interface :
b5a74258-2177-483d-80ea-953e9411aed3-image.png
Not rules 1 and 2, I've added them myself.
Rules 3 and 4 have to be there, otherwise you wouldn't be able to access your pfSense over Ethernet, using the LAN NIC.
The issue with the WAN interface is .... the admin, better known as : you.
Let's compare pfSense with your own house.
Someone, a stranger, or even you, without your keys, cannot enter through the front door : it's locked.
While you are at home, you decided to test the front door : is it locked ? To do this test, you opened the front door from the inside (remember : you are at home) and then you say : "hey, it's open !"
Back to pfSense : you are probably connected with a device on the pfSense LAN, the default LAN firewall rule lets the traffic flow into the LAN, and you used the WAN interface as the destination IP.
That's like accessing the WAN interface from the inside. Traffic actually never leaves that pfSense WAN interface, to be echoed back to the WAN by magic by some other device behind the NAT (some ISP equipment for example).
@QuantumParadox said in can't disable web config or web GUI to WAN:
I did create rules to block 443 and 80
No need.
My WAN rules :
df83d4b9-c7b1-43fc-8d77-8682a1cc0cfa-image.png
Normally, when you install pfSense, there are no rules on the WAN firewall.
This means nothing can enter.
I've surfaced this behavior by adding the last two block (red cross) rules.
The six rules I have before these two block rules are there for me, so I can access my NAS (on my pfSense LAN) and VPN (on pfSense).
The VPN can be accessed from any IP address = from everywhere.
My NAS can only be accessed by the device IPs I've listed in the alias called "SYS", and no one else.
I do accept ping (IPv4 and IPv6) on my WAN because "why not ^^".
Go get some sleep, all is well ^^
@QuantumParadox said in can't disable web config or web GUI to WAN:
asking AI for help
Euh ....
That only works if you ask good questions.
Like this : what is the default FreeBSD firewall pf behavior ?
and you see the good answer right away.
Not only valid for pfSense but every firewall.
@QuantumParadox said in can't disable web config or web GUI to WAN:
Go to System > Advanced > Admin Access.
Find the setting for WebGUI Listen Interfaces (it may not be visible in your provided list, but it should be there).
Select LAN or another internal interface only—do not select WAN. And apply the settings. The issue is I don't have any of those settings.
I wish that was really the case, but my 24.11 - actually 25.03 beta 4 right now, doesn't have that option.
There is no setting over there that controls on what interface the pfSense web GUI is listening.
The reality is that the pfSense web interface listens on all system-known interfaces; this also includes the localhost (127.0.0.1) and interfaces like WAN.
Your pfSense doesn't contain any AI, but it still gives you the answer :
You see the * : * ? That means : every interface. And that includes WAN, which is, imho, somewhat scary.
So, every interface, using tcp4 or IPv4, on both port 80 (http) and port 443 (https).
Two instances because :
cc723b58-8d4d-4753-9713-08b643b0ced8-image.png
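An added example, not part of the original post: a small shell filter that reports which TCP listeners on ports 80 and 443 are bound to every interface and which to a single address. It assumes the listing referred to above has FreeBSD `sockstat -l` style columns; the sample lines, PIDs and function names are constructed for illustration. A wildcard bind only tells you where the daemon listens; whether it is reachable from the WAN is still decided by the WAN firewall rules.

```shell
#!/bin/sh
# Added example (not from the original post).
# Assumed input: FreeBSD sockstat-style columns
#   USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
# On a live system the input could come from: sockstat -4 -6 -l

# classify_listeners PORTS
# Reads sockstat-style lines on stdin and prints, for each TCP listener
# on one of the comma-separated PORTS: "<proto> <port> <command> <scope>"
classify_listeners() {
    ports="${1:-80,443}"
    awk -v ports="$ports" '
        BEGIN { n = split(ports, p, ","); for (k = 1; k <= n; k++) want[p[k]] = 1 }
        $5 ~ /^tcp/ {
            laddr = $6
            pos = match(laddr, /:[0-9]+$/)      # port follows the last colon
            if (!pos) next
            port = substr(laddr, pos + 1)
            addr = substr(laddr, 1, pos - 1)
            if (!(port in want)) next
            # "*" as local address means the socket is bound to all interfaces
            scope = (addr == "*") ? "ALL-INTERFACES" : "ONLY-" addr
            print $5, port, $2, scope
        }'
}

# Constructed sample input, so the example runs offline.
sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nginx      41873 5  tcp4   *:443                 *:*
root     nginx      41873 6  tcp6   *:443                 *:*
root     nginx      41873 7  tcp4   *:80                  *:*
root     sshd       20114 4  tcp4   192.168.1.1:22        *:*
unbound  unbound    55302 5  tcp4   127.0.0.1:953         *:*
EOF
}

sample_sockstat | classify_listeners 80,443
```
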