Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    How to block WebGUI access from WAN

    Scheduled Pinned Locked Moved
    Off-Topic & Non-Support Discussion
    4
    6
    3.3k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • OBXJeepGuyO
      OBXJeepGuy
      last edited by

      I have searched this, and there's even a topic with the same title (I trunicated it a bit).

      The thread I found still doesn't answer the question of how to NOT let the WebGUI show itself when you put your public IP address in a browser. It does this whether I am on my LAN, or anywhere else in the WAN (my office, for example).

      It does this by default, which is bothersome to me. I do not want the WebGUI logon page to show if someone puts my IP address in.

      Any help would be appreciated!

      keyserK johnpozJ 2 Replies Last reply Reply Quote 0
      • keyserK
        keyser Rebel Alliance @OBXJeepGuy
        last edited by

        @obxjeepguy said in How to block WebGUI access from WAN:

        I have searched this, and there's even a topic with the same title (I trunicated it a bit).

        The thread I found still doesn't answer the question of how to NOT let the WebGUI show itself when you put your public IP address in a browser. It does this whether I am on my LAN, or anywhere else in the WAN (my office, for example).

        It does this by default, which is bothersome to me. I do not want the WebGUI logon page to show if someone puts my IP address in.

        Any help would be appreciated!

        I do it by creating a floating rule that blocks access to WAN (pfsense WebUI ports) from all other interfaces.

        Love the no fuss of using the official appliances :-)

        1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator @OBXJeepGuy
          last edited by

          @obxjeepguy said in How to block WebGUI access from WAN:

          I do not want the WebGUI logon page to show if someone puts my IP address in.

          Well that wouldn't be open on the wan unless you allowed it. The default rules on the wan are DENY.. So coming from your wan or the internet they would not be able to access the web gui, unless you created a rule to allow it.

          From the lan side, the default is any any allow. So yes your lan side devices would be able to access the gui using your wan IP.. Just like they are allowed to access the web gui via the lan IP via the antilock out rule.

          If you do not want lan side network to access your web gui, then you would have to setup your rules to not allow it

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.03 | Lab VMs 2.7.2, 24.03

          OBXJeepGuyO 1 Reply Last reply Reply Quote 1
          • OBXJeepGuyO
            OBXJeepGuy @johnpoz
            last edited by

            @johnpoz Okay, I got it. I did indeed create an allow rule in WAN in a panic because when I first set this up, it would not pass any traffic from the LAN to the WAN. I just “suspended” the allow rule, and now the WebGUI cannot be accessed from the WAN. And oddly enough I can also still access “the internet” like I couldn’t at first.

            Thanks again!

            stephenw10S 1 Reply Last reply Reply Quote 0
            • stephenw10S
              stephenw10 Netgate Administrator @OBXJeepGuy
              last edited by

              @obxjeepguy said in How to block WebGUI access from WAN:

              oddly enough I can also still access “the internet” like I couldn’t at first.

              That's expected. Rules on WAN only prevent/allow traffic coming into the WAN interface from some external IP. Traffic from an internal subnet like LAN is always allowed out.

              Steve

              OBXJeepGuyO 1 Reply Last reply Reply Quote 0
              • OBXJeepGuyO
                OBXJeepGuy @stephenw10
                last edited by OBXJeepGuy

                @stephenw10 Yeah when I first set this thing up, I could get ZERO traffic to pass at all. That’s when I panicked, and made the WAN rule. It was probably coincidence that it started working after that. Now that I think about it, the WAN side probably hadn’t found my public IP yet.

                1 Reply Last reply Reply Quote 1
                • First post
                  Last post