
    Lost remote access to GUI

    General pfSense Questions
    11 Posts 4 Posters 788 Views
      lewis

      I need to regain access to a pfSense firewall because the allowed IP changed.
      I have not only the IP allowed but also a DNS entry that is auto-updated if the IP changes, but for some reason that's not working.
      A co-worker still has access to the network but doesn't have GUI access, and would barely know how to use it anyhow, so I'm trying to find out if there is a way to set a rule from the command line. I looked around the net but am not finding any reliable information, and this is too important to mess up.

      So, I want to give my co-worker the ssh credentials to log into the command line.
      From there, I'd like to give him the set of commands to get this done but I can't really find any.

      For example, allow IP 9.9.9.9 from WAN to the GUI admin port.
      Or, there is a Windows machine on the LAN side that has access to the GUI, but I don't have access to it, so that would be:
      allow IP 9.9.9.9 from WAN to 192.168.143.201, port 3389.

      Can one of these rules be done from the command line?

        Jarhead @lewis

        @lewis You should be thankful you lost access. That's a really bad idea.
        As far as I know you can't edit or create rules by the command line but I may be wrong. Someone who knows will chime in.
        Do yourself a favor: have your friend set up a VPN from the GUI and access it that way from now on.

          lewis @Jarhead

          @Jarhead Thankful? Bad idea or not, it's a temporary fix to get me in so I can regain access.
          And yes, I do have VPN access to it which is why I said 'for some reason', I lost access.
          My co-worker still has VPN access which is why I need to ask him to handle something temporary so I can get back in.

          Not really sure what your point of responding was, but it wasn't of any use whatsoever other than to perhaps try to shame me for making a mistake.

            bmeeks (last edited by bmeeks)

            The pfctl utility is tailor-made for what you want to do, but using it is not super easy. The official manual is here: https://man.freebsd.org/cgi/man.cgi?pfctl.

            I would create a VM install of pfSense where you are located, test out the commands there to fine-tune them, then send them via email to your co-worker at the remote location.

            And immediately after you get in and fix whatever happened to cause the problem, you should delete everything related to the command you sent the co-worker (that is, undo the rule changes), or else someone else will be along shortly to let themselves in using the same pathway.

              lewis

              Thank you bmeeks.

              Lucky for me, I finally got back in. I guess it just took a while for the DNS to propagate.
              Now that I'm back in, my question is this.

              I had created a Firewall/Alias with both the allowed IP and a FQDN that automatically updates at the DNS server, which it did.
              I also have VPN access to the LAN so could have gotten into a GUI back to the firewall.

              However, it took a very long time for VPN to come back and now I'm not really sure why that would be.
              This is where I could use some enlightenment if possible so I can learn where I might have gone wrong.

                lewis

                Actually, I got back in thanks to the VPN. When I looked at the alias list, I had actually removed the FQDN and left the IP in.
                That didn't change but something updated that let me back in using the VPN.

                Wondering what happened so I can better understand.

                  bmeeks @lewis (last edited by bmeeks)

                  @lewis said in Lost remote access to GUI:

                  However, it took a very long time for VPN to come back and now I'm not really sure why that would be.
                  This is where I could use some enlightenment if possible so I can learn where I might have gone wrong.

                  Not sure I can be of much help here as I don't know all the details of your VPN setup. I can tell you that FQDN aliases are only updated in pfSense once every 5 minutes by default. Then you have to factor in the TTL (time-to-live) value set on the DNS record by its authoritative name server. Together those can add up to a bit of time before an updated DNS record results in an actual change to the IP address stored in a pfSense firewall alias table.

                  But I will say that if you are allowing remote access it should only ever be allowed via VPN. I would usually not restrict the incoming VPN to a particular connecting IP, though. Certificate-based VPN is quite secure, and while someone may knock on the door, they are not getting in without the proper certificate for authentication. I'm saying all this because you said "...need to regain access to a pfsense firewall because the allowed IP changed". This is exactly why I would NOT restrict the connecting IP when using a VPN. You can easily find yourself locked out of the firewall you need to manage. All you should need to connect is the WAN's public IP and the proper authentication certificate key. Firewall rules won't get in the way then. The only restriction I might consider is maybe using a GeoIP block, if available, to limit inbound access to only approved countries. You could do this with pfBlockerNG and an ASN alias, for example.

                  Under no circumstance, restricted IP or not, would I ever allow non-VPN remote access to a firewall.

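                  The two delays described in the post above (the alias refresh interval and the DNS record's TTL) stack, and the following toy model shows how. This is an added example, not code from the thread or from pfSense itself: it assumes pfSense's FQDN alias handling can be modelled as a plain periodic re-resolve every 300 seconds (the default quoted above), and it uses a single-record caching stub resolver with constructed documentation-range addresses. The real update path in pfSense is not modelled beyond that assumption.

```python
"""Toy model of the two delays that stack when an FQDN firewall alias follows a
DNS change: pfSense re-resolves the alias only every ALIAS_REFRESH_SECONDS, and
each lookup may still be answered from a resolver cache holding the old record
until its TTL expires.  Constructed example code, not pfSense's own alias logic."""
from dataclasses import dataclass

ALIAS_REFRESH_SECONDS = 300      # pfSense default FQDN alias refresh, as stated in the thread
OLD_IP = "203.0.113.10"          # constructed documentation-range addresses
NEW_IP = "203.0.113.20"


@dataclass
class CachedAnswer:
    ip: str
    fetched_at: int
    ttl: int

    def fresh(self, now: int) -> bool:
        # A cached record is usable until fetched_at + ttl.
        return now < self.fetched_at + self.ttl


class CachingResolver:
    """Single-record stub resolver: asks the authoritative server again only
    after the cached answer's TTL has expired."""

    def __init__(self, authoritative, ttl: int):
        self.authoritative = authoritative   # callable: time -> IP published at that time
        self.ttl = ttl
        self.cache = None

    def resolve(self, now: int) -> str:
        if self.cache is None or not self.cache.fresh(now):
            self.cache = CachedAnswer(self.authoritative(now), now, self.ttl)
        return self.cache.ip


def authoritative_for(change_at: int):
    """Authoritative view of the record: it flips from OLD_IP to NEW_IP at change_at."""
    return lambda now: NEW_IP if now >= change_at else OLD_IP


def alias_convergence_delay(change_at: int, ttl: int,
                            refresh: int = ALIAS_REFRESH_SECONDS,
                            cache_filled_at: int = 0,
                            refresh_phase: int = 0) -> int:
    """Seconds after the DNS change until the alias' pf table holds NEW_IP.

    cache_filled_at: when the resolver last cached the old record (must precede the change).
    refresh_phase:   time of the first periodic alias refresh; later ones follow every `refresh` s.
    """
    if cache_filled_at >= change_at:
        raise ValueError("the cache must hold the old record from before the change")
    resolver = CachingResolver(authoritative_for(change_at), ttl)
    resolver.resolve(cache_filled_at)            # the old answer now sits in the cache
    t = refresh_phase
    while resolver.resolve(t) != NEW_IP:         # one alias refresh per tick
        t += refresh
    return t - change_at


def worst_case_delay(ttl: int, refresh: int = ALIAS_REFRESH_SECONDS) -> int:
    """Upper bound: the stale record can live a full TTL, and then the next
    alias refresh tick may still be almost a whole interval away."""
    return ttl + refresh


if __name__ == "__main__":
    # Cache was filled one second before the record changed: close to the worst case.
    for ttl in (60, 300, 3600):
        d = alias_convergence_delay(change_at=1000, ttl=ttl, cache_filled_at=999)
        print(f"TTL {ttl:>5}s: alias updated {d}s after the change "
              f"(bound {worst_case_delay(ttl)}s)")
```

                  Running it shows why a one-hour TTL turns a "5 minute" alias refresh into a lockout of over an hour, while a 60-second TTL leaves only the wait for the next refresh tick; the bound `ttl + refresh` holds in every case the model produces.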
                    stephenw10 (Netgate Administrator)

                    For reference you can use easyrule to create firewall rules from the CLI:
                    https://docs.netgate.com/pfsense/en/latest/firewall/easyrule.html#easyrule-in-the-shell

                    Steve

                      lewis

                      I appreciate your input, that's valid and useful information so thanks for that.

                      It was a while since I used this firewall but I remember now that I had set both a public IP and the VPN because I wasn't feeling confident about using VPN yet.

                      At worst, I could have had a KVM installed on the device, but that was a last resort and I wanted to understand how else I could solve this.

                      Lessons learned, thanks again.

                        lewis @stephenw10

                        @stephenw10 Oh yes, I knew there was something but I could not find it.
                        That link is going in my notes arsenal right now. Thanks very much for that too.

                          lewis

                          BTW, reading that using a VPN might be the safest way, perhaps one thought might be to set up dedicated Raspberry Pi-like devices on each network.
                          Just a thought, either in addition to using the one on pfSense or as an alternative.
                          I haven't spent enough time learning more about VPNs even though I use the one on pfSense daily.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.