Netgate Discussion Forum

    How Access Web GUI over Wan through Strict Access?

      nprog @Gertjan

      @gertjan How to restrict just a few IPs and should I be needing a VPN to access?

        Gertjan @nprog

        @nprog said in How Access Web GUI over Wan through Strict Access?:

        How to restrict just a few IPs

        You need a firewall.
        The good news is : pfSense is a firewall.
        So : set up an Alias ( Firewall > Aliases > IP ) and give it a name.
        Use this Alias name in the Source field in a firewall rule to restrict access only to the IPs listed in the Alias :

        Example :

        [Image: c95cbfc5-32c2-4785-a7b4-0ccec9199223-image.png]

        My Alias "SYS" which is a collection of IPv4.
        Same thing for "he.net".
        So, only "he.net" or "SYS" can pass.
        And everybody else, if it's VPN on port 1194, UDP.

        @nprog said in How Access Web GUI over Wan through Strict Access?:

        should I be needing a VPN to access?

        Nope. It depends on your needs. When the day comes that you need to access pfSense or your LAN from an IP not listed in the Alias, you will know ;)

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          nprog @Gertjan

          @gertjan thanks a lot for your reply. I am considering configuring an SSH tunnel and applying some strict WAN access, as I mostly have to move between two to three locations, while I have a setup at my main office, which is location X.
          I am looking forward to using your suggestion; plus, I have found this post regarding SSH tunneling to open the web interface from WAN.

            NogBadTheBad @nprog

            @nprog Just set up a vpn and be done with it.

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              Gertjan @NogBadTheBad

              @nogbadthebad said in How Access Web GUI over Wan through Strict Access?:

              Just set up a vpn and be done with it.

              I might as well +1 that.
              Hosting your own VPN access has been very popular since March 2020.
              It's totally 'free' ;)

                nprog @Gertjan

                @gertjan which one is easy: is it SSH tunneling, or setting up a remote access OpenVPN or IPsec VPN? What do you suggest for a newbie?

                  akuma1x @nprog

                  @nprog said in How Access Web GUI over Wan through Strict Access?:

                  @gertjan which one is easy: is it SSH tunneling, or setting up a remote access OpenVPN or IPsec VPN? What do you suggest for a newbie?

                  For a newbie? Set up remote access with a firewall rule to the webgui and a limited set of source IP addresses. It's easy. Don't set it to be open to the world, that would be bad.

                  Let us know if you want screenshots of the rules on how to set this up. I do this from home to work (2 netgate pfsense boxes). Like I said, it's really easy.

                    nprog @akuma1x

                    @akuma1x I am following this post, which says allowing HTTPS WAN access to the WebGUI is a pretty bad idea ... while using a local SSL cert ... It's better to use either a VPN (that involves some learning curve) or an SSH tunnel ... but I don't see SSH tunnel much in the searches; most return results related to enabling HTTPS over WAN with a firewall rule. I am confused ... can you guys recommend?

                    here is the link:
                    ssh tunnel pfsense

                      Gertjan @nprog

                      @nprog said in How Access Web GUI over Wan through Strict Access?:

                      which one is easy

                      Again, this is 2021.
                      Setting up a remote OpenVPN access is what people do these days. Remember the terms like "lock down" etc ?
                      Setting up a remote access is like buying that car and taking care of the licence to drive it. We all just do it. There is only THE way, dunno if there are hard ways, or easy ways.

                      Go here : Youtube : Netgate : all the videos
                      and locate the two special OpenVPN videos, the basic one, and the advanced one.
                      Take also a look at the OpenVPN Export video.
                      There are many more pfSense OpenVPN videos on the net (thousands ?).

                      Now, just do it.

                      Remember : you control both sides : pfSense and your PC/MAC/phone so you have full control.
                      I'll call it easy ;)

                        Dmc @Gertjan

                        @Gertjan On a separate note

                        Thank you for sharing the screenshot. I had been pulling my hair for the past few days trying to figure out why I could not access my WAN GUI from an external network.

                        I had followed the steps and set up the rule. But your screenshot showed me that I also needed to specify the port within the rule to allow access rather than choosing HTTP or HTTPS as the destination port

                        FYI for anyone reading this, you need to pick Port Range as "other" and insert the Port you chose for your GUI which was set in System>Advanced> TCP Port

                        I'm enjoying learning about all this all thanks to you @Gertjan. On behalf of all the newbies and rookies, thank you for all your contributions

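An added example, not part of any post above and not Netgate's code: a small audit that reads a configuration backup and lists which WAN pass rules actually reach the web GUI port, marking any whose source is "any". It also shows the point from the last post, that a rule on port 443 does not reach a GUI moved to another port. The XML sample is constructed, and its element layout is an assumption modelled on a pfSense config.xml backup.

```python
import xml.etree.ElementTree as ET

# Constructed sample; element layout is an assumption modelled on a pfSense config.xml backup.
SAMPLE_CONFIG = """<pfsense>
  <system><webgui><protocol>https</protocol><port>8443</port></webgui></system>
  <aliases><alias><name>SYS</name><address>192.0.2.10 198.51.100.7</address></alias></aliases>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol><descr>GUI from SYS alias</descr>
      <source><address>SYS</address></source><destination><port>8443</port></destination></rule>
    <rule><type>pass</type><interface>wan</interface><protocol>udp</protocol><descr>OpenVPN</descr>
      <source><any/></source><destination><port>1194</port></destination></rule>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol><descr>HTTPS preset</descr>
      <source><address>SYS</address></source><destination><port>443</port></destination></rule>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol><descr>GUI open to the world</descr>
      <source><any/></source><destination><port>8443</port></destination></rule>
  </filter>
</pfsense>"""

def gui_port(root):
    """Port the web GUI listens on; falls back to the protocol default."""
    port = root.findtext("system/webgui/port")
    if port:
        return int(port)
    return 443 if root.findtext("system/webgui/protocol") == "https" else 80

def port_matches(spec, port):
    """True if a rule's destination port ('n' or 'low-high') covers the given port."""
    low, _, high = (spec or "").partition("-")
    if not low.isdigit():  # empty (any port) or a port alias: treat as a match
        return True
    return int(low) <= port <= int(high or low)

def audit(xml_text):
    """Return (description, verdict) for each enabled WAN pass rule reaching the GUI port."""
    root = ET.fromstring(xml_text)
    port = gui_port(root)
    findings = []
    for rule in root.iterfind("filter/rule"):
        skip = (rule.findtext("type") != "pass" or rule.findtext("interface") != "wan"
                or rule.find("disabled") is not None
                or rule.findtext("protocol") not in (None, "tcp", "tcp/udp")
                or not port_matches(rule.findtext("destination/port"), port))
        if skip:
            continue
        src = rule.findtext("source/address") or rule.findtext("source/network")
        verdict = "OPEN: source is any" if rule.find("source/any") is not None else f"restricted to {src}"
        findings.append((rule.findtext("descr"), verdict))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns only the two rules on port 8443; the "HTTPS preset" rule is absent because it never matches the GUI's custom port.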
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.