Is it safe to keep the pfSense web interface open to the whole world?
-
Hi Guys,
Is it safe to keep the HTTPS pfSense UI open to the whole world with a 20 character long password (pretty safe password)?
I have an SSH key generated and the port is changed to non-default, so that is pretty safe.
Should I get to the web UI through an SSH tunnel rather than keeping it open to the whole world?
What is the standard here?
I am logging in from dynamic IPs sometimes, so static IP is out of the question.
Thanks
-
The standard is to allow direct access to the webgui only from trusted addresses. For accessing the webgui from untrusted IPs, set up a VPN (OpenVPN for example) or use SSH.
-
I would only do that via SSH port forwarding or VPN. SSH with key-only authentication is far better than the password-only authentication of the web interface. Though with a 20 character password you're probably very safe, I would never recommend opening the web administration interface of any device to the entire Internet.
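As an added illustration (not part of the original thread, and not pfSense's own tooling), here is the SSH port-forwarding approach the reply above recommends, written as a POSIX shell script. The router address, SSH port, user name and local port are placeholder assumptions supplied by the caller; the script only assumes that the webGUI listens on HTTPS port 443 on the router itself and that the SSH key is already installed. The local end of the forward is bound to loopback so other hosts on your LAN cannot ride the tunnel into the router, and the tunnel refuses to start if the forward cannot be set up.

```shell
#!/bin/sh
# Added example, not from the thread: reach the pfSense webGUI through an
# SSH tunnel so HTTPS admin access never has to be exposed to the Internet.
# Router address, SSH port, user and local port are placeholders (assumed).

# Build the ssh command line that forwards a local loopback port to the
# router's HTTPS webGUI (assumed to be port 443 on the router's loopback).
# Arguments: router-host ssh-port local-port [ssh-user]
webgui_tunnel_cmd() {
    host="$1"; sshport="$2"; lport="$3"; user="${4:-admin}"
    # Reject empty, non-numeric or out-of-range ports before touching the network.
    [ -n "$host" ] && [ -n "$sshport" ] && [ -n "$lport" ] || return 1
    case "$sshport$lport" in *[!0-9]*) return 1 ;; esac
    [ "$sshport" -ge 1 ] && [ "$sshport" -le 65535 ] || return 1
    [ "$lport" -ge 1 ] && [ "$lport" -le 65535 ] || return 1
    # -N: no remote shell, just the port forward
    # -L 127.0.0.1:LPORT:127.0.0.1:443: bind the local end to loopback only
    # -o ExitOnForwardFailure=yes: exit instead of sitting there silently
    #   when the forward cannot be set up (e.g. local port already taken)
    # -o PasswordAuthentication=no: key-only, matching the advice above
    printf 'ssh -N -o ExitOnForwardFailure=yes -o PasswordAuthentication=no -p %s -L 127.0.0.1:%s:127.0.0.1:443 %s@%s' \
        "$sshport" "$lport" "$user" "$host"
}

# Refuse to start the tunnel if something already listens on the local port.
# Uses ss when available; on hosts without it the check is skipped.
local_port_free() {
    if command -v ss >/dev/null 2>&1; then
        ! ss -Hltn 2>/dev/null | grep -q ":$1[[:space:]]"
    else
        return 0
    fi
}

# Usage: run_tunnel 203.0.113.1 2222 8443   (placeholder router and ports)
# then browse to https://127.0.0.1:8443/ while the tunnel is up.
run_tunnel() {
    cmd=$(webgui_tunnel_cmd "$@") || { echo "invalid host or port" >&2; return 1; }
    local_port_free "$3" || { echo "local port $3 already in use" >&2; return 1; }
    echo "starting: $cmd"
    eval "$cmd"
}
```

Because the webGUI itself is never reachable from the Internet, an attacker who finds the HTTPS port closed has nothing to brute-force, and the only exposed service is SSH with key-only authentication on a non-default port, which is what the thread already recommends.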
-
I haven't got OpenVPN working yet, thanks to its very complex setup process. I don't have the luxury of upgrading to 2.0 because it's a beta version and this router is in production, so I have to hover around until I get OpenVPN working.
In the meantime, if I use SSH tunneling to the webGUI, what if the SSH service of the router goes down? That would still be crazy, as I will again lock myself out. Wouldn't I?
Thanks
-
There is very straightforward documentation on setting up OpenVPN, and the book has an excellent section on the subject. I would encourage you to invest some time in learning to set up OpenVPN because it's exceptionally useful for a variety of tasks, this one included.
-
In the meantime, if I use SSH tunneling to the webGUI, what if the SSH service of the router goes down? That would still be crazy, as I will again lock myself out. Wouldn't I?
Yes, but I've seen about every problem there is to see, and never seen that happen. There's a much higher probability that the web interface will become inaccessible or unresponsive (though virtually always only if you're messing with non-stable packages).