- help: how can I block access to the WebGUI manager from the wireless interface?
-
I assume you have a rule on your WLAN interface looking something like:
allow; source: wlan-subnet, destination: any
Change this rule to three rules:
#1: allow, source: any, destination: WLAN-interface, destination-port: 68-69
#2: allow, source: wlan-subnet, destination: WLAN-interface, destination-port: 53
#3: allow, source: wlan-subnet, destination: !WLAN-interface
–> destination: NOT WLAN-interface
With rule 3 you allow access to everywhere (internet) except the WLAN-interface.
With rules 1 and 2 you allow DHCP and DNS to the pfSense.
You can combine rules 1 and 2 if you use aliases. -
Thanks a lot GruensFroeschli, I will try this evening.
-
hello GruensFroeschli,
my setup is this:
allow, tcp/udp, wireless net, any, any, 53
allow, tcp, wireless net, any, any, 80
allow, tcp, wireless net, any, any, 443
So in this case, from any wireless client it is possible to see pfSense (192.168.2.1).
I don't know how I can block it.
Can you help me?
thanks -
Change the destination of your rules with ports 80 and 443 from "any" to !WLAN-interface.
-
Thanks a lot, I will try later.
-
hello GruensFroeschli,
sorry, I continue to have problems.. :(
Can you help me, if I am not disturbing? Thanks!
-
Please post a screenshot of your LAN rules.
(You can attach the image directly to the forum; in "post reply" just use "Advanced options" –> Attach)
-
hello ptt!
I made a screenshot, so I hope it is clearer now… thanks
-
Just add a rule (on top of all others):
Action: Block
Proto: TCP
SRC: Wireless Net
Port: Any ( * )
Destination: Wireless Address
Port: 80
PS: where are you from?
-
well yeah that would work too.
but a more elegant solution is to simply change the third rule in your screenshot.
change the destination from "any" to "WLAN-interface" and check the "NOT" checkbox. -
Thanks!
I followed GruensFroeschli's instructions and now it is working!!! Thanks again!
-
well yeah that would work too.
but a more elegant solution is to simply change the third rule in your screenshot.
change the destination from "any" to "WLAN-interface" and check the "NOT" checkbox.
GruensFroeschli,
There is no "WLAN-interface" option in the destination type dropdown. Please explain what it is that you're talking about, as I would like to try your method. Thanks.
-
Which name does your WLAN interface have?
-
What?
-
You should choose your assigned interface name as the destination of the rule.
You will never see "WLAN-interface" unless you give that name to your WLAN interface…
-
@ptt:
You should choose your assigned interface name as the destination of the rule.
You will never see "WLAN-interface" unless you give that name to your WLAN interface…
My wireless interface is named WAP. The only options that I get from the "destination type" dropdown are: any, Single host or alias, Network, PPTP clients, PPPoE clients, L2TP clients, WAN subnet, WAN address, LAN subnet, LAN address, WAP subnet, and WAP address. No option is given to select the WAP interface.
-
WLAN-interface = WAP address
wlan-subnet = WAP subnet
-
Thanks ptt, but if that is so, then why did GruensFroeschli not just say so? Why use ambiguous terminology? He said "change the destination from "any" to "WLAN-interface" and check the "NOT" checkbox," and that is what confused me to no end. Anyhow, I'll give this a try and see if it works. I'd rather have allow rules than block rules.
-
Maybe he should have said "WLAN-address" instead of "WLAN-interface":
change the destination from "any"
to "WLAN-address" and check the "NOT" checkbox.
Using the "NOT" you have a "2in1" rule: it "Allows" and also "Blocks" at the same time ;)
But anyway, it is understandable, IMHO.
-
I certainly didn't get it. I was looking for "WLAN-interface," but what I needed was "WLAN-address," which would have made perfect sense. Why make stuff even more cryptic? Anyway, I'm over it now. I set up the rules and it's working; WebGUI access is blocked from my WLAN. Unfortunately, it only blocks the IP address. If I type the hostname into my browser, the WebGUI still comes up. Any ideas how to block it completely?
-
If you type the hostname, it most probably resolves to the address on your WAN interface.
Add a new BLOCK rule at the top (above all other rules) on the LAN tab,
and set the destination to WAN-address.
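The complete recipe from this thread (DHCP and DNS allowed to the firewall, web allowed everywhere except the firewall's own WLAN address, plus the extra block for the WAN address that the hostname resolves to) written out as the pf rules pfSense generates from such GUI rules. This is an added example, not from the thread or the pfSense project; the interface names `ath0`/`em0` and the subnet 192.168.2.0/24 are assumptions, and the DHCP rule uses UDP 67 because that is the port the DHCP server listens on (clients send from 68).

```pf
# Added example: the thread's three-rule recipe plus the WAN-address caveat
# as pf.conf rules. Interface names and the subnet are assumptions.
wlan_if  = "ath0"              # assumed physical name of the WLAN (WAP) interface
wan_if   = "em0"               # assumed WAN interface
wlan_net = "192.168.2.0/24"    # WLAN subnet; firewall is 192.168.2.1 as in the thread
webgui   = "{ 80, 443 }"       # WebGUI ports

# Rule 1: DHCP to the firewall. A client has no address yet, so source is "any";
# the DHCP server listens on UDP 67.
pass in quick on $wlan_if inet proto udp from any to ($wlan_if) port 67

# Rule 2: DNS to the firewall's own WLAN address (GUI: destination "WLAN address").
pass in quick on $wlan_if inet proto { tcp, udp } from $wlan_net to ($wlan_if) port 53

# Caveat from the end of the thread: the firewall's hostname resolves to the WAN
# address, which the negated rule below still permits. With "quick" the first
# match wins, so this block must come BEFORE rule 3 (GUI: put it at the top).
block in quick on $wlan_if inet proto tcp from $wlan_net to ($wan_if) port $webgui

# Rule 3: web traffic to anywhere EXCEPT the firewall's WLAN address
# (GUI: destination "WLAN address" with the "NOT" checkbox ticked).
pass in quick on $wlan_if inet proto tcp from $wlan_net to ! ($wlan_if) port $webgui

# Everything else arriving on the WLAN interface is dropped.
block in quick on $wlan_if all
```

Check the rules before trusting them: `pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -sr` lists what is actually loaded. Then, from a wireless client, a connection to 192.168.2.1:443 and to the firewall's hostname should both fail while an external HTTPS site still connects. Note that the negated rule only covers one interface address; newer pfSense releases offer a "This Firewall (self)" destination type that matches all of the firewall's own addresses at once, which removes the need for the separate WAN-address block.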