    How to disable webgui connection on LAN IP?

    webGUI
doktornotor

      Sorry, I don't understand your question. What's "invoke"?

onlineph

I created an alias ManagementAccess with the values 192.168.13.143/32, 192.168.13.1/22. I'm not really sure if these are the proper values. I'm trying to figure out how to limit access to the management functionality such that I am the only one who knows at what IP I can access the WebGUI.

        I also created ManagementPorts with a value of 443, 22.

        Firewall: Rules
        Action : Pass
        Interface : LAN
        TCP/IP Version : IPv4
        Protocol: TCP
Source: Here is the "invoke" thing. When I drop down to select "Single Host or Alias" I am given an address box, and when I start typing the letter "M" it autocompletes to "ManagementAccess" - sorry for misusing the word "invoke" here, as I was thinking this drop-down arrow invokes the alias I created earlier.

        Destination: LAN Address
Port: Here lies my problem - on the wiki it shows "ManagementPorts" under the "Port" column just after the "Destination" column. I just can't find where to INVOKE (sorry  ;) ) it, or any drop-down arrow or address box to type "managementports" into.

        Sorry, English is not my first lang… :P

doktornotor

          As for your destination ports, there's "Destination port range" where you type the ManagementPorts alias. Cannot really see the problem with that.

Finally - please, if you are unsure what IPs you are accessing the management GUI from… leave the thing well alone. The only thing you'll achieve is locking yourself out. The settings there are NOT the IP you type into the browser. The settings are the client IPs which will be allowed access!!!

phil.davis

            192.168.13.143/32, 192.168.13.1/22
            

            The first entry is inside the 2nd subnet. The 2nd subnet with "/22" actually goes from-to:
            192.168.12.0 - 192.168.15.255
            So this seems very odd.
            Like doktornotor says, if you really do not understand your subnets and what is needed, then leave the anti-lockout rule as it is. Put a good password on your pfSense admin account/s. Your guest users can have lots of fun trying to guess the password :)
            If you really want to proceed, then post your LAN subnet+mask, pfSense LAN IP and the IP addresses you want to allow to the webGUI, and we can help guide you.

            As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
            If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

kejianshi

              Why is this so hard?  You just put pfsense web gui on a slightly off port and then you block access to the IP:port of the interface(s) where the GUI is.

I don't know why people feel a need to do it in very complicated ways?

onlineph

                @kejianshi:

                Why is this so hard?  You just put pfsense web gui on a slightly off port and then you block access to the IP:port of the interface(s) where the GUI is.

                I don't know why people feel a need to do it very complicated ways?

Sir, please don't be hard on me. I am just a new guy, so very interested, and I have been appreciating pfSense and want to learn it, and from you Heroes. I may appear to be complicating the issue; maybe the way I present my issue is a bit odd to you, but I am trying to uncomplicate it, so I need the forum.

                TO: phil.davis

Sorry, I mistyped 22 instead of 24.

                LAN IP: 192.168.13.1/24
                Mask: 255.255.255.0

                I wish to access my WebGUI at  192.168.13.143

(I wonder, is it possible to have my GUI accessed from an odd IP like 10.20.30.40? If not then it's ok, I just want to know if it's possible  :) )

doktornotor

                  @onlineph:

                  I wish to access my WebGUI at  192.168.13.143
                  (I wonder is it possible to have my GUI accessed from an odd IP like 10.20.30.40? if not then its ok, just want to know if its possible  :) )

OMG. Again. This is NOT how it works. This has absolutely NOTHING to do with the LAN anti-lockout rule. Leave it alone until you have fully understood the feature! You cannot protect your router by making its IP secret, ever. It's the default GW; it is required to be visible and accessible from every computer that is supposed to have proper connectivity. You can limit the IP addresses of other computers that are allowed to access the WebGUI. That's all. No security-by-obscurity nonsense!

onlineph

                    Ok, never mind. Thanks anyway.

phil.davis

                      I wish to access my WebGUI at  192.168.13.143

                      I am hoping you mean:

                      I wish to access my WebGUI from  192.168.13.143

                      If that is correct, then (very carefully, only do each step when you understand it - there is no point doing this if you don't understand something, because it will make trouble for you):
a) Make an alias for 192.168.13.143 - ManagementAccess
                      b) Add a ports alias for 22 (SSH), 80 (HTTP) and 443 (HTTPS) - ManagementPorts
c) Add a rule at the top of the LAN Firewall rules: pass, source ManagementAccess, destination LAN Address, destination ports ManagementPorts.
                      d) Make sure the new rule destination looks reasonably like the anti-lockout rule, and that you have access to the console for when it all goes wrong.
                      e) Say a quick prayer and disable the anti-lockout rule.

                      You should be able to get to the webGUI and SSH to pfSense from 192.168.13.143.
                      Of course, a guest user on your LAN who guesses 192.168.13.143 can set their IP to that and get the webGUI login screen. So you still always want to use a secure password.


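The alias sanity check phil.davis gave earlier (a /32 that sits inside a /22 whose host bits are set) and the five-step recipe above can both be dry-run before anyone touches the anti-lockout rule. The following is an added example, not pfSense code and not anything posted in the thread: it models pfSense's first-match ("quick") evaluation of the LAN ruleset in Python and checks that the management host keeps webGUI and SSH access while a guest on the same LAN is blocked, which is the condition under which step e) is safe. The LAN address 192.168.13.1/24, the management host 192.168.13.143 and the management ports 22/80/443 come from the thread; the guest address, the remote web address, the rule names and the assumption that the anti-lockout rule covers exactly ports 22, 80 and 443 on this box are mine.

```python
"""Dry run of a 'restrict the webGUI to one host' LAN ruleset.

Added example, not pfSense code. It models pfSense's first-match ('quick')
rule evaluation so the lockout risk can be tested offline before the
anti-lockout rule is disabled. The guest address, rule names and the ports
assumed for the anti-lockout rule are constructed for the illustration.
"""
import ipaddress
from dataclasses import dataclass

LAN_ADDRESS = ipaddress.ip_address("192.168.13.1")      # pfSense LAN IP from the thread
LAN_NET = ipaddress.ip_network("192.168.13.0/24")       # LAN subnet from the thread
MANAGEMENT_PORTS = {22, 80, 443}                        # alias ManagementPorts: SSH, HTTP, HTTPS
ANTI_LOCKOUT_PORTS = {22, 80, 443}                      # assumed: what anti-lockout covers on this box


def expand_alias(entries):
    """Read alias strings the way pf would, and warn about the two mistakes
    from the thread: an entry with host bits set (192.168.13.1/22 really
    means 192.168.12.0/22) and an entry already covered by a wider one
    (192.168.13.143/32 sits inside that /22)."""
    nets, warnings = [], []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.prefixlen < 32 and net.with_prefixlen != entry:
            warnings.append(f"{entry} has host bits set; it is read as {net.with_prefixlen}")
        nets.append(net)
    for narrow in nets:
        for wide in nets:
            if narrow != wide and narrow.subnet_of(wide):
                warnings.append(f"{narrow} is already inside {wide}")
    return nets, warnings


@dataclass
class Rule:
    name: str
    action: str      # "pass" or "block"
    src: list        # source networks; empty list means any
    dst: list        # destination networks; empty list means any
    ports: set       # destination ports; empty set means any


def evaluate(rules, src_ip, dst_ip, port):
    """The first rule whose criteria all match decides (pfSense GUI rules are
    'quick'); no match at all means the interface's implicit default deny."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.src and not any(src_ip in net for net in rule.src):
            continue
        if rule.dst and not any(dst_ip in net for net in rule.dst):
            continue
        if rule.ports and port not in rule.ports:
            continue
        return rule.action, rule.name
    return "block", "default deny"


def lan_ruleset(management_hosts, anti_lockout_enabled):
    """The LAN rules from the recipe, top to bottom, with the anti-lockout
    rule in front of them for as long as it is still enabled."""
    mgmt_hosts, _ = expand_alias(management_hosts)               # alias ManagementAccess
    lan_address = [ipaddress.ip_network(f"{LAN_ADDRESS}/32")]    # "LAN Address" in the GUI
    rules = []
    if anti_lockout_enabled:
        rules.append(Rule("anti-lockout", "pass", [], lan_address, ANTI_LOCKOUT_PORTS))
    rules += [
        Rule("pass ManagementAccess -> LAN Address:ManagementPorts", "pass",
             mgmt_hosts, lan_address, MANAGEMENT_PORTS),
        Rule("block everyone else -> LAN Address:ManagementPorts", "block",
             [], lan_address, MANAGEMENT_PORTS),
        Rule("Default allow LAN to any", "pass", [LAN_NET], [], set()),
    ]
    return rules


def preflight(management_hosts, admin_ip, guest_ip, anti_lockout_enabled):
    """What the admin and a guest get for the GUI, SSH and ordinary outbound traffic."""
    rules = lan_ruleset(management_hosts, anti_lockout_enabled)
    remote_web = "203.0.113.10"   # constructed Internet address (TEST-NET-3)
    return {
        "admin_gui": evaluate(rules, admin_ip, str(LAN_ADDRESS), 443)[0],
        "admin_ssh": evaluate(rules, admin_ip, str(LAN_ADDRESS), 22)[0],
        "guest_gui": evaluate(rules, guest_ip, str(LAN_ADDRESS), 443)[0],
        "guest_web": evaluate(rules, guest_ip, remote_web, 443)[0],
    }


def safe_to_disable_anti_lockout(management_hosts, admin_ip, guest_ip):
    """Step e) is only safe when the rules below the anti-lockout rule already
    let the admin in and keep the guest out on their own."""
    result = preflight(management_hosts, admin_ip, guest_ip, anti_lockout_enabled=False)
    return (result["admin_gui"] == "pass" and result["admin_ssh"] == "pass"
            and result["guest_gui"] == "block")


if __name__ == "__main__":
    nets, warnings = expand_alias(["192.168.13.143/32", "192.168.13.1/22"])
    print("original alias:", [str(n) for n in nets], warnings)
    mgmt = ["192.168.13.143"]
    print("anti-lockout on: ", preflight(mgmt, "192.168.13.143", "192.168.13.50", True))
    print("anti-lockout off:", preflight(mgmt, "192.168.13.143", "192.168.13.50", False))
    print("safe to disable: ", safe_to_disable_anti_lockout(mgmt, "192.168.13.143", "192.168.13.50"))
```

With the anti-lockout rule still on, the guest reaches the GUI no matter what the new rules say, which is why the guest-blocked check only means something once it is evaluated with that rule removed. Running the check with the admin at 192.168.13.144 instead of .143 returns False, which is the lockout phil.davis warns about.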
onlineph

                        @kejianshi:

                        Why is this so hard?  You just put pfsense web gui on a slightly off port and then you block access to the IP:port of the interface(s) where the GUI is.

                        I don't know why people feel a need to do it very complicated ways?

                        Thanks I've found the simple way to do it.

kejianshi

                          What was the simple way?

Gertjan

                            Easy !
                            Use the LAN interface non-connected - and use it as the 'administer' interface.
                            All users/clients/visitors are hooked up to the second interface (OPT1).
On this interface, assign an IP, block with a firewall rule all access to (IP-OF-OPT1):80 (and 443 if you use https to access your box) and done.

I haven't even checked, but it might be that the GUI web server isn't even listening on the IP of OPT, so the rule isn't even needed.

                            Rule of thumb: all non-trusted persons/devices/equipment shouldn't be on the LAN interface anyway.
Another rule (mine): a pfSense box should always have at least 3 interfaces: WAN (logic) - LAN (needed) and a "sheep and wolves shelter" (the ones you work for).

                            No "help me" PM's please. Use the forum, the community will thank you.
                            Edit : and where are the logs ??

behind.you

                              @Gertjan:

                              Easy !
                              Use the LAN interface non-connected - and use it as the 'administer' interface.
                              All users/clients/visitors are hooked up to the second interface (OPT1).
On this interface, assign an IP, block with a firewall rule all access to (IP-OF-OPT1):80 (and 443 if you use https to access your box) and done.

I haven't even checked, but it might be that the GUI web server isn't even listening on the IP of OPT, so the rule isn't even needed.

                              Rule of thumb: all non-trusted persons/devices/equipment shouldn't be on the LAN interface anyway.
Another rule (mine): a pfSense box should always have at least 3 interfaces: WAN (logic) - LAN (needed) and a "sheep and wolves shelter" (the ones you work for).

Caution: the webConfigurator is accessible from every interface.

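Whether the GUI answers on the OPT1 address (Gertjan's "I haven't even checked" and behind.you's caveat) can be verified on the box rather than assumed: the listening sockets show whether the web server is bound to one address or to the wildcard. The following is an added example, not pfSense code and not anything posted in the thread: it parses a constructed sample of FreeBSD `sockstat -4 -l` output and reports, per interface address, which GUI ports a client on that interface could reach before any firewall rule is applied. The interface addresses, PIDs and the second "LAN-only" listing are assumptions made for the illustration; pfSense 2.3 and later serve the GUI with nginx, older releases used lighttpd, so the command name in the sample would differ on an old box.

```python
"""Which interface addresses does the webConfigurator answer on?

Added example, not pfSense code. On the box the listening sockets come from
`sockstat -4 -l`; the samples below are constructed copies of that output,
with command names, PIDs and addresses made up for the illustration.
"""

# Constructed sample of `sockstat -4 -l` output. A '*' local address is a
# wildcard bind: the daemon accepts connections on every address the box has,
# so the GUI is reachable on LAN, OPT1 and WAN addresses alike.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nginx      1234  5  tcp4   *:443                 *:*
root     nginx      1234  6  tcp4   *:80                  *:*
root     sshd       987   4  tcp4   *:22                  *:*
unbound  unbound    555   3  udp4   192.168.13.1:53       *:*
"""

# Constructed for contrast: what the listing would look like if the GUI were
# bound to the LAN address only. Not something the thread configures.
SAMPLE_SOCKSTAT_LAN_ONLY = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nginx      1234  5  tcp4   192.168.13.1:443      *:*
root     nginx      1234  6  tcp4   192.168.13.1:80       *:*
root     sshd       987   4  tcp4   *:22                  *:*
"""

# Constructed interface addresses: LAN from the thread, OPT1 as in Gertjan's layout.
INTERFACES = {"lan": "192.168.13.1", "opt1": "192.168.20.1"}


def parse_listeners(text):
    """Return (command, local_address, port) for each TCP listening socket."""
    listeners = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[0] == "USER":      # skip blank lines and the header
            continue
        command, proto, local = cols[1], cols[4], cols[5]
        if not proto.startswith("tcp"):
            continue
        addr, _, port = local.rpartition(":")       # "*:443" -> ("*", "443")
        listeners.append((command, addr, int(port)))
    return listeners


def reachable_on(listeners, iface_addr, port):
    """A wildcard bind answers on every interface address; a specific bind only on its own."""
    return any(p == port and a in ("*", iface_addr) for _, a, p in listeners)


def gui_exposure(text, interfaces=INTERFACES, gui_ports=(80, 443)):
    """Map each interface to the GUI ports a client on it could connect to,
    absent any firewall rule. A non-empty list for opt1 means the block rule
    for (IP-OF-OPT1):80/443 that Gertjan describes is needed."""
    listeners = parse_listeners(text)
    return {name: [p for p in gui_ports if reachable_on(listeners, addr, p)]
            for name, addr in interfaces.items()}


if __name__ == "__main__":
    print("wildcard bind:", gui_exposure(SAMPLE_SOCKSTAT))
    print("LAN-only bind:", gui_exposure(SAMPLE_SOCKSTAT_LAN_ONLY))
```

On a real box, pipe the live output in (`sockstat -4 -l` from the shell menu) instead of the constructed string; with the wildcard bind the OPT1 entry comes back with both ports, which is the case where the per-interface block rule, or moving the GUI off the default port, actually does something.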
onlineph

I don't know how you access the webGUI on all interfaces, but I did try on my end and it can't be done. Anyway, I'm not techie enough to see those tricks, but I am now happy because I am now able to de-access my webGUI from the LAN IP while I alone am able to access it. Maybe it's too risky, but I have not yet realized the risk.

While I really appreciate all the suggestions and steps, and thumbs up for that, I just discovered this simple way for me.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.