How to disable webgui connection on LAN IP?
-
192.168.13.143/32, 192.168.13.1/22
The first entry is inside the 2nd subnet. The 2nd subnet with "/22" actually goes from-to:
192.168.12.0 - 192.168.15.255
So this seems very odd.
Like doktornotor says, if you really do not understand your subnets and what is needed, then leave the anti-lockout rule as it is. Put a good password on your pfSense admin account/s. Your guest users can have lots of fun trying to guess the password :)
If you really want to proceed, then post your LAN subnet+mask, pfSense LAN IP and the IP addresses you want to allow to the webGUI, and we can help guide you.
-
Why is this so hard? You just put pfsense web gui on a slightly off port and then you block access to the IP:port of the interface(s) where the GUI is.
I don't know why people feel a need to do it in very complicated ways?
-
Why is this so hard? You just put pfsense web gui on a slightly off port and then you block access to the IP:port of the interface(s) where the GUI is.
I don't know why people feel a need to do it in very complicated ways?
Sir, please don't be hard on me. I am just a new guy, so I am very interested, I have been appreciating pfSense, and I want to learn it, and learn from you heroes. I may appear to be complicating the issue; perhaps the way I present my issue is a bit odd to you, but I am trying to uncomplicate it, so I need the forum.
TO: phil.davis
Sorry, I must have mistyped 22 instead of 24.
LAN IP: 192.168.13.1/24
Mask: 255.255.255.0
I wish to access my WebGUI at 192.168.13.143
(I wonder, is it possible to have my GUI accessed from an odd IP like 10.20.30.40? If not then it's ok, just want to know if it's possible :) )
-
I wish to access my WebGUI at 192.168.13.143
(I wonder, is it possible to have my GUI accessed from an odd IP like 10.20.30.40? If not then it's ok, just want to know if it's possible :) )
OMG. Again. This is NOT how it works. This has absolutely NOTHING to do with the LAN antilockout rule. Leave it alone until you have fully understood the feature! You cannot protect your router by making its IP secret, ever. It's the default GW required to be visible and accessible from every computer that is supposed to have proper connectivity. You can limit the IP addresses of other computers that are allowed to access the WebGUI. That's all. No security by obscurity nonsense!
-
Ok, never mind. Thanks anyway.
-
I wish to access my WebGUI at 192.168.13.143
I am hoping you mean:
I wish to access my WebGUI from 192.168.13.143
If that is correct, then (very carefully, only do each step when you understand it - there is no point doing this if you don't understand something, because it will make trouble for you):
a) Make an alias for 192.168.132.143 - ManagementAccess
b) Add a ports alias for 22 (SSH), 80 (HTTP) and 443 (HTTPS) - ManagementPorts
c) Add a rule at the top of the LAN Firewall rules, pass source ManagementAccess, destination LAN Address, destination ports ManagementPorts.
d) Make sure the new rule destination looks reasonably like the anti-lockout rule, and that you have access to the console for when it all goes wrong.
e) Say a quick prayer and disable the anti-lockout rule.
You should be able to get to the webGUI and SSH to pfSense from 192.168.13.143.
Of course, a guest user on your LAN who guesses 192.168.13.143 can set their IP to that and get the webGUI login screen. So you still always want to use a secure password.
-
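An added example (not part of the thread, and not pfSense code): a small Python model of the LAN rule order from steps a) to e), reusing the alias entries discussed at the top of the thread, to check what an alias and rule set really admit. It assumes top-down, first-match evaluation and that the default "allow LAN to any" rule is still in place; the function names and the optional block rule are illustrative.

```python
import ipaddress

LAN_NET = ipaddress.ip_network("192.168.13.0/24")   # LAN subnet given in the thread
MANAGEMENT_PORTS = {22, 80, 443}                     # ManagementPorts alias (step b)

def parse(cidr):
    # strict=False tolerates host bits, e.g. the thread's "192.168.13.1/22"
    return ipaddress.ip_network(cidr, strict=False)

def effective_range(cidr):
    """First address, last address and size of what an alias entry really covers."""
    n = parse(cidr)
    return str(n[0]), str(n[-1]), n.num_addresses

def shadowed(entries):
    """Entries already covered by a wider entry in the same alias."""
    nets = [parse(e) for e in entries]
    return [e for e, n in zip(entries, nets)
            if any(n != o and n.subnet_of(o) for o in nets)]

def lan_rules(management_access, block_others):
    """Ordered LAN rules toward the firewall's LAN address (anti-lockout disabled)."""
    rules = [("pass", [parse(e) for e in management_access], MANAGEMENT_PORTS)]
    if block_others:  # explicit block for everyone else on the management ports
        rules.append(("block", [LAN_NET], MANAGEMENT_PORTS))
    # Assumption: the default "allow LAN to any" rule is still below them.
    rules.append(("pass", [LAN_NET], None))
    return rules

def decide(rules, src, port):
    """First matching rule wins; no match means the implicit deny."""
    ip = ipaddress.ip_address(src)
    for action, sources, ports in rules:
        if any(ip in n for n in sources) and (ports is None or port in ports):
            return action
    return "block"

if __name__ == "__main__":
    print(effective_range("192.168.13.1/22"))
    print(shadowed(["192.168.13.143/32", "192.168.13.1/22"]))
    for alias in (["192.168.13.143/32"], ["192.168.13.143/32", "192.168.13.1/22"]):
        for block in (False, True):
            rules = lan_rules(alias, block)
            print(alias, "with block rule" if block else "no block rule",
                  {s: decide(rules, s, 443) for s in ("192.168.13.143", "192.168.13.50")})
```

-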
Why is this so hard? You just put pfsense web gui on a slightly off port and then you block access to the IP:port of the interface(s) where the GUI is.
I don't know why people feel a need to do it in very complicated ways?
Thanks I've found the simple way to do it.
-
What was the simple way?
-
Easy !
Use the LAN interface non-connected - and use it as the 'administer' interface.
All users/clients/visitors are hooked up to the second interface (OPT1).
On this interface, assign an IP, block with a firewall rule all access to (IP-OF-OPT1):80 (and 443 if you use https to access your box) and done.
I haven't even checked, but it might be so that the GUI web server isn't even listening on the IP of OPT, so the rule isn't even needed.
Rule of thumb: all non-trusted persons/devices/equipment shouldn't be on the LAN interface anyway.
Another rule (mine): a pfSense box should always have 3 interfaces at least: WAN (logic) - LAN (needed) and a "sheep and wolves shelter" (the ones you work for).
-
Easy !
Use the LAN interface non-connected - and use it as the 'administer' interface.
All users/clients/visitors are hooked up to the second interface (OPT1).
On this interface, assign an IP, block with a firewall rule all access to (IP-OF-OPT1):80 (and 443 if you use https to access your box) and done.
I haven't even checked, but it might be so that the GUI web server isn't even listening on the IP of OPT, so the rule isn't even needed.
Rule of thumb: all non-trusted persons/devices/equipment shouldn't be on the LAN interface anyway.
Another rule (mine): a pfSense box should always have 3 interfaces at least: WAN (logic) - LAN (needed) and a "sheep and wolves shelter" (the ones you work for).
Caution. webConfigurator is accessible from every interface.
-
I don't know how you do it, accessing the webGUI on all interfaces, but I did try on my end and it can't be. Anyway, I'm not techie enough to see those tricks, but I am now happy because I am now able to de-access my webGUI from the LAN IP, but I am able to access it alone. Maybe it's too risky, but I have not yet realized the risk.
While I really appreciate all the suggestions and steps, and thumbs up for that, I just discovered this simple way for me.