Open Ports

dgeorge

New user and first post here. I have pfsense up and running as an Openvpn client, using the guide in this forum. I connect no problem but when I do a scan on GRC.com, I am showing open ports on 80 and 443. If I go into System>Advanced and disable webconfigurator redirect rule, it closes 80 or 443, depending on what protocol I select but not both.

If I do a scan without the Openvpn client connected, there are no open ports.

I have searched but cant see any answer on the forum. I do not need to access pfsense remotely as I only access via the console or lan.

Any help to close those ports when running Openvpn is appreciated.

chpalmer

https://forum.pfsense.org/index.php/topic,61693.msg347795.html#msg347795

Until I check via other methods I don't trust a thing I see from Gibson's "scanner".

However- Its hard to tell how you connect to the internet from here because you didn't share. But if you have a modem/router combination and that device is in NAT mode, you can bet that it will probably be involved.

The best way to know is to have someone on the outside try and access those ports and see what they get.

I have OpenVPN clients in several locations and do not see this behavior…

dgeorge

Thanks for the reply. I do in fact have a cable modem/ router in bridge mode to disable its gateway functions and was wondering if it could be the culprit.
What would you suggest to test or fix this? Set it back to gateway mode?

dgeorge

Update: Put cable modem/router back into gateway mode and still getting port 80 and 443 open on grc.com when openvpn client is running. All ports are fine without openvpn.

How do I disable remote management access?

chpalmer

I would leave it in Bridge mode myself…

I seriously doubt anyone can see your pfsense gui from the outside if you haven't allowed it.

Your modems gui might be another story. Who is your ISP?

Ask someone you know to try and access your IP address with a browser and see what they get.

Good Luck!

dgeorge

Just checked myself with my cell phone on the cell network (not wifi) and up popped the pfsense login screen!
Im on Rogers in Canada.

Need to get this fixed before I can use this. How do I disable remote access?

chpalmer

Can you post a screenshot of your WAN firewall rules?

Is your phone connected to the same VPN?

dgeorge

Cell phone was not on the vpn or the wifi. Checked using lte network
Lets hope this works…......attaching....... :)

![WAN rules.jpg](/public/imported_attachments/1/WAN rules.jpg)
![WAN rules.jpg_thumb](/public/imported_attachments/1/WAN rules.jpg_thumb)

chpalmer

Yep that worked.

And as I thought. You have the entire world allowed to see everything.

You need to turn that rule off.

What are you attempting to give the world WAN access to?

dgeorge

I think I saw that rule in another guide and added it to see if it helped.
Deleted it and rebooted but still seeing port 80 and 443 open

chpalmer

VPN rule?
Im wiress for a bit. But this sound like you have a vpn firewall rule thats set to any.

dgeorge

The wan rule you said should be deleted. I want to route all traffic through the VPN to my VPN provider.

chpalmer

Yep understood. VPN rules are also incoming. Shut any off.

dgeorge

Great success! (in my best Borat voice)

Looks like that fixed it. I'll give it a reboot to make sure and post back.

Thank you!

dgeorge

Looks like its sticking.

Thanks again for your help chpalmer. Now I can enjoy my weekend!

chpalmer

Congrats!

Keep in mind that rules on an interface are incoming to that interface. By making an "any" to "any" rule on WAN or VPN you let anything through to anything. ( this took me a few times to get across to myself…)

For a box only dealing with clients on the lan side and no servers (no reason to allow someone on the outside acess to the inside) there should never be any rules for other than the LAN interface.