Netgate Discussion Forum

Open Ports

Category: OpenVPN
16 Posts 2 Posters 4.2k Views
dgeorge (last edited Oct 25, 2013, 4:13 PM)

New user and first post here. I have pfSense up and running as an OpenVPN client, using the guide in this forum. I connect no problem, but when I do a scan on GRC.com, I am showing open ports on 80 and 443. If I go into System > Advanced and disable the webConfigurator redirect rule, it closes 80 or 443, depending on what protocol I select, but not both.

If I do a scan without the OpenVPN client connected, there are no open ports.

I have searched but can't see any answer on the forum. I do not need to access pfSense remotely as I only access via the console or LAN.

Any help to close those ports when running OpenVPN is appreciated.
chpalmer (last edited Oct 25, 2013, 4:55 PM)

https://forum.pfsense.org/index.php/topic,61693.msg347795.html#msg347795

Until I check via other methods I don't trust a thing I see from Gibson's "scanner".

However, it's hard to tell how you connect to the internet from here because you didn't share. But if you have a modem/router combination and that device is in NAT mode, you can bet that it will probably be involved.

The best way to know is to have someone on the outside try and access those ports and see what they get.

I have OpenVPN clients in several locations and do not see this behavior...

Triggering snowflakes one by one..
Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.
dgeorge (last edited Oct 25, 2013, 5:33 PM)

Thanks for the reply. I do in fact have a cable modem/router in bridge mode to disable its gateway functions and was wondering if it could be the culprit.
What would you suggest to test or fix this? Set it back to gateway mode?
dgeorge (last edited Oct 25, 2013, 6:15 PM)

Update: Put cable modem/router back into gateway mode and still getting port 80 and 443 open on grc.com when the OpenVPN client is running. All ports are fine without OpenVPN.

How do I disable remote management access?
chpalmer (last edited Oct 25, 2013, 6:54 PM)

I would leave it in bridge mode myself...

I seriously doubt anyone can see your pfSense GUI from the outside if you haven't allowed it.

Your modem's GUI might be another story. Who is your ISP?

Ask someone you know to try and access your IP address with a browser and see what they get.

Good Luck!
dgeorge (last edited Oct 25, 2013, 7:17 PM)

Just checked myself with my cell phone on the cell network (not wifi) and up popped the pfSense login screen!
I'm on Rogers in Canada.

Need to get this fixed before I can use this. How do I disable remote access?
chpalmer (last edited Oct 25, 2013, 7:36 PM)

Can you post a screenshot of your WAN firewall rules?

Is your phone connected to the same VPN?
dgeorge (last edited Oct 25, 2013, 7:48 PM)

Cell phone was not on the VPN or the wifi. Checked using the LTE network.
Let's hope this works... attaching... :)

![WAN rules.jpg](/public/imported_attachments/1/WAN rules.jpg)
chpalmer (last edited Oct 25, 2013, 8:16 PM)

Yep, that worked.

And as I thought. You have the entire world allowed to see everything.

You need to turn that rule off.

What are you attempting to give the world WAN access to?
dgeorge (last edited Oct 25, 2013, 9:00 PM)

I think I saw that rule in another guide and added it to see if it helped.
Deleted it and rebooted, but still seeing port 80 and 443 open.
chpalmer (last edited Oct 25, 2013, 10:52 PM)

VPN rule?
I'm wireless for a bit. But this sounds like you have a VPN firewall rule that's set to any.
dgeorge (last edited Oct 25, 2013, 11:32 PM)

The WAN rule you said should be deleted. I want to route all traffic through the VPN to my VPN provider.
chpalmer (last edited Oct 25, 2013, 11:59 PM)

Yep, understood. VPN rules are also incoming. Shut any off.
dgeorge (last edited Oct 26, 2013, 12:23 AM)

Great success! (in my best Borat voice)

Looks like that fixed it. I'll give it a reboot to make sure and post back.

Thank you!
dgeorge (last edited Oct 26, 2013, 1:10 AM)

Looks like it's sticking.

Thanks again for your help chpalmer. Now I can enjoy my weekend!
chpalmer (last edited Oct 26, 2013, 1:23 AM)

Congrats!

Keep in mind that rules on an interface are incoming to that interface. By making an "any" to "any" rule on WAN or VPN you let anything through to anything. (This took me a few times to get across to myself...)

For a box only dealing with clients on the LAN side and no servers (no reason to allow someone on the outside access to the inside) there should never be any rules for other than the LAN interface.
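An added example, not from the thread or from pfSense itself, that audits a pfSense config.xml export for the mistake chpalmer describes: an enabled pass rule with source any and destination any on an interface other than LAN (such as WAN or the OpenVPN interface). The `<filter>`/`<rule>` element layout in the constructed sample is assumed from pfSense's standard export format.

```python
"""Audit a pfSense config.xml export for any-to-any pass rules on
interfaces other than LAN (the misconfiguration discussed in this thread)."""
import xml.etree.ElementTree as ET

# Constructed sample shaped like the <filter> section of a pfSense config.xml
# export; the element names and nesting are assumed from the standard format.
SAMPLE_CONFIG = """<pfsense><filter>
  <rule><type>pass</type><interface>wan</interface>
    <source><any></any></source><destination><any></any></destination>
    <descr>Allow all (copied from a guide)</descr></rule>
  <rule><type>pass</type><interface>openvpn</interface>
    <source><any></any></source><destination><any></any></destination>
    <descr>OpenVPN any/any</descr></rule>
  <rule><type>pass</type><interface>lan</interface>
    <source><network>lan</network></source><destination><any></any></destination>
    <descr>Default allow LAN to any rule</descr></rule>
  <rule><disabled></disabled><type>pass</type><interface>wan</interface>
    <source><any></any></source><destination><any></any></destination>
    <descr>Old rule, disabled</descr></rule>
</filter></pfsense>"""

def find_open_rules(config_xml, trusted_ifaces=("lan",)):
    """Return (interface, description) for every enabled pass rule whose
    source and destination are both 'any' on an interface outside
    trusted_ifaces.  Rules on an interface match traffic *entering* that
    interface, so an any/any pass on wan or openvpn admits inbound
    connections from there, including to the firewall's own GUI ports."""
    root = ET.fromstring(config_xml)
    hits = []
    for rule in root.iter("rule"):
        if rule.find("disabled") is not None:
            continue  # disabled rules are not loaded into the ruleset
        if rule.findtext("type") != "pass":
            continue
        iface = (rule.findtext("interface") or "").lower()
        if iface in trusted_ifaces:
            continue
        src_any = rule.find("source/any") is not None
        dst_any = rule.find("destination/any") is not None
        if src_any and dst_any:
            hits.append((iface, rule.findtext("descr") or ""))
    return hits

if __name__ == "__main__":
    for iface, descr in find_open_rules(SAMPLE_CONFIG):
        print(f"any-to-any pass rule on {iface}: {descr!r}")
```

Run against a real export, the two flagged rules are exactly the WAN and OpenVPN rules that had to be removed in this thread; the LAN rule and the disabled rule are left alone.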