Allowing selected Ip or System to access Pfsense via WAN

networkinggeek · Oct 21, 2014, 10:59 AM

Hello Forum,
I have setup a pfsense where access to WebUI via WAN is not allowed from any system. But, if any problem occurs then as a admin I should be able to access the pfsense webui from only my system or you can say particular ip configured system. So is it possible to provide privileged access via WAn only to that IP address or that system? If yes, then how to configure it?

Wolf666 · Oct 21, 2014, 11:08 AM

First thing comes in my mind:
Port Forwarding, putting as source the IP you are connecting from and letting pfSense make the associated firewall rule, by default WAN Firewall rules are deny all.

networkinggeek · Oct 21, 2014, 11:31 AM

@Wolf666:

First thing comes in my mind:
Port Forwarding, putting as source the IP you are connecting from and letting pfSense make the associated firewall rule, by default WAN Firewall rules are deny all.

Okay here is what I think you are trying to say
In NAT rules I need to select interface as WAN
Protocol as TCP
Source Adress port range: any
Destination "NOT" WAN address
Destination port range: any
Redirect IP address: ?? Getting Confused here :-
Redirect port: ?? :-\

Kindly correct me where I am going wrong

kejianshi · Oct 21, 2014, 11:39 AM

when you are setting up port forwarding fro that NAT rule do everything as usual EXCEPT:

you see the source field? Click "advanced button". Then select single host or alias as type. Then enter the IP of the remote machine you wish to have access to your pfsense.

networkinggeek · Oct 21, 2014, 11:53 AM

@kejianshi:

when you are setting up port forwarding fro that NAT rule do everything as usual EXCEPT:

you see the source field? Click "advanced button". Then select single host or alias as type. Then enter the IP of the remote machine you wish to have access to your pfsense.

Okay then what IP do I need to enter in "Redirect IP" option?

kejianshi · Oct 21, 2014, 11:58 AM

The local private IP of the machine you are trying to allow access to.

Wolf666 · Oct 21, 2014, 1:22 PM

@kejianshi:

The local private IP of the machine you are trying to allow access to.

Means IP of pfSense WEBGUI access.

networkinggeek · Oct 25, 2014, 5:13 AM

Sorry for the late reply.
The above method is working fine. One more doubt or you can say just curious to know whether the Source IP and MAC can be bound to access web GUI?

chpalmer · Oct 25, 2014, 6:31 AM

Truthfully its as easy as making a WAN rule. No port forwarding needed.

To do it with just a WAN rule- create a WAN rule with your public IP as the source (any port) and your WAN Address (whatever port your firewall gui answers to) as the destination.

But your really better off security wise creating a VPN from your (home?) connection to your office network behind your firewall.

P3R · Oct 25, 2014, 11:23 AM

@networkinggeek:

One more doubt or you can say just curious to know whether the Source IP and MAC can be bound to access web GUI?

Well you need to specify the source ip address (WAN-address if behind NAT) in the rule to whatever you have at the location you intend to do the remote management from. Not doing that would totally compromise the security of your firewall.

The only proper way to do remote management though is to set up a VPN. It is available in pfSense so why not make use of it?

MAC-addressing filtering isn't possible in a routed (internet) environment.

networkinggeek · Oct 26, 2014, 6:25 AM

@P3R:

@networkinggeek:

One more doubt or you can say just curious to know whether the Source IP and MAC can be bound to access web GUI?

Well you need to specify the source ip address (WAN-address if behind NAT) in the rule to whatever you have at the location you intend to do the remote management from. Not doing that would totally compromise the security of your firewall.

The only proper way to do remote management though is to set up a VPN. It is available in pfSense so why not make use of it?

MAC-addressing filtering isn't possible in a routed (internet) environment.

Well thank you for the idea about VPN and I will try to set it up.
VPN concept brought me ask you another question.
I have set some filtering rules like blocking social networking sites for the clients in Pfsense.
The client has to go through proxy and all the filtering rules are applied. What if client connects to a different VPN server and bypass the firewall?

P3R · Oct 27, 2014, 11:38 PM

@networkinggeek:

VPN concept brought me ask you another question.
I have set some filtering rules like blocking social networking sites for the clients in Pfsense.
The client has to go through proxy and all the filtering rules are applied. What if client connects to a different VPN server and bypass the firewall?

That shouldn't be an issue at all when solving the topic of this thread.

If your question is in general if VPN can be used to bypass filtering the answer is yes. You as the administrator need to prevent that if necessary.