Netgate Discussion Forum

Allowing selected IP or system to access pfSense via WAN

  • N
    networkinggeek
    last edited by Oct 21, 2014, 10:59 AM

    Hello Forum,
    I have set up a pfSense where access to the WebUI via WAN is not allowed from any system. But if any problem occurs, then as an admin I should be able to access the pfSense WebUI from only my system, or you can say a particular IP-configured system. So is it possible to provide privileged access via WAN only to that IP address or that system? If yes, then how do I configure it?

    "Mastery isn't a natural gift. Its a daily devotion"

    • W
      Wolf666
      last edited by Oct 21, 2014, 11:08 AM

      First thing that comes to my mind:
      Port forwarding, putting as source the IP you are connecting from and letting pfSense make the associated firewall rule; by default WAN firewall rules are deny all.

      Modem Draytek Vigor 130
      pfSense 2.4 Supermicro A1SRi-2558 - 8GB ECC RAM - Intel S3500 SSD 80GB - M350 Case
      Switch Cisco SG350-10
      AP Netgear R7000 (Stock FW)
      HTPC Intel NUC5i3RYH
      NAS Synology DS1515+
      NAS Synology DS213+

      • N
        networkinggeek
        last edited by Oct 21, 2014, 11:31 AM

        @Wolf666:

        First thing that comes to my mind:
        Port forwarding, putting as source the IP you are connecting from and letting pfSense make the associated firewall rule; by default WAN firewall rules are deny all.

        Okay here is what I think you are trying to say
        In NAT rules I need to select interface as WAN
        Protocol as TCP
        Source Address port range: any
        Destination "NOT" WAN address
        Destination port range: any
        Redirect IP address: ??  Getting Confused here  :-
        Redirect port: ??  :-\

        Kindly correct me where I am going wrong

        "Mastery isn't a natural gift. Its a daily devotion"

        • K
          kejianshi
          last edited by Oct 21, 2014, 11:39 AM

          When you are setting up port forwarding for that NAT rule do everything as usual EXCEPT:

          you see the source field?  Click "advanced button".  Then select single host or alias as type.  Then enter the IP of the remote machine you wish to have access to your pfsense.

          • N
            networkinggeek
            last edited by Oct 21, 2014, 11:53 AM

            @kejianshi:

            When you are setting up port forwarding for that NAT rule do everything as usual EXCEPT:

            you see the source field?  Click "advanced button".  Then select single host or alias as type.  Then enter the IP of the remote machine you wish to have access to your pfsense.

            Okay then what IP do I need to enter in "Redirect IP" option?

            "Mastery isn't a natural gift. Its a daily devotion"

            • K
              kejianshi
              last edited by Oct 21, 2014, 11:58 AM

              The local private IP of the machine you are trying to allow access to.

              • W
                Wolf666
                last edited by Oct 21, 2014, 1:22 PM

                @kejianshi:

                The local private IP of the machine you are trying to allow access to.

                Means  IP of pfSense WEBGUI access.

                Modem Draytek Vigor 130
                pfSense 2.4 Supermicro A1SRi-2558 - 8GB ECC RAM - Intel S3500 SSD 80GB - M350 Case
                Switch Cisco SG350-10
                AP Netgear R7000 (Stock FW)
                HTPC Intel NUC5i3RYH
                NAS Synology DS1515+
                NAS Synology DS213+

                • N
                  networkinggeek
                  last edited by Oct 25, 2014, 5:13 AM

                  Sorry for the late reply.
                  The above method is working fine. One more doubt or you can say just curious to know whether the Source IP and MAC can be bound to access web GUI?

                  "Mastery isn't a natural gift. Its a daily devotion"

                  • C
                    chpalmer
                    last edited by Oct 25, 2014, 6:31 AM

                    Truthfully it's as easy as making a WAN rule.  No port forwarding needed.

                    To do it with just a WAN rule, create a WAN rule with your public IP as the source (any port) and your WAN Address (whatever port your firewall GUI answers to) as the destination.

                    But you're really better off security-wise creating a VPN from your (home?) connection to your office network behind your firewall.


                    Triggering snowflakes one by one..
                    Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                    • P
                      P3R
                      last edited by Oct 25, 2014, 11:23 AM Oct 25, 2014, 10:36 AM

                      @networkinggeek:

                      One more doubt or you can say just curious to know whether the Source IP and MAC can be bound to access web GUI?

                      Well you need to specify the source ip address (WAN-address if behind NAT) in the rule to whatever you have at the location you intend to do the remote management from. Not doing that would totally compromise the security of your firewall.

                      The only proper way to do remote management though is to set up a VPN. It is available in pfSense so why not make use of it?

                      MAC-addressing filtering isn't possible in a routed (internet) environment.
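
                      An added example, not part of any post in this thread: a check for the condition described above, a WAN pass rule that reaches the GUI port with the source left as "any". The config.xml excerpt is constructed, its element layout is assumed to follow pfSense's `<filter><rule>` format, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed config.xml excerpt (not from the thread); layout assumed to match
# pfSense's <filter><rule> format. 203.0.113.10 is a documentation address.
SAMPLE_CONFIG = """
<pfsense><filter>
  <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
    <source><address>203.0.113.10</address></source>
    <destination><network>wanip</network><port>443</port></destination>
    <descr>GUI from admin IP</descr></rule>
  <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
    <source><any/></source>
    <destination><network>wanip</network><port>443</port></destination>
    <descr>GUI from anywhere</descr></rule>
  <rule><type>pass</type><interface>lan</interface>
    <source><network>lan</network></source>
    <destination><any/></destination>
    <descr>Default allow LAN</descr></rule>
</filter></pfsense>
"""

def port_matches(spec, port):
    """True if a rule's port field (empty = any, 'N' or 'N-M') covers port."""
    if not spec:
        return True
    lo, _, hi = spec.partition("-")
    if not (lo.isdigit() and (hi or lo).isdigit()):
        return True  # port alias: cannot be resolved here, report conservatively
    return int(lo) <= port <= int(hi or lo)

def open_gui_rules(config_xml, gui_port=443):
    """Descriptions of enabled WAN pass rules exposing gui_port to any source."""
    findings = []
    for rule in ET.fromstring(config_xml).iterfind("./filter/rule"):
        src, dst = rule.find("source"), rule.find("destination")
        if (rule.find("disabled") is not None or src is None or dst is None
                or rule.findtext("type") != "pass"
                or rule.findtext("interface") != "wan"):
            continue
        # Only rules aimed at the firewall's own WAN address (or at anything).
        to_firewall = dst.find("any") is not None or dst.findtext("network") == "wanip"
        if (src.find("any") is not None and to_firewall
                and port_matches(dst.findtext("port"), gui_port)):
            findings.append(rule.findtext("descr", default="(no description)"))
    return findings

if __name__ == "__main__":
    print(open_gui_rules(SAMPLE_CONFIG))
```

                      The rule restricted to a single source address passes the check; only the rule with an unrestricted source is reported.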

                      • N
                        networkinggeek
                        last edited by Oct 26, 2014, 6:25 AM

                        @P3R:

                        @networkinggeek:

                        One more doubt or you can say just curious to know whether the Source IP and MAC can be bound to access web GUI?

                        Well you need to specify the source ip address (WAN-address if behind NAT) in the rule to whatever you have at the location you intend to do the remote management from. Not doing that would totally compromise the security of your firewall.

                        The only proper way to do remote management though is to set up a VPN. It is available in pfSense so why not make use of it?

                        MAC-addressing filtering isn't possible in a routed (internet) environment.

                        Well thank you for the idea about VPN and I will try to set it up.
                        VPN concept brought me to ask you another question.
                        I have set some filtering rules like blocking social networking sites for the clients in pfSense.
                        The client has to go through proxy and all the filtering rules are applied. What if client connects to a different VPN server and bypass the firewall?

                        "Mastery isn't a natural gift. Its a daily devotion"

                        • P
                          P3R
                          last edited by Oct 27, 2014, 11:38 PM

                          @networkinggeek:

                          VPN concept brought me to ask you another question.
                          I have set some filtering rules like blocking social networking sites for the clients in pfSense.
                          The client has to go through proxy and all the filtering rules are applied. What if client connects to a different VPN server and bypass the firewall?

                          That shouldn't be an issue at all when solving the topic of this thread.

                          If your question is in general if VPN can be used to bypass filtering the answer is yes. You as the administrator need to prevent that if necessary.
