VirtualBox WAN / Port Issues
-
Currently, I have pfsense installed in a virtual box and can access the LAN side without any issues; however, in order to access the WAN side I need to open a port via a shell command, since I require the port open to access the webgui. I have tried temporarily disabling the firewall and opening the required port using:
pfctl -d
easyrule pass wan tcp x.x.x.x y.y.y.y 443
However, upon re-enabling the firewall the webgui is then inaccessible again. Although if I use
pfSsh.php playback enableallowallwan
I can disable everything and get access to the WebGUI; the only issue with this is that it leaves everything open and is extremely insecure.
I have watched various YouTube videos and read various forum posts and have seen information that states that if the WAN and LAN IP are on the same subnet then it's not possible; however, I cannot change the subnet for my LAN IP address since I am limited to the permissions that our University allow us to complete this task.
I realise this isn't a vast amount of information, but if anybody has any ideas I would appreciate them, and I can provide more information if there are any specific questions!
-
How would your wan and lan be on the same subnet?
Why would you need to access the webgui from the wan?
What are you trying to accomplish exactly? Are you wanting to run pfsense in a virtualbox as your machine's firewall? You want to test pfsense and have it firewall other virtual machines on your box?
So how do you have pfsense setup in virtualbox? You have 1 physical interface - connected to the real network, and you have pfsense wan bridged to this interface in virtualbox? And you also have an IP on this interface?
If wanting to use pfsense as your machine's firewall while running it in virtualbox, you would unbind Windows/Linux from having an IP on this interface - what OS are you running btw?
Then on a host only interface, or natted interface on virtual box this would be connected to the lan of the virtual pfsense - and your os would use that interface to get to the real network via pfsense.
Again, to help you I'm going to need some clue to what you're actually trying to accomplish - and if you have access to the lan, why would you want to open the web gui to the wan? If so, all you need to do is create a firewall rule on the wan to allow access to the port you have the webui listening on.
-
How would your wan and lan be on the same subnet?
It's just a bridged network between the actual physical university network and my virtual network.
Why would you need to access the webgui from the wan?
We haven't actually been given any information as to why, we've just been told to do it.
It's just a lab task that we've been set at University to access the webgui via the WAN & LAN through virtual boxes. I am assuming, however, that you are correct in thinking the idea is that it will be a firewall / router which will span the virtual network and the physical network.
What are you trying to accomplish exactly? Are you wanting to run pfsense in a virtualbox as your machine's firewall? You want to test pfsense and have it firewall other virtual machines on your box?
I am just simply right now trying to get access to the webgui of pfsense via the 3 virtual boxes' network (LAN) and the actual host machine's network (WAN). Right now we haven't been told why, but I am making the assumption you are correct and it's as a firewall / router.
So how do you have pfsense setup in virtualbox? You have 1 physical interface - connected to the real network, and you have pfsense wan bridged to this interface in virtualbox? And you also have an IP on this interface?
I have pfsense installed in a virtualbox, along with Windows 7, 8.1 and Kali Linux as other virtual boxes. The idea of the task is that I can load all 4 virtual boxes and run the same pfsense interface off ALL the machines at the same time (the 3 virtual boxes and the actual machine I'm running the virtual boxes on).
Getting pfsense to run through the virtual boxes is simple as they are extremely basic, unsecure virtual boxes that have no other purpose than to complete this task.
The issue comes whereby I cannot change any of the WAN IP or set up firewall rules outside of this virtual network because it's a university network and I don't have permissions to do so, and thus far the only way I can get it to work is allowing complete access to everything via:
pfSsh.php playback enableallowallwan
Which is not secure enough, as the ultimate end goal will be to hack into my other classmates' virtual network via the WAN, and if I am just allowing complete access to everything, my system is extremely insecure.
If wanting to use pfsense as your machine's firewall while running it in virtualbox, you would unbind Windows/Linux from having an IP on this interface - what OS are you running btw?
The host machine is running Windows 7.
Then on a host only interface, or natted interface on virtual box this would be connected to the lan of the virtual pfsense - and your os would use that interface to get to the real network via pfsense.
Again, to help you I'm going to need some clue to what you're actually trying to accomplish - and if you have access to the lan, why would you want to open the web gui to the wan? If so, all you need to do is create a firewall rule on the wan to allow access to the port you have the webui listening on.
-
"The issue comes whereby I cannot change any of the WAN IP or set up firewall rules outside of this virtual network because its a university network "
Why would you need to??
Here is a question for you - let's say your host machine's IP is 10.1.1.53/24 -- this is your physical nic. Now you bridged that nic to pfsense wan. If pfsense wan is set to dhcp, does it get an IP of say 10.1.1.72/24 -- ie does it get an IP address from your school's dhcp server? Or are you limited to using 1 IP address on the real world network?
There are multiple ways to go about this with virtual box; if you can get an IP address on the real world network for pfsense via the bridge then it's easy peasy.
To make the web gui open to the wan on pfsense, you need 1 rule to allow it - everything else would be blocked and all inbound access to your vms behind pfsense would be blocked.
-
"The issue comes whereby I cannot change any of the WAN IP or set up firewall rules outside of this virtual network because its a university network "
Why would you need to??
Just going off a YouTube video that I had watched previously, which is clearly incorrect!
As for the IP address, yes, I get an IP from my school's DHCP server, so let's say the IP for the physical network is 10.1.1.56/24, then I will get 10.1.1.74/24 as my pfsense WAN IP.
-
Well you're golden then.. Connect a virtual machine to its lan side interface on virtual box, be host only network on virtual box. And then connect to its lan IP, and create a firewall rule on pfsense to its wan address on the port your webgui is listening on, 80 or 443, and there you go, done.
https://doc.pfsense.org/index.php/How_can_I_access_the_webGUI_from_the_WAN
-
Well you're golden then.. Connect a virtual machine to its lan side interface on virtual box, be host only network on virtual box. And then connect to its lan IP, and create a firewall rule on pfsense to its wan address on the port your webgui is listening on, 80 or 443, and there you go, done.
https://doc.pfsense.org/index.php/How_can_I_access_the_webGUI_from_the_WAN
Yeah… I can't do that, that's my whole problem.
Connecting pfsense via LAN is simple, but the university haven't given us the details they want us to use to create the webgui yet. We literally only have the login screen; that's all that has been asked for thus far: to get to the point that the port is allowed access through the firewall so we can access the login screen of pfsense, so I can't connect it via the LAN and add a rule via the webgui.
It has to be done within pfsense's shell.
That's why I said at the start I had already tried, via the shell:
easyrule pass wan tcp x.x.x.x y.y.y.y 443
but for some reason it's a no go and I cannot understand why.
-
I've done this before with only access to the WAN.
1st. You started off right by disabling the firewall
pfctl -d
then connect via the wan to the Web GUI. Don't add any firewall rules at command prompt.
Go to firewall rules > WAN tab
delete the "block private address" wan rule. It's at the top. Grey.
Now add a pass rule on the wan to allow you to access the web gui via the wan
at this point you can pfctl -e
Now, very gingerly change your pfsense password to something secure.
Now, at this point I'd configure SSH on the WAN and probably OpenVPN also.
Then I would delete the HTTP / HTTPS pass rule you created on the wan
From this point, if you are doomed to only have access via the WAN, at least you can do it securely.
For anyone who may be wondering "why the heck did you ever do this", it's because I was using pfsense only as a VPN server and was forwarding ports from a ddwrt router to a VM running in vmware player. Just to give a friend access to his LAN remotely without him needing to buy any hardware.
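
Why a single pass rule for port 443 has no effect while the "block private address" WAN rule is still in place, shown as an added example that is not part of any post in this thread: a simplified shell model of first-match filtering. It assumes the private-network block is evaluated before user rules; the function names are hypothetical and the address is the 10.1.1.56 example used above.

```sh
#!/bin/sh
# Added example: simplified model of first-match ("quick") filtering on a
# pfSense WAN. Rule order is an assumption; addresses are from the thread.

ip_to_int() {                      # dotted quad -> 32-bit integer
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address on dots
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

in_cidr() {                        # in_cidr ADDR NET/BITS
    a=$(ip_to_int "$1")
    n=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( a & mask )) -eq $(( n & mask )) ]
}

is_private() {                     # RFC 1918 ranges
    for cidr in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        if in_cidr "$1" "$cidr"; then return 0; fi
    done
    return 1
}

# wan_verdict SRC PORT BLOCK_PRIVATE(yes|no) ALLOWED_SRC
wan_verdict() {
    if [ "$3" = yes ] && is_private "$1"; then
        echo "block (private networks)"   # matched before any user rule
    elif [ "$1" = "$4" ] && [ "$2" = 443 ]; then
        echo "pass (user rule)"           # the easyrule-style pass rule
    else
        echo "block (default deny)"
    fi
}

# Host 10.1.1.56 connecting to the webGUI on the WAN address, port 443.
for opt in yes no; do
    echo "block-private=$opt: $(wan_verdict 10.1.1.56 443 "$opt" 10.1.1.56)"
done
```

With the private-network block removed, only the one allowed source on port 443 gets through; every other inbound connection still hits the default deny.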