Allowing webGUI from one ip/mac address on LAN
-
Will this work? I don't want to get locked out for trying this.
States Protocol Source Port Destination Port Gateway Queue Schedule Description
(allow) 0 /0 B IPv4 TCP 192.168.0.3 * This Firewall 443 (HTTPS) * * WebGUI
(allow) 10 /3.78 GiB IPv4 * LAN net * * * * none Default allow LAN to any rule -
States Protocol Source Port Destination Port Gateway Queue Schedule Description
(allow) 0 /0 B IPv4 TCP GUIadmins * This Firewall 443 (HTTPS) * none WebGUI Access
(allow) 0 /0 B IPv4 * LAN net * * * * none Default allow LAN to any ruleThis seems to work. GUIadmins is an alias with host ip of my workstation.
-
@louisg00:
States Protocol Source Port Destination Port Gateway Queue Schedule Description
(allow) 0 /0 B IPv4 TCP GUIadmins * This Firewall 443 (HTTPS) * none WebGUI Access
(allow) 0 /0 B IPv4 * LAN net * * * * none Default allow LAN to any ruleThis seems to work. GUIadmins is an alias with host ip of my workstation.
That certainly will allow alright. ;)
-
I tried with another workstation and did not block access. Do I need another rule blocking access to everyone for the webGUI?
-
@louisg00:
I tried with another workstation and did not block access. Do I need another rule blocking access to everyone for the webGUI?
Well if there is no rule that blocks the undesirables ahead of a pass all rule. Then all will be passed.
If may be helpful to know why you are trying to do this. It is not very typical for LAN side. Most people probably find authentication sufficient for the LAN side.
-
Some Blackhat conference that described dns binding and spoofing to get to the routers admin page from the WAN. All the LAN systems do not need to access the admin page except mine to just to be safe.
Ok added a block rule.
States Protocol Source Port Destination Port Gateway Queue Schedule Description
(block) 0 /0 B IPv4+6 LAN net * This Firewall * * none Block router access
(allow) 0 /0 B IPv4 TCP GUIadmins * This Firewall 443 (HTTPS) * none WebGUI access
(allow) 0 /0 B IPv4 * LAN net * * * * none Default allow LAN to any rule -
@louisg00:
Some Blackhat conference that described dns binding and spoofing to get to the routers admin page from the WAN. All the LAN systems do not need to access the admin page except mine to just to be safe.
Sounds like la-la-land to me. Even if able to get to the admin page, authentication is still required plus any login attempt, failed or successful, is shown on the console and in the log too I believe.
-
Opps this just blocked my out completely. How can I undo this that rule from the console?
-
@louisg00:
Opps this just blocked my out completely. How can I undo this that rule from the console?
That's funny because I was just thinking you'll probably block yourself out dozens of times before ever blocking out even one packet originating from the WAN side with this.
Restore a recent config.
-
ok I think I got it;
States Protocol Source Port Destination Port Gateway Queue Schedule Description
(allow) 0 /0 B IPv4 TCP GUIadmins * This Firewall Management * none WebGUI access
(block) 0 /0 B IPv4+6 TCP * * This Firewall Management * none Block management access
(allow) 0 /0 B IPv4 * LAN net * * * * none Default allow LAN to any ruleOne thing, what is the difference between LAN net and any? I only have one subnet on LAN interface on one on OPT1 interface with the WAN port.
-Thanks
-
@louisg00:
One thing, what is the difference between LAN net and any?
Any is just that. anything (0.0.0.0 - 255.255.255.255)
LAN net is anything within the LAN net. x.x.x.x/n -
On an ordinary LAN, all the devices should have IP addresses in LANnet (the LAN subnet defined by the pfSense LAN IP/CIDR). In any case, the firewall is only going to receive and respond usefully to devices in LANnet. So packets in LANnet are all that needs to be passed.
If you have a more complex setup for some reason, that has other private subnets reached via static routes to another router that is on LANnet, then pfSense LAN could receive packets with source addresses that are not in LANnet. So for that case you need a pass rule wider than just LANnet to let traffic through.