Netgate Discussion Forum

    How to block WebGUI access from WAN 2.3.3-RELEASE-p1

    • J Offline
      jrgx19

      I've been running pfSense for a while now. I recently reinstalled and rebuilt my config. For some reason now I am able to access my webGUI from the WAN side. I have been testing from my friend's wifi. I never had this happen in the past. I have even created rules on the LAN and the WAN interfaces which I thought would block any access to the webGUI from outside my network. See the attachments for screenshots.

      Does anyone have any suggestions?  I have found a few posts but have not been able to stop access to the webGUI.

      Thanks in advance
      wan.png
      lan.png
      • jimpJ Offline
        jimp Rebel Alliance Developer Netgate

        The only rules that matter for accessing the GUI from the WAN are on the WAN tab or potentially the Floating tab.

        LAN rules won't ever match traffic inbound from the WAN.

        The WAN rules are all blocks except that last port forward rule, so nothing there would be letting it in. Check the floating tab for other rules that might be doing it.

        Or do you have any notifications about the rules failing to load? Perhaps an old rule is stuck allowing in traffic if something else is preventing a new ruleset from being loaded by the firewall.

        • I Offline
          interested_party

          I am experiencing the same issue, for some reason I'm able to access the web gui via my WAN IP from within my network.

          I have very similar rules as you, pfblocker and block bogon from WAN. Basic setup. Nothing in the floating rules, and no failing rules that I can see.

          I checked access to the webgui from my WAN IP external from [*edit] different external networks, I am not getting responses, thankfully, but it is disheartening to type in my WAN IP from within my network and see the webgui login page appear.

          I've looked through the web to see if I can do the opposite of all the posts asking how to set up WAN access, but I don't have anything set up that would suggest it should be responding on the WAN. Everything I've read suggests web gui is disabled by default on WAN, so I'm not sure what is going on.

          Just in case, I've added a rule in the WAN tab to block * to WAN Address for 443.

          Thank you in advance if anyone has any other helpful hints or tips to look at.

          • DerelictD Offline
            Derelict LAYER 8 Netgate

            That is normal.

            If you want to block access to that from something like a guest network you have to either not pass it or explicitly block it. Using destination This Firewall (self) works great for that.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            • I Offline
              interested_party

              Thank you for the fast reply, I was hoping the firewall login wouldn't show up on WAN IP, and only be bound to an internal LAN IP. I do block guest network access.

              It was quite the scare when I realized the WAN IP was displaying the web login for my firewall, when I didn't think it was exposed by default, I thought something was screwed up.

              If ever the case where WAN did accidentally get opened to WAN by some accidental configuration, it would be hard to easily tell, I'd have to keep checking from external networks just to double check, or have a script run externally on another network probing to see if 443 responds on WAN for the webgui.

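The external check described in the post above, as an added example that is not part of the original thread: a probe to run from a host on another network against your own WAN address (run from the LAN side it reports open by design, as the replies explain). The port list, function names and exit codes are assumptions of this example.

```python
import socket
import sys


def probe_port(host, port, timeout=3.0):
    """Classify one TCP port as seen from the machine running this script.

    open     - handshake completed: a rule passes the traffic and a service answers
    closed   - connection refused (RST): a reject rule, or nothing listening
    filtered - no usable answer before the timeout: typical of a block (drop) rule
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        # Covers timeouts as well as host/network unreachable errors.
        return "filtered"


def exposed_ports(host, ports=(80, 443), timeout=3.0):
    """Return the ports from `ports` that complete a TCP handshake."""
    return [p for p in ports if probe_port(host, p, timeout) == "open"]


if __name__ == "__main__":
    # Usage: python3 wan_probe.py <your-WAN-address>
    wan_addr = sys.argv[1]
    hits = exposed_ports(wan_addr)
    for port in hits:
        print(f"WARNING: {wan_addr}:{port} accepts connections from outside")
    if not hits:
        print(f"OK: no GUI ports answer on {wan_addr}")
    # Non-zero exit lets cron or a monitoring wrapper raise an alert.
    sys.exit(1 if hits else 0)
```

An open result only shows that something answers on that port; if a port forward on 443 is intentional, remove that port from the list or confirm what is answering before treating it as the WebGUI.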
              • DerelictD Offline
                Derelict LAYER 8 Netgate

                You would have to add a rule to WAN to have connections coming in from WAN to actually get the WebGUI.

                Accessing the web gui from LAN on the WAN address has really no bearing on any possibility it would be accessible from the outside. It is how pfSense interface rules work.

                I agree it would be nice to be able to bind the webgui to a specific interface, though many, many people would simply lock themselves out with the feature.

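A simplified model of the behaviour explained in the replies above, added here as an example and not taken from the thread or from pfSense itself: rules are evaluated on the tab of the interface a packet enters, top-down with first match winning and an implicit deny at the end. The addresses are constructed documentation ranges, and the model ignores source matching, protocol, floating rules, NAT and state.

```python
from ipaddress import ip_address, ip_network

# Constructed firewall interface addresses (not from the thread).
FIREWALL_ADDRS = {
    "wan": ip_address("203.0.113.10"),
    "lan": ip_address("192.168.1.1"),
    "guest": ip_address("192.168.50.1"),
}


def dst_matches(dst_spec, dst):
    if dst_spec == "any":
        return True
    if dst_spec == "self":
        # "This Firewall (self)": every address assigned to the firewall.
        return dst in FIREWALL_ADDRS.values()
    return dst in ip_network(dst_spec)


def evaluate(rules, ingress_if, dst, dport):
    """Return the action of the first matching rule on the ingress tab.

    Only the tab of the interface the packet ENTERS is consulted;
    if nothing matches, the implicit default deny applies.
    """
    dst = ip_address(dst)
    for action, dst_spec, port in rules.get(ingress_if, []):
        if dst_matches(dst_spec, dst) and port in ("any", dport):
            return action
    return "block"


# Rules as (action, destination, port), listed top-down per interface tab.
RULES = {
    "wan": [],                          # nothing passed inbound from outside
    "lan": [("pass", "any", "any")],    # usual allow-LAN-to-any rule
    "guest": [("pass", "any", "any")],  # guest network allowed out to any
}

# Same ruleset with a block to This Firewall (self) on 443 above the guest pass rule.
HARDENED = dict(RULES, guest=[("block", "self", 443), ("pass", "any", "any")])
```

With `RULES`, a LAN or guest client reaching the WAN address on 443 is passed by its own tab's allow-to-any rule, while the same packet arriving on WAN is blocked; with `HARDENED`, the guest client is blocked on every firewall address but still reaches outside hosts.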
                • I Offline
                  interested_party

                  Thank you again for your help and explanations, it makes sense.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.