Netgate Discussion Forum

    How To Remotely Access Router WebGUI ?

    General pfSense Questions
    17 Posts 7 Posters 1.4k Views
    • GentleJoe

      Most people don't recommend opening the WebGUI up to the internet.

      Set up the OpenVPN server, then connect via this VPN; much safer.

      • NogBadTheBad

        ^^ what Joe said.

        Don't open up ports that don't need to be open.

        https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

        Also a big plus for your customers is they could access their network remotely as well.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        • marvosa

          Agreed. Configuring VPN access is the ideal solution.  However, another option is configuring a port forward on a random port then redirect it to the firewall's LAN IP on port 443.  The last step would be to enter your home public IP as the source so the rule is explicit and only you can access the rule from the outside.

          • occamsrazor

            A VPN solution is of course the preferred solution security-wise. That said, IF... you do want to open access to the WebGUI to the whole world, this would be the firewall rule that you would create on the WAN interface to do so. In my case I am using port 8080 as my webConfigurator port, the one listed in System/Advanced/Admin Access.

            ![WAN rule.png](/public/imported_attachments/1/WAN rule.png)

            pfSense CE on Qotom Q355G4 8GB RAM/60GB SSD
            Ubiquiti Unifi wired and wireless network, APC UPSs
            Mac OSX and IOS devices, QNAP NAS

            • occamsrazor

              As an aside, and a genuine question... given that there is a webConfigurator lockout table preventing multiple incorrect logins within a time period, assuming you choose a reasonably secure password... what realistically would be the security threat or possible vector of attack? I'm talking about a home setup here. The convenience of not having to use a VPN, especially from mobile devices, is quite high.

              pfSense CE on Qotom Q355G4 8GB RAM/60GB SSD
              Ubiquiti Unifi wired and wireless network, APC UPSs
              Mac OSX and IOS devices, QNAP NAS

              • marvosa

                The solution occamsrazor provided works too.  Although, 8080 is a known admin port for many devices and applications, so I personally wouldn't open 8080 if I had other options.  Also, I would not leave the source as "any".  I would configure the source with an explicit list of the IPs you want accessing the firewall.

                • occamsrazor

                  @marvosa:

                  The solution occamsrazor provided works too.  Although, 8080 is a known admin port for many devices and applications, so I personally wouldn't open 8080 if I had other options.

                  Thanks for the advice. As I'm the only user I can set it to whatever. So a higher port like 5xxxx or suchlike would be less likely to attract attention? Second question, I noted your reply a couple of posts above... what's the advantage of a port forward from 5xxxx > 443 vs just using 5xxxx in System/Advanced/Admin Access? Simply so you can continue to use 443 internally on LAN? Or something else?

                  @marvosa:

                  Also, I would not leave the source as "any".  I would configure the source with an explicit list of the IP's you want accessing the firewall.

                  I guess if you only want to access from some fixed locations that would work, but if you want to access from a roaming laptop or mobile device on 4G, that wouldn't be possible...

                  pfSense CE on Qotom Q355G4 8GB RAM/60GB SSD
                  Ubiquiti Unifi wired and wireless network, APC UPSs
                  Mac OSX and IOS devices, QNAP NAS

                  • johnpoz LAYER 8 Global Moderator

                    "The convenience of not having to use a VPN, especially from mobile devices, is quite high."

                    How so? OpenVPN has clients for both Android and iOS.. It takes less than a second to connect to the VPN on my phone, be it on a wifi network or even just on cell coverage.. So why in the world would I not just use the more secure option with a VPN?

                    Like saying, you know what, locking my car door and taking my keys with me is such an inconvenience... I will just leave them in the car and not lock the door.. And then complain when someone takes your car...

                    Passwords are such an inconvenience... I just make them all 12345678 to make it easier ;)  Why do we need PINs on our debit cards again?  It's such a PITA to have to type them in ;)

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    • occamsrazor

                      @johnpoz:

                      "The convenience of not having to use a VPN, especially from mobile devices, is quite high."

                      How so? OpenVPN has clients for both Android and iOS.. It takes less than a second to connect to the VPN on my phone, be it on a wifi network or even just on cell coverage.. So why in the world would I not just use the more secure option with a VPN?

                      No dispute on that, each to their own of course. And I actually do have OpenVPN set up with both Mac and iOS client apps. But it's still quicker without. I remain genuinely curious what the possible vector of attack would be though, given webConfigurator's lockout table...

                      @johnpoz:

                      Passwords are such an inconvenience... I just make them all 12345678 to make it easier ;)  Why do we need PINs on our debit cards again?  It's such a PITA to have to type them in ;)

                      Not really an equivalent though... you still need the correct administrator username/password entered within a certain number of tries to access the router. BTW I have disabled the default "admin" user login capability.

                      As mentioned, I'm no expert and genuinely interested in this.

                      pfSense CE on Qotom Q355G4 8GB RAM/60GB SSD
                      Ubiquiti Unifi wired and wireless network, APC UPSs
                      Mac OSX and IOS devices, QNAP NAS

                      • Derelict LAYER 8 Netgate

                        You could also set up a VPN into your management location then put a firewall rule on the client firewall that only allows connections from that location. So you VPN into one location and use that to access the clients' systems.

                        I have found that a VPN to my office and remote desktop into my workstation is far easier than maintaining/syncing all the tools I might need on my laptop.

                        Chattanooga, Tennessee, USA
                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

                        • johnpoz LAYER 8 Global Moderator

                          "you still need the correct administrator username/password entered within a certain number of tries to access the router."

                          Not if there is an exploit in whatever it is that runs the webgui.. Exposure of any service is risk!  Even exposure of a VPN is a risk when you look at the big picture..

                          While the lock rule does lock an IP for like 24 hours after 15 bad attempts.. Are you watching the logs? It could be tried over multiple days, etc.

                          Changing the port to a not so common port is not security.. That is an attempt at obscurity, which we all know is not security ;)  While it might help in reducing the noise in your logs, it is not considered a security measure.

                          As to my password and PIN examples, they are quite relevant to your point.. You state connecting to your VPN is not convenient so you just open up your webgui... Even if you have taken what you believe are steps to make it "more" secure than just open on 80 or 443..

                          Why do I need a PIN when some user has to have my debit card to access my account ;)  So the whole idea of a PIN seems to be just an inconvenience if you look at it that way.  Could say the same with passwords... Why not just make them all the same so they are easier to remember, which is way more convenient ;)  Really the person trying to access my account would still need to know my email or username, right ;)  And they would still need to guess that 12345678 password.  Which, sure, websites lock you out when the wrong password is tried too many times.. so what are the odds...

                          edit:  Why exactly do you even need to access your pfSense web GUI remotely, to be honest?  How often are you doing it that clicking the VPN icon on your phone/laptop/PC is such a bother?  I am normally VPN'd into my home network all day from work ;)  But not really to access the webgui of pfSense, unless doing so to take a screenshot to help out on some thread.

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                          • captainjackla

                            @johnpoz:

                            edit:  Why exactly do you even need to access your pfSense web GUI remotely, to be honest?  How often are you doing it that clicking the VPN icon on your phone/laptop/PC is such a bother?  I am normally VPN'd into my home network all day from work ;)  But not really to access the webgui of pfSense, unless doing so to take a screenshot to help out on some thread.

                            I would like access to it because we have several all around the county and some are not so easy to access during the weekend or evenings. There may be some issues that I can resolve without physically being there.

                            • johnpoz LAYER 8 Global Moderator

                              The question on access was not really directed at you, captainjackla.. More to occamsrazor, who says the VPN is too much of an inconvenience.

                              I agree there are for sure reasons to access the firewall remotely to correct some sort of issue, like something blocked, DNS not working, etc etc.. Especially when supporting a remote customer.  In such a scenario though I would think you would be coming from a known IP.. Or at least a known limited netblock, which, if you're going to open up remote access, should be limited to the IP you would be coming from.

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.8, 24.11

                              • marvosa

                                Thanks for the advice. As I'm the only user I can set it to whatever. So a higher port like 5xxxx or suchlike would be less likely to attract attention?

                                Something random, yes, 5xxxx works… it can be anything really... I would just make it random that isn't commonly known as an admin port

                                Second question, I noted your reply a couple posts above… what's the advantage of a port forward from 5xxxx > 443 vs just using 5xxxx in System/Advanced/Admin Access? Simply so you can continue to use 443 internally on LAN? Or something else?

                                1) IMO, it's just one more hurdle for someone to get over... the real port isn't exposed, so the port/service first has to be discovered for a connection attempt to be made.  Hopefully, you have IDS/IPS catching port scans, etc.  Is there an advantage over changing the TCP port to e.g. 56832 and then mapping directly to 56832?  The only real advantage would be the option of keeping everything on the backend on "normal" ports... instead of having to make changes on the backend to match the frontend.

                                I guess if you only want to access from some fixed locations that would work, but if you want to access from a roaming laptop or mobile device on 4g, that wouldn't be possible…..

                                The simple solution, which is what I've done:

                                • Open a free Dynamic DNS account (e.g. captainjackla.noip.com)

                                • Create an alias on pfSense with captainjackla.noip.com as the FQDN

                                • Have the client update software running on your laptop, so your IP is always updated

                                • Have your firewall rule sourced from the alias you just made

                                Now, not only do you have access from whatever IP captainjackla.noip.com is currently updated with, but you can also add multiple hosts to the same alias for access… e.g. home, work, etc... all from one firewall rule and it's still explicit.

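The two alternatives discussed in this thread, occamsrazor's WAN rule that exposes the webConfigurator to any source, and marvosa's port forward from a random external port to the GUI's normal port with the source limited to an alias that can carry a dynamic-DNS name, written out side by side as pf rules. This is an added example, not configuration posted by anyone in the thread and not the ruleset pfSense generates; on pfSense these are built in Firewall > Aliases, Firewall > NAT > Port Forward and Firewall > Rules, and hand edits to the generated rules do not survive a reload. The interface name em0, the LAN address 192.168.1.1, the external port 56832, the management address 203.0.113.10 and the hostname mgmt.example.com are assumptions.

```pf
# Constructed pf.conf fragment in FreeBSD pf syntax (the pf that pfSense runs).
# Interface, addresses, ports and hostname below are assumed for illustration.
ext_if   = "em0"
fw_lan   = "192.168.1.1"    # firewall's LAN address, where the GUI listens
gui_port = "443"            # webConfigurator port from System/Advanced/Admin Access
ext_port = "56832"          # random external port; reduces log noise, not a control

# Management sources. A hostname in a table is resolved when the ruleset loads,
# so a dynamic-DNS name is only as current as the last load or table refresh:
#   pfctl -t mgmt_hosts -T replace 203.0.113.10 mgmt.example.com
table <mgmt_hosts> persist { 203.0.113.10, mgmt.example.com }

# 1. Weak: the posted WAN rule, GUI on 8080 reachable from any address.
#    Left commented out so the two variants are never active together.
# pass in quick on $ext_if proto tcp from any to ($ext_if) port 8080 keep state

# 2. Hardened: translation runs before filtering, so the pass rule is written
#    against the translated destination ($fw_lan:$gui_port), not $ext_port.
rdr on $ext_if proto tcp from <mgmt_hosts> to ($ext_if) port $ext_port -> $fw_lan port $gui_port
pass in quick on $ext_if proto tcp from <mgmt_hosts> to $fw_lan port $gui_port keep state

# Anything else aimed at the GUI ports or the forwarded port on WAN is dropped
# and logged, so probes from non-management addresses are visible in the log.
block in log quick on $ext_if proto tcp to ($ext_if) port { 80, 443, 8080, $ext_port }
```

`pfctl -nf` on the file checks the syntax without loading it. The table refresh command in the comment is the manual equivalent of what pfSense's FQDN alias handling does on a timer, which is the gap johnpoz points out below: if the laptop's dynamic-DNS record has just changed, the table still holds the old address until the next refresh, and the connection is blocked (and logged) until then.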
                                • johnpoz LAYER 8 Global Moderator

                                  "Have your firewall rule sourced from the alias you just made"

                                  This is a valid solution to locking down to a source IP from something that changes, etc... If you have to open up such a service.. But I am at a loss as to how that is less of a PITA to set up than a simple VPN? You have to deal with maybe not having stuff in sync.. The aliases in pfSense only update so often... So if your client just updated the dynamic FQDN, you might have to wait for pfSense to update its alias, etc.

                                  But it is a nice solution to something that changes IP ;)

                                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                                  If you get confused: Listen to the Music Play
                                  Please don't Chat/PM me for help, unless mod related
                                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                                  • captainjackla

                                    Thanks @marvosa...

                                    I am going to try this idea.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.