Netgate Discussion Forum

    Virtual IP without NAT allows for Admin access on WAN

    Firewalling
    14 Posts 3 Posters 1.2k Views
    • johnpoz LAYER 8 Global Moderator

      Post up your firewall rules for your wan... And from what direction are you accessing this vip.. from your lan side or your wan side?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07 | Lab VMs 2.8, 25.07

      • b_levitt @johnpoz

        @johnpoz :
        [attached screenshot: 0_1548172639132_02fb84be-32f5-456a-a92d-beeca4d29fb2-image.png]

        The above is the only rule I had for http - like I said, all servers behind this firewall are web servers.

        Yes, I confirmed external access on the WAN side with a device not on our lan.

        • johnpoz LAYER 8 Global Moderator

          Well, that is an any/any rule for 80... So yeah... WTF were you thinking creating such a rule?

          Your rule should have been locked down to the actual dest IP(s)..

          When you do a port forward, pfSense will auto-create the rule for you with the destination RFC1918 address as the dest.. If you have public space behind your pfSense without port forwarding, then you should create the rule with the dest IP(s) or a CIDR dest that is your web servers, etc.


          • b_levitt @johnpoz

            @johnpoz

            I get that and I've changed it - but why does the firewall block http for the admin interface on its own IP, but not with virtual IPs?

            • johnpoz LAYER 8 Global Moderator

              The firewall blocks ALL access from the WAN unless you create a rule to allow it.. Out of the box all unsolicited inbound traffic is blocked, be it to the actual WAN IP, a VIP or whatever.. Out of the box nothing is allowed in on the WAN - it doesn't even answer ping out of the box, etc.


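The two moderator replies above make one point: a WAN pass rule whose destination is `*` covers the firewall's own interface address and every VIP, and anything no rule matches falls through to the default deny. The following Python model is an added example, not pfSense code and not its rule format: it evaluates a simplified first-match rule list the way the WAN tab is evaluated and reports which firewall-owned addresses a given rule set would pass traffic to. It only answers "would this packet be passed", not whether anything is listening. All IPs, VIPs, the web server subnet and the rules are constructed sample data.

```python
"""Which of the firewall's own addresses does a WAN rule set expose?

Added example, not pfSense code. It models the WAN tab the way pfSense
evaluates it: rules top to bottom, first match wins, and anything that
matches no rule is dropped by the implicit default deny. It only answers
"would this packet be passed", not whether a daemon is listening on the
address. All addresses, VIPs and rules below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

ANY = "any"  # what the GUI shows as '*'


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp" or ANY
    src: str               # CIDR or ANY
    dst: str               # CIDR or ANY
    dport: Optional[int]   # destination port, None for any port
    descr: str = ""


def _matches(cidr: str, addr: str) -> bool:
    """'any' matches everything, including the firewall's own addresses."""
    return cidr == ANY or ip_address(addr) in ip_network(cidr, strict=False)


def first_match(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> Optional[Rule]:
    """First rule matching the packet, or None for the implicit default deny."""
    for r in rules:
        if r.proto not in (ANY, proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if _matches(r.src, src) and _matches(r.dst, dst):
            return r
    return None


def exposed_self_addresses(rules: List[Rule], self_addrs: Dict[str, str],
                           proto: str = "tcp", dport: int = 80,
                           src: str = "203.0.113.50") -> Dict[str, str]:
    """Firewall-owned addresses (WAN IP and VIPs) that a client at `src` on the
    WAN side would be passed to on proto/dport, mapped to the description of
    the rule that lets the packet in."""
    exposed = {}
    for name, addr in self_addrs.items():
        r = first_match(rules, proto, src, addr, dport)
        if r is not None and r.action == "pass":
            exposed[name] = r.descr
    return exposed


# Constructed sample topology: the WAN interface address plus two IP-alias
# VIPs, and a routed public subnet of web servers behind the firewall
# (no NAT, so there is no auto-generated port-forward rule).
SELF_ADDRS = {"WAN": "198.51.100.1", "VIP1": "198.51.100.10", "VIP2": "198.51.100.11"}
WEB_SERVERS = "192.0.2.0/28"

# The rule from the thread: destination '*', so it also covers the
# firewall's own interface address and every VIP.
BAD_RULES = [Rule("pass", "tcp", ANY, ANY, 80, "allow http to any")]

# The fix: destination limited to the web server subnet.
GOOD_RULES = [Rule("pass", "tcp", ANY, WEB_SERVERS, 80, "allow http to web servers")]


def demo() -> None:
    for label, rules in (("dst any", BAD_RULES), ("dst web servers", GOOD_RULES)):
        hit = exposed_self_addresses(rules, SELF_ADDRS)
        print(f"{label:16s} exposes {sorted(hit) or 'nothing'} on tcp/80")
    # A real web server is still reachable under the fixed rule ...
    print("web server tcp/80:", first_match(GOOD_RULES, "tcp", "203.0.113.50", "192.0.2.5", 80).descr)
    # ... and anything matching no rule falls through to the default deny.
    print("web server tcp/443:", first_match(GOOD_RULES, "tcp", "203.0.113.50", "192.0.2.5", 443))


if __name__ == "__main__":
    demo()
```

Running `demo()` shows the `dst any` rule passing tcp/80 to the WAN IP and both VIPs, while the rule restricted to the web server subnet exposes none of them and still passes tcp/80 to a web server; tcp/443 to the same web server matches no rule and is dropped. Whether the webGUI actually answers on a given address is a separate question from whether the rule passes the packet.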
              • b_levitt

                Even with the any/any rule in place, I cannot get to the admin interface on the WAN interface IP. It is treating the formally assigned IP and the VIPs differently.

                I'm either trying to understand the difference or suggesting a "pit of success" feature. I get that this was messed up - but these rules were translated from another system where all LAN IPs would be allowed for http, and that's what the context for "any" was. Nobody knew that '*' also included the firewall, since testing the WAN IP was denied as expected.

                • johnpoz LAYER 8 Global Moderator

                  My guess is there is a redirect to https on the WAN IP... But possibly this redirect doesn't work on a VIP? And that redirect port is not allowed.

                  That is a guess..

                  How could anyone think that * is just lan IPs?? Come on ;) And doesn't include ALL?


                  • b_levitt @johnpoz

                    @johnpoz said in Virtual IP without NAT allows for Admin access on WAN:

                    > My guess is there is a redirect to https on the WAN IP... But possibly this redirect doesn't work on a VIP? And that redirect port is not allowed.

                    Confirmed in Fiddler that this is not correct. The firewall does not respond to http at all.

                    > How could anyone think that * is just LAN IPs?? Come on ;) And doesn't include ALL?

                    Because all isn't actually all, since it doesn't include the WAN IP. If we had a successful test case of "all doesn't include the WAN IP", where does it say that VIPs are different?

                    • johnpoz LAYER 8 Global Moderator

                      I have no idea why you would think that * is not ALL and/or that it doesn't include a VIP..

                      You had a firewall rule that was dest *... So yeah, if something is listening on the WAN or a VIP you would be able to get to it!

                      When you create the rule it says ANY... and puts in the *


                      • b_levitt @johnpoz

                        @johnpoz said in Virtual IP without NAT allows for Admin access on WAN:

                        > I have no idea why you would think that * is not ALL and/or that it doesn't include a VIP..

                        It's not what I think. It's what I can actually confirm. The firewall does not respond to requests for the admin interface on the WAN IP regardless of rules. Seems to me that it would be a nifty feature to do the same for VIPs.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.