WebGUI access on all interfaces ?

Gertjan

@chudak said in WebGUI access on all interfaces ?:

I can access my router WebGUI via all of them.

That's NOT default.
pfSense, as it came out of the box, only accept WebGUI access from its LAN interface. All interfaces have no rules so the default firewall policy kicks in : block all **.

The WebGUI is running on port 80 or port 443 - only you know which one it is, or what port other number it is.
The destination will be the 'pfSense' IP of that interface.
Like, in your case, use the alias "Wifi_address".

On the interface where you want to block, put a block rule on top, TCP, port number, destination Wifi_address.
Leave the rest at default, and Save, Validate.

** maybe an exception : when you use the OpenVPN server wizard, it will put a pass-all firewall rule on yhe OpenVPN interface, thus permitting to access the WebGUI.

Rico

Oh btw, you posted almost the same question here some days ago: https://forum.netgate.com/topic/154387/easy-way-to-restrict-webconfigurator-access-on-openvpn-only
The concept is always the same, no matter if it is a wire Interface, Wifi, VLAN, virtual Interface like OpenVPN, Interface Group, ...

-Rico

Gertjan

@Rico said in WebGUI access on all interfaces ?:

Oh btw, you posted

I don't dare to look neither ask : I was answering there also ?
My memory said that the same question was ask a couple of days ago.
The answer wasn't clear ... ?

Rico

Your answer there was clear as crystal.

-Rico

Gertjan

@Rico said in WebGUI access on all interfaces ?:

Your answer there was clear as crystal.

-Rico

Guess @chudak doesn't share that opnion.

emammadov

Hi. You can create an alias of "pfsense ports" (such as webgui port, ssh and etc.), and the ip address of admins and create a floating rule and select the interfaces that you want to allow or disallow.

chudak

@emammadov

I like this suggestion

I added this rule:

And I don't see access disabled on WIFI net (19.168.70.1 in my case)

WTH ?

@Gertjan @Rico it was slightly different question :) appreciate your participation and contributions to the group! That's why I love open source!

emammadov

Check "Apply the action immediately on match".

Gertjan

@chudak : @emammadov proposed a rule that blocks the access to the webgui of pfSense.
You forgot to copy half of all settings, and created a rule that blocks the access to any web site on planet earth.

chudak

@Gertjan

You are right ! :)

It was test. I ended up with this rule:

Gertjan

Close to perfect

Instead of creating your own alais called pfSense - the one you forget to change when you change the IP of the LAN of pfSense == potential pitfall, use the alias that was designed for this "This firewall".

chudak

@Gertjan

This is interesting.
The reason I have alias called pfSense because it lists LAN addresses like 192.168.90.1 etc as well as DDNS addresses.

I did not see "This Firewall" blocking external DDNS IPs. Did you?

PS: Thinking about it I'd say it should block ANY IPs, maybe a good feature request ?

Thx