Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    WebGUI access on all interfaces ?

    Scheduled Pinned Locked Moved General pfSense Questions
    15 Posts 5 Posters 2.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • GertjanG
      Gertjan @chudak
      last edited by

      @chudak said in WebGUI access on all interfaces ?:

      I can access my router WebGUI via all of them.

      That's NOT default.
      pfSense, as it came out of the box, only accept WebGUI access from its LAN interface. All interfaces have no rules so the default firewall policy kicks in : block all **.

      The WebGUI is running on port 80 or port 443 - only you know which one it is, or what port other number it is.
      The destination will be the 'pfSense' IP of that interface.
      Like, in your case, use the alias "Wifi_address".

      On the interface where you want to block, put a block rule on top, TCP, port number, destination Wifi_address.
      Leave the rest at default, and Save, Validate.

      ** maybe an exception : when you use the OpenVPN server wizard, it will put a pass-all firewall rule on yhe OpenVPN interface, thus permitting to access the WebGUI.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      1 Reply Last reply Reply Quote 1
      • RicoR
        Rico LAYER 8 Rebel Alliance
        last edited by

        Oh btw, you posted almost the same question here some days ago: https://forum.netgate.com/topic/154387/easy-way-to-restrict-webconfigurator-access-on-openvpn-only
        The concept is always the same, no matter if it is a wire Interface, Wifi, VLAN, virtual Interface like OpenVPN, Interface Group, ...

        -Rico

        GertjanG 1 Reply Last reply Reply Quote 0
        • GertjanG
          Gertjan @Rico
          last edited by

          @Rico said in WebGUI access on all interfaces ?:

          Oh btw, you posted

          I don't dare to look neither ask : I was answering there also ?
          My memory said that the same question was ask a couple of days ago.
          The answer wasn't clear ... ?

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          1 Reply Last reply Reply Quote 0
          • RicoR
            Rico LAYER 8 Rebel Alliance
            last edited by

            Your answer there was clear as crystal. ๐Ÿ™ƒ

            -Rico

            GertjanG 1 Reply Last reply Reply Quote 0
            • GertjanG
              Gertjan @Rico
              last edited by

              @Rico said in WebGUI access on all interfaces ?:

              Your answer there was clear as crystal. ๐Ÿ™ƒ

              -Rico

              Guess @chudak doesn't share that opnion.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              1 Reply Last reply Reply Quote 0
              • emammadovE
                emammadov
                last edited by

                Hi. You can create an alias of "pfsense ports" (such as webgui port, ssh and etc.), and the ip address of admins and create a floating rule and select the interfaces that you want to allow or disallow.

                floatng_webgui.JPG

                floatng_webgui2.JPG

                Elvin

                chudakC 1 Reply Last reply Reply Quote 1
                • chudakC
                  chudak @emammadov
                  last edited by

                  @emammadov

                  I like this suggestion

                  I added this rule:

                  53312883-9216-49ae-a395-77581ca15b8a-image.png

                  And I don't see access disabled on WIFI net (19.168.70.1 in my case)

                  WTH ?

                  @Gertjan @Rico it was slightly different question :) appreciate your participation and contributions to the group! That's why I love open source!

                  1 Reply Last reply Reply Quote 0
                  • emammadovE
                    emammadov
                    last edited by

                    Check "Apply the action immediately on match".

                    Elvin

                    1 Reply Last reply Reply Quote 0
                    • GertjanG
                      Gertjan
                      last edited by

                      @chudak : @emammadov proposed a rule that blocks the access to the webgui of pfSense.
                      You forgot to copy half of all settings, and created a rule that blocks the access to any web site on planet earth.

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                      chudakC 1 Reply Last reply Reply Quote 0
                      • chudakC
                        chudak @Gertjan
                        last edited by

                        @Gertjan

                        You are right ! :)

                        It was test. I ended up with this rule:

                        e1c461fa-3143-4dde-8f4b-b66cef6aba74-image.png

                        1 Reply Last reply Reply Quote 0
                        • GertjanG
                          Gertjan
                          last edited by

                          Close to perfect ๐Ÿ‘

                          Instead of creating your own alais called pfSense - the one you forget to change when you change the IP of the LAN of pfSense == potential pitfall, use the alias that was designed for this "This firewall".

                          No "help me" PM's please. Use the forum, the community will thank you.
                          Edit : and where are the logs ??

                          chudakC 1 Reply Last reply Reply Quote 0
                          • chudakC
                            chudak @Gertjan
                            last edited by chudak

                            @Gertjan

                            This is interesting.
                            The reason I have alias called pfSense because it lists LAN addresses like 192.168.90.1 etc as well as DDNS addresses.

                            I did not see "This Firewall" blocking external DDNS IPs. Did you?

                            PS: Thinking about it I'd say it should block ANY IPs, maybe a good feature request ?

                            Thx

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.