Netgate Discussion Forum
    Hide GUI

General pfSense Questions
14 Posts, 5 Posters, 1.1k Views
JALaB:

      HELP! My IT guy passed away unexpectedly. He set up pfSense in my small business. My credit card company called and said we failed compliance testing. They want my GUI login interface to be invisible. I don't want to mess things up. How do I do this to satisfy them? THANKS! Joe

Gertjan, replying to JALaB:

        @jalab said in Hide GUI:

        They want my GUI login interface to be invisible.

By default, the GUI cannot be seen / used / noticed on the WAN side.
Doing so is considered "bad practice" anyway.

The default pfSense has no WAN firewall rules - and no NAT rules.
This means: nothing from the outside (the Internet) can go "in".

You're hosting services locally that handle credit card transactions?
Get yourself an "admin".

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

JALaB:

My credit card machine has an IP address on my LAN. Yearly, we have to go through a credentialing process to assure security. Not sure what changed from last year, but their tech guy sent me a screenshot of my login screen and apparently this is a no-no on their end. I am not sure how he was able to do this. I would appreciate any help. I am not an IT person, but know enough to get myself in trouble. Since my IT person passed, I don't want to muck up anything by messing with settings. Thanks again.

          Joe

JKnott, replying to JALaB:

            @jalab

            I don't know what's happening there, but many companies do not allow any management interfaces on the main LAN. I have set up networks where the management interfaces are on a VLAN that users don't have access to.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

johnpoz (LAYER 8 Global Moderator), replying to JKnott:

Did they do the check from outside your network or inside your network?

If outside - then yeah, that would be bad.. Post up your WAN rules.

If from inside your network, i.e. the LAN side: if on LAN then yes, the anti-lockout rule would allow the GUI to be accessed from the LAN network.

And yes, @JKnott is correct - if you're doing stuff with CC and such, you prob do not want the webgui available from that network. Your CC stuff should prob be on a different VLAN than all your other stuff, i.e. not your normal LAN.. And you would, yes, prevent this network from accessing the web GUI of your firewall.

You have 2 options - disable the anti-lockout rule on your LAN and set up only a specific IP on your LAN to be able to access the GUI. Or the better solution would be to move your CC stuff to a different VLAN.. And isolate it as much as possible from talking to anything else on your network that it doesn't need to talk to to do its CC stuff.

Sorry to hear about the loss of your IT guy - but your best bet here is to get another IT guy that knows how to properly secure a network for PCI compliance.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

Gertjan, replying to JALaB:

                @jalab said in Hide GUI:

                My credit card machine has an IP address on my LAN.

I've got a couple of them in my (company) LAN.
And I can host or make visible on my WAN IP whatever I want.
Why should my bank bother?

As far as I know, with these devices (in France - the place where they invented the credit card) banks or other organisations don't care.
These devices use their own TLS based connections, which are 'unbreakable'.
These devices do not accept 'connections' from anywhere. Again: they are located in the same LAN as the PC on which I'm writing this post. They just allow a simple end user keyboard (pad) control.
These devices can only connect - that is: they take the initiative - to a known server "at the bank".

Btw: if the IT guy isn't the boss of the company: replace him: people come and go, that happens all the time. That's what people do.

Making a backup of the pfSense config - so you can step back with the click of a button - is a matter of .... clicking a button.
Then: remove that firewall rule that enables GUI access from the outside, as it is at best very bad practice anyway (your bank is doing you a favour in fact, they should send you a bill for this audit - and normally you would have a not so friendly talk with the IT guy ....)

You can show the firewall rules on your WAN interface, like this (these are mine, used for our company, a hotel):

[image: screenshot of WAN firewall rules]

but if you do not understand what these rules do or imply, don't worry, you're right, or get someone involved that understands these things.

Just for my own curiosity: you're talking about basic payment terminal equipment here, right? What country / bank? Or do you really want to store credit card details of people on your local equipment (and if so, why?? because such a thing opens a huge security can of worms here where I live)

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

JALaB:

                  Thanks for the reply. I am in NY state .. USA. Just a terminal machine attached to my LAN with its own IP address. Nothing is stored .. just transmitting the card and amount to the processing company.

johnpoz (LAYER 8 Global Moderator), replying to JALaB:

Well the "fastest/simplest" way to meet your criteria of hiding the pfSense GUI from the machine on your LAN would be:

Create a rule to allow "your" machine's IP to access the GUI.. Then turn off the anti-lockout rule, and then add a rule to block all other IPs from accessing it.

Keep in mind that rules are evaluated top down; the first rule to trigger wins, no other rules are evaluated.

So put the rule that allows access to the GUI from your machine's IP above the rule that blocks access to the GUI..

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

JALaB, replying to JALaB:

                      @jalab Thank you .. makes sense. By chance, what is the "rule" for doing this? Appreciate it.
                      Joe

johnpoz (LAYER 8 Global Moderator), replying to JALaB:

                        Rule for what - I just explained to you what rules..

                        I SERIOUSLY suggest you get someone in IT to do this for you - if you have no idea what I meant above about block and allow rules..

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

JALaB:

Thanks -- I do know how to do it .. actually set up my 2016 server and network when the IT company I hired after my other guy died completely screwed everything up .. so I guess my question is what ports and rules apply specifically to the GUI logon screen .. which is what they want blocked .. thought you could save me some time searching for this info.......

johnpoz (LAYER 8 Global Moderator), replying to JALaB:

Well most likely the default 80 or 443.. But could be anything.. Mine is on 8443 for example..

You really need to look here
[image: port.jpg - screenshot of the GUI port setting]

And whether you have the redirect from 80 to your HTTPS port enabled or not, etc.

You could just block all access to the "This Firewall" alias - but then I don't know what you're doing for DNS, NTP, etc., which can also point to the firewall IP. Or maybe you need to be able to ping it, etc..

This is not like 1 thing; all users' setups could be different. For all we know you're running only HTTP on port 92, etc.

Your anti-lockout rule would show you what ports are being used for the GUI, and SSH if you're using that, etc.

[image: antilock.jpg - screenshot of the anti-lockout rule]

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11
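As an added illustration (not code from the thread or from pfSense), the following Python model replays the top-down, first-match evaluation johnpoz describes on three constructed LAN rule sets: the recommended order (allow the admin PC, then block the rest of the LAN from the GUI ports), the same rules reversed, and a block on the whole "This Firewall" alias that also cuts off DNS. All addresses, the 443 GUI port and the single admin PC are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values (assumptions, not from the thread): the pfSense
# LAN address, the one admin PC allowed to reach the GUI, the card terminal.
FW_IP = ip_address("192.168.1.1")
ADMIN_IP = ip_address("192.168.1.50")
TERMINAL_IP = ip_address("192.168.1.77")
THIS_FW = ip_network("192.168.1.1/32")     # stands in for the "This Firewall" alias
ADMIN_PC = ip_network("192.168.1.50/32")
LAN_NET = ip_network("192.168.1.0/24")
ANY = ip_network("0.0.0.0/0")
GUI_PORTS = {443}   # assumed HTTPS-only GUI; read the real port from the anti-lockout rule
DNS = 53            # a service the LAN also gets from the firewall address


def rule(action, src, dst, ports=None):
    """One LAN-interface rule; ports=None means any port."""
    return {"action": action, "src": src, "dst": dst, "ports": ports}


def evaluate(rules, src, dst, port):
    """pfSense-style evaluation: top down, first matching rule wins."""
    for r in rules:
        port_ok = r["ports"] is None or port in r["ports"]
        if src in r["src"] and dst in r["dst"] and port_ok:
            return r["action"]
    return "block"  # nothing matched: implicit default deny


# Correct order: allow the admin PC first, then block the rest of LAN from the
# GUI ports only, then the stock "LAN to any" rule (anti-lockout rule disabled).
GOOD_ORDER = [
    rule("pass", ADMIN_PC, THIS_FW, GUI_PORTS),
    rule("block", LAN_NET, THIS_FW, GUI_PORTS),
    rule("pass", LAN_NET, ANY),
]
# Same rules with the block above the allow: the admin PC is locked out too.
BAD_ORDER = [GOOD_ORDER[1], GOOD_ORDER[0], GOOD_ORDER[2]]
# Block to "This Firewall" with no port restriction: DNS from the LAN dies as well.
TOO_BROAD = [GOOD_ORDER[0], rule("block", LAN_NET, THIS_FW), GOOD_ORDER[2]]


def check(rules):
    """What a rule set does for the three flows that matter in this thread."""
    return {
        "admin_gui": evaluate(rules, ADMIN_IP, FW_IP, 443),
        "terminal_gui": evaluate(rules, TERMINAL_IP, FW_IP, 443),
        "terminal_dns": evaluate(rules, TERMINAL_IP, FW_IP, DNS),
    }
```

The model covers only LAN-interface rules, not floating rules or the anti-lockout rule itself; confirm the real GUI port and protocol on the firewall before building the rules.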

JALaB:

                                Perfect .. that helped immensely .. Thank you!!

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.