VPN SSL and IP on WAN interface
-
@daddygo Thanks for your reply
Usually i put public IP on WAN and for remote management i allow access via HTTPS to the firewall and also for VPN SSL. Usually i also change default port 443 with 5432 or something like that.
I need to manage the firewall remotely and my worry is that the firewall is accessible from internet with public IP so I was thinking to use natted IP on wan interface.
That's the reason.
I understand that best solution is allow HTTPS access and restrict access rather than use natted IP. -
Nat is not really a security aspect.. While if port X is only forwarded to pfsense rfc1918 wan ip it would keep pfsense logs free of noise.
While nat can be seen as preventing traffic to any port on your device, and could be beneficial if your device doesn't have a firewall and ports you don't want exposed could be exposed if not behind a nat.
Out of the box all unsolicited traffic to pfsense wan is dropped out of the box anyway.
If your exposing service xyz to the public internet - doesn't really matter if natted or not from a security point of view.
I wouldn't expose the pfsense gui to the public internet be it natted or not, unless you could lock down the source IP to your known IP your coming from.
Its best for remote admin to vpn in..
Nat or Napt in general should not be seen as a security feature..
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11 -
@reynold said in VPN SSL and IP on WAN interface:
I need to manage the firewall remotely and my worry is that the firewall is accessible from internet with public IP so I was thinking to use natted IP on wan interface.
The firewall (NGFW) by default, all traffic is
rejectedDROPPED on the WAN interface.so don't worry until you start opening unnecessary ports to the world
Instead of HTTPS, I would still recommend a VPN solution for remote management, something like this:
-
Oops cross-posted, almost the same
-
@daddygo hehe - yeah pretty close.
Small edit I would suggest for you
by default, all traffic is rejected on the WAN interface.
Not technically correct - the traffic is not "rejected" its dropped.. Reject on wan is almost always a bad idea.. Why would you send back a RST, you would want to just drop/ignore the traffic.
-
@johnpoz said in VPN SSL and IP on WAN interface:
the traffic is not "rejected" its dropped.
True :)
++edit:
The DeepL spellchecker has replaced the words -
@daddygo @johnpoz
Thank you guys
So, just for recap:
- public IP on WAN interface
- VPN solution for remote management as @DaddyGo explained
I abolutely agree with you when you says to not expose pfsense gui on internet. That is exactly what I want to obtain.
Now i know how i can do that! I will use VPN solution instead using HTTPS on a specific port.
That's absolutely the best way, instead HTTPS or NAT.
Thanks again,
-
You can run your vpn over 443 if you want.. I do - since 443 is almost always open no matter where your coming from, and you can even bounce it off a proxy (say at your work location)..
I even share this port with other services available to the public, via haproxy.. So my users can request movies for my plex ;) via that service. Haproxy does the ssl offload for that even. And using sni restrictions - if they don't send the correct fqdn, say some bot just hitting my ip on 443.. haproxy would not send the traffic through to my request service.
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11 -
@johnpoz said in VPN SSL and IP on WAN interface:
443.. haproxy
We use exactly this solution for our IceCast2 servers running behind pfSense, -cool stuff
-
@johnpoz said in VPN SSL and IP on WAN interface:
You can run your vpn over 443 if you want.. I do - since 443 is almost always open no matter where your coming from, and you can even bounce it off a proxy (say at your work location)..
OpenVPN use 1194 port by default isn't it?
Can i run VPN also on 443? -
@reynold said in VPN SSL and IP on WAN interface:
OpenVPN use 1194 port by default isn't it?
Yes and no, you can put it anywhere you like either to 50-60K too
Yes 443 also works :-)
++++edit:
John @johnpoz suggested 443 because it is the HTTPS port.
Therefore it is always open and this is not restricted by the ISPs, because it would be pointless -
yeah the default udp port is 1194, this could quite often be blocked from where your at... 443 never going to be blocked if internet is open. even they are forcing traffic through a proxy you can still get your vpn connection over the proxy on 443.
udp is normally a best choice for the vpn - but hey if it doesn't work tcp over 443 is pretty much guaranteed to work - even if not optimal connection, etc.
You can run both, I run a tcp 443 instance along with a 1194 udp instance.
