Netgate Discussion Forum

Security question

General pfSense Questions
6 Posts 3 Posters 1.1k Views
• Jimbo99

      I don’t have a problem, but I have a question.  I have set up an SG-4860 as a dumb router, turned off packet filtering, DHCP, NAT, DNS and IP6.  The WAN port is set up with the Comcast Metro-E /30 subnet and the OPT4 port is set up with one of the Comcast “usable block” IP addresses.  This is the default gateway for my firewalls.  Everything works!

      My question is: I set up the LAN port with a normal non-routable address (10.x.x.x). I use this for management, the WebGUI. The other ports, WAN and OPT4, have “Block private network and loopback address” checked.

      Is this okay from a security standpoint?  I have been leaving the LAN port unplugged, but I would like to just have a management only port to the router.  What do you think?

      Thanks…Jim

      • johnpoz (LAYER 8 Global Moderator)

        Security standpoint from what view?  Who do you think would be accessing the management GUI?  It's on RFC1918 space, you're not even NATting.  Someone else from your local network?  Why exactly do you unplug it??

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • jimp (Rebel Alliance Developer, Netgate)

          You "turned off packet filtering" so pf isn't loaded, so "block private networks" does nothing. In that state, it cannot block and the GUI and other firewall services which remain enabled are exposed to every connected interface.

          If it's a completely internal box, you may not need filtering, but if that has a connection to the Internet, then it's very insecure.

          What was your specific reasoning for turning off packet filtering?

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          • johnpoz (LAYER 8 Global Moderator)

            If what you want is a router, you could just turn off NAT and leave the firewall rules in place; an any/any rule is pretty much just routing ;)

            jimp makes a great point: if you turned off the firewall, I'm pretty sure the GUI is open on every interface, your transit network and your routed network in pfSense. It does not matter what IP address your other interfaces use, i.e. LAN.  Since you have no firewall, I believe the GUI listens on all interfaces.

            • jimp (Rebel Alliance Developer, Netgate)

              pf will cause a significant performance drop vs having it disabled, so if you need high-speed internal routing then you might require pf to be disabled.

              Otherwise, yes, you can either go with a pass all rule (or a more reasonable but permissive ruleset which also blocks access to the firewall itself) or you might even go with rules set for "no state" (with matching outbound quick floating rules) so you don't bother with state tracking when routing.

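As an added illustration of the middle option jimp describes above (a permissive routed ruleset that still blocks access to the firewall itself, with "no state" rules for transit traffic), here is a hand-written pf ruleset. It is example code written for this thread, not pfSense's generated configuration and not anything posted by the participants. The interface names (igb0, igb1, igb4), the 10.0.0.0/24 management network and the management ports 443/22 are assumptions chosen to match the setup Jim describes.

```pf
# Added illustrative pf ruleset (not pfSense's generated rules).
# Interface names, networks and ports below are assumptions for this example.
wan        = "igb0"          # Comcast Metro-E /30 transit
opt4       = "igb4"          # routed "usable block" toward the internal firewalls
lan        = "igb1"          # management-only port on RFC1918 space
mgmt_net   = "10.0.0.0/24"   # assumed management network
mgmt_ports = "{ 443, 22 }"   # WebGUI and SSH

set skip on lo0

# Weak setting: what "pf disabled", or a bare any/any rule, amounts to.
# Every interface, including the transit /30, can reach the WebGUI.
#   pass quick all

# 1. Traffic the router itself originates (NTP, DNS, updates) is stateful,
#    so its replies are matched by the state table before any rule below
#    is evaluated, and the block in rule 2 never sees them.
pass out quick on { $wan, $opt4, $lan } from (self) keep state

# 2. Nothing arriving on WAN or OPT4 may be addressed to the router's own IPs.
#    This is what keeps the GUI off the transit and routed networks.
block in quick on { $wan, $opt4 } from any to (self)

# 3. Transit traffic is forwarded without state tracking (jimp's "no state"
#    option), matched by quick rules in both directions so no state is created.
pass in  quick on { $wan, $opt4 } all no state
pass out quick on { $wan, $opt4 } all no state

# 4. Management only from the management network, only to the router,
#    only on the management ports.
block in quick on $lan from ! $mgmt_net
pass  in quick on $lan inet proto tcp from $mgmt_net to (self) port $mgmt_ports keep state

# 5. Default deny for anything not matched above.
block all
```

Two caveats a practitioner would want: rule 2 also drops ICMP to the transit address, so if the upstream provider pings that IP for monitoring, a specific `pass in quick on $wan inet proto icmp icmp-type echoreq to (self)` belongs before it; and on pfSense these rules are not edited in pf.conf by hand, the equivalent intent is expressed under Firewall > Rules (floating rules with Quick, and State type "None" under Advanced Options for the no-state transit rules), so that they survive reboots and config saves.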
              • Jimbo99

                It sounds like I need to turn packet filtering back on and make some rules.

                Thanks…Jim

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.