Allowing webGUI from one ip/mac address on LAN

A Former User

Is there a setting to only allow webGUI access from a specific ip/mac address? Or is a firewall rule needed?

–Thanks

johnpoz

The antilock rule would allow all from lan.. If you want to limit to specific machines you would need to disable the antilock out rule and put in a specific rule to only allow the IPs you want.

A Former User

Will this work? I don't want to get locked out for trying this.

States            Protocol      Source            Port    Destination      Port                  Gateway  Queue  Schedule  Description
  (allow)  0 /0 B              IPv4 TCP    192.168.0.3  *          This Firewall    443 (HTTPS)    *                *                                WebGUI
  (allow)  10 /3.78 GiB  IPv4 *          LAN net          *          *                          *                          *                none                        Default allow LAN to any rule

A Former User

States  Protocol    Source        Port  Destination    Port                  Gateway  Queue  Schedule  Description
  (allow)  0 /0 B  IPv4 TCP  GUIadmins  *        This Firewall  443 (HTTPS)  *                none                        WebGUI Access
  (allow)  0 /0 B  IPv4 *        LAN net        *        *                        *                        *                none                        Default allow LAN to any rule

This seems to work. GUIadmins is an alias with host ip of my workstation.

NOYB

@louisg00:

States  Protocol    Source        Port  Destination    Port                  Gateway  Queue  Schedule  Description
  (allow)  0 /0 B  IPv4 TCP  GUIadmins  *        This Firewall  443 (HTTPS)  *                none                        WebGUI Access
  (allow)  0 /0 B  IPv4 *        LAN net        *        *                        *                        *                none                        Default allow LAN to any rule

This seems to work. GUIadmins is an alias with host ip of my workstation.

That certainly will allow alright.  ;)

A Former User

I tried with another workstation and did not block access. Do I need another rule blocking access to everyone for the webGUI?

NOYB

@louisg00:

I tried with another workstation and did not block access. Do I need another rule blocking access to everyone for the webGUI?

Well if there is no rule that blocks the undesirables ahead of a pass all rule.  Then all will be passed.

If may be helpful to know why you are trying to do this.  It is not very typical for LAN side.  Most people probably find authentication sufficient for the LAN side.

A Former User

Some Blackhat conference that described dns binding and spoofing to get to the routers admin page from the WAN. All the LAN systems do not need to access the admin page except mine to just to be safe.

Ok added a block rule.

States  Protocol    Source        Port  Destination    Port                  Gateway  Queue  Schedule  Description
  (block)  0 /0 B  IPv4+6      LAN net        *      This Firewall  *                        *                none                        Block router access
  (allow)  0 /0 B  IPv4 TCP  GUIadmins  *      This Firewall  443 (HTTPS)  *                none                        WebGUI access
  (allow)  0 /0 B  IPv4 *        LAN net        *      *                      *                        *                none                        Default allow LAN to any rule

NOYB

@louisg00:

Some Blackhat conference that described dns binding and spoofing to get to the routers admin page from the WAN. All the LAN systems do not need to access the admin page except mine to just to be safe.

Sounds like la-la-land to me.  Even if able to get to the admin page, authentication is still required plus any login attempt, failed or successful, is shown on the console and in the log too I believe.

A Former User

Opps this just blocked my out completely. How can I undo this that rule from the console?

NOYB

@louisg00:

Opps this just blocked my out completely. How can I undo this that rule from the console?

That's funny because I was just thinking you'll probably block yourself out dozens of times before ever blocking out even one packet originating from the WAN side with this.

Restore a recent config.

A Former User

ok I think I got it;

States  Protocol        Source        Port  Destination    Port                  Gateway  Queue  Schedule  Description
  (allow)  0 /0 B  IPv4 TCP      GUIadmins  *      This Firewall  Management  *              none                        WebGUI access
  (block)  0 /0 B  IPv4+6 TCP  *                    *      This Firewall  Management  *              none                        Block management access
  (allow)  0 /0 B  IPv4 *            LAN net      *      *                        *                          *              none                        Default allow LAN to any rule

One thing, what is the difference between LAN net and any? I only have one subnet on LAN interface on one on OPT1 interface with the WAN port.

-Thanks

NOYB

@louisg00:

One thing, what is the difference between LAN net and any?

Any is just that.  anything (0.0.0.0 - 255.255.255.255)
LAN net is anything within the LAN net.  x.x.x.x/n

phil.davis

On an ordinary LAN, all the devices should have IP addresses in LANnet (the LAN subnet defined by the pfSense LAN IP/CIDR). In any case, the firewall is only going to receive and respond usefully to devices in LANnet. So packets in LANnet are all that needs to be passed.

If you have a more complex setup for some reason, that has other private subnets reached via static routes to another router that is on LANnet, then pfSense LAN could receive packets with source addresses that are not in LANnet. So for that case you need a pass rule wider than just LANnet to let traffic through.