Disable the Web GUI



  • Hi there

    I'm setting up a core router using PFsense with CARP enabled.

    I want to disable NAT and the Firewall on my core PFsense Router... I have a /24 public IP range that is routed to me from my ISP... My setup is like this...

    WAN = 88.98.139.xx8
    WAN Gateway = 88.98.139.xx7

    LAN = 192.168.10.7/24 (this is my GUI access interface)

    OPT1 = 51.148.61.xx4 (router IP from my routed subnet from my ISP)

    With this setup I can access the PFSense Web GUI from 88.98.139.xx8 and 51.148.61.xx4 from anywhere on the internet.

    I just want to access the GUI from the 192.168.10.xxx subnet which is my management VLAN. I would like to disable GUI access on both WAN and LAN subnets....

    How can I do this?

    Thanks!

    Andy



  • I'm not an expert, but I'm pretty sure you can't do this, since pfSense is really just an operating system; if you disable the firewall entirely it will listen on all active interfaces for all services running on the machine, just like any other operating system.

    Also like a normal operating system, you can block access to the GUI ports on your WAN interfaces with the firewall, which will effectively prevent them from being accessible. By default if an interface does not have a gateway defined in the Interfaces > Static IP Configuration section, there is an automatic rule that allows management ports through. You can disable this automatic rule by defining a gateway as per above (don't do this on your LAN port unless there is another router behind pfSense), or you can disable this automatically generated "anti-lockout" rule globally under System > Advanced > Admin Access > Anti-Lockout (uncheck the box).

    BEFORE you disable the "Anti-lockout" rule you MUST add a manual allow rule to the interface you want to manage pfSense from (your actual LAN interface most likely) that allows TCP traffic to your management ports (by default ports 22,80,443) on that interface, else you will lock yourself out of the GUI entirely and will need to reset pfSense to factory defaults to recover when you uncheck the "Anti-lockout" rule.

    You can disable NAT by choosing NAT > Outbound > and choosing "Manual Outbound NAT Rule Generation" and simply deleting all of the entries it creates by default the first time you choose this radio box. Do note this will open your LAN up to all Internet traffic, and you will get hacked quickly by a drive-by if you don't have another firewall in place.
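    The lockout check the reply above insists on, as an added example that is not from the thread or from pfSense itself: a small first-match simulator over a constructed ruleset for the poster's layout (LAN 192.168.10.0/24 as management VLAN, WAN toward the ISP, OPT1 carrying the routed 51.148.61.0/24), which reports whether the manual rules alone still admit management traffic before the anti-lockout rule is unchecked. Rule shape, interface names and the sample addresses are assumptions made for the illustration.

```python
import ipaddress

# Default pfSense management ports named in the reply (SSH, HTTP, HTTPS GUI).
MGMT_PORTS = frozenset({22, 80, 443})

# A rule is (interface, action, proto, source network, destination ports).
# Destination is assumed to be the firewall itself ("This Firewall" in pfSense),
# since the point is who may reach the GUI/SSH, not what is routed through.
def first_match(rules, iface, proto, src_ip, dport):
    """Evaluate rules for the interface the packet enters, first match wins
    (pfSense adds 'quick' to every rule); no match means the implicit block."""
    src = ipaddress.ip_address(src_ip)
    for r_iface, action, r_proto, src_net, ports in rules:
        if r_iface != iface or r_proto not in ("any", proto):
            continue
        if src_net != "any" and src not in ipaddress.ip_network(src_net):
            continue
        if ports != "any" and dport not in ports:
            continue
        return action
    return "block"

def anti_lockout(iface):
    """The automatic rule pfSense keeps on the interface without a gateway."""
    return (iface, "pass", "tcp", "any", MGMT_PORTS)

def safe_to_disable_anti_lockout(rules, mgmt_iface, mgmt_net):
    """True only if the manual rules alone (anti-lockout removed) still admit
    every management port from the management subnet; otherwise unchecking
    the box would lock the admin out, as the reply warns."""
    manual = [r for r in rules if r != anti_lockout(mgmt_iface)]
    probe = str(next(ipaddress.ip_network(mgmt_net).hosts()))
    return all(first_match(manual, mgmt_iface, "tcp", probe, p) == "pass"
               for p in MGMT_PORTS)

# Constructed ruleset for the thread's layout: LAN 192.168.10.0/24 is the
# management VLAN, WAN faces the ISP, OPT1 carries the routed 51.148.61.0/24.
RULES = [
    anti_lockout("lan"),
    ("lan", "pass", "tcp", "192.168.10.0/24", MGMT_PORTS),  # manual allow, added first
    ("wan", "block", "tcp", "any", MGMT_PORTS),             # no GUI/SSH from WAN
    ("opt1", "block", "tcp", "any", MGMT_PORTS),            # nor from the routed /24
    ("opt1", "pass", "any", "any", "any"),                  # but route everything else
]

if __name__ == "__main__":
    print(safe_to_disable_anti_lockout(RULES, "lan", "192.168.10.0/24"))  # True
    print(first_match(RULES, "wan", "tcp", "203.0.113.5", 443))          # block
    print(safe_to_disable_anti_lockout([anti_lockout("lan")], "lan", "192.168.10.0/24"))  # False
```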



  • humanism you said it's not possible and then you show how to do it.  8)

    Do note this will open your LAN up to all Internet traffic, and you will get hacked quickly by a drive-by if you don't have another firewall in place.

    If you did not disable the firewall completely, only NAT, why do you think your LAN will be accessible to the internet?

    senate014
    On a default install the web GUI is always accessible on LAN and not on WAN.
    https://doc.pfsense.org/index.php/How_can_I_access_the_webGUI_from_the_WAN
    If you want to disable NAT you should not disable the firewall completely, but NAT only.
    https://doc.pfsense.org/index.php/Outbound_NAT#Disable_NAT


  • LAYER 8 Global Moderator

    I am not aware of being able to pick which interface the GUI listens on; it listens on all interfaces.  So if you disable the firewall then yeah, it would be available on any interface that can be gotten to.

    As already mentioned, just disable NAT and leave the firewall running.  You can then block what you want to block, and then under those blocks just put in any/any rules, which pretty much means you're just routing.  Other than the stuff you want to block, like the webgui and ssh from the internet as well.



  • @w0w:

    humanism you said it's not possible and then you show how to do it.  8)

    Do note this will open your LAN up to all Internet traffic, and you will get hacked quickly by a drive-by if you don't have another firewall in place.

    If you did not disable the firewall completely, only NAT, why do you think your LAN will be accessible to the internet?

    senate014
    On a default install the web GUI is always accessible on LAN and not on WAN.
    https://doc.pfsense.org/index.php/How_can_I_access_the_webGUI_from_the_WAN
    If you want to disable NAT you should not disable the firewall completely, but NAT only.
    https://doc.pfsense.org/index.php/Outbound_NAT#Disable_NAT

    Thanks for the responses everyone...

    I understand what you're all saying and it would be much appreciated if you could let me know your opinions on the following setup...

    I'm setting up a small hosting suite for up to 30x racks. I have just had a 1Gbit Lease Line installed and my ISP is routing a /24 subnet to me 51.148.61.xxx

    The Lease Line access switch terminates in one of my racks. I've then connected this to my core network switch which is VLAN'd (VLAN100) on the same VLAN as my Core PFSense Router WAN port (VLAN100). This is the same core router I asked about disabling the GUI on.

    The core PFSense router's WAN Port has the IP 88.98.139.xx8/30 which talks to my ISP's gateway 88.98.139.xx7 to get to the outside world, internet access....
    I have then set my LAN Interface IP on the core PFsense router as 51.61.148.254 which is the router IP for my /24 range that my ISP has given me.
    I then dish out IP addresses on that subnet (51.61.148.xxx/24) to my customers that rent rack space from me in my hosting suite, who are either using their own Router/Firewall devices or will be renting a managed PFsense router/firewall that I (my company) will manage for them. Behind the customers firewall will reside their servers on their own private LAN subnet either on 192. 172. or 10. private subnets.

    My question to you all is, how would you set this up?

    Would you disable NAT and the Firewall on the Core PFsense Router, or would you just disable NAT and set a firewall rule on the WAN and LAN to "any, any" to allow all traffic but block ports 80, 443 and 22 on the LAN and WAN, then create an OPT interface for management of the Core router, say on a subnet of 192.168.10.x/30 which routes to my management VLAN of 10.10.1.x/24?

    I would be hugely appreciative if you could let me know your thoughts on the above :D

    Many thanks!

    Andy



  • I do not have any experience using public subnet as LAN on pfSense, but according to this https://doc.pfsense.org/index.php/How_can_I_use_public_IPs_on_the_LAN it should be possible without disabling firewall completely.

    Would you disable NAT and the Firewall on the Core PFsense Router, or would you just disable NAT and set a firewall rule on the WAN and LAN to "any, any" to allow all traffic but block ports 80, 443 and 22 on the LAN and WAN, then create an OPT interface for management of the Core router, say on a subnet of 192.168.10.x/30 which routes to my management VLAN of 10.10.1.x/24?

    This is definitely a good idea to try, IMHO.



  • Would you disable NAT and the Firewall on the Core PFsense Router or would you just disable NAT and set a firewall rule on the WAN and LAN to

    Don't do so! Create a DMZ in pfSense and then put these 30 racks inside of this firewall and set up the public IP addresses
    on these servers directly if you want. This might also be better for saving your customers' devices. And on that LAN you may set up
    your admin stuff. Now you can access this pfSense firewall from outside with VPN and inside over the internal IP address. If
    you want to admin your firewall only over CLI please use PuTTY here in that case and secure it over an SSH key.

    I'm setting up a small hosting suite for up to 30x racks. I have just had a 1Gbit Lease Line installed and my ISP is routing a /24 subnet to me 51.148.61.xxx

    This should be arriving at the pfSense firewall first and not the switch there, ok? And then you may be able to
    configure it so that all your clients will be able to access their public IP that is given to each server in the racks.

    I then dish out IP addresses on that subnet (51.61.148.xxx/24) to my customers that rent rack space from me in my hosting suite,

    They will be able to get connected to those IP addresses from outside without any pain.

    who are either using their own Router/Firewall devices or

    No problem.

    will be renting a managed PFsense router/firewall that I (my company) will manage for them.

    Could also be nice running well.



  • I agree with Blue. This is pretty much what DMZs are made for.

    Another thing you could do is:

    Create the DMZ.

    Put all your devices on the DMZ interface then make a policy to block PFSense Web UI on the DMZ. (best to put web ui on a custom port and just block that port on the DMZ)

    This should block PFSense Web UI from the DMZ side but with rules, you should be able to allow it on the local LAN only, at which point I'd do as you laid out earlier and create a management interface for that traffic.

    Another option would be to leave it enabled but force HTTPS and change the port number to something totally out of the norm. While it would still be enabled, it would be very difficult for someone to figure out what port it is on and pull it up.

    Just a thought.

