Netgate Discussion Forum
    Why is pfSense running on the WAN interface?

    General pfSense Questions
    16 Posts 8 Posters 1.1k Views
    • ryanrowe

      I noticed that pfSense is accessible on my WAN interface. This was a bit surprising… what is the pfSense way of disallowing this? I'm guessing I don't need a firewall rule because it's a checkbox somewhere. Thanks.

      • Grimson (Banned)

        Incoming connections are blocked by default, so unless you create an allow rule the WebUI can't be reached from WAN.

        • Guest

          You can do this over SSH or VPN from the outside, but as mentioned before, it is not turned on or allowed by default!
          You must turn it on or set it up in the manner you need.

          • hbauer

            Are you sure you are testing from the outside?

            • kejianshi

              If a normal install of pfSense is accessible on the WAN, it is broken.
              Reinstall. Try, try again.

              • KOM

                I'm betting he's testing from LAN.

                • kejianshi

                  I'm actually running an install of pfSense that is wide open on the WAN now, behind NAT with a port forward into a VPN. After a `pfctl -d` and a reboot.

                  However - I'm weird.

                  If he is able to hit the WAN and access the interface without meticulously planning for it, I must assume his install is busted.

                  Orrrrrrr…  He is testing from the LAN and doesn't know it...

                  • ryanrowe

                    You are right, I am testing from the LAN. I tried to access the web ui on both the LAN-interface IP address (192.168.5.x), and on the WAN-interface IP address (192.168.0.x next hop is a proprietary cable modem with an external IP). I was surprised when both responded.

                    • Derelict (LAYER 8, Netgate)

                      That is normal and many people do not expect it.

                      If you want to block access to the pfSense gui from a particular interface, block connections with a destination of This firewall (self).

                      Chattanooga, Tennessee, USA
                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                      • kejianshi

                        I'm not sure how it's normal when the WAN default is drop all and reject private networks.

                        • Derelict (LAYER 8, Netgate)

                          Because he is connecting from the inside.

                          • kejianshi

                            Inside is private right?

                            I often plan to access via the wan and it takes work - every time I do it.

                            I've never just had access upon install.

                            • Derelict (LAYER 8, Netgate)

                              He probably has a default pass source LAN net to dest any on LAN.

                              "any" includes the WAN interface address.

                              Rules on WAN (no pass rules, block RFC1918, etc) do not apply because the traffic didn't enter WAN.

                              Come on. You've been gone a while but you know this. :P

                              • kejianshi

                                haha - So he is actually accessing by typing in the LAN IP.

                                Got ya.  He will get it.

                                I wasn't gone…  I was watching quietly since there are many who know more.  Traveling...  Washing dishes...  etc.

                                • johnpoz (LAYER 8, Global Moderator)

                                  "haha - So he is actually accessing by typing in the LAN IP."

                                  No, he is prob putting in the WAN IP but from the LAN side.

                                  The rules on WAN do not get evaluated for traffic coming from pfSense or the LAN side of pfSense. Rules are evaluated ingress into the interface from the network they are attached to.

                                  You have this:

                                  internet --- wan 1.2.3.4 (pfSense) 192.168.1.1 lan --- 192.168.1.100 PC

                                  If you have an any/any rule on LAN, which is the default, and the user hits 1.2.3.4 from his PC, that will be allowed.

                                  Now if some IP on the internet, 4.5.6.7, hits 1.2.3.4, it would be blocked. If some IP 192.168.14.47 somehow hit 1.2.3.4 coming from the WAN, then it would be blocked as well. Not because of the default deny, even if the port was open in the WAN rules, but because the address is RFC1918 and blocked by the private-networks rule that is default on the WAN.

                                  This comes up all the time, like prob once a week or so: someone asking "why can I get to my web GUI from the WAN?" when they really are coming from the LAN side.

                                  If you do not want LAN-side users to hit the WAN IP, then you should block that in the LAN rules. This is where the "This Firewall" alias comes in real handy, since this built-in alias is any IP on the firewall.

                                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                                  If you get confused: Listen to the Music Play
                                  Please don't Chat/PM me for help, unless mod related
                                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                                    • kejianshi
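The ingress-interface evaluation johnpoz describes, as an added example that is not part of this thread: a small first-match model of the topology above (WAN 1.2.3.4, LAN 192.168.1.1/24, PC 192.168.1.100, all constructed) showing why the default LAN any/any rule lets a LAN host reach the GUI via the WAN IP, why the same request from the WAN side is blocked, and how a LAN rule with destination "This Firewall (self)" closes that path while keeping the GUI reachable on the LAN address. Rule names and the `rule()` helper are this example's own, not pfSense's.

```python
import ipaddress

# Constructed model of the topology in the post above:
#   internet --- wan 1.2.3.4 (pfSense) 192.168.1.1 lan --- 192.168.1.100 PC
FIREWALL_ADDRS = {"1.2.3.4", "192.168.1.1"}  # the built-in "This Firewall (self)" alias
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def matches(addr, spec):
    """Match one packet address against a rule address spec."""
    if spec == "any":
        return True
    if spec == "self":
        return addr in FIREWALL_ADDRS
    if spec == "rfc1918":
        return any(ipaddress.ip_address(addr) in n for n in RFC1918)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def evaluate(rules, ingress_if, src, dst, dport):
    """First-match evaluation against the rules of the interface the packet
    ENTERS (pfSense semantics). Rules bound to other interfaces are never
    consulted, and a packet matching nothing is blocked (default deny)."""
    for r in rules:
        if (r["if"] == ingress_if and matches(src, r["src"]) and matches(dst, r["dst"])
                and r["dport"] in ("any", dport)):
            return r["action"]
    return "block"

def rule(iface, action, src, dst, dport="any"):
    return {"if": iface, "action": action, "src": src, "dst": dst, "dport": dport}

# Default ruleset: WAN blocks private sources and has no pass rules; LAN passes LAN net -> any.
DEFAULT_RULES = [
    rule("wan", "block", "rfc1918", "any"),        # "Block private networks" on WAN
    rule("lan", "pass", "192.168.1.0/24", "any"),  # default LAN -> any
]

# Same ruleset with a WAN pass rule for 443 that a user would have to create on purpose.
WAN_OPEN_RULES = DEFAULT_RULES[:1] + [rule("wan", "pass", "any", "self", 443)] + DEFAULT_RULES[1:]

# LAN ruleset that keeps the GUI reachable via the LAN address only: the
# "This Firewall" block sits above the default any/any pass, so first match wins.
HARDENED_RULES = [
    rule("lan", "pass", "192.168.1.0/24", "192.168.1.1", 443),  # admin via LAN IP
    rule("lan", "block", "any", "self", 443),                   # GUI via any other firewall IP
] + DEFAULT_RULES
```

The model ignores states, NAT and floating rules; it only shows which interface's rule list is consulted and in what order.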

                                    I see - I've never entered the WAN IP unless it was a VM and I had no LAN access, so I did not know that. I've learned something new.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.