Why is pfSense running on the WAN interface?



  • I noticed that pfSense is accessible on my WAN interface. This was a bit surprising… what is the pfSense way of disallowing this? I'm guessing I don't need a firewall rule because it's a checkbox somewhere. Thanks.


  • Banned

    Incoming connections are blocked by default, so unless you create an allow rule the WebUI can't be reached from WAN.



  • You can do this over SSH or VPN from the outside, but as mentioned before, it is not turned on or allowed by default!
    You must turn it on or set it up in the manner you need it.



  • Are you sure you are testing from the outside?



  • If a normal install of pfSense is accessible on the WAN, it is broken.
    Reinstall. Try, try again.



  • I'm betting he's testing from LAN.



  • I'm actually running an install of pfSense that is wide open on the WAN now, behind NAT with a port forward into a VPN. After a `pfctl -d` and a reboot.

    However - I'm weird.

    If he is able to hit the WAN and access the interface without meticulously planning for it, I must assume his install is busted.

    Orrrrrrr…  He is testing from the LAN and doesn't know it...



  • You are right, I am testing from the LAN. I tried to access the web UI on both the LAN-interface IP address (192.168.5.x) and the WAN-interface IP address (192.168.0.x; the next hop is a proprietary cable modem with an external IP). I was surprised when both responded.


  • LAYER 8 Netgate

    That is normal and many people do not expect it.

    If you want to block access to the pfSense gui from a particular interface, block connections with a destination of This firewall (self).



  • I'm not sure how it's normal when the WAN default is drop all and reject private networks.


  • LAYER 8 Netgate

    Because he is connecting from the inside.



  • Inside is private right?

    I often plan to access via the wan and it takes work - every time I do it.

    I've never just had access upon install.


  • LAYER 8 Netgate

    He probably has a default pass source LAN net to dest any on LAN.

    "any" includes the WAN interface address.

    Rules on WAN (no pass rules, block RFC1918, etc) do not apply because the traffic didn't enter WAN.

    Come on. You've been gone a while but you know this. :P



  • haha - So he is actually accessing by typing in the LAN IP.

    Got ya.  He will get it.

    I wasn't gone…  I was watching quietly since there are many who know more.  Traveling...  Washing dishes...  etc.


  • LAYER 8 Global Moderator

    "haha - So he is actually accessing by typing in the LAN IP."

    No, he is prob putting in the WAN IP but from the LAN side.

    The rules on WAN do not get evaluated for traffic coming from pfSense or the LAN side of pfSense. Rules are evaluated ingress into the interface from the network they are attached to.

    You have this

    internet --- wan 1.2.3.4 (pfSense) 192.168.1.1 lan --- 192.168.1.100 PC

    If you have an any/any rule on LAN, which is the default, and the user hits 1.2.3.4 from his PC, that will be allowed.

    Now if some IP on the internet, 4.5.6.7, hits 1.2.3.4, it would be blocked. If some IP 192.168.14.47 somehow hit 1.2.3.4 coming from the WAN, it would be blocked as well, not because of the default deny (even if the port was open in the WAN rules), but because the address is RFC1918 and blocked by the private-networks rule that is default on the WAN.

    This comes up all the time, like prob once a week or so: someone asking why they can get to their web GUI from the WAN, when they really are coming from the LAN side.

    If you do not want LAN-side users to hit the WAN IP, then you should block that in the LAN rules. This is where the "This Firewall" alias comes in real handy, since this built-in alias is any IP on the firewall.
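The point the moderator makes (rules are only consulted on the interface the packet arrives on, so the WAN ruleset never sees a LAN host hitting the WAN address) is easy to get wrong. Below is an added example that is not from this thread or from pfSense itself: a small first-match evaluator in Python that models the three cases above with the thread's own addresses (1.2.3.4, 192.168.1.1, 192.168.1.100, 4.5.6.7, 192.168.14.47) plus the fix, a LAN rule blocking "LAN net -> This Firewall" on the GUI ports placed above the default allow. Rule names, the `is_self` helper and the port set are constructed for the illustration; they are not pfSense internals.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed topology, copied from the thread's diagram:
#   internet --- wan 1.2.3.4 (pfSense) 192.168.1.1 lan --- 192.168.1.100 PC
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
FIREWALL_ADDRS = {ipaddress.ip_address("1.2.3.4"), ipaddress.ip_address("192.168.1.1")}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GUI_PORTS = frozenset({80, 443})  # assumed web GUI ports for the example

Match = Callable[[ipaddress.IPv4Address], bool]


def any_addr(_ip) -> bool:
    return True


def in_net(net) -> Match:
    return lambda ip: ip in net


def is_rfc1918(ip) -> bool:
    return any(ip in n for n in RFC1918)


def is_self(ip) -> bool:
    # Models the built-in "This Firewall (self)" alias: every address owned by pfSense.
    return ip in FIREWALL_ADDRS


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "pass" or "block"
    src: Match
    dst: Match
    ports: Optional[frozenset] = None  # None means any destination port


# Default rulesets as the thread describes them. pfSense GUI rules are
# first-match; anything unmatched falls through to the implicit default deny.
DEFAULT_RULES: Dict[str, List[Rule]] = {
    "wan": [Rule("block private networks", "block", is_rfc1918, any_addr)],
    "lan": [Rule("default allow LAN net to any", "pass", in_net(LAN_NET), any_addr)],
}


def ingress_interface(src: ipaddress.IPv4Address) -> str:
    # Hosts on the LAN subnet arrive on LAN; everything else arrives on WAN.
    return "lan" if src in LAN_NET else "wan"


def decide(src: str, dst: str, dport: int = 443, rules=DEFAULT_RULES) -> Tuple[str, str]:
    """Return (action, reason). Only the ruleset of the interface the packet
    ARRIVED on is consulted, no matter which firewall address it targets."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    iface = ingress_interface(s)
    for r in rules[iface]:
        if r.src(s) and r.dst(d) and (r.ports is None or dport in r.ports):
            return r.action, f"{iface}: {r.name}"
    return "block", f"{iface}: default deny"


def with_gui_block_on_lan(rules=DEFAULT_RULES) -> Dict[str, List[Rule]]:
    """The fix from the thread: a LAN rule blocking LAN net -> This Firewall
    on the GUI ports, placed above the default allow rule."""
    block = Rule("block LAN net to This Firewall (GUI ports)", "block",
                 in_net(LAN_NET), is_self, GUI_PORTS)
    return {"wan": list(rules["wan"]), "lan": [block] + list(rules["lan"])}


if __name__ == "__main__":
    for src, dst in (("192.168.1.100", "1.2.3.4"), ("4.5.6.7", "1.2.3.4"),
                     ("192.168.14.47", "1.2.3.4")):
        print(src, "->", dst, decide(src, dst))
    print("after LAN block:", decide("192.168.1.100", "1.2.3.4", rules=with_gui_block_on_lan()))
```

Two things to notice when running it: the LAN PC reaching 1.2.3.4 is passed by the LAN ruleset and the WAN ruleset is never consulted, and after the block rule is added the PC can still reach the internet and still reach non-GUI ports on the firewall, since the block is scoped to the "This Firewall" destination and the GUI ports only.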



  • I see - I've never entered the WAN IP unless it was a VM and I had no LAN access, so I did not know that. I've learned something new.

