Netgate Discussion Forum

    Remote Administration (possible to restrict to certain port?)

Firewalling

Iceman24:

I have a custom port setup for accessing the main login page, but I've noticed when connecting remotely that just using the default port 80 redirects to SSL at the actual port I configured. Main reason I used custom port was to make it harder to find. How can I block off the port 80 and redirect from happening?

Derelict (LAYER 8, Netgate):

System > Advanced

Uncheck WebGUI Redirect.

But nothing would happen if you weren't passing port 80 inbound WAN.

It sounds like you really could use a re-thinking about what to pass inbound and would probably be far more secure if you set up OpenVPN for access like this and closed all those holes you placed on WAN.

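The two conditions in the reply above (a WAN pass rule reaching a port the GUI answers on, and the HTTP redirect adding port 80 to that set) can be checked offline against a backup of config.xml. The script below is an added example, not Netgate code; the sample config is constructed, and its layout (a `<system><webgui>` block with `<protocol>`, `<port>` and an optional empty `<disablehttpredirect>` element, and `<filter><rule>` entries with `<interface>`, `<type>` and `<destination><port>`) is an assumption about pfSense's config format that should be checked against a real export.

```python
"""Audit a pfSense-style config.xml for WebGUI ports reachable through WAN
pass rules. Added example; the config layout is assumed, not taken from
Netgate documentation."""
import xml.etree.ElementTree as ET

# Constructed sample: GUI on HTTPS/8443 with the redirect left on, and a
# leftover WAN pass rule for port 80 to the WAN address.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <webgui>
      <protocol>https</protocol>
      <port>8443</port>
    </webgui>
  </system>
  <filter>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source><any/></source>
      <destination><network>wanip</network><port>80</port></destination>
      <descr>constructed: leftover pass rule for HTTP to the WAN address</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <source><network>lan</network></source>
      <destination><any/></destination>
      <descr>Default allow LAN to any rule</descr>
    </rule>
  </filter>
</pfsense>
"""


def port_matches(spec, port):
    """True if a destination port spec ("", "80", "80-443", "80:443") covers port."""
    if not spec:
        return True                      # no port restriction: every port
    parts = spec.replace(":", "-").split("-", 1)
    if not all(p.isdigit() for p in parts):
        return True                      # alias we cannot resolve here: flag it
    lo, hi = int(parts[0]), int(parts[-1])
    return lo <= port <= hi


def gui_listen_ports(root):
    """Ports the WebGUI answers on: its own port, plus 80 while the
    HTTP-to-HTTPS redirect (System > Advanced, "WebGUI Redirect") is on."""
    webgui = root.find("system/webgui")
    proto = (webgui.findtext("protocol") or "http").strip()
    port = int(webgui.findtext("port") or (443 if proto == "https" else 80))
    ports = {port}
    if proto == "https" and webgui.find("disablehttpredirect") is None:
        ports.add(80)
    return ports


def audit(config_xml):
    """Return the sorted GUI ports that an enabled WAN pass rule lets in."""
    root = ET.fromstring(config_xml)
    exposed = set()
    for rule in root.findall("filter/rule"):
        if rule.findtext("interface") != "wan" or rule.findtext("type") != "pass":
            continue
        if rule.find("disabled") is not None:
            continue
        spec = (rule.findtext("destination/port") or "").strip()
        for p in gui_listen_ports(root):
            if port_matches(spec, p):
                exposed.add(p)
    return sorted(exposed)


if __name__ == "__main__":
    print("GUI ports reachable via WAN rules:", audit(SAMPLE_CONFIG))
    # Same config with the redirect unchecked: port 80 stops mattering.
    fixed = SAMPLE_CONFIG.replace("</webgui>", "  <disablehttpredirect/>\n    </webgui>")
    print("after disabling the redirect:", audit(fixed))
```

With the sample as written the audit reports port 80, because the redirect makes the GUI answer there and a WAN rule passes it; adding the `disablehttpredirect` flag empties the result, but the leftover pass rule is still a hole and should be removed rather than relied on to hit nothing.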
Iceman24:

Thanks. Taken care of. I never set up the passing of port 80 inbound WAN, so I don't know why that was like that.

Derelict (LAYER 8, Netgate):

Yes you did or it would have been blocked.

Assuming you were really connecting inbound WAN from the outside and not just to the WAN address from the inside. Those are two completely different things. (The former regulated by rules on WAN, the latter by rules on LAN).

Iceman24:

Thanks for mentioning the WAN vs LAN. It made me realize I was connecting from inside my LAN. I hadn't thought about it. So false alarm, it's working as it should.

johnpoz (LAYER 8, Global Moderator):

See it all the time - pretty much every single thread that says pfsense is open from the wan to the gui is them hitting it from the lan side ;)

Out of the box there are no rules on the wan - all unsolicited traffic to your wan IP from the wan side (internet) would be dropped. So you hitting your web gui from the internet is you either opened up the firewall, or are hitting it from inside. Or you turned off the firewall completely, etc.

Iceman24:

Thanks for the help. I have a follow up question on this. If I connect from inside my LAN to another device on my LAN, but use the external IP, does my connection stay inside my LAN or does it go out and back in?

One thing I'd like to do is use my external addresses to connect to avoid the SSL warning as my internal addresses don't have the proper certificates, but when connecting externally, they do. This would prevent me from clicking through the warning prompts.

Derelict (LAYER 8, Netgate):

To your browser, the IP address does not matter. The name does. Split DNS is the best way to accomplish that.

https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

Iceman24:

Thanks. I tried the Split DNS for about an hour, couldn't get it to work. I couldn't access my server through the public IP. I have services on different ports on it. I read some other people with issues, closest thing I saw was that it might be because the only thing separating the different services on my server are the ports. I don't have any example.myserver. Just myserver:port.

Derelict (LAYER 8, Netgate):

Yeah that gets harder especially if the server you are looking to access is on the same subnet as the clients.

If they are on different subnets you can just do the same port forwards on the client interface.

Or if you have say:

outside_address:8443 forwarded to inside_address_0:443
outside_address:8444 forwarded to inside_address_1:443
outside_address:8445 forwarded to inside_address_2:443

Then perhaps you can make those web servers listen on 443 and 8443, 443 and 8444, 443 and 8445, etc. Then both the URL port and the forwarded port will respond.

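The last two replies hinge on three things a browser never shows you: which address the name resolved to (public DNS or a split-DNS override), whether a WAN port forward rewrote the destination, and whether the server actually listens on the port left in the URL. The model below is an added example, not code from the thread or from pfSense; it uses the thread's placeholder names, constructs its own DNS and forward tables, and assumes NAT reflection is off (the linked doc's starting point), so a LAN client aiming at the WAN address gets no answer.

```python
"""Model where a browser connection terminates, from inside vs outside the
firewall. Added example; names, addresses and tables are constructed and
NAT reflection is assumed to be disabled."""

WAN = "outside_address"

# Constructed DNS data: the public answer, and the host override that a
# split-DNS setup hands to LAN clients instead.
PUBLIC_DNS = {"myserver.example": WAN}
SPLIT_DNS = {"myserver.example": "inside_address_0"}

# WAN port forwards, (WAN address, port) -> (internal address, port),
# exactly as listed in the reply above.
FORWARDS = {
    (WAN, 8443): ("inside_address_0", 443),
    (WAN, 8444): ("inside_address_1", 443),
    (WAN, 8445): ("inside_address_2", 443),
}


def default_listeners():
    """Each internal server initially listens on 443 only."""
    return {a: {443} for a in ("inside_address_0", "inside_address_1", "inside_address_2")}


def resolve(name, inside, split_dns):
    """Address the client's resolver returns for name."""
    if inside and split_dns and name in SPLIT_DNS:
        return SPLIT_DNS[name]
    return PUBLIC_DNS.get(name)


def connect(name, port, inside, split_dns, listeners):
    """Return (address, port) the TCP session terminates on, or None."""
    addr = resolve(name, inside, split_dns)
    if addr is None:
        return None
    if addr == WAN:
        if inside:
            # LAN client aiming at the WAN address: the forward is bound to
            # the WAN interface, so without NAT reflection nothing answers.
            return None
        target = FORWARDS.get((addr, port))
        if target is None:
            return None          # default deny on WAN: no forward, no answer
        addr, port = target
    # Split DNS leaves the URL's port untouched, so the server must listen on it.
    return (addr, port) if port in listeners.get(addr, set()) else None


def scenarios():
    """The four situations discussed in the thread, for https://myserver.example:8443."""
    base = default_listeners()
    widened = default_listeners()
    widened["inside_address_0"].add(8443)   # server also listens on the URL port
    return {
        "outside": connect("myserver.example", 8443, False, False, base),
        "inside, no split DNS": connect("myserver.example", 8443, True, False, base),
        "inside, split DNS": connect("myserver.example", 8443, True, True, base),
        "inside, split DNS, server on 443 and 8443": connect("myserver.example", 8443, True, True, widened),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:45s} -> {result}")
```

Running it shows why the split-DNS attempt failed: inside the LAN the name now resolves to inside_address_0, but the URL still carries 8443, which only the forward translated to 443. Once the server listens on 8443 as well, the same URL works from both sides and the certificate matches the name in both cases.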
© 2021 Rubicon Communications, LLC