    Remote Administration (possible to restrict to certain port?)

    Firewalling
    • Iceman24

      I have a custom port setup for accessing the main login page, but I've noticed when connecting remotely that just using the default port 80 redirects to SSL at the actual port I configured. Main reason I used custom port was to make it harder to find. How can I block off the port 80 and redirect from happening?

      • Derelict LAYER 8 Netgate

        System > Advanced

        Uncheck WebGUI Redirect.

        But nothing would happen if you weren't passing port 80 inbound WAN.

        It sounds like you really could use a re-thinking about what to pass inbound and would probably be far more secure if you set up OpenVPN for access like this and closed all those holes you placed on WAN.

        Chattanooga, Tennessee, USA
        The pfSense Book is free of charge!
        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • Iceman24

          Thanks. Taken care of. I never set up the passing of port 80 inbound WAN, so I don't know why that was like that.

          • Derelict LAYER 8 Netgate

            Yes you did or it would have been blocked.

            Assuming you were really connecting inbound WAN from the outside and not just to the WAN address from the inside. Those are two completely different things. (The former regulated by rules on WAN, the latter by rules on LAN).


            • Iceman24

              Thanks for mentioning the WAN vs LAN. It made me realize I was connecting from inside my LAN. I hadn't thought about it. So false alarm, it's working as it should.

              • johnpoz LAYER 8 Global Moderator

                See it all the time - pretty much every single thread that says pfSense is open from the WAN to the GUI is them hitting it from the LAN side ;)

                Out of the box there are no rules on the WAN - all unsolicited traffic to your WAN IP from the WAN side (internet) would be dropped. So you hitting your web GUI from the internet means you either opened up the firewall, or are hitting it from inside. Or you turned off the firewall completely, etc.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

                  • Iceman24
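                The WAN-vs-LAN point made by Derelict and johnpoz above, as an added toy model that is not from the thread or from pfSense itself: a first-match rule evaluator with the stock defaults (no pass rules on WAN, so unsolicited inbound traffic is dropped; a default allow on LAN), used to show that reaching the WAN address from inside the LAN says nothing about exposure. The addresses, ports and rule classes are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    """One firewall rule; dst_port=None matches any destination port."""
    action: str                     # "pass" or "block"
    proto: str = "tcp"
    dst_port: Optional[int] = None


@dataclass
class Firewall:
    """Minimal pfSense-style model: rules are evaluated on the ingress interface."""
    wan_ip: str
    lan_net: str
    gui_port: int = 8443            # constructed custom WebGUI port
    wan_rules: list = field(default_factory=list)                      # empty out of the box
    lan_rules: list = field(default_factory=lambda: [Rule("pass")])    # default LAN allow

    def ingress_interface(self, src: str) -> str:
        # A client inside the LAN subnet enters on LAN even when it targets the WAN IP.
        return "LAN" if ip_address(src) in ip_network(self.lan_net) else "WAN"

    def evaluate(self, src: str, dst_port: int, proto: str = "tcp") -> tuple:
        """Return (interface, verdict) using first-match; no match means implicit deny."""
        iface = self.ingress_interface(src)
        rules = self.lan_rules if iface == "LAN" else self.wan_rules
        for r in rules:
            if r.proto == proto and (r.dst_port is None or r.dst_port == dst_port):
                return iface, r.action
        return iface, "block"

    def gui_exposed_to_internet(self) -> bool:
        """True only if a WAN-side client would be passed to port 80 or the GUI port."""
        outside = "203.0.113.5"      # constructed address outside the LAN
        return any(self.evaluate(outside, p)[1] == "pass" for p in (80, self.gui_port))


# Constructed scenario: a LAN client "tests" the WAN IP and sees the GUI redirect.
fw = Firewall(wan_ip="198.51.100.10", lan_net="192.168.1.0/24")
print(fw.evaluate("192.168.1.20", 80))          # LAN rules decide: ('LAN', 'pass')
print(fw.evaluate("203.0.113.5", 80))           # WAN rules decide: ('WAN', 'block')
print(fw.gui_exposed_to_internet())             # False with stock WAN rules
fw.wan_rules.append(Rule("pass", dst_port=80))  # the only way the GUI becomes reachable
print(fw.gui_exposed_to_internet())             # True
```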

                  Thanks for the help. I have a follow up question on this. If I connect from inside my LAN to another device on my LAN, but use the external IP, does my connection stay inside my LAN or does it go out and back in?

                  One thing I'd like to do is use my external addresses to connect to avoid the SSL warning as my internal addresses don't have the proper certificates, but when connecting externally, they do. This would prevent me from clicking through the warning prompts.

                    • Derelict LAYER 8 Netgate

                    To your browser, the IP address does not matter. The name does. Split DNS is the best way to accomplish that.

                    https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks


                      • Iceman24

                      Thanks. I tried the Split DNS for about an hour, couldn't get it to work. I couldn't access my server through the public IP. I have services on different ports on it. I read some other people with issues; the closest thing I saw was that it might be because the only thing separating the different services on my server is the port. I don't have any example.myserver. Just myserver:port.

                        • Derelict LAYER 8 Netgate

                        Yeah that gets harder especially if the server you are looking to access is on the same subnet as the clients.

                        If they are on different subnets you can just do the same port forwards on the client interface.

                        Or if you have say:

                        outside_address:8443 forwarded to inside_address_0:443
                        outside_address:8444 forwarded to inside_address_1:443
                        outside_address:8445 forwarded to inside_address_2:443

                        Then perhaps you can make those web servers listen on 443 and 8443, 443 and 8444, 443 and 8445, etc. Then both the URL port and the forwarded port will respond.
