Remote Administration (possible to restrict to certain port?)
I have a custom port set up for accessing the main login page, but I've noticed when connecting remotely that just using the default port 80 redirects to SSL at the actual port I configured. Main reason I used a custom port was to make it harder to find. How can I block off port 80 and stop the redirect from happening?
System > Advanced
Uncheck WebGUI Redirect.
But nothing would happen if you weren't passing port 80 inbound WAN.
It sounds like you really could use a re-thinking about what to pass inbound and would probably be far more secure if you set up OpenVPN for access like this and closed all those holes you placed on WAN.
Thanks. Taken care of. I never set up the passing of port 80 inbound WAN, so I don't know why that was like that.
Yes you did or it would have been blocked.
Assuming you were really connecting inbound WAN from the outside and not just to the WAN address from the inside. Those are two completely different things. (The former regulated by rules on WAN, the latter by rules on LAN).
Thanks for mentioning the WAN vs LAN. It made me realize I was connecting from inside my LAN. I hadn't thought about it. So false alarm, it's working as it should.
See it all the time - pretty much every single thread that says pfSense is open from the WAN to the GUI is them hitting it from the LAN side ;)
Out of the box there are no rules on the WAN - all unsolicited traffic to your WAN IP from the WAN side (internet) would be dropped. So you hitting your web GUI from the internet means you either opened up the firewall, or are hitting it from inside. Or you turned off the firewall completely, etc.
Thanks for the help. I have a follow up question on this. If I connect from inside my LAN to another device on my LAN, but use the external IP, does my connection stay inside my LAN or does it go out and back in?
One thing I'd like to do is use my external addresses to connect to avoid the SSL warning as my internal addresses don't have the proper certificates, but when connecting externally, they do. This would prevent me from clicking through the warning prompts.
To your browser, the IP address does not matter. The name does. Split DNS is the best way to accomplish that.
Thanks. I tried the Split DNS for about an hour, couldn't get it to work. I couldn't access my server through the public IP. I have services on different ports on it. I read some other people with issues; the closest thing I saw was that it might be because the only thing separating the different services on my server are the ports. I don't have any example.myserver. Just myserver:port.
Yeah that gets harder especially if the server you are looking to access is on the same subnet as the clients.
If they are on different subnets you can just do the same port forwards on the client interface.
Or if you have say:
outside_address:8443 forwarded to inside_address_0:443
outside_address:8444 forwarded to inside_address_1:443
outside_address:8445 forwarded to inside_address_2:443
Then perhaps you can make those web servers listen on 443 and 8443, 443 and 8444, 443 and 8445, etc. Then both the URL port and the forwarded port will respond.
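A small model of the scheme in this last reply, added here as an example and not code from the thread or from pfSense: it works out which extra ports each inside server has to listen on, and checks whether a given https://name:port URL would connect from the outside (through the WAN port forward) and from the inside (straight to the LAN address via split DNS, with no NAT in the path). All addresses, names and ports are constructed sample values.

```python
"""Port forwards plus dual listeners: does one URL work from both sides?"""
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]

# Constructed WAN port forwards, in the shape the reply describes:
# outside_address:8443 -> inside_address_0:443, and so on.
OUTSIDE = "203.0.113.10"
FORWARDS: Dict[Endpoint, Endpoint] = {
    (OUTSIDE, 8443): ("192.168.1.10", 443),
    (OUTSIDE, 8444): ("192.168.1.11", 443),
    (OUTSIDE, 8445): ("192.168.1.12", 443),
}

# Split DNS (constructed names): outside clients get the public address,
# inside clients get the LAN address, so the certificate name matches.
SPLIT_DNS: Dict[str, Dict[str, str]] = {
    "web0.example.net": {"outside": OUTSIDE, "inside": "192.168.1.10"},
    "web1.example.net": {"outside": OUTSIDE, "inside": "192.168.1.11"},
    "web2.example.net": {"outside": OUTSIDE, "inside": "192.168.1.12"},
}

# Default state: every inside web server only listens on 443.
DEFAULT_LISTENERS: Dict[str, Set[int]] = {a: {443} for (_, a) in
                                          ((k, v[0]) for k, v in FORWARDS.items())}


def required_listeners(forwards: Dict[Endpoint, Endpoint]) -> Dict[str, Set[int]]:
    """Ports each inside server must accept so the forwarded port in the
    URL also works from the LAN: its real port plus every outside port
    forwarded to it (443 and 8443, 443 and 8444, ...)."""
    needed: Dict[str, Set[int]] = {}
    for (_, outside_port), (inside_addr, inside_port) in forwards.items():
        needed.setdefault(inside_addr, set()).update({inside_port, outside_port})
    return needed


def reachable(name: str, port: int, side: str, listeners: Dict[str, Set[int]],
              forwards: Dict[Endpoint, Endpoint] = FORWARDS) -> bool:
    """Would https://name:port connect from 'outside' or 'inside'?"""
    addr = SPLIT_DNS[name][side]
    target: Optional[Endpoint]
    if side == "outside":
        # WAN has no rules by default: only a matching port forward gets in.
        target = forwards.get((addr, port))
    else:
        # LAN client talks to the server directly; the URL port must be open.
        target = (addr, port)
    return target is not None and target[1] in listeners.get(target[0], set())
```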