Netgate Discussion Forum

    [Solved] Port 53, 80, 443 always open on all interfaces

    Firewalling
    38 Posts 7 Posters 10.8k Views
    • KOM

      I see the pfSense login screen if I open https://WANIP from a foreign browser.

      While on LAN or WAN?  If you are on LAN and access your public address in a browser, pfSense will give you the GUI even though it isn't accessible from WAN.

      • dean2028

        @KOM:

        While on LAN or WAN?

        While I'm on WAN, on a very different network. So the webConfigurator is exposed to WAN attacks at the moment, which really concerns me. I will put the webConfigurator on another port to decrease the risk, as 80 and 443 are open from WAN.

        • Derelict LAYER 8 Netgate

          That packet capture shows nothing but SYNs.

          Again, if you can get to the WebGUI you have a rule passing the traffic.

          Look at the states. See what's really happening.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          • johnpoz LAYER 8 Global Moderator

            If he was getting to his GUI from his WAN, then his packet capture would show an answer, i.e. SYN,ACK. Like Derelict says, it only shows SYN…

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

            • KOM

              I'm wondering if he's got the bogonsv6 issue and his ruleset has failed to load?

              • Derelict LAYER 8 Netgate

                I'm wondering if he's got the bogonsv6 issue and his ruleset has failed to load?

                Already covered.


                • dean2028

                  @johnpoz:

                  If he was getting to his gui from his wan, then his packet capture would show answer, ie syn,ack - like derelict says it only shows syn…

                  That test with the capture was just a port scan from the mobile phone to WAN IP. There was no Webconfig access from the browser on https://WANIP.  I'm going to do additional tests now.

                  • johnpoz LAYER 8 Global Moderator

                    Dude, if you send a SYN, you would get back a SYN,ACK if anything was listening on that port. That is how it works.


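What a capture on the WAN interface looks like when nothing answers, as an added example that is not part of the thread. The function below reads tcpdump-style text (the format that pfSense's Diagnostics > Packet Capture and `tcpdump -n` print) and, for one destination port, counts inbound SYNs and checks whether the WAN address ever replied with a SYN/ACK or an RST. The sample capture lines and the RFC 5737 addresses are constructed for this example.

```python
import re

# One tcpdump text line looks like:
#   10:00:01.000000 IP 203.0.113.5.51000 > 198.51.100.7.443: Flags [S], seq 1, win 65535, length 0
# tcpdump flag strings: "S" = SYN, "S." = SYN/ACK, "R"/"R." = RST, "." = ACK only.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def summarize_port(lines, wan_ip, port):
    """Count SYNs sent to wan_ip:port and whatever wan_ip:port sent back.

    Returns (counts, verdict). A capture holding only "S" lines toward the
    port means the stack never answered: the firewall dropped the probes and
    no rule is passing that traffic.
    """
    counts = {"syn_in": 0, "synack_out": 0, "rst_out": 0}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a TCP line (ARP, ICMP, truncated output)
        flags = m.group("flags")
        to_port = m.group("dst") == wan_ip and int(m.group("dport")) == port
        from_port = m.group("src") == wan_ip and int(m.group("sport")) == port
        if to_port and flags == "S":
            counts["syn_in"] += 1
        elif from_port and flags == "S.":
            counts["synack_out"] += 1
        elif from_port and flags.startswith("R"):
            counts["rst_out"] += 1

    if counts["syn_in"] == 0:
        verdict = "no probes to that port in the capture"
    elif counts["synack_out"]:
        verdict = "a listener answered (SYN/ACK seen): a rule is passing the traffic"
    elif counts["rst_out"]:
        verdict = "the stack was reached but the port is closed (RST seen)"
    else:
        verdict = "only SYNs: the firewall dropped the probes, nothing is exposed"
    return counts, verdict


# Constructed sample captures (not real traffic). 203.0.113.5 is the scanner,
# 198.51.100.7 stands in for the pfSense WAN address.
SAMPLE_DROPPED = [
    "10:00:01.000000 IP 203.0.113.5.51000 > 198.51.100.7.443: Flags [S], seq 1, win 65535, length 0",
    "10:00:02.000000 IP 203.0.113.5.51000 > 198.51.100.7.443: Flags [S], seq 1, win 65535, length 0",
    "10:00:04.000000 IP 203.0.113.5.51000 > 198.51.100.7.443: Flags [S], seq 1, win 65535, length 0",
]
SAMPLE_ANSWERED = [
    "10:00:01.000000 IP 203.0.113.5.51001 > 198.51.100.7.443: Flags [S], seq 1, win 65535, length 0",
    "10:00:01.000200 IP 198.51.100.7.443 > 203.0.113.5.51001: Flags [S.], seq 9, ack 2, win 65535, length 0",
    "10:00:01.000400 IP 203.0.113.5.51001 > 198.51.100.7.443: Flags [.], ack 10, win 65535, length 0",
]

if __name__ == "__main__":
    for name, capture in (("dropped", SAMPLE_DROPPED), ("answered", SAMPLE_ANSWERED)):
        counts, verdict = summarize_port(capture, "198.51.100.7", 443)
        print(f"{name}: {counts} -> {verdict}")
```

Feed it the text of a WAN capture taken while the phone scans the address; three retransmitted SYNs from the same source port with no reply is the normal signature of a drop. The three-way handshake finishing (the `S.` line) is the only evidence that the firewall passed the connection.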
                      • dean2028

                      @KOM:

                      If a scan of your IP always shows open ports for 80,443 then I would tend to believe that it's hitting your ISP's equipment somehow.

                      You made me curious about that scenario, so I simply switched off the pfSense box, then did another port scan… well... I would say the port scan is not so useful, as I saw the same result: 80 and 443 were open. When I scanned the VPN_US public IP, I got the same result, 53, 80, 443 seemed to be open. You're right, this is some equipment of the provider.

                      However, this still doesn't change the fact that I'm able to reach the pfSense webConfigurator on 443 from the WAN. Now I have put the webConfigurator on a high port, so at least the login page cannot be called from the WAN, even if 443 is open.

                        • johnpoz LAYER 8 Global Moderator

                        Dude, how would that be? If pfSense is off and something is answering on 443 which is NOT pfSense… how exactly are you then accessing the pfSense webgui on 443?

                        This scenario comes up every couple of weeks or so, where some user says "my WAN is open". Either something is in front of it, or they are checking from the LAN side. Or they actually opened it in their WAN rules.

                        Here is the thing about your VPN as well: there are a few VPNs that will port forward down the tunnel. But it will NEVER be the standard ports. It's always some high port that you have to configure on their site for your account, etc.

                        Send me your IP and the port you're listening on in a PM and I will check if I can get to your web GUI..


                          • Grimson

                          Did you try to log into the WebUI, maybe your provider is using pfSense too.

                            • dean2028

                            @johnpoz:

                            Dude how would that be?  If pfsense is off and something is answer 443 which is NOT pfsense… How exactly are you then access 443 with pfsense webgui?

                            Sorry, if I was not clear. Those were different tests otherwise I had to be drunk or something…

                            1. pfSense box off - start portscan from a mobile provider IP to WAN IP - result: 80, 443 seems to be open.
                            2. pfSense box on - start portscan from a mobile provider IP to WAN IP - result: 80, 443 seems to be open.
                            3. pfsense box on - open https://WANIP from a mobile provider IP from the browser of the phone - result: pfSense login page

                              • johnpoz LAYER 8 Global Moderator

                              Send me this WAN IP and the port you're using… I want to see this... since your rules do not show anything open. And they are intercepting it, clearly, since you say you show it open when pfSense is off..


                                • dean2028

                                @Grimson:

                                Did you try to log into the WebUI, maybe your provider is using pfSense too.

                                I tried to call http://VPN_US_IP again from the mobile browser and I still see this nginx forbidden page. So there is no magic here, that page comes from the box of the provider. In the meantime I got a very different public IP when I reconnected to VPN_US, so it's not my pfSense box for sure. Apologies to everyone, this completely confused me as I thought the error page came from the pfSense box.

                                  • johnpoz LAYER 8 Global Moderator

                                  Yeah scanning your IP I don't see 80 or 443 open at all… Nothing comes back on those ports.. NOTHING!!!


                                    • dean2028

                                    @dean2028:

                                    3. pfsense box on - open https://WANIP from a mobile provider IP from the browser of the phone - result: pfSense login page

                                    I simply cannot reproduce this anymore since I put the webConfigurator on a high port and then back to 443. I'm just wondering, maybe I was distracted and my mobile connected back to the local network when I tested… I don't have a better idea.

                                    Ok, let me summarize what's figured out so far:

                                    Symptom1:
                                      Portscan shows ports 80, 443 open when WAN IP scanned from the internet
                                      Portscan shows ports 53, 80, 443 open when VPN_US_IP scanned from the internet

                                    Cause1 (probably): this comes from the boxes of the ISP and VPN provider as portscan gives the same result with powered off pfSense box.

                                    Symptom2:
                                      when http://VPN_US_IP called from a browser from the internet, nginx 403 forbidden error page appears

                                    Cause2 (at least that's my understanding): the error page comes from the box of the VPN provider

                                    Symptom3: when https://WAN_IP is called from an external browser, the pfSense login page is visible
                                      Cause3: the test was not accurate; the client probably connected back to the access point while testing, and then pfSense caught that (even though the WAN IP was used).

                                      • dean2028

                                      @johnpoz:

                                      Yeah scanning your IP I don't see 80 or 443 open at all… Nothing comes back on those ports.. NOTHING!!!

                                      But why do I see this then from the app when scanning? Should I throw this app away then? How did you scan me?
                                      I use the iOS version of Net Analyzer, and it shows these ports open, even if I turn off pfSense.

                                      Anyway, thanks a lot for your effort to check that.

                                      IMG_0396.PNG

                                        • dean2028

                                        @Grimson:

                                        Did you try to log into the WebUI, maybe your provider is using pfSense too.

                                        This did not come to my mind at all at that point, as I became upset. Now I think that page came from internal, as I'm not able to reproduce it anymore. No idea at all. As usual there is no magic; I think maybe I was not careful enough to make sure my mobile was completely on an external IP and didn't connect back to the AP.

                                          • dean2028

                                          I tried to check again ports 80 and 443 on the WAN IP with telnet. So I disconnected my notebook from the access point, then connected to the phone. The phone was a hotspot. I'm sure it was not connected to the AP this time.

                                          result:

                                          telnet WANIP 443
                                          Trying WANIP…
                                          Connected to WANIP.
                                          Escape character is '^]'.
                                          Connection closed by foreign host.

                                          telnet WANIP 80
                                          Trying WANIP...
                                          Connected to WANIP.
                                          Escape character is '^]'.
                                          Connection closed by foreign host.

                                          Why is telnet able to connect?

                                          If I open http://WANIP from the browser, I get an empty white page after 5-10 seconds.
                                          https://WANIP doesn't give me anything back, it times out.

                                            • ptt Rebel Alliance

                                            Try with one "external" (online) Tool/Scanner

                                            https://mxtoolbox.com/PortScan.aspx

                                            http://nmap.online-domain-tools.com/

                                            https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap

                                            https://www.yougetsignal.com/

                                            https://www.grc.com/x/ne.dll?bh0bkyd2

                                             And while you're scanning, check the "WAN Firewall Logs"

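A probe that goes one step past a port scanner, as an added example that is not part of the thread. Net Analyzer, telnet and the online scanners listed above only report that the TCP handshake completed, which is exactly what an ISP's or VPN provider's interception box produces; the question in the telnet post is what is on the other end. The function below connects, sends a minimal HTTP request and classifies the outcome: refused, accepted and then closed (the `Connection closed by foreign host` result above), accepted but silent, or a real HTTP answer with its status line and Server header. `start_fake_server`, `closed_port` and the `NGINX_403` response are loopback test doubles written for this example so that it runs offline; against the real address, run `probe_http("WANIP", 443)` from a notebook tethered to a phone hotspot.

```python
import socket
import threading


def probe_http(host, port, timeout=3.0):
    """Connect to host:port, send a bare HTTP/1.0 request, report what answered.

    "state" is one of:
      closed-or-filtered    no TCP connection (RST back, or nothing within timeout)
      accepted-then-closed  handshake completed, peer closed without sending data
                            (what telnet prints as "Connection closed by foreign host")
      accepted-but-silent   handshake completed, no reply within timeout
      http                  a real HTTP response; status line and Server header returned
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"state": "closed-or-filtered", "detail": type(exc).__name__}
    with sock:
        sock.settimeout(timeout)
        try:
            sock.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            data = sock.recv(4096)
        except socket.timeout:
            return {"state": "accepted-but-silent", "detail": ""}
        except OSError as exc:  # ECONNRESET / EPIPE: the peer tore the session down
            return {"state": "accepted-then-closed", "detail": type(exc).__name__}
    if not data:
        return {"state": "accepted-then-closed", "detail": "EOF"}
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    status, *headers = head.split("\r\n")
    server = next((h.split(":", 1)[1].strip() for h in headers
                   if h.lower().startswith("server:")), "")
    return {"state": "http", "status": status, "server": server}


# ---- loopback test doubles (constructed for this example, not real hosts) ----

def start_fake_server(response):
    """Accept connections on 127.0.0.1 and reply with `response`; when it is
    None, close immediately after accept (an intercepting box). Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            with conn:
                if response is not None:
                    try:
                        conn.recv(1024)      # consume the request line
                        conn.sendall(response)
                    except OSError:
                        pass

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """A loopback port with nothing listening on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


# Constructed stand-in for the provider's "403 Forbidden" page seen in the thread.
NGINX_403 = b"HTTP/1.1 403 Forbidden\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    cases = {
        "provider 403 page": start_fake_server(NGINX_403),
        "intercept, then close": start_fake_server(None),
        "nothing listening": closed_port(),
    }
    for name, port in cases.items():
        print(f"{name:22} -> {probe_http('127.0.0.1', port, timeout=2.0)}")
```

One caveat when reading the result: the pfSense webConfigurator is itself served by nginx, so a `Server: nginx` header alone does not tell the provider's box from the firewall. What separates them is the test already done in this thread (the same answer with pfSense powered off) and the state table on the box while the probe runs: a connection that really reached the GUI shows up as a state on the WAN interface in Diagnostics > States (or `pfctl -ss` from the shell), and an intercepted one never does.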
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.