Can other users on the same subnet access my pfsense web interface ?

security_paranoid

Hi,

Let me describe my network. My ISP provides Internet using regular ethernet cable. There is no cable modem. They have given me a static IP address (172.16.197.xxx).

There are other users in this subnet like my neighbours. They use the same IP address range only a different IP so 172.16.197 remains the same only xxx changes.

When I run a nmap scan on my WAN (local) IP I get

$ nmap 172.16.197.xxx

Starting Nmap 7.40 ( https://nmap.org ) at 2018-04-22 22:56 IST
Nmap scan report for 172.16.197.xxx
Host is up (0.012s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 7.39 seconds

I know that the address 172.16.197.xxx is not reachable from the Internet but my question is can other users of my ISP who belong to the same subnet

access my pfsense box's Web Interface ?

Note: They have the same IP address range as I do i.e. 172.16.197.xxx

ptt

How are you testing ?

From where are you running nmap ? LAN side ?

Post/attach a screenshot of your WAN Firewall Rules

https://forum.pfsense.org/index.php?topic=142679.msg777814#msg777814

JKnott

They have given me a static IP address (172.16.197.xxx)

So, they gave you a NAT, rather than public address.

I don't think you can access the web interface from the WAN side, unless specifcally enabled.

security_paranoid

@ptt:

How are you testing ?

From where are you running nmap ? LAN side ?

Post/attach a screenshot of your WAN Firewall Rules

https://forum.pfsense.org/index.php?topic=142679.msg777814#msg777814

Yes I am running nmap from LAN side.

Please see attachment.

wan.png_thumb

security_paranoid

@JKnott:

They have given me a static IP address (172.16.197.xxx)

So, they gave you a NAT, rather than public address.

I don't think you can access the web interface from the WAN side, unless specifcally enabled.

Thanks. I can relax now.

ptt

@security_paranoid:

Yes I am running nmap from LAN side.

Please see attachment.

You have to test from WAN side.

You have all WAN inbound traffic blocked, so no one can Access your pfSense (from WAN side).

Please take some time to check/read the "Docs"

https://doc.pfsense.org/index.php/Main_Page

https://doc.pfsense.org/index.php/Firewall_Rule_Basics

JKnott

You can always do a port scan by going to www.grc.com and running"Shields Up". That will show what ports are open, closed or stealth. If not open, then others can't connect.

security_paranoid

@ptt & jKnott

My ISP blocks all ports by default. No customer of my ISP can play any online games.

If I scan my ports using grc.com its actually scanning my ISP's "GLOBAL FIREWALL"

Still I installed pfsense to stay as much secure as possible

JKnott

You can also run nmap on another computer connected to the WAN port to do a port scan.

security_paranoid

@JKnott:

You can also run nmap on another computer connected to the WAN port to do a port scan.

My pfsense box is on the other room connected via a wireless AP. I guess I will have to borrow a friend's laptop for the test.

Thanks for the idea.