Can other users on the same subnet access my pfsense web interface ?
-
Hi,
Let me describe my network. My ISP provides Internet using regular ethernet cable. There is no cable modem. They have given me a static IP address (172.16.197.xxx).
There are other users in this subnet like my neighbours. They use the same IP address range only a different IP so 172.16.197 remains the same only xxx changes.
When I run a nmap scan on my WAN (local) IP I get
$ nmap 172.16.197.xxx
Starting Nmap 7.40 ( https://nmap.org ) at 2018-04-22 22:56 IST
Nmap scan report for 172.16.197.xxx
Host is up (0.012s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open httpNmap done: 1 IP address (1 host up) scanned in 7.39 seconds
I know that the address 172.16.197.xxx is not reachable from the Internet but my question is can other users of my ISP who belong to the same subnet
access my pfsense box's Web Interface ?
Note: They have the same IP address range as I do i.e. 172.16.197.xxx
-
How are you testing ?
From where are you running nmap ? LAN side ?
Post/attach a screenshot of your WAN Firewall Rules
https://forum.pfsense.org/index.php?topic=142679.msg777814#msg777814
-
They have given me a static IP address (172.16.197.xxx)
So, they gave you a NAT, rather than public address.
I don't think you can access the web interface from the WAN side, unless specifcally enabled.
-
@ptt:
How are you testing ?
From where are you running nmap ? LAN side ?
Post/attach a screenshot of your WAN Firewall Rules
https://forum.pfsense.org/index.php?topic=142679.msg777814#msg777814
Yes I am running nmap from LAN side.
Please see attachment.
-
They have given me a static IP address (172.16.197.xxx)
So, they gave you a NAT, rather than public address.
I don't think you can access the web interface from the WAN side, unless specifcally enabled.
Thanks. I can relax now.
-
Yes I am running nmap from LAN side.
Please see attachment.
You have to test from WAN side.
You have all WAN inbound traffic blocked, so no one can Access your pfSense (from WAN side).
Please take some time to check/read the "Docs"
https://doc.pfsense.org/index.php/Main_Page
https://doc.pfsense.org/index.php/Firewall_Rule_Basics
-
You can always do a port scan by going to www.grc.com and running"Shields Up". That will show what ports are open, closed or stealth. If not open, then others can't connect.
-
@ptt & jKnott
My ISP blocks all ports by default. No customer of my ISP can play any online games.
If I scan my ports using grc.com its actually scanning my ISP's "GLOBAL FIREWALL"
Still I installed pfsense to stay as much secure as possible
-
You can also run nmap on another computer connected to the WAN port to do a port scan.
-
You can also run nmap on another computer connected to the WAN port to do a port scan.
My pfsense box is on the other room connected via a wireless AP. I guess I will have to borrow a friend's laptop for the test.
Thanks for the idea.
