Netgate Discussion Forum
    Can other users on the same subnet access my pfsense web interface ?

    Firewalling
    10 Posts 3 Posters 721 Views
    • security_paranoid

      Hi,

      Let me describe my network. My ISP provides Internet using regular ethernet cable. There is no cable modem. They have given me a static IP address (172.16.197.xxx).

      There are other users in this subnet, like my neighbours. They use the same IP address range, only a different IP, so 172.16.197 remains the same and only xxx changes.

      When I run an nmap scan on my WAN (local) IP I get

      $ nmap 172.16.197.xxx

      Starting Nmap 7.40 ( https://nmap.org ) at 2018-04-22 22:56 IST
      Nmap scan report for 172.16.197.xxx
      Host is up (0.012s latency).
      Not shown: 998 filtered ports
      PORT  STATE SERVICE
      53/tcp open  domain
      80/tcp open  http

      Nmap done: 1 IP address (1 host up) scanned in 7.39 seconds

      I know that the address 172.16.197.xxx is not reachable from the Internet, but my question is: can other users of my ISP who belong to the same subnet access my pfSense box's web interface?

      Note: They have the same IP address range as I do i.e. 172.16.197.xxx

      • ptt (Rebel Alliance)

        How are you testing?

        From where are you running nmap? LAN side?

        Post/attach a screenshot of your WAN Firewall Rules

        https://forum.pfsense.org/index.php?topic=142679.msg777814#msg777814

        • JKnott

          They have given me a static IP address (172.16.197.xxx)

          So, they gave you a NAT, rather than a public address.

          I don't think you can access the web interface from the WAN side, unless specifically enabled.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          • security_paranoid

            @ptt:

            How are you testing?

            From where are you running nmap? LAN side?

            Post/attach a screenshot of your WAN Firewall Rules

            https://forum.pfsense.org/index.php?topic=142679.msg777814#msg777814

            Yes, I am running nmap from the LAN side.

            Please see attachment.

            (attachment: wan.png)

            • security_paranoid

              @JKnott:

              They have given me a static IP address (172.16.197.xxx)

              So, they gave you a NAT, rather than a public address.

              I don't think you can access the web interface from the WAN side, unless specifically enabled.

              Thanks. I can relax now.

              • ptt (Rebel Alliance)

                @security_paranoid:

                Yes, I am running nmap from the LAN side.

                Please see attachment.

                You have to test from the WAN side.

                You have all WAN inbound traffic blocked, so no one can access your pfSense (from the WAN side).

                Please take some time to check/read the "Docs":

                https://doc.pfsense.org/index.php/Main_Page

                https://doc.pfsense.org/index.php/Firewall_Rule_Basics

                • JKnott
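                As an added illustration (not the thread's own configuration and not the ruleset pfSense generates), a hand-written pf ruleset in the default-deny shape ptt describes: nothing is passed in on WAN, while the LAN is allowed to reach the firewall's own GUI and DNS ports. Interface names, the LAN subnet and the GUI ports are assumptions.

                ```pf
                # Assumed interface names and LAN subnet (pfSense uses your actual NIC names).
                wan_if  = "em0"
                lan_if  = "em1"
                lan_net = "192.168.1.0/24"
                gui_ports = "{ 80, 443 }"   # webConfigurator HTTP/HTTPS (assumed)

                set skip on lo0

                # Default deny: any packet not matched by a later pass rule is dropped
                # and logged. This is the "all WAN inbound traffic blocked" state.
                block in log all

                # WAN: deliberately no "pass in" rule at all, so the GUI (80/443),
                # the DNS resolver (53) and SSH are unreachable from other hosts in
                # 172.16.197.0/24. The firewall itself may still initiate outbound.
                pass out on $wan_if from ($wan_if) to any keep state

                # LAN: clients may reach the firewall's own LAN address for the GUI
                # and DNS, then anything else. This is why an nmap run from a LAN
                # client reports 53/tcp and 80/tcp open: it is hitting these rules,
                # and says nothing about exposure on the WAN side.
                pass in on $lan_if proto tcp from $lan_net to ($lan_if) port $gui_ports keep state
                pass in on $lan_if proto { tcp udp } from $lan_net to ($lan_if) port 53 keep state
                pass in on $lan_if from $lan_net to any keep state
                ```

                The decisive check is the one ptt asks for: the absence of any `pass in on $wan_if` rule, confirmed by a scan from a host on the WAN segment rather than from the LAN.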

                  You can always do a port scan by going to www.grc.com and running "Shields Up". That will show what ports are open, closed or stealth. If not open, then others can't connect.


                  • security_paranoid

                    @ptt & @JKnott:

                    My ISP blocks all ports by default. No customer of my ISP can play any online games.

                    If I scan my ports using grc.com, it's actually scanning my ISP's "GLOBAL FIREWALL".

                    Still, I installed pfSense to stay as secure as possible.

                    • JKnott

                      You can also run nmap on another computer connected to the WAN port to do a port scan.


                      • security_paranoid

                        @JKnott:

                        You can also run nmap on another computer connected to the WAN port to do a port scan.

                        My pfSense box is in the other room, connected via a wireless AP. I guess I will have to borrow a friend's laptop for the test.

                        Thanks for the idea.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.