Login protection for webGUI

  • Hi,

    There's "login protection" section in the Advanced menu and it seems like configurations for sshguard rather than for the webGUI as the xml configurations are all prefixed with sshguard_.

    Does the protection work similarly for the webGUI or are there any other means to protect webGUI?


  • WebGUI requires a login, obviously. You can create firewall rules that block access to pfSense entirely for everyone but you.

  • LAYER 8 Global Moderator

    If locking it down via firewall rules is not enough. Sure you could point the login to freeradius (install the package) and then setup 2FA with that.

    But to be honest if you local access to the gui down to managment network via firewall rules... Only trusted admin sort of people should be able to access this network.. So that is 1st Factor or even multiple just to get on that network. Secured location, auth to even access network from specific device and 802.1x auth, etc. Then knowing the username and password to auth would be 2nd or MFA.. Adding yet another hurdle seems a bit overkill IMHO.

    If your gui is open to your normal user network already then your not actually doing it right in the first place ;)

    If you have some policy that requires 2FA on via the actual gui and doesn't take into account that other methods of controlled access that becomes 1st factor and needs it somehow in the gui to check off a box in some audit... Then sure do the freeradius 2FA thing..

  • Thanks for the replies.

    Yes, we can create firewall rules to filter out everyone but the admins.

    The problem is that we'd like to be able to access the webGUI from remote locations that have no static global IP addresses. We have a VPN server so we can access it from the private network if the VPN is up. But sometimes bad things happen. In case of a VPN failure direct access to the webGUI is quite useful to troubleshoot network issues remotely.

    I'll take a look at the 2FA solution.


  • @maoe-tsuru said in Login protection for webGUI:

    But sometimes bad things happen ...

    In that case, the entire 2FA chain will not work anymore (neither).
    If I had to choose among a VPN server process, and a Radius auth setup ... ;)
    OpenVPN server, ones started is pretty stable and solid.
    True, it needs a client side program and settings.

  • LAYER 8 Global Moderator

    @maoe-tsuru said in Login protection for webGUI:

    But sometimes bad things happen

    This is why you setup out of band access.. Not expose your gui to the internet and thinks it ok because you use some 2fA.

  • OpenVPN server, ones started is pretty stable and solid.

    I just read the OpenVPN section of the pfSense book. It seems like OpenVPN on pfSense with multi-WAN is the way to go.

Log in to reply