pfSense on VPS - Setup issue



  • Hi all,

    I've installed pfSense on a VPS and partly configured it. I did this by accessing the Web GUI over the WAN port (LAN port was deactivated). Now I activated the LAN port and I cannot access the Web GUI over the WAN port anymore. I tried to ping from another VPS on the same subnet, that didn't work either. I suppose when I remove the LAN port again I'll get access to the Web GUI again over the WAN port, but that's not the point. What I would like to do, is to access the Web GUI securely i.e. not over the WAN port.

    I couldn't find any "good" guide to setup pfSense on a VPS. The guides I have found were suggesting to disable the firewall for a while until the setup is finished, which I find pretty insecure.

    So, can someone please provide a link to a good guide or give some guidance on how to solve this problem?



  • @sensori said in pfSense on VPS - Setup issue:

    I've installed pfSense on a VPS and partly configured it

    I was about to ask you! This has been on my to do list but keep getting bumped. I had been looking on these sources:
    https://blog.kylemanna.com/cloud/pfsense-on-google-cloud/

    https://medium.com/@silasthomas/how-to-import-a-pfsense-firewall-into-google-cloud-platform-ad62257a143a


  • LAYER 8 Netgate

    Why? What do you intend to protect on a single VPS?



  • @NollipfSense : Thanks for the response!
    From the first link:

    Disable the firewall
    Disable the firewall so that the SSH can be accessed and configured:
    
    pfctl -d
    Yes, this is a massive hole, I assume you know what you are doing. This will get re-enabled after the WebUI configuration.
    

    I have pfSense online for only 1 day and there are dozens of unknown IPs in the firewall log.

    The 2nd link doesn't deal with the configuration of pfSense at all.

    @Derelict : Thanks for the response!

    Why? What do you intend to protect on a single VPS?
    

    I want to protect at least one VPS with a Web Server and one with a DB.

    Meanwhile I have removed the LAN interface and gained access to the Web GUI over WAN again. I have added 2 rules in the firewall, one for HTTPS and one for SSH, to have access from my public IP only. However, I still can't access pfSense from another machine in the LAN. I've found somewhere that I have to change the IP of the Web GUI and put a rule in the firewall, but I can't even find where I can make this change.


  • LAYER 8 Netgate

    I would just use the firewall on the VPS host itself (think iptables) or whatever the VPS provider has available in front of it.



  • @Derelict : Interesting!
    My VPS provider doesn't provide a firewall.
    It's clear that pfSense would increase the security. So why shouldn't I use it?


  • LAYER 8 Global Moderator

    pfSense is installed as the OS.. it's not a server, it's a router/firewall distro designed to do that firewall/route.. Unless you have multiple devices behind it, you wouldn't use it on a single VPS.. So as Derelict stated - just use the firewall that comes with whatever OS your VPS is running.. If it's a VPS running OS XYZ.. just use the host firewall that you can run on that XYZ OS to protect it.

    What OS is your VPS running?



  • @sensori said in pfSense on VPS - Setup issue:

    I want to protect at least one VPS with a Web Server and one with a DB.

    So, you already have an OS with stuff and service...the link I provided assumed VPS is an empty hard drive with no OS. Are you running CentOS? It seems that to do what you want to do a virtual pfSense machine may work if you have the memory...adds complexity though.



  • I would like to use pfSense in front of a Web Server - with it come some other components like nginx (Load Balancer, Reverse Proxy), a VCS (GitLab), 2 DBMSs and some other stuff. I assume, I could put all in one big machine but I thought it is better to have several small machines instead and separate them. With the current VPS provider I can create subnets. So the idea is to have a subnet where all machines can communicate with each other easily and pfSense in front of them as firewall to protect them. Of course only the Web Server would be open to the public, access to all other machines is meant only for me. Maybe it is better to put the Web Server in front of pfSense, I'm not sure.

    At the moment I'm just experimenting with pfSense to see how I can achieve what I want. I created only 2 machines; on one of them I've installed pfSense and on the other one (Ubuntu) I haven't installed anything so far. This is for testing purposes only. In the final architecture I would like to use CentOS on all machines if I can (I don't have any experience with CentOS).


  • Netgate Administrator

    Just add firewall rules to allow the access you need (to the webgui, to ssh etc) on the WAN before you enable another interface. Doing that moves the default allow rule to LAN and blocks any traffic you have not explicitly allowed on WAN.

    Steve
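
    The ruleset below is an added illustration, not something posted in this thread and not pfSense's own generated configuration: it expresses what Steve's advice amounts to in raw pf syntax, so the two "allow from my public IP only" rules sit next to the WAN default block that takes effect once LAN is enabled. The interface names (vtnet0 for WAN, vtnet1 for LAN) and the admin address 203.0.113.10 are assumed placeholders. On pfSense you add these as WAN rules in the GUI (Firewall > Rules > WAN) rather than editing pf.conf by hand, because pfSense regenerates the ruleset from its own config on every change.

```pf
# Added example, not from the thread or from pfSense's generated rules.
# Assumed placeholders: vtnet0 = WAN, vtnet1 = LAN, 203.0.113.10 = admin's public IP.
wan_if   = "vtnet0"
lan_if   = "vtnet1"
admin_ip = "203.0.113.10"

set skip on lo0
set block-policy drop

# Default on WAN: drop and log everything that is not explicitly allowed below.
# This is the rule that effectively appears once a second interface is enabled
# and the default allow moves to LAN.
block in log on $wan_if

# The access Steve says to add BEFORE enabling LAN: only the admin's public IP
# may reach the webGUI (443) and SSH (22) on the firewall's own WAN address.
# This replaces the guide's "pfctl -d" approach, which disables the whole filter.
pass in quick on $wan_if inet proto tcp from $admin_ip to ($wan_if) port { 443, 22 } flags S/SA keep state

# The firewall itself may still talk outbound (updates, DNS, NTP).
pass out on $wan_if keep state

# LAN keeps the permissive default that pfSense applies to the LAN interface.
pass in on $lan_if keep state
```

    To check what is actually loaded, `pfctl -sr` prints the active rules and `pfctl -si` shows whether the filter is enabled at all; if a guide had you run `pfctl -d`, `pfctl -e` turns filtering back on. A syntax check of a hand-written file is `pfctl -nf /path/to/pf.conf`, which parses without loading.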


  • LAYER 8 Netgate

    Sounds like a VPC not a VPS.

