Portforward 8443 (wan ip) to 443 (wan ip) - Gui access Hack
I have a pfSense firewall behind a corp firewall, connected with a 10.129.x.0/30.
It's running OpenVPN L2L (/30) towards my central pfSense box, and is working excellently. I would like to be able to access the pfSense GUI (on the WAN IP) from my central pfSense public IP,
if I ever FSCK up my L2L VPN. I was "given" 8443 as a port forward in the corp firewall to my remote pfSense.
I can see "denies" if I try to contact my remote firewall on corp-ip:8443, so the port forwarding is working. Initially I would just switch the remote pfSense GUI to 8443, but got this "brilliant idea": what if ...
What if I could port forward 8443 to 443 on my remote WAN interface??
Then I wouldn't even have to change the GUI port, and could still use just plain https when accessing via inside/L2L. Looking at the port forward, it asks for a "NAT Inside IP", and that's where I have a bit of doubt ....
Could I specify the "WAN IP" in that field, and have it do the port forwarding only on the WAN IP? I did this trick on iptables in the old days when my ISP started to block port 25 and I had a remote mail server; I just translated incoming 2525 to 25 on my mail server.
ISTR inbound NAT was before routing. I'm not sure I'd like to port forward "WAN 8443" to e.g. "LAN 443, a real inside", as I'm not sure if I'm letting the Devil in by doing that.
Or should I just change the GUI to 8443, and make it "non-standard" to the other 5 sites' "inside access"?
TIA
/Bingo
Well, to answer my own Q:
It worked, port forwarding 8443 to 443 and using the WAN IP address as the NAT IP address.
As I accessed the "site" via https://x.x.x.x:8443, I got hit by an HTTP_REFERER error (and a RED screen, leaving me "dead there") after authenticating on the login page.
Luckily I could still access the GUI via the L2L VPN, but you might want to think about that issue, to not be locked out.
I had to add x.x.x.x to System -> Advanced -> Admin Access -> Alternate Hostnames,
as I did not want to disable "Browser HTTP_REFERER enforcement".
/Bingo
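The lockout above comes from the GUI's referer check: when the browser reaches the firewall through the corporate IP and forwarded port, the Referer names a host the firewall does not recognise as its own until it is listed under Alternate Hostnames. The following is an added, simplified model of that check written for this thread; it is not pfSense code, and the hostname, interface addresses and public IP are constructed placeholder values.

```python
from urllib.parse import urlsplit

# Constructed stand-ins for the remote pfSense in the post (not real addresses).
GUI_HOSTNAME = "remote-pfsense.example"
INTERFACE_IPS = {"10.129.0.2", "192.168.50.1"}   # WAN (/30) and LAN, placeholders
CORP_PUBLIC_IP = "203.0.113.10"                   # corp firewall's public IP (RFC 5737 range)


def allowed_gui_hosts(hostname, interface_ips, alternate_hostnames):
    """Hosts the GUI treats as its own in a Referer: its hostname, its
    interface addresses, and anything under Admin Access -> Alternate Hostnames."""
    return {h.lower() for h in {hostname, *interface_ips, *alternate_hostnames}}


def referer_host(referer):
    """Lowercase host part of a Referer URL, port stripped; None if unusable."""
    try:
        parts = urlsplit(referer)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def referer_allowed(referer, allowed_hosts):
    """Simplified HTTP_REFERER enforcement: the request passes only when the
    Referer names a host the firewall considers its own (CSRF protection)."""
    host = referer_host(referer)
    return host is not None and host in allowed_hosts


def login_via_forward(alternate_hostnames):
    """Model the post's scenario: a login through corp-ip:8443, where the
    browser's Referer carries the corporate public IP and the forwarded port."""
    referer = f"https://{CORP_PUBLIC_IP}:8443/index.php"
    allowed = allowed_gui_hosts(GUI_HOSTNAME, INTERFACE_IPS, alternate_hostnames)
    return referer_allowed(referer, allowed)


if __name__ == "__main__":
    print("without Alternate Hostnames entry:", login_via_forward(set()))
    print("with corp IP as Alternate Hostname:", login_via_forward({CORP_PUBLIC_IP}))
```

Adding the public IP to Alternate Hostnames is what turns the second case to True while the referer enforcement itself stays enabled.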