Browser page?
-
I just thought of something that might be useful:
a page in pfSense UI where one can enter a URL, and that's loaded within a frame of that page.
Why would I want that?
Example: I have admin access to pfSense from the public internet, but in the private network there are network devices, such as switches that have their own web interfaces, or there may be home automation devices with web interfaces, etc.
Occasionally, even just to test accessibility, one may want to access one of these devices, but one may not want to do port forwarding etc. to limit what's exposed to the outside.
Anyone else thinks that's a useful idea?
-
@rcfa said in Browser page?:
Example: I have admin access to pfSense from the public internet, but in the private network there are network devices, such as switches that have their own web interfaces, or there may be home automation devices with web interfaces, etc.
Hi,
NGFW is a serious IT front...
the more unnecessary features we build into it, further I go, .... the more vulnerable it is
if you want to manage multiple devices at once, like switches, VOIP ATA, APs, other tools with webservers...
use OpenVPN remote access and access devices on the same subnet smoothly from your browser in multi-window mode
https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/openvpn-remote-access-server.html
@rcfa "Anyone else thinks that's a useful idea?"
in my opinion, definitely NO, sorry for my honesty
-
@DaddyGo Will your suggestion work over an IPsec link?
My WAN is actually an IPSec tunnel, I know, a bit non-standard, but the only way I could get my block of addresses routed.
So I'd need to run OpenVPN through IPSec
As for the security implications: There's of course the issue that pfSense has two distinct types of users.
Type one uses pfSense as corporate firewall, this is an environment with plenty of special purpose servers (VoIP, mail, private cloud, etc.)
The other is private home or home-office users. They can't afford the money or time to maintain a slew of separate systems or they don't even have the IP address space to support a variety of servers. So they would like to host all internet facing services on one system rather than maintaining multiple systems and a set of complicated forwarding rules, because that increases failure points and maintenance nightmares. As a matter of fact, the suggestion grew out of just such a nightmare, because to access the mail server, traffic needs to go through (managed) switch which is causing issues right now. Were my e.g. mail server on the pfSense unit, critical services would continue uninterrupted by some hardware acting up, which I can't fix from afar.
There is of course the option of using devices like FritzBox or Synology but they are much less transparent in what they do.
So, obviously, packing everything into pfSense as standard makes no sense, but it does make sense to have modules for people who use pfSense as a border system on a small network and need some internet facing services, as not everyone is running a corporate firewall.
While security is key, "convenience" is sometimes more important, because with one end (and sometimes both ends, when I'm traveling) of my connection being thousands of miles away, administering things locally often isn't an option. Everything must be accessible globally and if that means somewhat decreased security, it can't be helped.
-
way I could get my block of addresses routed.
If you get IPs routed, then you sure can use it on your firewall, can you not?
And if you can use one of them on your firewall, you should be able to configure OpenVPN to listen to it.
-
@JeGr I'll try...
...hope I'm not going to hang myself doing it, because that would require a very long trip.
-
@rcfa said in Browser page?:
Will your suggestion work over an IPsec link?
Sure...
The whole IT world is remotely administered somehow, if you are worried use OpenVPN with a higher cipher.
Currently, I consider it one of the best methods for remote management, except where there is a completely separate mng. subnet; the latter is not typical in SOHO.
Or where the device lets you separate the mng. option into a separate VLAN and access this mng. VLAN with OpenVPN.