pfSense becomes unresponsive
-
Yes, this is me from WAN 443, and there is only one rule in my Firewall>Rules that I added using this post:
https://www.joe0.com/2019/11/11/how-to-implement-remote-management-in-pfsense-2-4-4-by-using-a-duckdns-dynamic-dns-domain/
Other than that, my pfSense system is totally stock, and I guess there is no SSH remote enabled on pfSense out of the box.
-
@amaanx5a said in pfSense becomes unresponsive:
https://www.joe0.com/2019/11/11/how-to-implement-remote-management-in-pfsense-2-4-4-by-using-a-duckdns-dynamic-dns-domain/
This:
STEP 3 – Allow remote access to WAN port 443
combined with this:
Source: Any (or restrict by IP/subnet)
is exactly the reason why you should never do that.
The pfSense WebGUI isn't meant to be "open and visible" to the entire Internet. It's a major security flaw. Use OpenVPN for that.
(edit: same thing for the SSH port)
-
@amaanx5a said in pfSense becomes unresponsive:
The firewall still has to read that traffic, process it and send it back out on all the interfaces. All of that requires CPU cycles.
Even if I use a switch?
No, if you use a bridge as a switch.
There is a common misconception that bridging somehow requires fewer CPU cycles and won't affect firewall performance for some reason. Not really sure where that comes from, but just to be clear, it does. If you use a switch, the traffic never goes through the firewall and it can happily use all its CPU cycles for more important things like VPNs.
And, yes, use OpenVPN for remote access if you can. At the very least, move your webgui to a different port to reduce the drive-by connection attempts.
https://docs.netgate.com/pfsense/en/latest/recipes/remote-firewall-administration.html
Steve
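The two replies above object to the same thing: a WAN pass rule with source "any" to the firewall's own port 443 (and the same for SSH), with "move the GUI off 443" offered only as a fallback to cut drive-by noise. Below is an added example, not code from this thread, the linked how-to or the pfSense project, that audits a pfSense config.xml backup for exactly that pattern. Both config.xml fragments are constructed for illustration; the element names ((self), wanip, system/webgui/port, system/ssh/enable, the filter/rule layout) follow the pfSense 2.4.x config layout as understood by the author of this example and should be checked against your own backup before relying on the script. The hardened fragment shows the alternative Steve points to: no WAN rule to the GUI at all, an OpenVPN port open on WAN instead, and the GUI reachable only from the VPN tunnel network.

```python
"""Audit a pfSense config.xml backup for WAN rules that expose the WebGUI or SSH
to any source (the "WAN, source any, dst (self):443" pattern from the thread).

Added example; not pfSense code. Element names are an assumption based on the
pfSense 2.4.x config.xml layout. Both sample configs below are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed: the rule the linked how-to tells you to add.
WEAK_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <webgui><protocol>https</protocol><port></port></webgui>
    <ssh><enable>enabled</enable></ssh>
  </system>
  <filter>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <protocol>tcp</protocol>
      <source><any></any></source>
      <destination><network>(self)</network><port>443</port></destination>
      <descr>Remote management</descr>
    </rule>
  </filter>
</pfsense>
"""

# Constructed: GUI moved off 443 AND only reachable via the VPN. The sole WAN
# pass rule admits the OpenVPN port; the GUI rule lives on the openvpn interface.
HARDENED_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <webgui><protocol>https</protocol><port>8443</port></webgui>
  </system>
  <filter>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <protocol>udp</protocol>
      <source><any></any></source>
      <destination><network>wanip</network><port>1194</port></destination>
      <descr>OpenVPN</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>openvpn</interface>
      <ipprotocol>inet</ipprotocol>
      <protocol>tcp</protocol>
      <source><network>10.8.0.0/24</network></source>
      <destination><network>(self)</network><port>8443</port></destination>
      <descr>WebGUI from VPN clients only</descr>
    </rule>
  </filter>
</pfsense>
"""


def admin_ports(root):
    """Return {port: service} for the WebGUI and, when enabled, SSH.
    An empty webgui/port means the protocol default (443 for https, 80 for http)."""
    ports = {}
    gui = root.find("system/webgui")
    proto = (gui.findtext("protocol") if gui is not None else None) or "https"
    port_text = (gui.findtext("port") if gui is not None else None) or ""
    ports[int(port_text) if port_text else (443 if proto == "https" else 80)] = "webgui"
    ssh = root.find("system/ssh")
    if ssh is not None and ssh.findtext("enable") == "enabled":
        ports[int(ssh.findtext("port") or 22)] = "ssh"
    return ports


def port_matches(port_text, wanted):
    """Destination port is stored as a number ("443"), a range ("443-444") or an
    alias name. Empty means any port. Aliases cannot be resolved offline -> False."""
    if not port_text:
        return True
    if "-" in port_text:
        lo, hi = port_text.split("-", 1)
        return lo.isdigit() and hi.isdigit() and int(lo) <= wanted <= int(hi)
    return port_text.isdigit() and int(port_text) == wanted


def find_exposed_admin_rules(config_xml):
    """Return a list of findings for enabled WAN pass rules whose source is 'any'
    and whose destination is the firewall itself on a WebGUI or SSH port.
    Moving the GUI to another port does not help: the new port is checked too."""
    root = ET.fromstring(config_xml)
    targets = admin_ports(root)
    findings = []
    for rule in root.iterfind("filter/rule"):
        if rule.findtext("type") != "pass" or rule.findtext("interface") != "wan":
            continue
        if rule.find("disabled") is not None:
            continue  # <disabled></disabled> marks a disabled rule
        if rule.findtext("protocol") not in (None, "tcp", "tcp/udp"):
            continue  # GUI and SSH are TCP; a UDP-only rule cannot reach them
        src = rule.find("source")
        if src is None or src.find("any") is None:
            continue  # source restricted to an address/subnet: not the any-source pattern
        dst = rule.find("destination")
        dst_net = dst.findtext("network") if dst is not None else None
        dst_any = dst is not None and dst.find("any") is not None
        if not (dst_any or dst_net in ("(self)", "wanip")):
            continue  # destination is some other host, not the firewall
        dst_port = dst.findtext("port") if dst is not None else ""
        for port, service in sorted(targets.items()):
            if port_matches(dst_port, port):
                findings.append({"service": service, "port": port,
                                 "descr": rule.findtext("descr") or ""})
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, find_exposed_admin_rules(cfg))
```

Run it against a real backup with `find_exposed_admin_rules(open("config-backup.xml").read())`. A rule whose destination port is an alias is not resolved here and silently fails to match, so check alias-based rules by hand; and a finding with source restricted to your own IP is deliberately not reported, since that is the narrower exposure the how-to itself offers as an option, not the "any" case the replies object to.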