How Access Web GUI over Wan through Strict Access?

nprog · Apr 13, 2021, 6:45 AM

Re: Remote Access to WebUI

Gertjan · Apr 13, 2021, 6:48 AM

That's a very old thread.
Nothing actually changed.

What do you mean by "Strict access" ?

nprog · Apr 13, 2021, 6:50 AM

@gertjan How to rstrict just a few IPs and should I be needing a VPN to access?

Gertjan · Apr 13, 2021, 6:57 AM

@nprog said in How Access Web GUI over Wan through Strict Access?:

How to rstrict just a few IPs

You need a firewall.
The good news is : pfSense is a firewall.
So : set up an Alias ( Firewall > Aliases > IP ) and give it a name.
Use this Alias name in the Source filed in a firewall rule to restrict access only to the IPs listed in the Alias :

Example :

My Alias "SYS" which is a collection of IPv4.
Same thing for "he.net".
So, only "he.net" or "SYS" can pass.
And everybody else, if it's VPN on port 1194, UDP.

@nprog said in How Access Web GUI over Wan through Strict Access?:

should I be needing a VPN to access?

Noop. It depends your needs. When the day comes that you need to access pfSense or your LAN from an IP not listed in the Alias, you will know ;)

nprog · Apr 13, 2021, 8:43 AM

@gertjan thanx a lot for your reply I am considering configuring SSH tunnel and apply for some strict wan access as I have to move between two to three locations mostly while I have a setup at my main office which is a location X.
I am looking forward to using your suggestion plus I have found this post regarding ssh tunneling to open web interface from wan.

NogBadTheBad · Apr 13, 2021, 12:14 PM

@nprog Just set up a vpn and be done with it.

Gertjan · Apr 13, 2021, 5:19 PM

@nogbadthebad said in How Access Web GUI over Wan through Strict Access?:

Just set up a vpn and be done with it.

I might as well +1 that.
Hosting your own VPN access is since march 2020 very popular.
It's totally 'free' ;)

nprog · Apr 13, 2021, 5:20 PM

@gertjan which one is easy , is it ssh tunneling or set up a remote access openvpn or IPsec VPN what do you suggest for a newbie?

akuma1x · Apr 13, 2021, 7:54 PM

@nprog said in How Access Web GUI over Wan through Strict Access?:

@gertjan which one is easy , is it ssh tunneling or set up a remote access openvpn or IPsec VPN what do you suggest for a newbie?

For a newbie? Setup remote access with a firewall rule to the webgui and a limited set of source IP addresses. It's easy. Don't set it to be open to the world, that would be bad.

Let us know if you want screenshots of the rules on how to set this up. I do this from home to work (2 netgate pfsense boxes). Like I said, it's really easy.

nprog · Apr 14, 2021, 6:02 AM

@akuma1x I am following this post, which says allowing HTTPS `wan access to WebGUI is a pretty bad idea ...while using a local SSL cert ....Its better to use either a VPN (That involves some learning curve) or ssh tunnel ....but I don't see ssh tunnel much in the searches, most return the results related to enable HTTPS over wan with a firewall rule, I am confused ...can you guys recommend.

here is the link:
ssh tunnel pfsense

Gertjan · Apr 14, 2021, 6:17 AM

@nprog said in How Access Web GUI over Wan through Strict Access?:

which one is easy

Again, this is 2021.
Setting up a remote OpenVPN access is what people do these days. Remember the terms like "lock down" etc ?
Setting uo a remote access is like buying that car and taking care of the licence to drive it. We all just do it. There is only THE way, dono of there are hard ways, or easy ways.

Go here : Youtube : Netgate : all the videos
and locate the two special OpenVPN video's, the basic one, and the advanced one.
Take also a look at the OpenVPN Export video.
There are many more pfSense OpenVPN video's on the net (thousands ?).

Now, just do it.

Remember : you control both sides : pfSense and your PC/MAC/phone so you have full control.
I'll call it easy ;)

Dmc · Jan 29, 2025, 8:12 AM

@Gertjan On a separate note

Thank you for sharing the screenshot. I had been pulling my hair for the past few days trying to figure out why I could not access my WAN GUI from a external network.

I had followed the steps and setup the rule. But your screenshot showed me that I also needed to specify the port within the rule to allow access rather than a choosing HTTP or HTTPS as the destination port

FYI for anyone reading this, you need to pick Port Range as "other" and insert the Port you chose for your GUI which was set in System>Advanced> TCP Port

I'm enjoying learning about all this all thanks to you @Gertjan. On behalf of all the newbies and rookies, thank you for all your contributions