Netgate Discussion Forum

    Block webgui from public ip

      Andreas3

      Hi

      I have one WAN net, one LAN net and three VLAN nets on my pfSense, version 2.6.0.

      I have PIMD, UPnP and NAT-PMP enabled.

      Somehow, my firewall is exposed via my public IP.

      In system/advanced/admin access:
      Protocol HTTPS is marked

      I have tried to change the TCP port to 80, 443 and xxxx, but I can still get access to my firewall via my public IP. I have also tried to block ports 80, 443 and xxxx, but no luck.

      I have tried a port forward via Firewall/NAT/Port forward for ports 80, 443 and xx (depending on which port I have set in admin access/TCP) to my local web server 10.x.x.x:80, but I can't reach my web server. I just get access to my firewall.

      What can I do so that my firewall is not exposed via my public IP?

      Thank you!

        johnpoz LAYER 8 Global Moderator @Andreas3

        @andreas3 Are you accessing your WAN IP from the LAN side? Or a VLAN? Those would normally fall under the typical internet rule of any any.

        From the "wan" side or internet - unless you specifically create a rule to allow the access those would be blocked by the default deny rule.

        LAN would have an anti-lockout rule that would always allow access to the GUI on any IP of pfSense. If you want to block access from LAN you would need to disable that rule.

        If you want to block access to your WAN IP from a LAN-side network, you would have to create rules to block that before a rule that would allow it, like an any any internet rule.

        "this firewall" is a good alias to use that would include your wan IP, or you would use the wan address as destination in your rule.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          akuma1x @Andreas3

          @andreas3 On a default install of pfsense, the webgui is NOT open and exposed to the internet or your public IP address. It is, however, open and accessible on your default LAN network.

          If you are connected to your LAN interface, it is technically possible to type in your public IP address that your ISP gave you, and you can get to the webgui. This is because your "any to any" rule on your LAN network also includes your WAN address, and in return, the webgui access. This is NOT the same as a computer, out on the big old bad internet, typing in your public IP address and getting to your webgui. You can see that this doesn't work if you instead test from a computer or phone or tablet that is off of your internal LAN network. Use your phone's cell network to do the test.

          @johnpoz edit - missed your post and you beat me by "that" much... https://www.youtube.com/watch?v=oPwrodxghrw

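The rule-order point made in the two replies above, as an added example that is not part of the original posts and is not pfSense code: a toy first-match evaluator showing why a LAN client reaches the webGUI on the WAN address while an internet host does not, and why a block rule only takes effect when it sits above the any-any rule. The addresses, port 443 and rule labels are constructed, and the anti-lockout rule is assumed to be disabled.

```python
# Added illustration: a toy first-match rule evaluator, not pfSense's own logic.
from dataclasses import dataclass

# Constructed sample addresses (documentation / private ranges).
WAN_ADDR, LAN_ADDR = "203.0.113.10", "192.168.1.1"
THIS_FIREWALL = {WAN_ADDR, LAN_ADDR}   # models the "This Firewall" alias
GUI_PORT = 443                         # assumed webGUI port

@dataclass
class Rule:
    action: str            # "pass" or "block"
    dst: object            # "any" or a set of destination addresses
    port: object = "any"   # "any" or a single TCP port
    label: str = ""

    def matches(self, dst_ip, dst_port):
        return (self.dst == "any" or dst_ip in self.dst) and \
               (self.port == "any" or dst_port == self.port)

def evaluate(rules, dst_ip, dst_port):
    """Rules are checked on the interface the traffic enters; first match wins."""
    for rule in rules:
        if rule.matches(dst_ip, dst_port):
            return rule.action, rule.label
    return "block", "default deny"     # nothing matched

ANY_ANY = Rule("pass", "any", label="LAN any-any")
BLOCK_GUI = Rule("block", THIS_FIREWALL, GUI_PORT, "block GUI on This Firewall")

wan_rules = []                          # default install: no pass rule on WAN
lan_default = [ANY_ANY]                 # the situation in the first post
lan_block_first = [BLOCK_GUI, ANY_ANY]  # block placed before the allow rule
lan_block_last = [ANY_ANY, BLOCK_GUI]   # wrong order: block is never reached

if __name__ == "__main__":
    cases = [
        ("internet host -> WAN address", wan_rules),
        ("LAN client -> WAN address, default rules", lan_default),
        ("LAN client -> WAN address, block above any-any", lan_block_first),
        ("LAN client -> WAN address, block below any-any", lan_block_last),
    ]
    for name, rules in cases:
        action, label = evaluate(rules, WAN_ADDR, GUI_PORT)
        print(f"{name}: {action} ({label})")
```
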
            Andreas3

            My mistake.

            Yes. I had my phone on the same LAN.

            No it is disabled

            Thank you !

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.