How to block WebGUI access from WAN

OBXJeepGuy · Apr 19, 2022, 9:25 PM

I have searched this, and there's even a topic with the same title (I trunicated it a bit).

The thread I found still doesn't answer the question of how to NOT let the WebGUI show itself when you put your public IP address in a browser. It does this whether I am on my LAN, or anywhere else in the WAN (my office, for example).

It does this by default, which is bothersome to me. I do not want the WebGUI logon page to show if someone puts my IP address in.

Any help would be appreciated!

keyser · Apr 19, 2022, 9:39 PM

@obxjeepguy said in How to block WebGUI access from WAN:

I have searched this, and there's even a topic with the same title (I trunicated it a bit).

The thread I found still doesn't answer the question of how to NOT let the WebGUI show itself when you put your public IP address in a browser. It does this whether I am on my LAN, or anywhere else in the WAN (my office, for example).

It does this by default, which is bothersome to me. I do not want the WebGUI logon page to show if someone puts my IP address in.

Any help would be appreciated!

I do it by creating a floating rule that blocks access to WAN (pfsense WebUI ports) from all other interfaces.

johnpoz · Apr 19, 2022, 9:47 PM

@obxjeepguy said in How to block WebGUI access from WAN:

I do not want the WebGUI logon page to show if someone puts my IP address in.

Well that wouldn't be open on the wan unless you allowed it. The default rules on the wan are DENY.. So coming from your wan or the internet they would not be able to access the web gui, unless you created a rule to allow it.

From the lan side, the default is any any allow. So yes your lan side devices would be able to access the gui using your wan IP.. Just like they are allowed to access the web gui via the lan IP via the antilock out rule.

If you do not want lan side network to access your web gui, then you would have to setup your rules to not allow it

OBXJeepGuy · Apr 22, 2022, 5:45 PM

@johnpoz Okay, I got it. I did indeed create an allow rule in WAN in a panic because when I first set this up, it would not pass any traffic from the LAN to the WAN. I just “suspended” the allow rule, and now the WebGUI cannot be accessed from the WAN. And oddly enough I can also still access “the internet” like I couldn’t at first.

Thanks again!

stephenw10 · Apr 22, 2022, 5:45 PM

@obxjeepguy said in How to block WebGUI access from WAN:

oddly enough I can also still access “the internet” like I couldn’t at first.

That's expected. Rules on WAN only prevent/allow traffic coming into the WAN interface from some external IP. Traffic from an internal subnet like LAN is always allowed out.

Steve

OBXJeepGuy · Apr 22, 2022, 7:29 PM

@stephenw10 Yeah when I first set this thing up, I could get ZERO traffic to pass at all. That’s when I panicked, and made the WAN rule. It was probably coincidence that it started working after that. Now that I think about it, the WAN side probably hadn’t found my public IP yet.