Accessing FW Internally using the WAN IP
-
I don't know if this is a DNS or firewall misconfiguration or even standard behavior. I followed the documentation for Strict Management and removed the Anti-Lockout rule. The ManagementAccess alias only has three specific host IPs allowed. I have tested this internally and externally using a VPN connection and it works. Internally, hosts not defined in the alias cannot access the Firewall GUI using the FQDN of the firewall, and get a DNS_PROBE_FINISHED_BAD_CONFIG. Externally, using the FQDN of the firewall, I cannot access the FW GUI, as expected, and get a DNS_PROBE_FINISHED_BAD_CONFIG. Using it without a VPN connection, I get a connection timed out. So I'm getting the results I want.
But what I don't understand is why, if I'm on my internal network(s) on a host that is not defined in the management access alias, I can access the firewall using my public IP address. If I put HTTPS://<public WAN IP>, I can get to the Web GUI. Of course, I have an invalid certificate, but that's expected. NAT Reflection is disabled because I'm not doing any port forwarding. There are no rules on the WAN passing traffic in, just the standard block RFC1918 and Bogon Networks.
If I open up a VPN connection on the host and try to access it with the public IP, I get a connection closed, not a connection timed out.
So it's doing everything expected, but I just don't understand why internally I can use the public IP to reach the Firewall on a host that is not allowed to.
-
This post is deleted!
-
@cybertechguy said in Accessing FW Internally using the WAN IP:
I can use the public IP to reach the Firewall on a host that is not allowed to
And where did you block access to the WAN IP? The default any-any rule that is on LAN: is not your public IP part of "any"?
You should use the "This Firewall" built-in alias to block access to any and all pfSense IPs after you have allowed what you want to all, say ICMP and/or DNS to your pfSense IP on the LAN. Then, before your any-any rule, block access to "This Firewall".
It's right there in the doc you linked to.

This directly blocks access just to the management IPs, but would allow for access to, say, DNS or ICMP via the any-any rule.
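To make the rule-ordering point above concrete, here is an added example (not code from the thread, pfSense, or any poster) that models pfSense-style interface rules as a first-match list with an implicit default deny, then evaluates a few constructed packets against two rule sets: the "allow management hosts, then any-any" ordering the question describes, and the ordering suggested in this reply ("allow what you need to This Firewall, block This Firewall, then any-any"). All addresses, the `This Firewall` membership and the `ManagementAccess` hosts are constructed sample values; the model ignores state tracking, floating rules and non-quick rules, which is enough to show why the WAN IP is reachable through an any-any rule.

```python
"""Added example: first-match evaluation of simplified pfSense-style LAN rules.
Shows why 'pass any -> any' also matches the firewall's own WAN IP, and how a
'block any -> This Firewall' rule placed before it closes that gap.
All addresses below are constructed sample values, not a real deployment."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed aliases. "This Firewall" expands to every address the firewall
# holds, including its WAN address, which is the point of the discussion.
ALIASES = {
    "This Firewall": {"192.168.1.1", "10.10.20.1", "203.0.113.10"},  # LAN, VLAN, WAN
    "ManagementAccess": {"192.168.1.50", "192.168.1.51", "10.10.20.7"},
}


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    src: str                    # alias name, "any", or CIDR
    dst: str                    # alias name, "any", or CIDR
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def _addr_matches(spec: str, addr: str) -> bool:
    """Match an address against 'any', a named alias, or a CIDR prefix."""
    if spec == "any":
        return True
    if spec in ALIASES:
        return addr in ALIASES[spec]
    return ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (
        _addr_matches(rule.src, pkt.src)
        and _addr_matches(rule.dst, pkt.dst)
        and (rule.proto is None or rule.proto == pkt.proto)
        and (rule.dport is None or rule.dport == pkt.dport)
    )


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[Rule]]:
    """First matching rule decides (pfSense interface rules are 'quick' by
    default); no match falls through to the implicit default block."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule
    return "block", None


# Ordering as described in the question: management hosts first, then any-any.
# The any-any rule still matches a destination of the WAN IP.
AS_POSTED = [
    Rule("pass", "ManagementAccess", "This Firewall", "tcp", 443),
    Rule("pass", "any", "any"),
]

# Ordering suggested in the reply: permit the services non-management hosts
# legitimately need from the firewall, then block everything else aimed at
# the firewall itself, then let the rest of the traffic out.
HARDENED = [
    Rule("pass", "ManagementAccess", "This Firewall", "tcp", 443),
    Rule("pass", "any", "This Firewall", "udp", 53),   # DNS to the firewall
    Rule("block", "any", "This Firewall"),
    Rule("pass", "any", "any"),
]

# Constructed packets: a non-management LAN host hitting the GUI via the WAN IP,
# the same host doing DNS to the LAN IP, an allowed host, and plain internet traffic.
SAMPLES = [
    Packet("192.168.1.99", "203.0.113.10", "tcp", 443),
    Packet("192.168.1.99", "192.168.1.1", "udp", 53),
    Packet("192.168.1.50", "192.168.1.1", "tcp", 443),
    Packet("192.168.1.99", "198.51.100.5", "tcp", 443),
]


def decisions(rules: List[Rule]) -> List[str]:
    """Return the verdict for each sample packet, in SAMPLES order."""
    return [evaluate(rules, p)[0] for p in SAMPLES]


if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("hardened", HARDENED)):
        print(name)
        for pkt in SAMPLES:
            verdict, rule = evaluate(rules, pkt)
            print(f"  {pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}: {verdict} via {rule}")
```

Running it shows the first sample (a non-management host to the WAN IP on 443) passing under the "as posted" ordering via the any-any rule, and being blocked under the hardened ordering, while DNS to the firewall, the allowed management host, and ordinary outbound traffic still pass. The ordering matters because only the first match counts.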
-
Traffic from internal networks only needs to pass the internal interface rules to hit the webgui on the WAN IP, or any IP on the firewall.
What are your LAN rules?
Steve
-
@johnpoz I am using This Firewall at the top of my rule list. It's allowing specific IPs to This Firewall, and below that rule its source is any to This Firewall. I'd upload a picture but it won't let me.
-
@stephenw10 Truthfully, complex rules. There are multiple VLANs, but each one, including the default LAN, is allowing traffic for things I need. All other access is being blocked on a per-interface basis. I am not using the default IPv4+IPv6 ANY/ANY rule. Plus IPv6 is disabled.
-
@cybertechguy Okay, I found the issue, it was a firewall misconfiguration.