    If someone accesses the PFSense admin screen, can I put in an attack tool?

General pfSense Questions
16 Posts 4 Posters 1.1k Views
Yet_learningPFSense

If PFSense had only two ports, WAN and LAN, and even one of the PCs connected to the hub from the LAN were infected, it could be logged in to with the admin password by some method. If this happened, it would be possible to continuously attack other PCs as well. Is it possible for PFSense itself to have attack tools installed so that it can continuously attack other PCs? I have recently been concerned about this and am considering purchasing a Netgate appliance with WAN/LAN/OPT and creating a system that only allows login to the admin screen from OPT (for admin login).

johnpoz LAYER 8 Global Moderator @Yet_learningPFSense

@Yet_learningPFSense you don't really need a Netgate appliance to have more than 2 interfaces. Does your current hardware not have a way to add another interface, be it a free slot for a NIC, or say replacing a NIC with a dual-port or 4-port NIC?

You could also create more interfaces via just VLANs; you would want say a smart switch that can do VLANs if your current hardware cannot add more physical ports.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

NollipfSense @Yet_learningPFSense

          @Yet_learningPFSense said in If someone accesses the PFSense admin screen, can I put in an attack tool?:

          PFSense itself to install attack tools so that it can continuously attack other PCs?

          The real question is why are you thinking this way and what experience have you had that led to this thinking?

          pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
          pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

Yet_learningPFSense @johnpoz

@johnpoz Thank you. My current SG-1100 has WAN/LAN/OPT, but I can't afford the funds to build another new homebrew small PC, and it is difficult. If possible, would it be possible to set up 192.168.1.1/24 and 192.168.10.1/24 for LAN and OPT so that the admin screen can only be accessed from the OPT side? When I had previously asked the question elsewhere, I had received an answer that I could set the FW to block access from LAN to 192.168.1.1/24, but allow OPT to 192.168.1.1, but I am searching for how to set it up in pfSense.

Yet_learningPFSense @NollipfSense

@NollipfSense Because I became a target for crackers. It was the beginning of their interest in me.

johnpoz LAYER 8 Global Moderator @Yet_learningPFSense

@Yet_learningPFSense you can block/allow access to the pfSense GUI on any interface. By default sure the LAN has an anti-lockout rule, but that can be disabled if desired. Just be careful you don't lock yourself out while you're setting up your new rules.

Keep in mind the SG-1100 has a switch, so it's a bit more difficult to break the OPT1 interface off to its own network.

                https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/switch-overview.html

                But I think by default on the sg1100 the opt1 is already on its own network? But I am not sure on that.. Check out the link to get started in configuring the opt1 interface for your other network.

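As an added illustration (not code from this thread, from Netgate, or pfSense-generated output), here is what the rule set the two posts above describe looks like when written in pf syntax: the default anti-lockout rule left in place as the weak state, and beside it the hardened rules that allow the management ports only from OPT and explicitly deny them from LAN. The interface names lan0/opt0, the addresses 192.168.1.1 and 192.168.10.1, and the port list are assumptions taken from the thread; on a real pfSense box you create the equivalent rules in the GUI under Firewall > Rules rather than editing pf.conf.

```pf
# Illustrative pf ruleset (assumed names and addresses, see lead-in).
lan_if     = "lan0"
opt_if     = "opt0"
lan_gw     = "192.168.1.1"       # firewall address on LAN
opt_gw     = "192.168.10.1"      # firewall address on OPT
mgmt_ports = "{ 443, 22 }"       # WebGUI (HTTPS) and SSH, if SSH is enabled

# --- Weak state: the LAN anti-lockout rule is still active ---------------
# pfSense places this rule ahead of every user rule, so a later "block" on
# LAN never sees GUI traffic; any LAN host that has the admin password can
# still reach the management interface. Disable it in the GUI under
# System > Advanced > Admin Access before relying on the rules below.
#   pass in quick on $lan_if proto tcp from any to $lan_gw port $mgmt_ports

# --- Hardened state: management reachable from OPT only -----------------
# Hosts on the OPT network may reach the firewall's own management ports.
pass  in quick on $opt_if proto tcp from $opt_if:network to $opt_gw port $mgmt_ports

# LAN hosts are denied to the management ports on every address the
# firewall owns (it listens on all of them), and attempts are logged so
# they show up in the firewall log.
block in quick log on $lan_if proto tcp from any to $lan_gw port $mgmt_ports
block in quick log on $lan_if proto tcp from any to $opt_gw port $mgmt_ports

# Ordinary LAN traffic (Internet and other networks) continues to pass.
pass  in quick on $lan_if from $lan_if:network to any
```

Two points carry over to the GUI. First, rule order matters: because each rule is `quick` (which is how pfSense generates its rules), the block rules must sit above the general "LAN to any" allow rule, otherwise the allow matches first. Second, instead of listing each firewall address by hand, pfSense offers the destination "This Firewall (self)", which covers every address the box holds, including the WAN one; using it avoids leaving a management port reachable through an address you forgot. Following johnpoz's caveat, add the OPT allow rule and confirm you can log in from an OPT host before disabling the anti-lockout rule.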
Yet_learningPFSense @johnpoz

@johnpoz Thanks for continuing. I really don't understand how VLANs work, but reading the page you presented, it says that VLANs can allow WAN/LAN/OPT to act as separate interfaces (although they are connected to the same switch). If that is the case, after setting up the VLAN configuration to handle each port separately, should I configure it so that only OPT VLAN-tagged packets are routed to 192.168.1.1, or should I set up something like VLAN_LAN (192.168.1.1/24) and VLAN_OPT (192.168.10.1/24)? I only use port-based VLANs, so I am almost clueless about VLANs. Can you please give me just a rough direction?

johnpoz LAYER 8 Global Moderator @Yet_learningPFSense

@Yet_learningPFSense this switch you have, does it support VLANs? This would be step one.

If your switch does not support VLANs, then you would need another switch for the other network you want to run on this OPT1 interface.

                    What is the make and model number of your switch?

Yet_learningPFSense @johnpoz

@johnpoz Ah! I thought the SG-1100 supports 802.1q VLANs and can be used by itself. I'm currently not familiar with VLANs, but I'm using a D-Link DGS-1100-05/B1 switch. It supports other VLANs besides port-based VLANs. I just can't imagine combining this with the SG-1100 to create the desired configuration...

johnpoz LAYER 8 Global Moderator @Yet_learningPFSense

@Yet_learningPFSense the SG-1100 does support VLANs, and so does the DGS-1100, so you would have to set them up.

If you do not understand how VLANs work, then yeah, it's going to be a bit of a challenge. You could set up the port on the SG-1100 to be untagged, and then put the port it connects to into whatever VLAN you want on your switch... Or you could go with tags.. Which way you go would be up to you.

edit.. Since you are limited to ports on this 5-port switch.. Depending on how many endpoint clients you have connecting to this 5-port switch, you might be better off just tagging your new network on the SG-1100 on whatever port you have connected to the DGS, so you are only using 1 port on the switch, leaving you 4 for other devices.

Yet_learningPFSense @johnpoz

                          @johnpoz Thanks, I guess I need to learn a little about VLANs. If I start a topic here again to ask about it, I'll try to learn some of it first.

stephenw10 Netgate Administrator

                            The 1100 switch is configured to separate the ports by default. If you're not using the OPT port already you certainly could configure it as the only interface/subnet allowing access to the management interface.

Yet_learningPFSense @stephenw10

                              @stephenw10 Really? Thank you, I will look into the method along with learning about VLANs.

johnpoz LAYER 8 Global Moderator @stephenw10

@stephenw10 yeah, thanks for the confirmation. I had thought that out of the box the SG-1100 OPT was on its own and not part of the LAN network.

So @Yet_learningPFSense you just need to configure your switch to be a different VLAN that you plug into the OPT1 interface. That is, if you have enough ports to use on the DGS.

stephenw10 Netgate Administrator

                                  Or just use the OPT port directly as the only mgmt port.

johnpoz LAYER 8 Global Moderator @stephenw10

@stephenw10 yup, that is a very good, viable option.

Or use that OPT1 for your normal network, because the "LAN" has the anti-lockout rule on it.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.