If someone accesses the pfSense admin screen, can I put in an attack tool?
-
If pfSense had only two ports, WAN and LAN, and even one of the PCs connected to the hub on the LAN were infected, it would be logged in to using the admin password by some method, and if this happened, it would be possible to continuously attack other PCs as well. Is it possible for attack tools to be installed on pfSense itself so that it can continuously attack other PCs? I have recently been concerned about this and am considering purchasing a Netgate appliance with WAN/LAN/OPT and creating a system that only allows login to the admin screen from OPT (for admin login).
-
@Yet_learningPFSense you don't really need a Netgate appliance to have more than 2 interfaces. Does your current hardware not have a way to add another interface, be it a free slot for a NIC, or say replacing a NIC with a dual-port or 4-port NIC?
You could also create more interfaces via just VLANs; you would just want, say, a smart switch that can do VLANs if your current hardware cannot add more physical ports.
-
@Yet_learningPFSense said in If someone accesses the pfSense admin screen, can I put in an attack tool?:
pfSense itself to install attack tools so that it can continuously attack other PCs?
The real question is why are you thinking this way and what experience have you had that led to this thinking?
-
@johnpoz Thank you. My current SG-1100 has WAN/LAN/OPT, but I can't afford the funds to build another new small homebrew PC, and it is difficult. If possible, could I set up 192.168.1.1/24 and 192.168.10.1/24 for LAN and OPT so that the admin screen can only be accessed from the OPT side? When I had previously asked the question elsewhere, I had received an answer that I could set the FW to block access from LAN to 192.168.1.1/24, but allow OPT to 192.168.1.1, but I am searching for how to set that up in pfSense.
-
@NollipfSense Because I became a target for crackers. That was the beginning of their interest in me.
-
@Yet_learningPFSense you can block/allow access to the pfSense GUI on any interface. By default sure the LAN has an anti-lockout rule, but that can be disabled if desired. Just be careful you don't lock yourself out while you're setting up your new rules.
Keep in mind the sg1100 has a switch, so it's a bit more difficult to break the opt1 interface off to its own network.
https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/switch-overview.html
But I think by default on the sg1100 the opt1 is already on its own network? But I am not sure about that.. Check out the link to get started in configuring the opt1 interface for your other network.
-
@johnpoz Thanks for continuing. I really don't understand how VLANs work, but reading the page you presented, it says that VLANs can allow WAN/LAN/OPT to act as separate interfaces (although they are connected to the same switch). If that is the case, after setting up the VLAN configuration to handle each port separately, should I configure it so that only OPT VLAN-tagged packets are routed to 192.168.1.1, or should I set up something like VLAN_LAN (192.168.1.1/24) and VLAN_OPT (192.168.10.1/24)? I only use port-based VLANs, so I am almost clueless about VLANs. Can you please give me just a rough direction?
-
@Yet_learningPFSense this switch you have - does it support VLANs? This would be step one.
If your switch does not support VLANs - then you would need another switch for the other network you want to run on this opt1 interface.
What is the make and model number of your switch?
-
@johnpoz Ah! I thought the SG-1100 supported 802.1Q VLANs and could be used by itself. I'm currently not familiar with VLANs, but I'm using a D-Link DGS-1100-05/B1 switch. It supports port-based VLANs and other VLAN types. I just can't imagine combining this with the SG-1100 to create the desired configuration...
-
@Yet_learningPFSense the sg1100 does support VLANs, and so does the dgs-1100, so you would have to set them up.
If you do not understand how VLANs work - then yeah it's going to be a bit of a challenge. You could set up the port on the sg1100 to be untagged, and then put the port it connects to into whatever VLAN you want on your switch... Or you could go with tags.. Which way you go would be up to you.
edit.. Since you are limited to ports on this 5-port switch.. Depending on how many endpoint clients you have connecting to this 5-port switch, you might be better off just tagging your new network on the sg1100 on whatever port you have connected to the dgs, so you are only using 1 port on the switch, leaving you 4 for other devices.
-
@johnpoz Thanks, I guess I need to learn a little about VLANs. If I start a topic here again to ask about it, I'll try to learn some of it first.
-
The 1100 switch is configured to separate the ports by default. If you're not using the OPT port already you certainly could configure it as the only interface/subnet allowing access to the management interface.
-
@stephenw10 Really? Thank you, I will look into the method along with learning about VLANs.
-
@stephenw10 yeah thanks for the confirmation - I had thought that out of the box the sg1100 opt was on its own and not part of the LAN network.
So @Yet_learningPFSense just needs to configure your switch to be a different VLAN that you plug into the opt1 interface. That is if you have enough ports to use on the dgs.
-
Or just use the OPT port directly as the only mgmt port.
-
@stephenw10 yup that is a very good viable option.
Or use that opt1 for your normal network, because the "lan" has the anti-lockout rule on it.