access GUI from unused port?
-
Hello,
Can you access the GUI from an unused port?
If so, how would you do this?
Thanks!
-
@buggz
What do you mean by "unused port" exactly?
-
Hello,
I recently changed my network to all 2.5G
On my pfsense box, I have installed a QNAP QXG-2G2T-I225 Dual Port 2.5GbE 4-Speed Network Card.
2.5G WAN, 2.5G LAN
Everything has been working great, TP-Link TL-SG108-M2, 8 Port Multi-Gigabit Unmanaged Network Switch.
I have on my pfsense box the unused built-in NIC.
I have successfully used it in the past as my WAN device.
Right now, it is idle, not even defined.
I would like to use this as a separate subnet LAN for GUI access.
Hah, I think I just answered my own question.
Let me try this...
-
@buggz
Basically you can do this, but it makes no sense.
You just have to ensure that a rule on the incoming interface is passing the traffic for accessing the webGUI.
And pfSense has to be the default gateway or you even need a route on the accessing device, so that the packets are directed to pfSense.
Say the unused interface is WAN1 and you want to access the GUI from LAN, you have to add the proper rule on LAN.
However, you can also assign the additional IP to the LAN interface directly as a virtual IP alias and use it to access the GUI.
-
@viragomann
Thanks for your reply!
The details remain a bit over my understanding right now, but I did get something to work.
Though, I noticed a WHOLE bunch of outside IPs trying to connect, gah!
They were all denied, though. I disabled the port, not feeling too comfortable...
-
@buggz said in access GUI from unused port?:
Can you access the GUI from an unused port?
First, assign the unused port:
Go to System > Assign interfaces:
Click on Add.
Now Click on the newly created OPT4.
Give it a name, like LAN4 - select "Static IPv4" and further below give it a network, like
192.168.4.1
and change /32 to /24
Don't set/touch the gateway!
Then Save and Apply.
Next: go to the Services > DHCP Server > LAN page and select your newly created "LAN4" instance.
Set up a DHCP pool, like 192.168.4.10 to 192.168.4.100
Save and Apply.
Last: add a firewall rule on this new LAN4 interface. By default, there will be no rules whatsoever, so it will block (nearly) all traffic.
Add generic pass rule :
Where you change "LAN subnets" for "LAN4 subnets".
Save and Apply.
Get a device, hook it up to your port LAN4, and enjoy.
See also : Interface Configuration
@buggz said in access GUI from unused port?:
Though, noticed a WHOLE bunch of outside IPs trying to connect, gah!
Go to Status > System Logs > Settings and remove the checks from :
Save.
This is like removing the power from your front door doorbell.
Right now, a couple of zillion are in front of your door, and there will always be someone who wants to press the ring button. Just get used to it that these guys always exist, just shut down the doorbell. Don't worry, you can control who enters with NAT rules (if needed).
-
Thank you for this!
I did perform this almost exactly by poking around.
I guess I was afraid of all the denied flood of external IPs.
I do remember that I did say to log.
I will look into this more.
-
@buggz said in access GUI from unused port?:
I guess I was afraid of all the denied flood
I know.
You have to learn not to look over the wall.
-
@Gertjan said in access GUI from unused port?:
I guess I was afraid of all the denied flood
I know.
You have to learn not to look over the wall.
If that unused port is a port used internally for you to connect to, there simply shouldn't be other traffic that is logged, otherwise something is very fishy.
I don't understand why there should be external traffic on an unused port (until now) when you set up a private IP space on it. That sounds like you push public traffic there via your switch or something, and that's definitely wrong and nothing to be ignored!
-
I haven't used the link since the test.
I found my client VPN did not allow access to the network devices' GUIs.
If I have the VPN OFF, I can access all network devices from the clients.
- ISP router - 2.5GB LAN | 2.5GB WAN - pfsense - 2.5GB LAN - 192.168.2.2 | 2.5GB WAN - 192.168.2.4 - OpenWRT - 2.5GB LAN1 - 192.168.4.1 | - 2.5GB switch - | - 2.5GB clients -