Netgate Discussion Forum

    Architecture for securing home network with exposed web server

    General pfSense Questions - 37 Posts, 3 Posters, 2.3k Views
    forumate @stephenw10

      @stephenw10 thank you, got it. I didn't think about updates, so I will do what you said.

      But someone told me that even with what I did now, it's still not really isolated, because traffic still must go through the home router. So even if the only open port is 80 for the web, and even if my VM is on a different IP range, the initial traffic must still go through the router.

      I am curious now because it does seem true, but I don't have the cyber security knowledge to know what attackers today are capable of.

      What do you think - is there a way a hacker can go through the tunnel (through the open port 80 on the 172.16.20.1/24 IP range), and somehow instead of going straight from the router to the VM, it will stop at the router, and escape to the home network?

      This is a drawing of what I see in my head:

      [image not available in this copy]

      stephenw10 Netgate Administrator

        Unlikely.

        More likely would be they find some exploit with the ISP router and can connect to that directly. From there they could access anything on your network. That would have nothing to do with the port 80 forward though.

        Or they find some exploit in the web server VM and gain access to that. The VM has no outbound access though, so it wouldn't help them much.

        But, yes, it's not real isolation because the traffic to the VM is routed across the LAN. They should really be separated at the edge router/firewall.

        forumate @stephenw10

          @stephenw10 thank you!

          When you said it has nothing to do with port 80, then how? Just because of the tunnel itself?

          stephenw10 Netgate Administrator

            Nope, just because ISP supplied routers regularly see exploits if they are not updated. If you have added a port forward to it, that's a config the vast majority of users likely don't use, so that may potentially expose something there. It's a relatively low risk IMO.

            forumate @stephenw10

              @stephenw10 Oh, so that risk would only happen if I forwarded a port on my ISP router? Because I didn't.

              In order to use my web server I'm using a Cloudflare tunnel, which doesn't require any port forwarding.

              stephenw10 Netgate Administrator

                Some level of increased risk yes.

                How is the tunnel connected? Something is connecting out to Cloudflare, I assume. But not from the VM, since the firewall rules you have prevent that.

                forumate @stephenw10

                  @stephenw10 It really is weird now that you say that.

                  Because the only open port is 80. Could that be done through port 80?

                  Because in Cloudflare I only set the IP of the Ubuntu VM and nothing else, on port 80:

                  172.16.20.100:80

                  Is the Cloudflare tunnel based on WireGuard? If so, could it be that the initial handshake to the Cloudflare tunnel was done before I created the firewall rules, and that was able to do that initial handshake? So if, for example, I now create a new tunnel, I won't be able to get that first handshake?

                  Or, I have something misconfigured :)

                  stephenw10 Netgate Administrator

                    I believe it is based on WireGuard, yes. Where are you running the client?

                    That IP address for the VM is a private address, so Cloudflare would only be able to access it across a tunnel.

                    Where exactly is port 80 open?

                    forumate @stephenw10

                      @stephenw10 It's the rule in the picture in the above comment, where it shows the destination is the OPTX Address and the Port is 80, so I think that's it?

                      I also checked other things like updating the server (sudo apt-get update) and indeed I cannot update. So, if I recall correctly, WireGuard only needs the first handshake with the peer and then it sends keepalive pings all the time.

                      I can do a test and create a new tunnel to see if this is really it.

                      stephenw10 Netgate Administrator

                        That's the anti-lockout rule. It is added by pfSense to allow hosts, on what would normally be the LAN, to always have access to the pfSense webgui.
                        It would not allow the VM to connect to Cloudflare. Nor Cloudflare to connect to the VM.

                        forumate @stephenw10

                          When you say connect to the tunnel, do you mean the peer handshake? For example, if the initial connection was done on port 51820, is this what you mean by not allowing the connection?

                          stephenw10 Netgate Administrator

                            Yes. The rule you have there would block all outbound traffic from the VM to Cloudflare.

                            It's possible it had already connected before you added the rule, in which case the connection would remain until the state is lost, at reboot for example.

                            forumate @stephenw10

                              It's so weird (and annoying). Everything was working, and then I removed the firewall rule, so actually opened everything, and now nothing works: the tunnel stopped working, I can't even ping the WAN anymore, and I can't do sudo apt-get update.

                              How?! I removed the firewall rule, so how did it do the opposite?

                              Last time it happened, I switched from DNS Resolver to DNS Forwarder and it started working. But now the DNS Forwarder is still the one enabled, so now I'm lost as to what happened.

                              Edit: I now created a "pass" rule for Any/Any and I can ping the WAN again. However, DNS still doesn't work.

                              stephenw10 Netgate Administrator

                                Yes you would need a pass rule to allow it.

                                If it's pass all and any protocol, then DNS should work as long as it's configured in the VM correctly.

                                forumate @stephenw10

                                  @stephenw10 said in Architecture for securing home network with exposed web server:

                                      Yes you would need a pass rule to allow it.

                                      If it's pass all and any protocol then DNS should work as long as it's configured in the VM correctly.

                                  Thank you.

                                  I am curious, though, regarding the previous discussion: the case where I closed all ports earlier (after the handshake), and then only port 80 was open.

                                  So surfing the website on my domain was possible according to my theory. But the HTTP request needs a response, and the response needs to go out from the server to the world via port 80. But the anti-lockout rule is only from source (*) to destination OPTX address, not the opposite. So how did the response go back out to whoever went to the domain? Or does it all happen in the same connection: request in on port 80, response goes back in this connection?

                                  stephenw10 Netgate Administrator

                                    Nope, that rule would not have allowed an outbound connection. But none of those prevent inbound connections, and once the state is open the replies can use that.

                                    However, that would require something allowing an inbound connection to reach the pfSense VM. So a port forward on the ISP router and another port forward on the pfSense VM to reach the server.

                                    You don't have those as far as I know so if you were able to browse the site hosted on the server coming from some external IP address then the connection must have been coming over the tunnel to Cloudflare. That tunnel must have been created outbound from the server when you had a rule to allow it at some point. I would bet that if you had rebooted the server or pfSense at that point the connection would have failed.

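The behaviour stephenw10 describes across the last few replies (a pass rule creates a state, replies ride that state with no rule of their own, the anti-lockout rule only reaches the pfSense interface address, and an existing state outlives the rule that created it until states are reset) can be shown in a small stateful-filter model. The following is an added example written for this thread, not pfSense or pf code: it is a simplified simulation of pf's first-match, state-creating evaluation on one interface. The addresses 172.16.20.0/24, 172.16.20.1 (the OPTX address) and 172.16.20.100 (the VM) are from the thread; the Cloudflare edge (198.51.100.10) and apt mirror (203.0.113.20) addresses are constructed stand-ins from documentation ranges, and the tunnel flow is modelled as outbound UDP to port 7844, the port cloudflared dials out on (QUIC by default, HTTP/2 as fallback). The anti-lockout rule is modelled as pass to the interface address on ports 80 and 443.

```python
"""Simplified stateful firewall model (constructed illustration, not pf)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

ANY = "*"


def _in_net(ip: str, spec: str) -> bool:
    """True if spec is '*' or ip lies in the CIDR/host spec."""
    return spec == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "pass" or "block"
    proto: str = ANY
    src: str = ANY                   # CIDR, host/32 or "*"
    dst: str = ANY
    dports: Tuple[int, ...] = ()     # empty tuple means any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.proto == ANY or self.proto == p.proto)
                and _in_net(p.src, self.src)
                and _in_net(p.dst, self.dst)
                and (not self.dports or p.dport in self.dports))


class StatefulFirewall:
    """First matching rule wins; a pass creates a state; states are checked first."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.states: Set[Tuple] = set()

    def process(self, p: Packet) -> Tuple[str, str]:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        # Established flows (either direction) bypass the rule set entirely.
        if key in self.states or rev in self.states:
            return "pass", "existing state"
        for r in self.rules:
            if r.matches(p):
                if r.action == "pass":
                    self.states.add(key)
                return r.action, r.name
        return "block", "default deny"

    def reset_states(self) -> None:
        """What a reboot or Diagnostics > States > Reset States does to the table."""
        self.states.clear()


OPT_NET = "172.16.20.0/24"          # VM segment (from the thread)
OPT_ADDR = "172.16.20.1/32"         # pfSense OPTX address (from the thread)
VM = "172.16.20.100"                # Ubuntu VM running cloudflared (from the thread)
EDGE = "198.51.100.10"              # constructed stand-in for a Cloudflare edge
MIRROR = "203.0.113.20"             # constructed stand-in for an apt mirror

ANTI_LOCKOUT = Rule("anti-lockout", "pass", "tcp", ANY, OPT_ADDR, (80, 443))
PASS_ALL = Rule("pass any/any", "pass")
BLOCK_ALL = Rule("block all", "block")


def run_scenario() -> Dict[str, Tuple[str, str]]:
    """Replay the thread: tunnel opened under pass-all, rule swapped to block, then reboot."""
    out: Dict[str, Tuple[str, str]] = {}
    fw = StatefulFirewall([ANTI_LOCKOUT, PASS_ALL])
    tunnel = Packet("udp", VM, 40001, EDGE, 7844)
    out["tunnel_opened_under_pass_all"] = fw.process(tunnel)

    # Admin replaces the pass rule with a block rule; the state table is untouched.
    fw.rules = [ANTI_LOCKOUT, BLOCK_ALL]
    out["tunnel_keepalive_after_block"] = fw.process(tunnel)
    out["edge_reply_after_block"] = fw.process(Packet("udp", EDGE, 7844, VM, 40001))
    out["apt_update_after_block"] = fw.process(Packet("tcp", VM, 40002, MIRROR, 80))
    out["vm_to_pfsense_webgui"] = fw.process(Packet("tcp", VM, 40003, "172.16.20.1", 80))
    out["vm_to_edge_port80"] = fw.process(Packet("tcp", VM, 40004, EDGE, 80))

    # Reboot (or state reset): the old tunnel state is gone and the block rule now applies.
    fw.reset_states()
    out["tunnel_after_state_reset"] = fw.process(tunnel)
    return out


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:32s} -> {verdict[0]:5s} ({verdict[1]})")
```

The HTTP requests and responses for the published site never appear as separate flows at the firewall: they travel inside the single outbound tunnel flow from the VM, so they are passed by that one state, which is why the anti-lockout rule (a pass only to the OPTX address on the webGUI ports) plays no part. On real pfSense the equivalent of `reset_states()` is Diagnostics > States > Reset States, or `pfctl -F states` from a shell.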
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.