Netgate Discussion Forum

    WebGUI user login restricted by IP

    • daxis

      Hi,

      Searching for an answer I've found this topic:
      Restrict weGUI login user + ip

      Basically I have the same initial question.
      How to restrict webGUI access to a user based on source IP?

      I've installed FreeRadius for OTP usage, which works fine.
      But I want to have a restricted non-OTP backdoor (local database user), just in case FreeRadius is having issues.
      This user should only be able to login from LAN and not WAN.

      • Gertjan @daxis

        @daxis said in WebGUI user login restricted by IP:

        This user should only be able to login from LAN and not WAN.

        That's already the default case: nothing can enter via WAN ... Logging into the GUI over WAN means you've already added a huge security risk.

        @daxis said in WebGUI user login restricted by IP:

        How to restrict webGUI access to a user based on source IP?

        Add a firewall rule on LAN that allows access to the LAN IP (pfSense) with a known source IP, destination http/https.
        Next rule: for any source IP, destination http/https, block the rest.

        pfSense is not a server or something like that. It doesn't need multiple users.
        You can create other, non-admin users that have specific reduced rights. Just be careful with what they can access, as most pages need 'admin' rights to access 'admin only' editable or viewable resources.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit: and where are the logs??

        • daxis @Gertjan

          You're missing the whole point behind the question.

          @Gertjan said in WebGUI user login restricted by IP:

          That's already the default case: nothing can enter via WAN ... Logging into the GUI over WAN means you've already added a huge security risk.

          The machine is in another location and I still need to be able to access it when LAN is inaccessible.
          So yes I opened GUI over WAN and yes of course I know it's a huge risk, if no extra measures are taken that is.
          That's exactly why FreeRadius and with that OTP is installed and implemented.

          But there's still an admin user without OTP, just in case FreeRadius should be having issues and therefore an OTP-enabled admin can't log in.
          So a user for backdoor purposes only, which I want to restrict to access through LAN only, as the backdoor.

          If there's no way to add an IP allow/deny list of some sort to an user it really should be added in a future version! Shouldn't have to be that hard to implement.
          Many other brands do have options like this.

          • patient0 @daxis
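          As an added illustration (not pfSense code, and not something pfSense currently offers), here is a small model of the per-user source-address restriction asked for above: local-database accounts are checked against an allow list of management networks, while FreeRADIUS/OTP accounts stay reachable from anywhere. The user names, networks, backend labels and sample events are constructed assumptions.

```python
import ipaddress

# Constructed example policy (not a pfSense feature): management networks
# from which the emergency, non-OTP "admin" account may log in.
MGMT_NETWORKS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "fd00:1::/64")]

# Per-user source policy for accounts authenticated against the local user
# database. Accounts missing from this table are denied (default deny).
LOCAL_USER_SOURCE_POLICY = {
    "admin": MGMT_NETWORKS,    # backdoor account: LAN only
}


def login_allowed(username, source_ip, auth_backend, policy=LOCAL_USER_SOURCE_POLICY):
    """Decide whether a GUI login attempt passes the source-address policy.

    auth_backend is "radius-otp" for FreeRADIUS/OTP users and "local" for
    local-database users (constructed labels). Returns (allowed, reason).
    """
    try:
        src = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, "unparseable source address"
    if auth_backend == "radius-otp":
        # OTP-backed accounts are the ones meant to be usable from the road.
        return True, "OTP-backed account, no source restriction"
    nets = policy.get(username)
    if nets is None:
        return False, "local account without a source policy (default deny)"
    # ip_network.__contains__ returns False for a mismatched IP version.
    if any(src in net for net in nets):
        return True, "local account used from an allowed network"
    return False, "local account used from outside its allowed networks"


def denied_attempts(events, policy=LOCAL_USER_SOURCE_POLICY):
    """Filter constructed login events (user, src, backend) down to the denied
    ones, i.e. the attempts a defender would want alerted on."""
    return [(u, s, login_allowed(u, s, b, policy)[1]) for u, s, b in events
            if not login_allowed(u, s, b, policy)[0]]


# Constructed sample events, as they might be parsed from the GUI auth log.
SAMPLE_EVENTS = [
    ("admin", "192.168.1.50", "local"),
    ("admin", "203.0.113.7", "local"),
    ("ops-otp", "203.0.113.7", "radius-otp"),
    ("admin", "fd00:1::10", "local"),
]
```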

            @daxis I think the pfSense docu could be helpful in your case: https://docs.netgate.com/pfsense/en/latest/recipes/remote-firewall-administration.html

            I'd follow the 'Strict Management' paragraph, but instead of LAN you implement it on the WAN interface. Use a network alias for the allowed IPs/Networks.

            And consider changing the port number for the GUI.

            • daxis @patient0

              @patient0 said in WebGUI user login restricted by IP:

              @daxis
              I'd follow the 'Strict Management' paragraph, but instead of LAN you implement it on the WAN interface. Use a network alias for the allowed IPs/Networks.

              And consider changing the port number for the GUI.

              Surely an IP accesslist can be set on the GUI WAN rule (and of course the GUI doesn't run on the default port).
              But that's exactly the world upside down.

              Most of the time a VPN will be used, although that's not always a possibility.
              I do need to be able to access the GUI in any circumstance.

              So what if you're away on the other side of the world, don't have VPN available and only have basic internet there?
              You don't know that internet connection's IP address in advance to put in your accesslist.
              How do you plan on managing or troubleshooting your machine then?

              That's why there's no accesslist now.
              And all accounts (not even a handful of only admin accounts) have OTP enabled.
              Except for the one that's intended for backdoor purposes only. And therefore needs to be restricted.

              • johnpoz (LAYER 8 Global Moderator) @daxis

                @daxis said in WebGUI user login restricted by IP:

                You don't know that internet connection's IP address in advance to put in your accesslist.

                Create a dynamic IP FQDN.. And use that in your list. So you're off and away to some remote part of the world - make sure your device updates its dynamic FQDN with its current IP..

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                • patient0 @daxis

                  @daxis

                  You don't know that internet connection's IP address in advance to put in your accesslist.
                  How do you plan on managing or troubleshooting your machine then?

                  I use a cloud VM as SSH jump host with port forwarding.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.