Netgate Discussion Forum

WebGUI user login restricted by IP

webGUI | 7 Posts | 4 Posters | 340 Views
  daxis (Jun 3, 2024, 8:41 AM)

    Hi,

    Searching for an answer I've found this topic:
    Restrict weGUI login user + ip

    Basically I have the same initial question.
    How to restrict webGUI access to a user based on source IP?

    I've installed FreeRadius for OTP usage, which works fine.
    But I want to have a restricted non-OTP backdoor (local database user), just in case FreeRadius is having issues.
    This user should only be able to login from LAN and not WAN.

    Gertjan @daxis (Jun 3, 2024, 9:12 AM)

      @daxis said in WebGUI user login restricted by IP:

      This user should only be able to login from LAN and not WAN.

      That's already the default case: nothing can enter WAN ... Logging into the GUI over WAN means you've already added a huge security risk.

      @daxis said in WebGUI user login restricted by IP:

      How to restrict webGUI access to a user based on source IP?

      Add a firewall rule on LAN that allows access to the LAN IP (pfSense) with a known source IP, destination http/https.
      Next rule : for any source IP, destination http/https, block the rest.

      pfSense is not a server or something like that. It doesn't need multiple users.
      You can create other, non-admin users that have specific reduced rights. Just be careful with what they can access, as most pages need the 'admin' right to access 'admin only' editable or viewable resources.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit: and where are the logs??

      daxis @Gertjan (Jun 3, 2024, 9:44 AM; last edited 9:49 AM)

        You're missing the whole point behind the question.

        @Gertjan said in WebGUI user login restricted by IP:

        That's already the default case: nothing can enter WAN ... Logging into the GUI over WAN means you've already added a huge security risk.

        The machine is in another location and I still need to be able to access it when LAN is inaccessible.
        So yes, I opened the GUI over WAN, and yes, of course I know it's a huge risk, if no extra measures are taken that is.
        That's exactly why FreeRadius, and with that OTP, is installed and implemented.

        But there's still an admin user without OTP, just in case FreeRadius should be having issues and therefore an OTP-enabled admin can't log in.
        So a user for backdoor purposes only. Which I want to restrict to access through LAN only as the backdoor.

        If there's no way to add an IP allow/deny list of some sort to an user it really should be added in a future version! Shouldn't have to be that hard to implement.
        Many other brands do have options like this.

        patient0 @daxis (Jun 3, 2024, 10:14 AM)

          @daxis I think the pfSense docu could be helpful in your case: https://docs.netgate.com/pfsense/en/latest/recipes/remote-firewall-administration.html

          I'd follow the 'Strict Management' paragraph, but instead of on LAN you implement it on the WAN interface. Use a network alias for the allowed IPs/networks.

          And consider changing the port number for the GUI.

          daxis @patient0 (Jun 3, 2024, 11:12 AM; last edited 11:13 AM)

            @patient0 said in WebGUI user login restricted by IP:

            @daxis
            I'd follow the 'Strict Management' paragraph, but instead of on LAN you implement it on the WAN interface. Use a network alias for the allowed IPs/networks.

            And consider changing the port number for the GUI.

            Surely an IP access list can be set on the GUI WAN rule (and of course the GUI doesn't run on the default port).
            But that's exactly the world upside down.

            Most of the time a VPN will be used, although that's not always a possibility.
            I do need to be able to access the GUI in any circumstance.

            So what if you're away on the other side of the world, don't have VPN available and only have basic internet there?
            You don't know that internet connection's IP address in advance to put in your access list.
            How do you plan on managing or troubleshooting your machine then?

            That's why there's no access list now.
            And all accounts (not even a handful of admin-only accounts) have OTP enabled.
            Except for the one that's intended for backdoor purposes only. And that one therefore needs to be restricted.

            johnpoz LAYER 8 Global Moderator @daxis (Jun 3, 2024, 11:24 AM)

              @daxis said in WebGUI user login restricted by IP:

              You don't know that internet connection's IP address in advance to put in your access list.

              Create a dynamic IP FQDN and use that in your list. So you're off and away to some remote part of the world - make sure your device updates its dynamic FQDN with its current IP.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              patient0 @daxis (Jun 3, 2024, 11:27 AM)

                @daxis

                You don't know that internet connection's IP address in advance to put in your access list.
                How do you plan on managing or troubleshooting your machine then?

                I use a cloud VM as SSH jump host with port forwarding.

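The answers above all describe the same rule set: an allow rule for a management alias (fixed networks, a dynamic DNS hostname, the jump host's static address) placed above a block rule for the GUI port, on WAN as patient0 suggests or on LAN as Gertjan describes. The following is an added example, not pfSense code and not from any poster: it is a small Python model of how such rules behave, so the consequences of rule order and of a stale hostname alias can be checked without a firewall at hand. It assumes two pfSense behaviours: rules are matched top to bottom with the first match winning, and hostnames inside an alias are re-resolved on a timer rather than at packet time, so a fresh DDNS update is not honoured until the next resolution. The addresses, the alias names, the hostname `admin-laptop.example.net` and the GUI port 8443 are all constructed for the example. Firewall rules see only the source address, never the user account, which is why they cannot restrict one local user while leaving OTP users reachable from anywhere; the model reflects that.

```python
"""Model of the 'strict management' rule set discussed in this thread.

Added example, not pfSense code. It mimics two properties of pfSense rules
the answers rely on: first match wins, so the pass rule for the management
alias must sit above the block rule; and hostnames in an alias are resolved
periodically into a table, so a DDNS update only counts after the next resolution.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed addresses from the RFC 5737 documentation ranges; none are
# from the thread. The GUI port is the non-default port patient0 suggests.
WAN_ADDR = ipaddress.ip_address("203.0.113.10")  # the firewall's own WAN address
LAN_ADDR = ipaddress.ip_address("192.168.1.1")   # the firewall's own LAN address
GUI_PORT = 8443
THIS_FIREWALL = (WAN_ADDR, LAN_ADDR)             # pfSense's "This Firewall (self)"


@dataclass
class Alias:
    """An alias holding networks plus hostnames that are resolved later."""
    name: str
    networks: list[str] = field(default_factory=list)
    hostnames: list[str] = field(default_factory=list)
    resolved: dict[str, ipaddress.IPv4Address] = field(default_factory=dict)

    def refresh(self, dns: dict[str, str]) -> None:
        """Re-resolve hostnames; stands in for pfSense's periodic lookups."""
        for host in self.hostnames:
            if host in dns:
                self.resolved[host] = ipaddress.ip_address(dns[host])

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        in_net = any(addr in ipaddress.ip_network(n, strict=False) for n in self.networks)
        return in_net or addr in self.resolved.values()


@dataclass
class Rule:
    action: str           # "pass" or "block"
    iface: str            # "WAN" or "LAN"
    src: Optional[Alias]  # None means any source
    dport: int
    log: bool = False


def strict_management_rules(iface: str, mgmt: Alias) -> list[Rule]:
    """Pass GUI traffic from the alias to the firewall, then block everyone else."""
    return [
        Rule("pass", iface, mgmt, GUI_PORT),
        Rule("block", iface, None, GUI_PORT, log=True),
    ]


def evaluate(rules: list[Rule], iface: str, src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching rule decides; anything unmatched hits the default deny."""
    if ipaddress.ip_address(dst_ip) not in THIS_FIREWALL:
        return "block"  # only traffic addressed to the firewall itself is modelled
    for rule in rules:
        if rule.iface != iface or rule.dport != dport:
            continue
        if rule.src is not None and not rule.src.contains(src_ip):
            continue
        return rule.action
    return "block"


def demo() -> dict[str, str]:
    """Walk through the situations raised in the thread; verdicts keyed by label."""
    # Office network, the SSH jump host's static address (forwarded sessions
    # arrive from it, not from the admin's hotel Wi-Fi), and a DDNS name the
    # travelling admin's laptop keeps updated. All constructed.
    mgmt = Alias("WAN_Mgmt", networks=["198.51.100.0/24", "192.0.2.5/32"],
                 hostnames=["admin-laptop.example.net"])
    dns = {"admin-laptop.example.net": "203.0.113.77"}
    mgmt.refresh(dns)
    wan = strict_management_rules("WAN", mgmt)

    out = {}
    for label, src in [("office", "198.51.100.20"), ("jumphost", "192.0.2.5"),
                       ("ddns", "203.0.113.77"), ("stranger", "203.0.113.200")]:
        out[label] = evaluate(wan, "WAN", src, str(WAN_ADDR), GUI_PORT)

    # Admin moves on: the DDNS record changes, but the alias is still stale.
    dns["admin-laptop.example.net"] = "203.0.113.99"
    out["moved_before_refresh"] = evaluate(wan, "WAN", "203.0.113.99", str(WAN_ADDR), GUI_PORT)
    mgmt.refresh(dns)
    out["moved_after_refresh"] = evaluate(wan, "WAN", "203.0.113.99", str(WAN_ADDR), GUI_PORT)

    # Rules in the wrong order: the block rule matches first and nobody gets in.
    out["office_wrong_order"] = evaluate(wan[::-1], "WAN", "198.51.100.20", str(WAN_ADDR), GUI_PORT)

    # Gertjan's LAN variant: one admin workstation may reach the GUI, the rest of LAN may not.
    lan = strict_management_rules("LAN", Alias("LAN_Mgmt", networks=["192.168.1.50/32"]))
    out["lan_admin_pc"] = evaluate(lan, "LAN", "192.168.1.50", str(LAN_ADDR), GUI_PORT)
    out["lan_other_pc"] = evaluate(lan, "LAN", "192.168.1.77", str(LAN_ADDR), GUI_PORT)
    return out


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:20s} {verdict}")
```

Running the script prints one verdict per scenario. The `moved_before_refresh` case is the one to keep in mind when relying on johnpoz's DDNS suggestion: the laptop can update its record immediately, but the alias only picks the new address up at the next resolution, so a short wait is expected before the GUI answers from a new location. The jump host case shows why patient0's approach needs only one static entry in the alias, whatever network the admin is actually on.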
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.