WebGUI user login restricted by IP
-
Hi,
Searching for an answer I've found this topic:
Restrict webGUI login user + ip
Basically I have the same initial question.
How to restrict webGUI access to a user based on source IP?
I've installed FreeRadius for OTP usage, which works fine.
But I want to have a restricted non-OTP backdoor (local database user), just in case FreeRadius is having issues.
This user should only be able to log in from LAN and not WAN.
-
@daxis said in WebGUI user login restricted by IP:
This user should only be able to login from LAN and not WAN.
That's already the default case: nothing can enter WAN ... Logging into the GUI over WAN means you've already added a huge security risk.
@daxis said in WebGUI user login restricted by IP:
How to restrict webGUI access to a user based on source IP?
Add a firewall rule on LAN that allows access to the LAN IP (pfSense) with a known source IP, destination http/https.
Next rule: for any source IP, destination http/https, block the rest.
pfSense is not a server or something like that. It doesn't need multiple users.
You can create other, non-admin users that have specific reduced rights. Just be careful with what they can access, as most pages need 'admin' rights to access 'admin only' editable or viewable resources.
-
You're missing the whole point behind the question.
@Gertjan said in WebGUI user login restricted by IP:
That's already the default case: nothing can enter WAN ... Logging into the GUI over WAN means you've already added a huge security risk.
The machine is in another location and I still need to be able to access it when LAN is inaccessible.
So yes, I opened the GUI over WAN and yes, of course I know it's a huge risk, if no extra measures are taken that is.
That's exactly why FreeRadius, and with that OTP, is installed and implemented.
But there's still an admin user without OTP, just in case FreeRadius should be having issues and therefore an OTP-enabled admin can't log in.
So a user for backdoor purposes only, which I want to restrict to access through LAN only as the backdoor.
If there's no way to add an IP allow/deny list of some sort to a user, it really should be added in a future version! Shouldn't have to be that hard to implement.
Many other brands do have options like this.
-
@daxis I think the pfSense docu could be helpful in your case: https://docs.netgate.com/pfsense/en/latest/recipes/remote-firewall-administration.html
I'd follow the 'Strict Management' paragraph, but instead of on LAN you implement it on the WAN interface. Use a network alias for the allowed IPs/networks.
And consider changing the port number for the GUI.
-
@patient0 said in WebGUI user login restricted by IP:
@daxis
I'd follow the 'Strict Management' paragraph, but instead of on LAN you implement it on the WAN interface. Use a network alias for the allowed IPs/networks.
And consider changing the port number for the GUI.
Surely an IP access list can be set on the GUI WAN rule (and of course the GUI doesn't run on the default port).
But that's exactly the world upside down.
Most of the time a VPN will be used, although that's not always a possibility.
I do need to be able to access the GUI in any circumstance.
So what if you're away on the other side of the world, don't have VPN available and only have basic internet there?
You don't know that internet connection's IP address in advance to put in your access list.
How do you plan on managing or troubleshooting your machine then?
That's why there's no access list now.
And all accounts (not even a handful of only admin accounts) have OTP enabled.
Except for the one that's intended for backdoor purposes only. And therefore needs to be restricted.
-
@daxis said in WebGUI user login restricted by IP:
You don't know that internet connection's IP address in advance to put in your access list.
Create a dynamic IP FQDN and use that in your list. So you're off and away to some remote part of the world - make sure your device updates its dynamic FQDN with its current IP.
-
You don't know that internet connection's IP address in advance to put in your access list.
How do you plan on managing or troubleshooting your machine then?
I use a cloud VM as SSH jump host with port forwarding.
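The thread asks for something pfSense does not offer out of the box: a per-user source-IP allow list on the webGUI, with a non-OTP "backdoor" account confined to LAN while the OTP-protected accounts stay reachable over WAN, optionally through a dynamic-DNS FQDN in the alias as suggested above. The block below is an added example that shows what such a policy check looks like when written down; it is not pfSense's own authentication code and not code from anyone in the thread. The user names, alias names, networks and the stand-in resolver table are all constructed for the demonstration, and `resolve` is a hypothetical hook where a real deployment would call `socket.getaddrinfo`.

```python
"""Per-user source-IP login policy (added illustration, not pfSense code).

A policy maps each local account to the aliases it may log in from, an alias
mixes CIDR networks with FQDNs (as a pfSense network alias can), and FQDNs are
resolved at evaluation time through an injectable resolver so the check can be
exercised offline.  Anything unknown or unresolvable fails closed.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Resolver = Callable[[str], List[str]]

# Constructed alias table (hypothetical names) mirroring a network alias.
ALIASES: Dict[str, List[str]] = {
    "LAN_NETS": ["192.168.1.0/24", "fd00:1::/64"],
    # A fixed office address plus a dynamic-DNS name for the roaming admin.
    "ADMIN_ROAMING": ["203.0.113.10", "admin-home.dyndns.example"],
}

# Constructed per-user policy.  None means "no source restriction", which is
# what the OTP-protected accounts get; the backdoor account is LAN only.
USER_POLICY: Dict[str, Optional[List[str]]] = {
    "admin-otp": None,
    "roaming-otp": ["LAN_NETS", "ADMIN_ROAMING"],
    "backdoor": ["LAN_NETS"],
}

# Constructed resolver standing in for DNS (hypothetical name and address).
FAKE_DNS: Dict[str, List[str]] = {
    "admin-home.dyndns.example": ["198.51.100.7"],
}


def default_resolve(name: str) -> List[str]:
    """Offline stand-in for socket.getaddrinfo: unknown names resolve to nothing."""
    return FAKE_DNS.get(name, [])


def expand_entry(entry: str, resolve: Resolver) -> List[Network]:
    """Turn one alias entry into networks: a literal address/CIDR as-is, an
    FQDN via the resolver (a /32 or /128 per returned address)."""
    try:
        return [ipaddress.ip_network(entry, strict=False)]
    except ValueError:
        pass  # not a literal, treat it as a host name
    nets: List[Network] = []
    for addr in resolve(entry):
        try:
            nets.append(ipaddress.ip_network(addr))
        except ValueError:
            continue  # a garbage answer must not widen the allow list
    return nets


def allowed_networks(user: str, resolve: Resolver = default_resolve) -> Optional[List[Network]]:
    """Networks `user` may log in from; None means unrestricted; [] means nowhere."""
    policy = USER_POLICY.get(user)
    if user not in USER_POLICY:
        return []
    if policy is None:
        return None
    nets: List[Network] = []
    for alias in policy:
        for entry in ALIASES.get(alias, []):
            nets.extend(expand_entry(entry, resolve))
    return nets


def login_allowed(user: str, src_ip: str, resolve: Resolver = default_resolve) -> bool:
    """True if `user` may log in from `src_ip`.  Unknown users, unparsable
    addresses and unresolvable FQDN-only aliases all deny."""
    nets = allowed_networks(user, resolve)
    if nets is None:
        return True
    try:
        ip = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    # A v6 socket hands over LAN v4 clients as ::ffff:192.168.1.5; compare the
    # embedded v4 address so the LAN restriction still matches.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip.version == net.version and ip in net for net in nets)


if __name__ == "__main__":
    for who, where in [("backdoor", "192.168.1.5"), ("backdoor", "203.0.113.10"),
                       ("roaming-otp", "198.51.100.7"), ("admin-otp", "8.8.8.8")]:
        print(f"{who:12s} from {where:15s} -> {'allow' if login_allowed(who, where) else 'deny'}")
```

Two design choices worth carrying over to whatever actually enforces this (a firewall rule on the WAN interface, in pfSense's case): the check fails closed when an FQDN does not resolve, so a dynamic-DNS outage locks the roaming account out rather than opening it up; and an FQDN entry means the allow list is only as trustworthy as the DNS answer, so a hijacked dynamic-DNS record widens the list, which is a reason to keep OTP on every account that is reachable that way.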