Netgate Discussion Forum

    can't disable web config or web GUI to WAN

    QuantumParadox:

      Team,

      I am on pfSense Plus 24.11 and I had my ISP upgraded from 1 GB asymmetrical to 2 GB, and in the process the ISP tech and I concluded that we can just plug pfSense directly into the ONT without the ISP router, and it works. Now, because I don't have a modem in front of my pfSense box, pfSense manages everything, which is what I wanted, but I have an issue I can't seem to resolve. I can't seem to disable the web GUI for the WAN, so anyone with my IP can access my pfSense. I did create rules to block 443 and 80, and I also moved the web login to 8443 and created a rule for that to be blocked, but it will not block the rules. I've been asking AI for help and it says this:
      Go to System > Advanced > Admin Access.
      Find the setting for WebGUI Listen Interfaces (it may not be visible in your provided list, but it should be there).
      Select LAN or another internal interface only—do not select WAN, and apply the settings. The issue is I don't have any of those settings.
      I also have my pfSense set up with OpenVPN, and I created a rule to block the ports for OpenVPN, and still nothing.
      I need help. I am vulnerable, and I've been working on this all day with very little sleep.

      Thank you for reading this.

      QuantumParadox

      QuantumParadox:

        Wait, I just discovered that I can access my ext. IP, which sends me to the pfSense GUI. However, I had one of my friends enter my ext. IP, and he can't access anything, so I think I overreacted.

        QuantumParadox

        Gertjan @QuantumParadox:

          @QuantumParadox said in can't disable web config or web GUI to WAN:

          I can't seem to disable the web GUI for the WAN ... 25.03.b.20250429.1329 ...

          The default firewall behavior, for every interface, is (roll the drums) .... (wait for it) : it blocks everything.
          For this very reason, when you install pfSense, you find this on the LAN interface :

          [image: screenshot of the LAN firewall rules]

          Not rules 1 and 2; I've added those myself.
          Rules 3 and 4 have to be there, otherwise you wouldn't be able to access your pfSense using the Ethernet, using the LAN NIC.

          The issue with the WAN interface is .... the admin, better known as : you.
          Let's compare pfSense with your own house.
          Someone, a stranger, or even you, without your keys, can not enter the front door : it's locked.
          While you are at home, you decided to test the front door : is it locked ? To do this test, you opened the front door from the inside (remember : you are at home) and then you say : "hey, it's open !"

          Back to pfSense : you are probably connected with a device on the pfSense LAN, the default LAN firewall rule lets the traffic flow into the LAN, and you used as a destination IP the WAN interface.
          That's like accessing the WAN interface from the inside. Traffic actually never leaves that pfSense WAN interface, to be echoed back to the WAN by magic by some other device behind the NAT (some ISP equipment for example).

          @QuantumParadox said in can't disable web config or web GUI to WAN:

          I did create rules to block 443 and 80

          No need.
          My WAN rules :

          [image: screenshot of the WAN firewall rules]

          Normally, when you install pfSense, there are no rules on the WAN firewall.
          This means nothing can enter.
          I've surfaced this behavior by adding the last two block (red cross) rules.
          The six rules I have before these two block rules are there for me, so I can access my NAS (on my pfSense LAN) and VPN (on pfSense).
          The VPN can be accessed from any IP address = from everywhere.
          My NAS can only be accessed by the device IPs I've listed in the alias called "SYS", and no one else.
          I do accept ping (IPv4 and IPv6) on my WAN because "why not ^^".

          Go get some sleep, all is well ^^

          @QuantumParadox said in can't disable web config or web GUI to WAN:

          asking AI for help

          Euh ....
          That only works if you ask good questions.
          Like this : what is the default FreeBSD firewall pf behavior ?

          and you see the good answer right away.
          Not only valid for pfSense but every firewall.

          @QuantumParadox said in can't disable web config or web GUI to WAN:

          Go to System > Advanced > Admin Access.
          Find the setting for WebGUI Listen Interfaces (it may not be visible in your provided list, but it should be there).
          Select LAN or another internal interface only—do not select WAN. and apply the settings the issue is I don't have any of those settings.

          I wish that were really the case, but my 24.11 - actually 25.03 beta 4 right now - doesn't have that option.
          There is no setting over there that controls on what interface the pfSense web GUI is listening.
          The reality is that the pfSense web interface listens on all system-known interfaces; this also includes localhost (127.0.0.1) and interfaces like WAN.
          Your pfSense doesn't contain any AI, but it still gives you the answer :

          [25.03-BETA][root@pfSense.bhf.tld]/root: sockstat -4 | grep 'nginx'
          root     nginx      29461 5   tcp4   *:443                 *:*
          root     nginx      29461 7   tcp4   *:80                  *:*
          root     nginx      29017 5   tcp4   *:443                 *:*
          root     nginx      29017 7   tcp4   *:80                  *:*
          

          You see the * : * ? That means : every interface. And that includes WAN, which is, imho, somewhat scary.
          So, every interface, using tcp4 or IPv4, on both port 80 (http) and port 443 (https).
          Two instances because :
          [image: screenshot]

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

            QuantumParadox:
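The two facts Gertjan's post combines (nginx bound to `*:80` and `*:443` on every address, and the WAN interface having no pass rule, so nothing reaches it) can be checked together from the shell. The script below is an added example, not code from the thread or from pfSense; the `sockstat` and `pfctl -sr` text it parses is constructed to mirror the output formats shown in the post, and the interface names `igb0`/`igb1`, the address 203.0.113.5 and the rule labels are assumptions. On a real box you would pipe `sockstat -4 -l` and `pfctl -sr` into the same functions instead of the samples.

```shell
#!/bin/sh
# Added example (not from the thread). Two defender checks:
#   1. which services are bound to the wildcard address (every interface),
#   2. whether any "pass in" rule on the WAN interface admits a given port.
# A wildcard listener is only exposed if check 2 finds a pass rule for it.

# Constructed sockstat-style output (format as in the post: user, command,
# pid, fd, proto, local address, foreign address).
SAMPLE_SOCKSTAT='root     nginx      29461 5   tcp4   *:443                 *:*
root     nginx      29461 7   tcp4   *:80                  *:*
root     sshd       1234  4   tcp4   192.168.1.1:22        *:*
root     unbound    2222  3   udp4   127.0.0.1:53          *:*'

# Constructed pfctl -sr style output; "igb0" is the assumed WAN interface.
SAMPLE_PF_RULES='block drop in log all label "Default deny rule IPv4"
pass in quick on igb0 inet proto udp from any to 203.0.113.5 port = 1194 keep state label "USER_RULE: OpenVPN"
pass in quick on igb0 inet proto icmp all icmp-type echoreq keep state label "USER_RULE: ping"
pass in quick on igb1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"'

# Read sockstat output on stdin; print "user command proto port" for every
# socket whose local address starts with "*:" (bound on every interface).
wildcard_listeners() {
    awk '$6 ~ /^\*:/ { split($6, a, ":"); print $1, $2, $5, a[2] }' | sort -u
}

# Number of distinct wildcard listeners in the constructed sample.
count_wildcard() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners | wc -l | tr -d ' '
}

# Exit 0 if some service in the sample listens on the wildcard for $1.
listens_on_port() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners |
        awk -v p="$1" '$4 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# Read pfctl -sr output on stdin; print how many "pass in" rules on
# interface $1 admit destination port $2.
wan_pass_rules_for_port() {
    awk -v ifc="$1" -v p="$2" '
        $1 == "pass" && $2 == "in" && $0 ~ ("on " ifc " ") &&
        $0 ~ ("port = " p "( |$)") { n++ }
        END { print n + 0 }'
}

# Convenience wrapper over the constructed rule set: count pass rules on
# the assumed WAN interface for port $1.
sample_wan_passes() {
    printf '%s\n' "$SAMPLE_PF_RULES" | wan_pass_rules_for_port igb0 "$1"
}

# Verdict for one port: "exposed" only if it is both bound on the wildcard
# and admitted by a WAN pass rule; "bound-but-blocked" is the thread's case.
exposure() {
    if listens_on_port "$1"; then
        if [ "$(sample_wan_passes "$1")" -gt 0 ]; then echo exposed
        else echo bound-but-blocked; fi
    else
        echo not-listening
    fi
}

printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners
for port in 80 443 22 1194; do
    echo "port $port: $(exposure "$port")"
done
```

Running it prints the two nginx wildcard listeners and then `bound-but-blocked` for 80 and 443: the web GUI is listening on the WAN address, exactly as the `* : *` in the post shows, but the only WAN pass rules are for OpenVPN and ping, so the default deny still drops the GUI traffic.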

            thank you so much. I got it configured.

            I have one more issue. iftop keeps crashing when I download large files. I've upgraded from 1 GB fiber to 2 gig fiber, and I keep iftop running on the monitor to see what's happening in real time, and now it seems to crash to the point where I have to restart the whole pfSense. I can't Ctrl+C to get out and back to the command line.

            QuantumParadox

              patient0 @QuantumParadox:

              @QuantumParadox

              @QuantumParadox said in can't disable web config or web GUI to WAN:

              I have one more issue. the iftop keeps crashing ... I can't CTRL C to get out and back to command line.

              Can you open a new SSH connection to pfSense to see what happens? That should still be possible if only iftop crashes.

                QuantumParadox @patient0:

                @patient0 Yes, I opened an SSH session and went in and had to kill the iftop process. So iftop seems to crash when I start doing heavy downloading. I just upgraded my fiber speeds to 2 gigs up and down, and when I download a large file, the download bars go all the way to the right and just hang there, crashing iftop. I am playing with pftop, but I don't know all of the arguments.
                Here is what I am trying to do: I have a 27 inch LCD just for pfSense, and I like to look at real-time data, uploads and downloads, and iftop seems to have it all.

                I am trying to play with ntopng and I can't seem to get it to run in the command line.

                What do you recommend I do?

                QuantumParadox

                  patient0 @QuantumParadox:

                  @QuantumParadox can you run `top -HaSP` before killing `iftop` to see what `iftop` is doing CPU-wise? Is it running wild, consuming lots of resources?

                  On what box does pfSense+ run, what specs, what NICs? And does iftop hang at all download speeds or only when downloading at full speed?

                  @QuantumParadox said in can't disable web config or web GUI to WAN:

                  I am trying to play with ntopng and I can't seem to get it to run in the command line.

                  I don't know about ntopng, maybe someone else can step in?

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.