Question about OpenVPN running on HA cluster on the CARP WAN on port 443
-
Hi all,
I have the following setup:
2x pfSense running in an HA pair. They have public WAN IP addresses of x.x.x.91 and x.x.x.92 and a CARP WAN public IP address of x.x.x.90. On the CARP WAN I am running OpenVPN on port 443.
I have noticed that the webgui is not accessible on x.x.x.90 under https://x.x.x.90; however, on https://x.x.x.91 and https://x.x.x.92 I can get to the webgui, which I don't really want.
The OpenVPN setup was done via the wizard, and for some reason in the firewall rules I have both the WAN IP address and the CARP address with allow access on 443.
My question is: what is the best practice to disable webgui access on the WAN interfaces? Do I disable the rule that allows it on the WAN interface but leave the rule enabled that allows the CARP to be accessible?
Do the WAN interfaces need to be accessible for the OpenVPN on the CARP to work? Any input is welcome!
Thank you in advance.
-
@AlexMercer Move the webgui to 4443. Disable the webConfigurator anti-lockout rule. Disable the webConfigurator redirect rule. Add a specific rule for the internal interface (any LANish one is good, preferably the one which is your dedicated management LAN) to port 4443.
This hardening and consistency ensures whatever goes wrong, any public WAN/443 combination won't ever reveal the webgui.
Always remove excess rules: if you don't know why it is there, get rid of it.
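A way to check that the hardening above actually landed is to audit the firewall's config.xml offline rather than trusting the GUI checkboxes. The script below is an added example written for this thread; it is not code from the thread participants or from the pfSense project. It assumes the config layout pfSense writes under <system><webgui> (port, protocol, noantilockout, disablehttpredirect) and <filter><rule> (interface, type, protocol, destination/port), that WAN-facing interfaces have names starting with "wan", and it uses a constructed sample with 192.0.2.90 standing in for the x.x.x.90 CARP VIP. It flags every enabled WAN pass rule that reaches the webgui port, because the config alone cannot tell whether the webgui or OpenVPN answers on a given address; once the webgui moves to 4443, the wizard's 443 rules stop being findings and the remaining question is only whether both of them are still needed.

```python
"""Audit a pfSense config.xml for WAN exposure of the webConfigurator.

Added example (not from the thread or the pfSense project). Assumed layout:
<system><webgui> holds port/protocol/noantilockout/disablehttpredirect,
<filter><rule> holds interface/type/protocol/destination. Run it against a
copy of the firewall's config.xml, e.g.:  python audit_webgui.py config.xml
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample mirroring the thread: webgui still on 443, two WAN pass
# rules on 443 left by the OpenVPN wizard (WAN address and CARP VIP), plus a
# disabled leftover; anti-lockout and HTTP redirect at their defaults.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <webgui>
      <protocol>https</protocol>
      <port>443</port>
    </webgui>
  </system>
  <filter>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source><any/></source>
      <destination><network>wanip</network><port>443</port></destination>
      <descr>OpenVPN wizard</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>192.0.2.90</address><port>443</port></destination>
      <descr>OpenVPN on CARP VIP</descr>
    </rule>
    <rule>
      <disabled/>
      <type>pass</type>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source><any/></source>
      <destination><network>wanip</network><port>443</port></destination>
      <descr>old rule, disabled</descr>
    </rule>
  </filter>
</pfsense>
"""


def webgui_port(root):
    """Port the webConfigurator listens on (pfSense defaults by protocol)."""
    gui = root.find("system/webgui")
    proto = gui.findtext("protocol", "https") if gui is not None else "https"
    port = gui.findtext("port") if gui is not None else None
    return int(port) if port else (443 if proto == "https" else 80)


def port_matches(spec, port):
    """True if a rule port spec ('443', '4443', '440-450', none) covers port."""
    if not spec:
        return True  # no <port> element means any port
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def wan_rules_to_port(root, port):
    """Enabled pass rules on a WAN-named interface whose destination reaches port."""
    hits = []
    for rule in root.iterfind("filter/rule"):
        if rule.find("disabled") is not None or rule.findtext("type") != "pass":
            continue
        iface = rule.findtext("interface", "")
        if not iface.startswith("wan"):
            continue
        dest = rule.find("destination")
        if dest is None or not port_matches(dest.findtext("port"), port):
            continue
        target = dest.findtext("network") or dest.findtext("address") or "any"
        hits.append((iface, target, rule.findtext("descr", "")))
    return hits


def audit(config_xml):
    """Return the findings a hardening pass should clear (empty when clean)."""
    root = ET.fromstring(config_xml)
    gui = root.find("system/webgui")
    port = webgui_port(root)
    findings = []
    if port in (80, 443):
        findings.append(f"webgui on well-known port {port}; move it (e.g. 4443)")
    if gui is None or gui.find("noantilockout") is None:
        findings.append("anti-lockout rule still active")
    if gui is None or gui.find("disablehttpredirect") is None:
        findings.append("HTTP redirect to webgui still enabled")
    for iface, target, descr in wan_rules_to_port(root, port):
        findings.append(f"{iface} pass rule to {target}:{port} reaches the webgui ({descr})")
    return findings


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in audit(source):
        print("-", finding)
```

On the sample the audit reports five findings (the well-known port, anti-lockout, HTTP redirect, and the two enabled WAN rules to 443); after the webgui is moved to 4443 with anti-lockout and redirect disabled it reports none, which is the state the answer above describes.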