Configuring webConfigurator port and IP?



  • Hi All,

    Just installed pfsense on an ALIX board that has 3 nics - WAN, LAN and OPT1.  I'm setting up pfsense to be a transparently bridged firewall.  There will be no routing, DHCP, NAT or any other services.  It will be strictly packet filtering firewall services.

    I was planning that WAN would be the internet side, LAN would be the internal network to the servers.  I thought I'd use OPT1 to have management access to the webconfigurator for administering the firewall.  I'm not seeing anything in the webConfigurator that allows me to specify what interface the webConfigurator listens on or what port it uses.  Right now webConfigurator can only be access from the LAN port.

    Can I set it up the way I want and if so where do I go to configure the webConfigurator IP and port?  I assume its like any web server that listens on a specific interface.

    If I can't do the above, I suppose I could have WAN be the internet side, OPT1 be the internal network to the servers (bridge those two) and then use the LAN interface for administrative purposes.  Just seems backwards to me.



  • webConfigurator can be accessed from lan or wan or other so it really just a matter of putting in the ip of whatever interface and will take you to the webConfigurator then its just the matter of blocking access from the interfaces that u don't want have to the webConfigurator, hope this help you out or put some light on what your trying to do.



  • @motodude:

    Hi All,

    Just installed pfsense on an ALIX board that has 3 nics - WAN, LAN and OPT1.   I'm setting up pfsense to be a transparently bridged firewall.  There will be no routing, DHCP, NAT or any other services.  It will be strictly packet filtering firewall services.

    I was planning that WAN would be the internet side, LAN would be the internal network to the servers.  I thought I'd use OPT1 to have management access to the webconfigurator for administering the firewall.  I'm not seeing anything in the webConfigurator that allows me to specify what interface the webConfigurator listens on or what port it uses.  Right now webConfigurator can only be access from the LAN port.

    Can I set it up the way I want and if so where do I go to configure the webConfigurator IP and port?  I assume its like any web server that listens on a specific interface.

    If I can't do the above, I suppose I could have WAN be the internet side, OPT1 be the internal network to the servers (bridge those two) and then use the LAN interface for administrative purposes.  Just seems backwards to me.

    You will need to configure the static IP subnet for the OPT1 interface (assuming it's not bridged).

    Assuming it is 10.0.0.0/24 and the address of OPT1 is 10.0.0.1, then:
    You must go to Firewall: Alias
    Create a new Port alias with ports 80, 443, 22 (Optional for SSH).

    Then head to Firewall: Rules
    In OPT1 tab, create a new rule.
    Set as Allow.
    Specify Protocol as UDP/TCP.
    Source Port 'Any'
    Source Subnet '10.0.0.0/24'
    Destination Port using the Alias created.
    Destination IP (Single Host): 10.0.0.1
    Save the rule and make sure it is at the top of the list.

    Once this is done, you can head over to System: Advanced.
    Disable the WebGUI anti-lockout rule and remove it from the Firewall:Rules Lan tab.



  • DreamSlacker,

    Hey, thanks so much.  I appreciate the excellent and concise instructions.  That helped a lot!



  • Well, I'm not having any luck getting this working.

    I set the interface IP for opt1 to a static IP of 192.168.1.10.  In Firewall > Rules, I have one rule defined.  It (temporarily for testing) allows tcp/udp from any source and from any port to destination 192.168.1.10 and to ports > WebServerPorts (my alias).

    I disabled the WebGUI anti-lockout rule.  There was no rule for that defined in the Firewall:Rules Lan tab

    I can ping 192.168.1.10 and get a reply.  I also see the NIC lights on OPT1 flash when I try and access the webConfigurator via OPT1.

    I've restarted pfsense and done everything I can to narrow down the problem.  Is there possibly some other setting that needs to be changed?



  • @motodude:

    I've restarted pfsense and done everything I can to narrow down the problem.

    Maybe you have done these and haven't reported the outcome:

    • Is the pfSense web server running? What does the pfSense shell command ps ax | grep  lighttpd report?

    • Are your access attempts reported in the firewall log? What does the pfSense shell command clog /var/log/filter.log report?

    • Are you trying to access the web server on a port it is listening on? What does the pfSense shell command netstat -a -f inet report? (Maybe you configured the web server for https and you are trying to access it on http.)



  • @motodude:

    Well, I'm not having any luck getting this working.

    I set the interface IP for opt1 to a static IP of 192.168.1.10.  In Firewall > Rules, I have one rule defined.  It (temporarily for testing) allows tcp/udp from any source and from any port to destination 192.168.1.10 and to ports > WebServerPorts (my alias).

    I disabled the WebGUI anti-lockout rule.  There was no rule for that defined in the Firewall:Rules Lan tab

    I can ping 192.168.1.10 and get a reply.  I also see the NIC lights on OPT1 flash when I try and access the webConfigurator via OPT1.

    I've restarted pfsense and done everything I can to narrow down the problem.  Is there possibly some other setting that needs to be changed?

    What is your configuration?

    OPT1 should be a separate subnet from LAN (and WAN).

    e.g.

    If WAN is public IP (DHCP or static doesn't matter) and LAN is 192.168.1.0/24, then OPT1 must reside on another subnet such as 10.0.0.0/24 with address 10.0.0.1.
    The firewall rule will then have to be on the OPT1 tab with source 10.0.0.0/24 subnet and destination as 10.0.0.1, dest. port as the alias.



  • This post has helped:

    http://forum.pfsense.org/index.php/topic,43983.msg228156.html#msg228156

    I still don't have it working but I think I'm really close.

    I swapped OPT and LAN with each other.  They now have different roles.

    I now have interfaces:

    OPT type=none (no IP)
    WAN type=none (no IP)
    BRIDGE type=none (no IP)
    LAN_ADMIN type=static.  IP 192.168.0.100

    OPT and WAN are bridged

    LAN_ADMIN is working and its used to access the pfSense webGUI.

    I have no gateway defined.

    I have rules set to pass everything on WAN and OPT.

    This is similar to how I've configured transparently bridged OpenBSD firewalls in the past.  The two interfaces and the bridge didn't need IPs.


Log in to reply