help - how can I block access to the webGUI manager from the wireless interface?



  • Hello everybody,
    I need to block access from the wireless interface to pfSense. Let me explain better:

    my pfSense is 192.168.2.1
    wireless clients get DHCP addresses (192.168.2.2-254)

    so I want to block any wireless client from accessing pfSense (192.168.2.1).

    Thanks in advance



  • I assume you have a rule on your WLAN interface looking something like:
    allow; source: wlan-subnet, destination: any

    change this rule to three rules:
    #1: allow, source: any, destination: WLAN-interface, destination-port: 68-69
    #2: allow, source: wlan-subnet, destination: WLAN-interface, destination-port: 53
    #3: allow, source: wlan-subnet, destination: !WLAN-interface
    -> destination: NOT WLAN-interface

    With rule 3 you allow access to everywhere (internet) except the WLAN-interface.
    With rules 1 and 2 you allow DHCP and DNS to pfSense.
    You can combine rules 1 and 2 if you use aliases.



  • Thanks a lot GruensFroeschli, I will try this evening.



  • Hello GruensFroeschli,
    my setup is this:
    allow, tcp/udp, wireless net, any, any, 53
    allow, tcp, wireless net, any, any, 80
    allow, tcp, wireless net, any, any, 443

    So in this case, from any wireless client it is possible to see pfSense (192.168.2.1).
    I don't know how I can block it.
    Can you help me?
    Thanks



  • Change the destination of your rules with ports 80 and 443 from any to !WLAN-interface.



  • Thanks a lot, I will try later.



  • Hello GruensFroeschli,
    sorry, I continue to have problems.. :(
    Can you help me, if I am not disturbing you?

    Thanks!


  • Rebel Alliance

    Please post a screenshot of your LAN rules.

    (You can attach the image directly to the forum; in "post reply" just use "Advanced options" -> Attach.)



  • Hello ptt!
    I made a screenshot, so I hope it is clearer now…

    Thanks



  • Rebel Alliance

    Just add a rule (on top of all others):

    Action: Block

    Proto: TCP

    SRC: Wireless Net

    Port: Any ( * )

    Destination: Wireless Address

    Port: 80

    PS: where are you from?



  • Well yeah, that would work too.
    But a more elegant solution is to simply change the third rule in your screenshot:
    change the destination from "any" to "WLAN-interface" and check the "NOT" checkbox.



  • Thanks!
    I followed GruensFroeschli's instructions and now it is working!!!

    Thanks again!



  • @GruensFroeschli:

    well yeah that would work too.
    but a more elegant solution is to simply change the third rule in your screenshot.
    change the destination from "any" to "WLAN-interface" and check the "NOT" checkbox.

    GruensFroeschli,

    There is no "WLAN-interface" option from the destination type dropdown.  Please explain what it is that you're talking about as I would like to try your method.  Thanks.


  • Rebel Alliance

    Which name does your WLAN interface have?



  • What?


  • Rebel Alliance

    You should choose your assigned interface name as the destination of the rule.

    You will never see "WLAN-interface" unless you give that name to your WLAN interface…



  • @ptt:

    You should choose your assigned interface name as the destination of the rule.

    You will never see "WLAN-interface" unless you give that name to your WLAN interface…

    My wireless interface is named WAP.  The only options that I get from the "destination type" dropdown are: any, Single host or alias, Network, PPTP clients, PPPoE clients, L2TP clients, WAN subnet, WAN address, LAN subnet, LAN address, WAP subnet, and WAP address.  No option is given to select the WAP interface.


  • Rebel Alliance

    WLAN-interface = WAP address

    wlan-subnet = WAP subnet



  • Thanks ptt, but if that is so then why did GruensFroeschli not just say so?  Why use ambiguous terminology?  He said "change the destination from "any" to "WLAN-interface" and check the "NOT" checkbox," and that is what confused me to no end.  Anyhow, I'll give this a try and see if it works.  I'd rather have allow rules than block rules.


  • Rebel Alliance

    Maybe he should say "WLAN-address" instead of "WLAN-interface":

    change the destination from "any" to "WLAN-address" and check the "NOT" checkbox.

    Using the "NOT" you have a "2 in 1" rule: it "allows" and also "blocks" at the same time ;)

    But anyway, it is understandable, IMHO.



  • I certainly didn't get it.  I was looking for "WLAN-interface," but what I needed was "WLAN-address," which would have made perfect sense.  Why make stuff even more cryptic?  Anyway, I'm over it now.  I set up the rules and it's working; WebGUI access is blocked from my WLAN.  Unfortunately, it only blocks the IP address.  If I type the hostname into my browser, the WebGUI still comes up.  Any ideas how to block it completely?



  • If you type the host name, it most probably resolves to the address on your WAN interface.
    Add a new BLOCK rule at the top (above all other rules) on the LAN tab.
    Set the destination to WAN-address.
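A way to check the rule sets from this thread on the same sample traffic: GruensFroeschli's "not WLAN address" allow rules, ptt's block rule placed on top, and the final block for the WAN address that the hostname resolves to. This is an added example, not part of the thread and not pfSense or pf code; it is a small Python model of pfSense's top-down, first-match rule evaluation with the "not" destination checkbox and the implicit default block. The WLAN addressing (192.168.2.1/24) is the thread's; the WAN address 203.0.113.10, the wireless client 192.168.2.50 and the Internet host 198.51.100.7 are assumed sample values.

```python
"""First-match model of the pfSense WLAN rule sets discussed in this thread.

Added example, not pfSense code.  The WLAN addressing is the thread's; the WAN
address, the client address and the Internet host are ASSUMED sample values
from the documentation ranges.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# What the pfSense GUI calls "WLAN address", "WLAN subnet" and "WAN address".
WLAN_ADDRESS = IPv4Network("192.168.2.1/32")
WLAN_SUBNET = IPv4Network("192.168.2.0/24")
WAN_ADDRESS = IPv4Network("203.0.113.10/32")     # assumption, not from the thread
ANY = None                                       # "any" in the GUI dropdown


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    proto: str                     # "tcp", "udp", "tcp/udp" or "any"
    src: Optional[IPv4Network]     # None == any
    dst: Optional[IPv4Network]
    dports: frozenset              # empty == any destination port
    dst_not: bool = False          # the "not" (invert) checkbox on Destination


@dataclass(frozen=True)
class Packet:
    proto: str
    src: IPv4Address
    dst: IPv4Address
    dport: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Protocol, source, (possibly inverted) destination and port must all match."""
    if rule.proto not in ("any", pkt.proto) and not (
        rule.proto == "tcp/udp" and pkt.proto in ("tcp", "udp")
    ):
        return False
    if rule.src is not None and pkt.src not in rule.src:
        return False
    dst_hit = rule.dst is None or pkt.dst in rule.dst
    if rule.dst_not:               # "not" inverts only the destination test
        dst_hit = not dst_hit
    if not dst_hit:
        return False
    return not rule.dports or pkt.dport in rule.dports


def evaluate(rules, pkt: Packet) -> str:
    """Top-down, first match wins; no match means the implicit default block."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "block"


def allow(proto, src, dst, *ports, dst_not=False):
    return Rule("pass", proto, src, dst, frozenset(ports), dst_not)


# The asker's rules: destination "any" includes the firewall's own address.
ORIGINAL = [
    allow("tcp/udp", WLAN_SUBNET, ANY, 53),
    allow("tcp", WLAN_SUBNET, ANY, 80),
    allow("tcp", WLAN_SUBNET, ANY, 443),
]

# GruensFroeschli's fix: the web rules get destination "WLAN address" with "not" set.
FIXED = [
    allow("tcp/udp", WLAN_SUBNET, ANY, 53),
    allow("tcp", WLAN_SUBNET, WLAN_ADDRESS, 80, dst_not=True),
    allow("tcp", WLAN_SUBNET, WLAN_ADDRESS, 443, dst_not=True),
]

# ptt's alternative: an explicit block rule above the original rules (port 80 only, as posted).
BLOCK_TOP = [Rule("block", "tcp", WLAN_SUBNET, WLAN_ADDRESS, frozenset({80}))] + ORIGINAL

# The follow-up problem: the hostname resolves to the WAN address, so a block for
# "WAN address" goes on top of the tab as well.
FIXED_PLUS_WAN = [Rule("block", "any", WLAN_SUBNET, WAN_ADDRESS, frozenset())] + FIXED

CLIENT = IPv4Address("192.168.2.50")            # constructed sample wireless client
INTERNET_HOST = IPv4Address("198.51.100.7")      # constructed sample Internet host


def webgui_via_wlan_ip(rules, port=443):
    return evaluate(rules, Packet("tcp", CLIENT, IPv4Address("192.168.2.1"), port))


def webgui_via_wan_ip(rules, port=443):
    return evaluate(rules, Packet("tcp", CLIENT, IPv4Address("203.0.113.10"), port))


def dns_to_pfsense(rules):
    return evaluate(rules, Packet("udp", CLIENT, IPv4Address("192.168.2.1"), 53))


def https_to_internet(rules):
    return evaluate(rules, Packet("tcp", CLIENT, INTERNET_HOST, 443))


if __name__ == "__main__":
    for name, rules in [("ORIGINAL", ORIGINAL), ("FIXED", FIXED),
                        ("BLOCK_TOP", BLOCK_TOP), ("FIXED_PLUS_WAN", FIXED_PLUS_WAN)]:
        print(f"{name:15} gui@wlan:443={webgui_via_wlan_ip(rules):5} "
              f"gui@wlan:80={webgui_via_wlan_ip(rules, 80):5} "
              f"gui@wan:443={webgui_via_wan_ip(rules):5} "
              f"dns={dns_to_pfsense(rules):5} internet={https_to_internet(rules)}")
```

Running it shows the asker's original rules passing 192.168.2.1:443 (destination "any" includes the firewall itself), the "not WLAN address" rules blocking it while DNS to pfSense and HTTPS to the Internet still pass, and those same rules still passing a request to the WAN address, which is why the hostname kept working until a block rule for "WAN address" was added on top. As posted, ptt's block rule covers port 80 only, so in the model port 443 still passes under it; if the webGUI listens on HTTPS that rule needs 443 too (or an alias for both ports).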

