How to disable webgui connection on LAN IP?



  • Hi,

    I preferred to access my webGUI via WAN. Have settled that already and I am now enjoying accessing my pf server remotely using the WAN IP. Now I need to disable the webGUI link to the LAN IP. As you can see, LAN IP is set to DHCP so I don't want somebody with weird thinking to play with my webGUI via LAN IP.

    Any idea?

    Thanks!

    Nubee


  • Banned

    System - Advanced - Admin Access - Anti-lockout



  • Ok, I decided to disable webgui access from WAN, I feel like my pf box will be vulnerable if I do that. Regarding the Anti-Lockout, it says

    "access to the webConfigurator is controlled by the user-defined firewall rules (ensure you have a firewall rule in place that allows you in, or you will lock yourself out!)"

    Where can I configure a firewall rule that will allow me in? A simple step by step is much appreciated.

    Nubee


  • Banned

    In the same place where the anti-lockout rules are… It's also documented in the wiki. If you are not sure, then leave the thing alone.



  • That's my whole reason why I queried the forum since I am not sure what to do. If me knowing it, I wouldn't bother posting.

    The thing is, I wish to learn how to do it.


  • Banned

    Yeah, so read the wiki and come back with some specific question. No one's interested in rewriting an already documented procedure.



  • Ok, I've gone with the WIKI, and have followed the steps and I was always locked out. By the way I already upgraded to 2.1.

    I was able to create aliases "ManagementAccess" and "ManagementPorts". My problem is whenever I configure the "Rules" I can't find where to invoke the "ManagementPorts" to appear under the "Ports" column. Unlike the Source column, where I was able to invoke the "ManagementAccess" under "Source", in the "Port" column I can't find where to invoke the "ManagementPorts".

    Can you help?


  • Banned

    Sorry, I don't understand your question. What's "invoke"?



  • I created an alias ManagementAccess with the value of 192.168.13.143/32, 192.168.13.1/22. I'm not really sure if these values are the proper values. I'm trying to figure out how to limit the access to the management functionality such that I am the only one who knows what IP I can access the WebGUI from.

    I also created ManagementPorts with a value of 443, 22.

    Firewall: Rules
    Action : Pass
    Interface : LAN
    TCP/IP Version : IPv4
    Protocol: TCP
    Source: Here is the invoke thing. When I drop down to select "Single Host or Alias" I am given an address box and when I start typing the letter "M" it auto-completes to "ManagementAccess" - sorry for misusing the word "invoke" here as I was thinking this drop down arrow invokes the alias I created earlier.

    Destination: LAN Address
    Port: Here lies my problem - on the wiki it shows "ManagementPorts" under the "Port" column just after the "Destination" column. I just can't find where to INVOKE (sorry ;) ) or find any drop down arrow or any address box to type "managementports".

    Sorry, English is not my first lang… :P


  • Banned

    As for your destination ports, there's "Destination port range" where you type the ManagementPorts alias. Cannot really see the problem with that.

    Finally - please, if you are unsure what IPs you are accessing the management GUI from… Leave the thing well alone. The only thing you'll achieve is locking yourself out. The settings there are NOT the IP you type into the browser. The settings are the client IPs which will be allowed access!!!



  • 192.168.13.143/32, 192.168.13.1/22
    

    The first entry is inside the 2nd subnet. The 2nd subnet with "/22" actually goes from-to:
    192.168.12.0 - 192.168.15.255
    So this seems very odd.
    Like doktornotor says, if you really do not understand your subnets and what is needed, then leave the anti-lockout rule as it is. Put a good password on your pfSense admin account/s. Your guest users can have lots of fun trying to guess the password :)
    If you really want to proceed, then post your LAN subnet+mask, pfSense LAN IP and the IP addresses you want to allow to the webGUI, and we can help guide you.



  • Why is this so hard?  You just put pfsense web gui on a slightly off port and then you block access to the IP:port of the interface(s) where the GUI is.

    I don't know why people feel a need to do it very complicated ways?



  • @kejianshi:

    Why is this so hard?  You just put pfsense web gui on a slightly off port and then you block access to the IP:port of the interface(s) where the GUI is.

    I don't know why people feel a need to do it very complicated ways?

    Sir please don't be hard on me. I am just a new guy, so very interested, and have been appreciating pfsense and I want to learn it and from you Heroes. I may appear to be complicating the issue, maybe perhaps the way I present my issue is a bit odd to you, but I am trying to uncomplicate it so I need the forum.

    TO: phil.davis

    Sorry, I must have mistyped 22 instead of 24.

    LAN IP: 192.168.13.1/24
    Mask: 255.255.255.0

    I wish to access my WebGUI at  192.168.13.143

    (I wonder, is it possible to have my GUI accessed from an odd IP like 10.20.30.40? If not then it's ok, just want to know if it's possible :) )


  • Banned

    @onlineph:

    I wish to access my WebGUI at  192.168.13.143
    (I wonder, is it possible to have my GUI accessed from an odd IP like 10.20.30.40? If not then it's ok, just want to know if it's possible :) )

    OMG. Again. This is NOT how it works. This has absolutely NOTHING to do with the LAN antilockout rule. Leave it alone until you have fully understood the feature! You cannot protect your router by making its IP secret, ever. It's the default GW required to be visible and accessible from every computer that is supposed to have proper connectivity. You can limit the IP addresses of other computers that are allowed to access the WebGUI. That's all. No security by obscurity nonsense!



  • Ok, never mind. Thanks anyway.



  • I wish to access my WebGUI at  192.168.13.143

    I am hoping you mean:

    I wish to access my WebGUI from  192.168.13.143

    If that is correct, then (very carefully, only do each step when you understand it - there is no point doing this if you don't understand something, because it will make trouble for you):
    a) Make an alias for 192.168.132.143 - ManagementAccess
    b) Add a ports alias for 22 (SSH), 80 (HTTP) and 443 (HTTPS) - ManagementPorts
    c) Add a rule at the top of the LAN Firewall rules, pass source ManagementAccess, destination LAN Address, destination ports ManagementPorts.
    d) Make sure the new rule destination looks reasonably like the anti-lockout rule, and that you have access to the console for when it all goes wrong.
    e) Say a quick prayer and disable the anti-lockout rule.

    You should be able to get to the webGUI and SSH to pfSense from 192.168.13.143.
    Of course, a guest user on your LAN who guesses 192.168.13.143 can set their IP to that and get the webGUI login screen. So you still always want to use a secure password.
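    The two things this thread keeps tripping over are what a /22 actually covers (see the 192.168.12.0 - 192.168.15.255 range quoted earlier) and what a LAN rule set does once the anti-lockout rule is gone. The following is an added Python model, not pfSense code and not anything a poster wrote. It assumes first-match ("quick") rule evaluation, the stock "allow LAN net to any" rule that a default pfSense LAN carries, and an anti-lockout rule modelled as "pass any source to LAN Address on 22/80/443"; the alias and rule names mirror the ones used in the thread, and the host addresses are the constructed values the thread uses.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values from the thread: LAN 192.168.13.1/24, one admin workstation.
LAN_ADDRESS = ipaddress.ip_address("192.168.13.1")
LAN_NET = ipaddress.ip_network("192.168.13.0/24")

# Aliases modelled as plain Python collections (names mirror the thread).
ALIASES = {
    "ManagementAccess": [ipaddress.ip_network("192.168.13.143/32")],
    "ManagementPorts": {22, 80, 443},
}


def subnet_range(cidr: str):
    """Return (first, last) address of a CIDR as strings.

    strict=False masks off the host bits, which is what a firewall does with
    '192.168.13.1/22': the alias really means 192.168.12.0 - 192.168.15.255.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


@dataclass
class Rule:
    action: str   # "pass" or "block"
    source: str   # alias name, "LAN net" or "any"
    dest: str     # "LAN Address" or "any"
    ports: str    # alias name or "any"


def _src_matches(rule: Rule, src_ip) -> bool:
    if rule.source == "any":
        return True
    if rule.source == "LAN net":
        return src_ip in LAN_NET
    return any(src_ip in net for net in ALIASES[rule.source])


def _dst_matches(rule: Rule, dst_ip) -> bool:
    if rule.dest == "any":
        return True
    return rule.dest == "LAN Address" and dst_ip == LAN_ADDRESS


def _port_matches(rule: Rule, dport: int) -> bool:
    return rule.ports == "any" or dport in ALIASES[rule.ports]


def evaluate(rules, src: str, dst: str, dport: int) -> str:
    """First matching rule wins; with no match the firewall's default is deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (_src_matches(rule, src_ip) and _dst_matches(rule, dst_ip)
                and _port_matches(rule, dport)):
            return rule.action
    return "block"


# Modelled anti-lockout rule (assumption): any LAN client may reach the GUI ports.
ANTI_LOCKOUT = Rule("pass", "any", "LAN Address", "ManagementPorts")
# Step c) from the post above: only the admin host reaches the GUI/SSH ports.
ADMIN_PASS = Rule("pass", "ManagementAccess", "LAN Address", "ManagementPorts")
# Explicit block for everyone else, placed before the stock allow-all rule.
BLOCK_OTHERS = Rule("block", "any", "LAN Address", "ManagementPorts")
# Stock "Default allow LAN to any" rule (assumption that it is still present).
DEFAULT_ALLOW = Rule("pass", "LAN net", "any", "any")

WITH_ANTI_LOCKOUT = [ANTI_LOCKOUT, ADMIN_PASS, DEFAULT_ALLOW]
ADMIN_ONLY_NO_BLOCK = [ADMIN_PASS, DEFAULT_ALLOW]          # anti-lockout disabled, nothing else
HARDENED = [ADMIN_PASS, BLOCK_OTHERS, DEFAULT_ALLOW]       # admin pass, then block, then allow-all


if __name__ == "__main__":
    print("192.168.13.1/22 covers", subnet_range("192.168.13.1/22"))
    for name, rules in [("anti-lockout", WITH_ANTI_LOCKOUT),
                        ("admin pass only", ADMIN_ONLY_NO_BLOCK),
                        ("hardened", HARDENED)]:
        guest = evaluate(rules, "192.168.13.50", "192.168.13.1", 443)
        admin = evaluate(rules, "192.168.13.143", "192.168.13.1", 443)
        print(f"{name:16s} guest->GUI: {guest:5s} admin->GUI: {admin}")
```

Two things the model makes visible that the steps alone do not: with the anti-lockout rule disabled but only the pass rule added, the stock allow-all LAN rule still lets every LAN client reach the GUI, so an explicit block for other sources (or removal of the allow-all rule) is needed; and every decision is keyed purely on the source address, so a guest who sets their own host to 192.168.13.143, as the post warns, evaluates exactly like the admin, which is why the password remains the real control.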



  • @kejianshi:

    Why is this so hard?  You just put pfsense web gui on a slightly off port and then you block access to the IP:port of the interface(s) where the GUI is.

    I don't know why people feel a need to do it very complicated ways?

    Thanks I've found the simple way to do it.



  • What was the simple way?



  • Easy !
    Use the LAN interface non-connected - and use it as the 'administer' interface.
    All users/clients/visitors are hooked up to the second interface (OPT1).
    On this interface, assign an IP, block with a firewall rule all access to (IP-OF-OPT1):80 (and 443 if you use https to access your box) and done.

    I haven't even checked, but it might be that the GUI web server isn't even listening on the IP of OPT, so the rule isn't even needed.

    Rule of thumb: all non-trusted persons/devices/equipment shouldn't be on the LAN interface anyway.
    Another rule (mine): a pfSense box should always have 3 interfaces at least: WAN (logic) - LAN (needed) and a "sheep and wolves shelter" (the ones you work for).



  • @Gertjan:

    Easy !
    Use the LAN interface non-connected - and use it as the 'administer' interface.
    All users/clients/visitors are hooked up to the second interface (OPT1).
    On this interface, assign an IP, block with a firewall rule all access to (IP-OF-OPT1):80 (and 443 if you use https to access your box) and done.

    I haven't even checked, but it might be that the GUI web server isn't even listening on the IP of OPT, so the rule isn't even needed.

    Rule of thumb: all non-trusted persons/devices/equipment shouldn't be on the LAN interface anyway.
    Another rule (mine): a pfSense box should always have 3 interfaces at least: WAN (logic) - LAN (needed) and a "sheep and wolves shelter" (the ones you work for).

    Caution: the webConfigurator is accessible from every interface.



  • I don't know how you do it, accessing the webGUI on all interfaces, but I did try on my end and it can't be done. Anyway, I'm not techie enough to see those tricks, but I am now happy because I am now able to de-access my webGUI from the LAN IP while I alone am still able to access it. Maybe it's too risky, but I have not yet realized the risk.

    While I really appreciate all the suggestions and steps, and thumbs up for that, I just discovered this simple way for me.

