Stopping my pfSense router from showing my login page on the internet.
I have finally got my pfSense router fully working, but I have one problem: if I surf to my own ISP IP, I end up at the login page of my pfSense router. How can I stop the router from doing that?
I don't want to be able to access the router from the web.
Thanks in advance.
Are you testing "from outside"?
Or are you testing from the LAN side?
I'm testing from the outside.
Sounds like you are port forwarding your Admin port. Check Firewall > NAT.
You cannot access the webgui from the WAN by default - you must have created a rule that allows it. Just not possible by default.
What are your WAN rules? By default there are no allow rules - so it would not be possible to access your web gui.
So either you're not actually accessing it from the outside - or you have modified the rules. If you don't want access from outside - then don't modify the rules ;) to allow it.
I have followed some guides on how to get OpenVPN to work on this router. I have looked at the settings, but I'm not so good at this, so I honestly can't figure it out. One other spooky thing is that it's possible to run tracert to my VPN IP and it ends back at my ISP, and almost the same IP as I have.
I have looked at the NAT and the rules but I don't know what's wrong.
I think I really need some help here.
So what does openvpn have to do with your web gui being open to the public internet?
If you do not understand the rules - post them and we can take a look and explain them to you.
As to your traceroute question - at a loss as to what you're asking. Are you connecting to a VPN service, are you using pfSense OpenVPN server and connecting from a remote location? How are you using OpenVPN?
Sorry for that. I'm using StrongVPN for exchanging my real IP for another, but the whole idea falls apart when I can trace the "hidden" IP back to my own with tracert.
And I can also use my new "hidden IP" to get to the pfSense router. I have tried to kill rule by rule, and NAT by NAT, but with no success.
"but the whole idea falls apart when I can trace the "hidden" IP back to my own with tracert."
And where are you tracerouting to? So if using StrongVPN your IP to the internet would be a StrongVPN IP. How would you possibly be tracing this back to your client pfSense ISP IP? From your client? From where are you doing the trace - and from where are you seeing what your StrongVPN IP is to the internet? Are you going to say whatsmyip?
What rules are you killing, what NATs are you killing - out of the box there are NO rules, out of the box there are NO NATs!! So what have you created? It is impossible to help you without seeing your configuration. For all we know you created a WAN rule that says any any any to your pfSense WAN IP?
Or maybe you created a NAT on the port your GUI is listening on to your local pfSense IP?
OK, first of all, sorry for my shitty English.
I have now tried with another computer in another home, with a totally different ISP and IP than my own. When I type my real IP in the address field I end up at my pfSense router, and if I enter my virtual VPN IP (looks like 10.4.20.1) I also end up at my router, and when I enter the external IP that my VPN provider gives me I end up at my router. And if I use tracert on the computer in that other house I'm in, and enter the VPN IP from StrongVPN, I can trace it all the way back to my own real IP.
I have used this guide: http://swimminginthought.com/pfsense-routing-traffic-strongvpn-openvpn/#comment-1131
I have used the NAT and rules exactly as in this guide, and I end up like this.
I would really like to post a picture of my NATs and rules, but I don't know how to make a copy of the screen like the others that can be found on this forum.
Thank you for all your help.
10.x.x.x is a private IP and is not routable on the Internet so I don't know how you got your pfSense page. If you want any help you are going to have to go to your NAT page and take a screen capture (use something like Greenshot) and you will need to take a screen capture of your rules and post them. Anything short of this and we will just be spinning our wheels. Please post the screenshots or it will really be hard helping you.
"I would really like to post a picture of my NATs and rules, but I don't know how to make a copy of the screen like the others that can be found on this forum."
What OS are you using - on Windows 7 you can use the built-in snipping tool. And then attach it on the forum under attachments and other options. See attachments on finding the snipping tool and adding it to a forum post.
And then use the image share button – see next email. Or use the code they provide for putting your image into a forum post.
Or you can use one of the many many screenshot taking tools -- my personal favorite is http://www.faststone.org/FSCaptureDetail.htm but it's not free, but there is a free trial. Or do you have Dropbox? They have a way of sharing screen captures now with the simple print screen button on your keyboard. http://betanews.com/2013/09/29/dropbox-adds-screen-capture-sharing/
Really need to see some rules - but as stated it is IMPOSSIBLE for you to have gotten to a 10.x.x.x address across the internet. Since this is an RFC 1918 address and not routable - PERIOD!!
Happy to help -- just need some actual info to work with vs your misunderstanding of what is happening.
OK, now I finally got the snipping tool to work, and I was wrong: after a new look I noticed that the internal VPN IP (10.5.21.0, something like that) didn't work the second time. I was pretty tired when I noticed all of the problems.
So here we go.
I needed to set aliases to get the computers to be able to access the internet through the VPN; it wasn't possible to access the internet without it. I just want these computers to connect through the VPN; the rest of my computers don't need to go through the VPN.
So please explain how I should set up these NATs and rules for it to work.
I don't want to be able to access the router from the "outside", and I don't want to be able to track down my real IP from the StrongVPN IP, and I want to get the IPs in the aliases to go through the VPN.
![rules lan.JPG](/public/imported_attachments/1/rules lan.JPG)
![rules wan.JPG](/public/imported_attachments/1/rules wan.JPG)
You know what I don't see here? Your NAT rules…
So as to how you can access your web GUI from the outside.. You have a freaking any any any rule on your WAN interface – what the hell do you think is going to be allowed? ;)
From looking at those rules you seem to think they are outbound rules, I think? All rules in pfSense are inbound to the interface.
There should be NO rules on your WAN, other than the block bogon or private that are "inbound" rules to the interface. Unless you want to allow unsolicited traffic INBOUND to your pfSense. See my rules below. I have unchecked the block private and bogon -- was troubleshooting some stuff. Really need to put those back. Anyhoo, as you can see I allow ICMP to my WAN IP, and the rest are rules that match up to my NATs and OpenVPN connectivity to my box. I run OpenVPN both on TCP 443 and the default UDP port - since in some places UDP 1194 is not allowed outbound. But almost everywhere 443 is open outbound.
You need to read the rules as a packet's ingress to the interface, not egress. From top to bottom.
Remove that nonsense in your WAN - there should only be that bogon rule if you don't want any inbound traffic, and your access to your web GUI will be gone. As to your 10.x address -- again those are NOT routable on the internet, so not exactly sure what you're complaining about. We reread your posts to see if we can make heads or tails out of your issue.
btw -- why all the outbound manual NAT rules? Why can you not leave it as automatic? Looking at them to see what you're trying to accomplish other than more work for yourself.
And can you explain
"and I don't want to be able to track down my real IP from the StrongVPN IP, and I want to get the IPs in the aliases to go through the VPN."
How do you think you are doing that? Sorry, it's NOT possible; just the way VPNs work, it does not make any sense that you think you're seeing your pfSense end point somehow in tracing what exactly? If you trace the exit point from your VPN connection from the outside - how does it show you your pfSense IP? Now shit, if you trace it from your pfSense side you're going to go right through your pfSense -- since you have a tunnel going there ;)
OK, took a quick look at the guide you're running - and sorry, you did not follow it. You have all your outbound NATs turned OFF? And in your LAN rules you're allowing everything, and then you have an allow rule for your VPN connection? That is NOT how the guide says to do it. And you created aliases -- where are you using them in any rules?
Also just noticed you have 192.168.10 addresses in your aliases -- where are those supposed to hit pfSense? Is your pfSense LAN not on 192.168.1.0/24, so where do 192.168.10.x come in?
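Added example, not part of any poster's reply and not pfSense code: a simplified Python model of the evaluation described above (rules apply to traffic entering the interface, are read top to bottom, and anything unmatched is blocked), comparing a WAN tab that carries an any/any/any pass rule with one that only has the block-private rule. The addresses are documentation ranges, the GUI port of 443 is an assumption, and the rule labels are constructed.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    action: str          # "pass" or "block"
    src: list            # source networks the rule matches
    dst: object = ANY    # destination network
    port: object = None  # destination port; None means any
    label: str = ""

def first_match(rules, src, dst, port):
    """Walk the interface's rules top to bottom for traffic entering it.
    The first matching rule decides; with no match the packet is blocked."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if any(s in n for n in r.src) and d in r.dst and r.port in (None, port):
            return r.action, r.label
    return "block", "default deny"

# Constructed sample values (assumptions, not taken from the thread).
WAN_IP, GUI_PORT, OUTSIDE = "203.0.113.10", 443, "198.51.100.7"

block_private = Rule("block", RFC1918, label="block private networks")
wan_any_any = [block_private, Rule("pass", [ANY], label="any any any")]
wan_cleaned = [block_private]

def gui_reachable(rules, src=OUTSIDE):
    """Decision for a connection from src to the web GUI on the WAN address."""
    return first_match(rules, src, WAN_IP, GUI_PORT)

if __name__ == "__main__":
    for name, rules in (("any/any/any", wan_any_any), ("cleaned", wan_cleaned)):
        print(name, "->", gui_reachable(rules))
    print("10.x source on WAN ->", gui_reachable(wan_any_any, "10.8.0.6"))
```

The model ignores protocol, NAT and existing states, so it only shows why a broad pass rule on WAN is enough on its own to expose the GUI.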
Well, as I said, I'm a total newbie at this, and I followed that guide on how to install OpenVPN and open ports and stuff, so I guess that the guide wasn't that good.
I have deleted all the WAN rules, and I can still reach my web interface from the outside, and I can still trace my VPN IP back to my real IP.
I have tried to read as much as I can about NAT and rules but I don't really understand it.
Is there anything else that I need to delete from my NATs and rules?
Really appreciate your help.
"I have deleted all the WAN rules, and I can still reach my web interface from the outside, and I can still trace my VPN IP back to my real IP."
I say BS, sorry – did you clear your states once you deleted the rules -- let's see your WAN rules! And this time your NAT rules.
"and I can still trace my VPN IP back to my real IP."
Explain what you're doing? PM me if you don't want to post public IPs. Where are you getting your VPN IP from exactly? And where are you tracing to that? How do you think you can see your pfSense IP in that?
So here is an example.. I connect my box to my host in the UK via VPN.. see my public IP since my traffic flows through the VPN tunnel to get to the internet -- see my public IP via whatsmyip.org
Now see 2nd post when I am not connected to vpn - my box does not get a 10.x address which is MY end of the tunnel and a NON routable address on the internet.. When I am not connected I only have my normal 192.168 address on pfsense -- see how my public IP changed to be comcast IP - my normal ISP vs the network of my exit point of the vpn connection.
So please explain to me how you're tracing to your normal ISP connection via the IP address of your VPN connection to the public internet?
My first problem was that my computers didn't go through the VPN, they just went through my ISP IP, so I read that it was possible to add aliases to get some of the computers to go through the VPN, and that worked.
But the other problem I encountered was that if I shut down the VPN, then the alias-assigned computers suddenly got a connection with my "real" IP, and I don't want that. I want the internet connection to stay down for these computers until the VPN connects again, so I read that if I block these computers in the WAN rules, they won't get any connection except through the VPN, and that also worked.
When I started with this pfSense thing I had even more problems than I have now, so I bought a preconfigured backup file from the maker of the guide that I posted. That's where the 192.168.10… comes from; I haven't deleted them.
And as I was saying, I am really not good at these things, so sorry if I seem stupid :-[
So what I really want from this pfSense is:
connect some computers/IPs through the VPN, and when/if the VPN disconnects these computers lose the internet, rather than connecting with my "real" IP,
and of course a very secure firewall, with no web access.
And are you going to post up your new WAN rules? Sorry, if the WAN rules do not allow it, then the webgui is not available via the internet, if the internet is actually connected via your WAN interface.
See my example of tracing to your ISP via a VPN IP address – please explain what you think you're doing exactly. Because it's not possible, what you're saying.
From your rules you have NOTHING that points to your aliases at all. Be it his or yours. They are not used in any of the WAN or LAN or even StrongVPN interfaces. So how do you think they come into play?
Can you post up your interfaces so we can see what IPs you're on? Anything that starts with 10.x.x.x, 192.168.x.x, 172.16-31.x.x or 169.254 is NOT routable on the public net and can freely be shown. See mine. If it starts with something else then sure, hide the last couple of octets.
Well that looks right – you have a public on your wan and then private on lan.. So 213.64 is
inetnum: 18.104.22.168 - 22.214.171.124
So what is your VPN IP? That 10.8.0 you see is PRIVATE RFC 1918 addressing -- that is not traceable or routable on the public net.