Netgate Discussion Forum

    Allowing selected IP or System to access pfSense via WAN

      networkinggeek

      Hello Forum,
      I have set up a pfSense where access to the WebUI via WAN is not allowed from any system. But if any problem occurs, then as an admin I should be able to access the pfSense WebUI from only my system, or you can say a particular IP-configured system. So is it possible to provide privileged access via WAN only to that IP address or that system? If yes, then how to configure it?

      "Mastery isn't a natural gift. It's a daily devotion"

        Wolf666

        First thing that comes to my mind:
        Port Forwarding, putting as source the IP you are connecting from and letting pfSense make the associated firewall rule. By default WAN firewall rules are deny all.

        Modem Draytek Vigor 130
        pfSense 2.4 Supermicro A1SRi-2558 - 8GB ECC RAM - Intel S3500 SSD 80GB - M350 Case
        Switch Cisco SG350-10
        AP Netgear R7000 (Stock FW)
        HTPC Intel NUC5i3RYH
        NAS Synology DS1515+
        NAS Synology DS213+

          networkinggeek

          @Wolf666:

          First thing that comes to my mind:
          Port Forwarding, putting as source the IP you are connecting from and letting pfSense make the associated firewall rule. By default WAN firewall rules are deny all.

          Okay, here is what I think you are trying to say:
          In NAT rules I need to select interface as WAN
          Protocol as TCP
          Source Address port range: any
          Destination "NOT" WAN address
          Destination port range: any
          Redirect IP address: ??  Getting Confused here  :-
          Redirect port: ??  :-\

          Kindly correct me where I am going wrong

            kejianshi

            When you are setting up port forwarding for that NAT rule, do everything as usual EXCEPT:

            You see the source field? Click the "advanced" button. Then select single host or alias as type. Then enter the IP of the remote machine you wish to have access to your pfSense.

              networkinggeek

              @kejianshi:

              When you are setting up port forwarding for that NAT rule, do everything as usual EXCEPT:

              You see the source field? Click the "advanced" button. Then select single host or alias as type. Then enter the IP of the remote machine you wish to have access to your pfSense.

              Okay then what IP do I need to enter in "Redirect IP" option?

                kejianshi

                The local private IP of the machine you are trying to allow access to.

                  Wolf666

                  @kejianshi:

                  The local private IP of the machine you are trying to allow access to.

                  Means IP of pfSense WEBGUI access.

                    networkinggeek

                    Sorry for the late reply.
                    The above method is working fine. One more doubt or you can say just curious to know whether the Source IP and MAC can be bound to access web GUI?

                      chpalmer

                      Truthfully it's as easy as making a WAN rule. No port forwarding needed.

                      To do it with just a WAN rule: create a WAN rule with your public IP as the source (any port) and your WAN Address (whatever port your firewall GUI answers to) as the destination.

                      But you're really better off security-wise creating a VPN from your (home?) connection to your office network behind your firewall.

                      Triggering snowflakes one by one..
                      Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                        P3R

                        @networkinggeek:

                        One more doubt or you can say just curious to know whether the Source IP and MAC can be bound to access web GUI?

                        Well, you need to specify the source IP address (WAN-address if behind NAT) in the rule to whatever you have at the location you intend to do the remote management from. Not doing that would totally compromise the security of your firewall.

                        The only proper way to do remote management though is to set up a VPN. It is available in pfSense so why not make use of it?

                        MAC address filtering isn't possible in a routed (internet) environment.

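An added example, not part of any post in this thread: a check for the condition described in the post above, a WAN pass rule to the web GUI port whose source is not pinned to one address. The XML layout is an assumption modelled on a pfSense config.xml backup; the sample rules, the addresses, the function name `audit_wan_gui_rules` and GUI port 443 are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, laid out like the <filter> section of a pfSense
# config.xml backup (assumed layout; addresses are documentation ranges).
SAMPLE_CONFIG = """<pfsense><filter>
<rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
  <source><address>203.0.113.10</address></source>
  <destination><network>wanip</network><port>443</port></destination>
  <descr>GUI from admin IP</descr></rule>
<rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
  <source><any/></source>
  <destination><network>wanip</network><port>443</port></destination>
  <descr>GUI from anywhere</descr></rule>
<rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
  <source><address>198.51.100.0/24</address></source>
  <destination><network>wanip</network><port>443</port></destination>
  <descr>GUI from a whole /24</descr></rule>
<rule><type>pass</type><interface>lan</interface><protocol>tcp</protocol>
  <source><any/></source>
  <destination><network>lanip</network><port>443</port></destination>
  <descr>GUI from LAN</descr></rule>
</filter></pfsense>"""

def audit_wan_gui_rules(config_xml, gui_port="443"):
    """Flag WAN pass rules to gui_port whose source is not one fixed IP."""
    findings = []
    for rule in ET.fromstring(config_xml).iterfind("./filter/rule"):
        if (rule.findtext("type") != "pass"
                or rule.findtext("interface") != "wan"
                or rule.findtext("destination/port") != gui_port):
            continue  # not a WAN pass rule for the GUI port
        descr = rule.findtext("descr", default="(no description)")
        addr = rule.findtext("source/address")
        if addr is None:  # <any/> or a <network> macro instead of an address
            findings.append((descr, "source is not a fixed address"))
            continue
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:  # not an IP literal, so treat it as an alias name
            findings.append((descr, f"source {addr} is an alias, check members"))
            continue
        if net.num_addresses > 1:
            findings.append((descr, f"source {net} covers {net.num_addresses} addresses"))
    return findings

if __name__ == "__main__":
    for descr, reason in audit_wan_gui_rules(SAMPLE_CONFIG):
        print(f"{descr}: {reason}")
```

On the sample, the rule limited to the single admin address and the LAN rule pass the check; the "any" source and the /24 source are reported.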
                          networkinggeek

                          @P3R:

                          @networkinggeek:

                          One more doubt or you can say just curious to know whether the Source IP and MAC can be bound to access web GUI?

                          Well, you need to specify the source IP address (WAN-address if behind NAT) in the rule to whatever you have at the location you intend to do the remote management from. Not doing that would totally compromise the security of your firewall.

                          The only proper way to do remote management though is to set up a VPN. It is available in pfSense so why not make use of it?

                          MAC address filtering isn't possible in a routed (internet) environment.

                          Well, thank you for the idea about VPN and I will try to set it up.
                          The VPN concept brought me to ask you another question.
                          I have set some filtering rules like blocking social networking sites for the clients in pfSense.
                          The client has to go through the proxy and all the filtering rules are applied. What if a client connects to a different VPN server and bypasses the firewall?

                            P3R

                            @networkinggeek:

                            The VPN concept brought me to ask you another question.
                            I have set some filtering rules like blocking social networking sites for the clients in pfSense.
                            The client has to go through the proxy and all the filtering rules are applied. What if a client connects to a different VPN server and bypasses the firewall?

                            That shouldn't be an issue at all when solving the topic of this thread.

                            If your question is in general if VPN can be used to bypass filtering, the answer is yes. You as the administrator need to prevent that if necessary.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.