Allowing selected IP or System to access pfSense via WAN



  • Hello Forum,
    I have set up a pfSense where access to the WebUI via WAN is not allowed from any system. But if any problem occurs, then as an admin I should be able to access the pfSense WebUI from only my system, or you can say a particular IP-configured system. So is it possible to provide privileged access via WAN only to that IP address or that system? If yes, then how to configure it?



  • First thing that comes to my mind:
    Port forwarding, putting as source the IP you are connecting from and letting pfSense make the associated firewall rule. By default, WAN firewall rules are deny all.



  • @Wolf666:

    First thing that comes to my mind:
    Port forwarding, putting as source the IP you are connecting from and letting pfSense make the associated firewall rule. By default, WAN firewall rules are deny all.

    Okay here is what I think you are trying to say
    In NAT rules I need to select interface as WAN
    Protocol as TCP
    Source Address port range: any
    Destination "NOT" WAN address
    Destination port range: any
    Redirect IP address: ??  Getting Confused here  :-
    Redirect port: ??  :-\

    Kindly correct me where I am going wrong



  • When you are setting up port forwarding for that NAT rule, do everything as usual EXCEPT:

    You see the source field?  Click the "advanced" button.  Then select single host or alias as type.  Then enter the IP of the remote machine you wish to have access to your pfSense.



  • @kejianshi:

    When you are setting up port forwarding for that NAT rule, do everything as usual EXCEPT:

    You see the source field?  Click the "advanced" button.  Then select single host or alias as type.  Then enter the IP of the remote machine you wish to have access to your pfSense.

    Okay then what IP do I need to enter in "Redirect IP" option?



  • The local private IP of the machine you are trying to allow access to.



  • @kejianshi:

    The local private IP of the machine you are trying to allow access to.

    Means  IP of pfSense WEBGUI access.



  • Sorry for the late reply.
    The above method is working fine. One more doubt or you can say just curious to know whether the Source IP and MAC can be bound to access web GUI?



  • Truthfully it's as easy as making a WAN rule.  No port forwarding needed.

    To do it with just a WAN rule, create a WAN rule with your public IP as the source (any port) and your WAN Address (whatever port your firewall GUI answers to) as the destination.

    But you're really better off security-wise creating a VPN from your (home?) connection to your office network behind your firewall.




  • @networkinggeek:

    One more doubt or you can say just curious to know whether the Source IP and MAC can be bound to access web GUI?

    Well, you need to specify the source IP address (WAN address if behind NAT) in the rule to whatever you have at the location you intend to do the remote management from. Not doing that would totally compromise the security of your firewall.

    The only proper way to do remote management though is to set up a VPN. It is available in pfSense so why not make use of it?

    MAC-addressing filtering isn't possible in a routed (internet) environment.
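The WAN rule described in this thread only protects the GUI while its source stays a single address. The following is an added example (not from any poster and not pfSense's own code) that audits an exported configuration for WAN pass rules reaching the GUI port from more than one host; the XML element names, the sample rules and the function names are assumptions about the config.xml layout, constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample; element names are an assumption about the config.xml layout.
SAMPLE_CONFIG = """<pfsense><filter>
<rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
  <source><address>203.0.113.10</address></source>
  <destination><network>wanip</network><port>443</port></destination>
  <descr>admin GUI from office</descr></rule>
<rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
  <source><any/></source>
  <destination><network>wanip</network><port>80-443</port></destination>
  <descr>temporary GUI access</descr></rule>
<rule><type>pass</type><interface>lan</interface>
  <source><network>lan</network></source><destination><any/></destination>
  <descr>default LAN allow</descr></rule>
</filter></pfsense>"""

def port_matches(spec, port):
    """True if a rule's port field (empty, 'N' or 'N-M') covers `port`."""
    if not spec:
        return True  # no port given means every port
    try:
        lo, _, hi = spec.partition("-")
        return int(lo) <= port <= int(hi or lo)
    except ValueError:
        return True  # non-numeric (e.g. an alias): cannot resolve, so review it

def source_is_single_host(src):
    """True only when the source is one IP address (bare, /32 or /128)."""
    addr = src.findtext("address") if src is not None else None
    if not addr:
        return False  # 'any', interface networks or a missing source
    try:
        return ipaddress.ip_network(addr, strict=False).num_addresses == 1
    except ValueError:
        return False  # alias or hostname: not provably a single host

def audit_gui_exposure(config_xml, gui_port=443):
    """Describe enabled WAN pass rules that reach gui_port from more than one host."""
    findings = []
    for rule in ET.fromstring(config_xml).iterfind("./filter/rule"):
        wan_pass = rule.findtext("type") == "pass" and rule.findtext("interface") == "wan"
        if not wan_pass or rule.find("disabled") is not None:
            continue
        if (port_matches(rule.findtext("destination/port"), gui_port)
                and not source_is_single_host(rule.find("source"))):
            findings.append(rule.findtext("descr") or "(no description)")
    return findings
```

Rules whose source or port is an alias are reported rather than trusted, since the alias contents are not resolved here.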



  • @P3R:

    @networkinggeek:

    One more doubt or you can say just curious to know whether the Source IP and MAC can be bound to access web GUI?

    Well, you need to specify the source IP address (WAN address if behind NAT) in the rule to whatever you have at the location you intend to do the remote management from. Not doing that would totally compromise the security of your firewall.

    The only proper way to do remote management though is to set up a VPN. It is available in pfSense so why not make use of it?

    MAC-addressing filtering isn't possible in a routed (internet) environment.

    Well, thank you for the idea about VPN, and I will try to set it up.
    The VPN concept brought me to ask you another question.
    I have set some filtering rules, like blocking social networking sites for the clients, in pfSense.
    The client has to go through the proxy and all the filtering rules are applied. What if a client connects to a different VPN server and bypasses the firewall?



  • @networkinggeek:

    The VPN concept brought me to ask you another question.
    I have set some filtering rules, like blocking social networking sites for the clients, in pfSense.
    The client has to go through the proxy and all the filtering rules are applied. What if a client connects to a different VPN server and bypasses the firewall?

    That shouldn't be an issue at all when solving the topic of this thread.

    If your question is in general if VPN can be used to bypass filtering the answer is yes. You as the administrator need to prevent that if necessary.