Netgate Discussion Forum

    OpenVPN allows webConfigurator

Category: OpenVPN
12 Posts, 5 Posters, 2.0k Views
iampowerslave

Hi. New to this, wanted to solve another topic before entering more and more into the depths of rule mastering.

I like that I can enter the webConfigurator from home using OpenVPN. The strange thing is

I have added a LAN rule to

IPv4 TCP ManagementAccess * This Firewall ManagementPorts * none

And then went to System->Advanced and checked "Disable webConfigurator anti-lockout rule"

ManagementAccess only allows two IPs from the LAN to enter the webConfigurator, but I'm connected from home using OpenVPN (all default) and I can access and log in to the webConfigurator.

Is that right?

Extending the question. When I create a VPN of any type, shouldn't it add a new Interface with its own rules? Or does everything that happens on the openvs1 act as a local firewall address? (like firewall IP)

Thanks in advance.
doktornotor (Banned)

OpenVPN firewall rules go to OpenVPN tab, not LAN.
iampowerslave

Yes… they are there... I haven't seen them before. How could I... they have magically appeared after I read your message...

:-[
divsys

Typically you just add a rule under OpenVPN that allows all OpenVPN traffic and you're done.

After that you can just open the WebGUI across the tunnel by its IP address just as if you were physically connected to its LAN network.

No extra rules needed.

-jfp
iampowerslave

This is strange, in fact I can enter the webConfigurator from ANY host in the LAN…

I assume the first rule below, which appeared by default, is the one that allows that.

The rule above it is the one that I added when I removed the anti-lockout rule.

(see attachment)

I need to understand how this works... and I'll be abusing the forum for a while... in the good way.

[Attachment: Capture.PNG]
johnpoz (LAYER 8 Global Moderator)

That rule is completely pointless because you have a rule below it that allows any any, which includes the stuff you have in your rule. There is nothing blocking traffic for stuff that is not your management access.

If you want it to be of any good you need a rule below that says hey, if you're going to the firewall management ports - block. So if you're in the management access alias your rule would allow. But if you're not in that alias then the next block rule would trigger if you're going to pfSense management ports. If you were going anywhere else then the allow any any rule would allow you.

Or you could do it with 1 rule by using ! management access, block

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
iampowerslave

This is taking me to a much prior stage of firewall configuration.

It is supposed that the first rule to rule them all is "Everything is blocked" (which is implicit and not shown) but then, the Firewall for each new interface creates this rule allowing everything.

Should I consider removing it?
doktornotor (Banned)

@iampowerslave:

    It is supposed that the first rule to rule them all is "Everything is blocked" (which is implicit and not shown)

No, that's the LAST one. Please, read some docs on the wiki.

https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
iampowerslave

Yes sorry… the one on the "bottom" would be the right term maybe. I was saying it as "the first rule that exists"
johnpoz (LAYER 8 Global Moderator)

Only the first LAN interface creates an any any rule by default. When you add more interfaces opt1, 2, 3 etc.. there are no rules other than the default deny rule.

Rules are evaluated top down, traffic into that interface. First rule wins.

So while yes your rule would allow the traffic you want, the rule below it also allows it since it's an any any. So your top rule is meaningless.

So while your rule would not trigger if I was not in your management access alias going to pfSense management port, the next one would fire and let me in.

So would never get to the default deny.

So you need to put in a block below that rule for anyone going to your management ports that would trigger before the any any. Or you need to rewrite your rule to block people that are not in your management alias. Again first rule wins, rules below that are not looked at once a rule matches criteria and either allows or blocks.
iampowerslave

That's OK. Really clear and most of what I knew from other firewalls.

Now that I'm trying to make things tighter should I kill the any any default rule?

Not talking about the Web config anymore.

But as rule management. I should start a new thread I guess in the right sub forum.
Derelict (LAYER 8 Netgate)

Generally, on interface rules that are evaluated top down - first match wins, if you want to limit what the users can do you go from most specific to least specific:

Pass what your users need to access - DNS to DNS servers, pings to gateway for troubleshooting/comfort, etc.
Block what you do not want your users to access - DMZ to LAN or other local networks, webConfig (don't forget WAN address or This firewall (self)), etc.
Pass everything else - (the internet)

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
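The first-match evaluation johnpoz describes (rule list walked top down, implicit deny at the bottom, the any-any rule making the management allow pointless) and the most-specific-to-least-specific ordering Derelict recommends, as an added example in Python. This is not pfSense code and not anything posted in the thread; the alias contents, the LAN and OpenVPN tunnel addresses, the probe packets and the function names are all constructed for the illustration. It goes a little beyond the thread in two ways: `redundant_rules` mechanically finds a rule whose removal changes no verdict, which is the test that exposes the "pointless" rule, and `verdict` keeps one rule list per interface tab, so an OpenVPN client is judged only by the OpenVPN tab's allow-all rule and never by the LAN list, which is why the original poster could reach the webConfigurator over the tunnel regardless of the LAN rules.

```python
"""First-match firewall rule evaluation modelled on the thread's description.
Added example, not pfSense code; aliases, addresses and probes are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed aliases standing in for the thread's ManagementAccess / ManagementPorts
# and the built-in "This Firewall" (self) target: LAN and OpenVPN server addresses.
ALIASES = {
    "ManagementAccess": ["192.168.1.10/32", "192.168.1.20/32"],
    "ManagementPorts": [443, 22],
    "This Firewall": ["192.168.1.1/32", "10.0.8.1/32"],
}


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    src: str      # alias name, CIDR, or "any"; a leading "!" inverts the match
    dst: str
    dport: str    # alias name, port number as text, or "any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    iface: str = "LAN"   # which tab's rule list applies (LAN, OpenVPN, ...)


def _match_addr(spec, addr):
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = spec == "any" or any(ip_address(addr) in ip_network(n) for n in ALIASES.get(spec, [spec]))
    return hit != negate


def _match_port(spec, port):
    if spec == "any":
        return True
    return port in (ALIASES[spec] if spec in ALIASES else [int(spec)])


def evaluate(rules, pkt):
    """Walk the list top down; return (action, index) of the first match,
    or ("block", None) for the implicit default deny at the bottom."""
    for i, r in enumerate(rules):
        if _match_addr(r.src, pkt.src) and _match_addr(r.dst, pkt.dst) and _match_port(r.dport, pkt.dport):
            return r.action, i
    return "block", None


def verdict(rulesets, pkt):
    """Rules live per interface tab: a packet arriving on OpenVPN never sees the LAN list."""
    return evaluate(rulesets.get(pkt.iface, []), pkt)


def redundant_rules(rules, probes):
    """Indexes of rules whose removal changes no probe's verdict: the thread's 'pointless' rule."""
    return [i for i in range(len(rules))
            if all(evaluate(rules, p)[0] == evaluate(rules[:i] + rules[i + 1:], p)[0] for p in probes)]


MGMT_ALLOW = Rule("pass", "ManagementAccess", "This Firewall", "ManagementPorts")
ANY_ANY = Rule("pass", "any", "any", "any")

# LAN list as posted: the management allow sits above the default any-any.
SHADOWED = [MGMT_ALLOW, ANY_ANY]
# Fix 1 from the thread: an explicit block for the management ports between the two.
WITH_BLOCK = [MGMT_ALLOW, Rule("block", "any", "This Firewall", "ManagementPorts"), ANY_ANY]
# Fix 2 from the thread: a single block rule with the source alias inverted.
WITH_NEGATION = [Rule("block", "!ManagementAccess", "This Firewall", "ManagementPorts"), ANY_ANY]

# Per-tab lists; the OpenVPN tab carries the usual "allow all OpenVPN traffic" rule.
RULESETS = {"LAN": WITH_BLOCK, "OpenVPN": [ANY_ANY]}

# Constructed probes: an admin host, another LAN host, a LAN host browsing, a VPN client.
ADMIN = Packet("192.168.1.10", "192.168.1.1", 443)
OTHER = Packet("192.168.1.77", "192.168.1.1", 443)
WEB = Packet("192.168.1.77", "203.0.113.9", 443)
VPN_CLIENT = Packet("10.0.8.6", "10.0.8.1", 443, iface="OpenVPN")
PROBES = [ADMIN, OTHER, WEB]

if __name__ == "__main__":
    for name, rules in (("as posted", SHADOWED), ("with block", WITH_BLOCK), ("inverted", WITH_NEGATION)):
        print(name, [evaluate(rules, p) for p in PROBES], "redundant:", redundant_rules(rules, PROBES))
    print("vpn client", verdict(RULESETS, VPN_CLIENT))
```

Running the file prints the verdict for each probe under the three LAN variants: as posted, rule 0 is reported redundant and the non-admin host reaches the management ports through the any-any; with either fix, the admin host passes, the other host is blocked, and plain web browsing still passes, with no rule left redundant.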