How to block config page over WAN!!! BIGGG issue!!
-
Hello Guys!
I have pfsense over soekris it's running version 2.1.5 of pfsense.
I have 2 internal network and 2 wans…they are many rules and VPN ... one of the biggest issue that I have is that with the PUBLIC IP I can reach the pfsense webpage..
not only with 1 ip.. I have like 5 public ip and all of them reach the pfsense http..
I already try to block ... on rules.. over internet.. over WAN... but still I can see the page..
IDEAS??
this should be really easy to solve.. any cisco router do not allow you to access the webconfig over internet..
Please help!!thanks!
-
You most likely have a WAN rule that allows it since this is not the default behaviour for pfSense.
-
Explicitly allow inside only, rule on top of list after blocks or rejects:
IPv4 TCP LAN net * This Firewall 80 * none
-
Nothing is allowed in via WAN by default. Either you added pass rule(s) on WAN that are allowing it, or you're actually trying it from LAN (where it's being passed by your LAN rule) and it's not actually open from the Internet.
-
And how about you post up your rules from your wan interfaces and lan interfaces.. So you say once you vpn you can access the wan IPs? Or I can from say the public IP you give me via PM?
Post up your rules, wan(s), floating and lans, etc..
-
On all of your inside interfaces (including VPN) you need to:
reject tcp source any dest WAN address port 22,80,443
(or whatever you have ssh and webconfigurator listening on.)
If you are not explicitly blocking from one LAN to another you need to block the same to those interface addresses as well.
For example, on LAN:
reject tcp source any dest OPT1 address port 22,80,443
Or make an alias with all your interface addresses in it and block to that.
This is a lot easier on 2.2 with a destination of This firewall (self) being available.
-
Hello All
thanks for your help!!
I am at home now and I can access the pfsense from here (I am NOT connected to VPN or nothing similar) so… there is and allowing rule.
I create a rule over "internet"
reject tcp source any dest OPT1 "public IP" port HTTP.
but Didn't work... I don't know if because the rule is at the bottom or is because the rule should be on "Wan" instead than on internet? or should go over LAN??most of the rules are over "internet" tab..
THanks all for your comments... I am still REALLY NEW with pfSense!!
-
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
-
Just post up a screen shot of your rules if you want any help… I can understand why dok gets so passionate... Talk about frustration, it would take you all of 2 freaking seconds to post up your rules..
Here are mine -- is it really that hard??
-
Hi Guys!
There some of my configuration..
as you can see
source * port * destination WAN ´port 80 *all ips …
but I AM STILL able to access thru the pfsense over internet...
(using on of the Wan IP)what I am doing wrong??
-
as you can see
source * port * destination WAN ´port 80 *all ips …That's not what I can see there. You told us you "have like 5 public ip" and are "blocking" access to one. Plus, in a wrong way. That is a NAT rule. Really no idea what are you doing there (just disable the NAT altogether if you don't want it), plus what does "thru the pfsense over internet" mean??? Move your management GUI outta 80/443 if you have webservers behind NAT!
And what's INTERNET? WAN? LAN? God knows? You told us you have two WANS, yet I can see 3. What are the rules on the remaining WANs?
You know what?
- Produce a network diagram.
- Post screenshot of rules for ALL your WANs.
-
Why would you have dest of wan_metrotel, but not on the wan_metrotel interface?
With dok here - lets see a drawing, even if picture with a phone on something you scratched out on napkin. And then screenshots of all your interface rules. And the status of your interfaces wouldn't hurt either. So we can see what IP schemes your running on each of your interfaces.
-
some comments..
first when I get to the company the rules was already in place.. this is my first time with pfsense :P …as I mention I have no idea about it..
I am a Certified WINDOWS guy not a CCNA :( unfortunately for me...we have here.. is
4 nics..
2 are for WAN, metrotel and IPLAN.
2 are for LAN 2 differnet segment than can see each other..regarding of 5 public IP, well over the interfaces metrol and iplan I have only 2 ips ... but over "Virtual IPs I have like 15 ip" example:
123.115.232.147/32 WAN_METROTEL ip alias METROTEL - IP - 123.115.232.147
edit delete
223.222.156.130/32 WAN_IPLAN ip alias IPLAN - IP - 223.222.156.130
edit delete
223.222.156.131/32 WAN_IPLAN ip alias IPLAN - IP - 223.222.156.131
edit delete
223.222.156.132/32 WAN_IPLAN ip alias IPLAN - IP - 223.22.156.132(those are not the real ip)
the case is that from ANY of those IP I can reach the pfsense OUTSIDE the company..
I also tested this (Screenshot)
and It didn't work..
-
Dude. Is "INTERNET" an interface group? That takes priority before individual interface rules. Please, do not use features you don't fully understand. Also, it makes no sense when used in this way. You'd use it as shortcut for the rules that are supposed to be identical on all interfaces in the group. Otherwise, you can just bringing a huge mess into things, confusing yourself and shooting yourself in the foot. Plus, WTH is that "allow all" rule on the WAN_METROTEL??? :o ???
but over "Virtual IPs I have like 15 ip" …. the case is that from ANY of those IP I can reach the pfsense OUTSIDE the company..
You make absolutely ZERO sense. From?! Those are on your pfSense WAN, right? Not OUTSIDE. Where are you "reaching"?!
Let me say this again: Produce a network diagram. Draw it on a piece of paper. Then re-read what you've posted and see how it just makes totally NO sense.
-
…as I mention I have no idea about it..
...State your hardware, draw a logistical network diagram. Write an operational specification for the flows. Prepare to rewrite the pfSense config.
Meanwhile temporary you have to block all WAN's ingress to (22,80,443) or do at least [System: Advanced: Admin Access (TCP port)] not on 80 or 443 as doktornotor said already.
