Netgate Discussion Forum
    How to block config page over WAN!!! BIGGG issue!!

General pfSense Questions
    15 Posts 7 Posters 2.7k Views
kiyu

Hello Guys!

I have pfSense on a Soekris; it's running version 2.1.5 of pfSense.
I have 2 internal networks and 2 WANs...

There are many rules and VPNs... One of the biggest issues I have is that with the PUBLIC IP I can reach the pfSense web page..

Not only with 1 IP... I have like 5 public IPs and all of them reach the pfSense HTTP..

I already tried to block it... with rules... over Internet... over WAN... but I can still see the page..

IDEAS??

This should be really easy to solve.. any Cisco router does not allow you to access the web config over the Internet..
Please help!!

Thanks!

KOM

        You most likely have a WAN rule that allows it since this is not the default behaviour for pfSense.

hda

Explicitly allow inside only; the rule goes at the top of the list, after any blocks or rejects:

          IPv4 TCP LAN net * This Firewall 80 * none

cmb

            Nothing is allowed in via WAN by default. Either you added pass rule(s) on WAN that are allowing it, or you're actually trying it from LAN (where it's being passed by your LAN rule) and it's not actually open from the Internet.

johnpoz LAYER 8 Global Moderator

And how about you post your rules from your WAN interfaces and LAN interfaces.. So you say once you VPN in you can access the WAN IPs? Or can I, from, say, the public IP you give me via PM?

Post your rules: WAN(s), floating, LANs, etc..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

Derelict LAYER 8 Netgate

                On all of your inside interfaces (including VPN) you need to:

                reject tcp source any dest WAN address port 22,80,443

                (or whatever you have ssh and webconfigurator listening on.)

If you are not explicitly blocking from one LAN to another, you need to block the same to those interface addresses as well.

                For example, on LAN:

                reject tcp source any dest OPT1 address port 22,80,443

                Or make an alias with all your interface addresses in it and block to that.

                This is a lot easier on 2.2 with a destination of This firewall (self) being available.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

kiyu

Hello All,

Thanks for your help!!

I am at home now and I can access the pfSense from here (I am NOT connected to VPN or anything similar), so... there is an allow rule.

I created a rule on "internet":

reject tcp source any dest OPT1 "public IP" port HTTP

but it didn't work... I don't know if it's because the rule is at the bottom, or because the rule should be on "WAN" instead of on "internet"? Or should it go on LAN??

Most of the rules are on the "internet" tab..

Thanks all for your comments... I am still REALLY NEW to pfSense!!

Derelict LAYER 8 Netgate

                    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting


johnpoz LAYER 8 Global Moderator

Just post a screenshot of your rules if you want any help... I can understand why dok gets so passionate... Talk about frustration; it would take you all of 2 freaking seconds to post your rules..

Here are mine -- is it really that hard??

[screenshot: fwrules.png]


kiyu

Hi Guys!

Here is some of my configuration..

As you can see:
source * port * destination WAN port 80 * all IPs...
but I AM STILL able to access the pfSense over the Internet...
(using one of the WAN IPs)

What am I doing wrong??

[screenshot: rules.png]

doktornotor Banned

@kiyu:

as you can see
source * port * destination WAN port 80 * all IPs...

That's not what I can see there. You told us you "have like 5 public ip" and are "blocking" access to one. Plus, in a wrong way. That is a NAT rule. Really no idea what you are doing there (just disable the NAT altogether if you don't want it), plus what does "thru the pfsense over internet" mean??? Move your management GUI off 80/443 if you have web servers behind NAT!

And what's INTERNET? WAN? LAN? God knows? You told us you have two WANs, yet I can see 3. What are the rules on the remaining WANs?

You know what?

• Produce a network diagram.
• Post screenshots of the rules for ALL your WANs.
johnpoz LAYER 8 Global Moderator

Why would you have a dest of wan_metrotel, but not on the wan_metrotel interface?

With dok here - let's see a drawing, even if it's a picture taken with a phone of something you scratched out on a napkin. And then screenshots of all your interface rules. And the status of your interfaces wouldn't hurt either, so we can see what IP schemes you're running on each of your interfaces.


kiyu

Some comments..

First, when I got to the company the rules were already in place.. this is my first time with pfSense :P ...as I mentioned, I have no idea about it..
I am a certified WINDOWS guy, not a CCNA :( unfortunately for me...

What we have here is:

4 NICs..
2 are for WAN: metrotel and IPLAN.
2 are for LAN: 2 different segments that can see each other..

Regarding the 5 public IPs: well, on the interfaces metrotel and iplan I have only 2 IPs... but under "Virtual IPs" I have like 15 IPs. Example:

123.115.232.147/32 WAN_METROTEL ip alias METROTEL - IP - 123.115.232.147
223.222.156.130/32 WAN_IPLAN ip alias IPLAN - IP - 223.222.156.130
223.222.156.131/32 WAN_IPLAN ip alias IPLAN - IP - 223.222.156.131
223.222.156.132/32 WAN_IPLAN ip alias IPLAN - IP - 223.22.156.132

(those are not the real IPs)

The case is that from ANY of those IPs I can reach the pfSense OUTSIDE the company..

I also tested this (screenshot)

and it didn't work..

[screenshot: rules2.png]

doktornotor Banned

Dude. Is "INTERNET" an interface group? That takes priority over individual interface rules. Please, do not use features you don't fully understand. Also, it makes no sense when used in this way. You'd use it as a shortcut for rules that are supposed to be identical on all interfaces in the group. Otherwise, you are just bringing a huge mess into things, confusing yourself and shooting yourself in the foot. Plus, WTH is that "allow all" rule on the WAN_METROTEL??? :o ???

but over "Virtual IPs I have like 15 ip" .... the case is that from ANY of those IP I can reach the pfsense OUTSIDE the company..

You make absolutely ZERO sense. From?! Those are on your pfSense WAN, right? Not OUTSIDE. Where are you "reaching"?!

Let me say this again: Produce a network diagram. Draw it on a piece of paper. Then re-read what you've posted and see how it just makes totally NO sense.

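The two points the replies above turn on (Derelict's "reject to This Firewall on 22,80,443" and doktornotor's "an interface group takes priority over the individual interface rules") can be checked with a small first-match model. The following is an added example, not code from the thread, from the poster, or from pfSense itself. It assumes pfSense's documented order for quick rules (floating, then interface-group rules, then the per-interface tab, first match wins, default deny for anything unmatched), that a port-forwarded packet reaches the filter with the internal destination already substituted, and that a reject behaves like a block for this purpose. The interface names, addresses, the INTERNET group and every rule are constructed to resemble the setup described, not the poster's real configuration.

```python
"""Added example, not code from the thread or from pfSense.

A toy first-match evaluator that follows the order pfSense documents for
"quick" rules: floating rules, then interface-group rules, then the
per-interface tab, first match wins, and unmatched traffic hits the
default deny.  Interface names, addresses and rules are constructed to
resemble the thread's setup; none of them is the poster's real config.
"""
from dataclasses import dataclass, field

ANY = "any"

# Constructed addresses (documentation ranges, not the poster's real IPs).
WAN_METROTEL_IP = "203.0.113.10"
WAN_IPLAN_IP = "198.51.100.10"
WAN_IPLAN_VIPS = {"198.51.100.11", "198.51.100.12", "198.51.100.13"}
LAN_IP, OPT1_IP = "192.168.1.1", "192.168.2.1"
WEB_SERVER = "192.168.1.50"  # hypothetical host behind a port forward

# What the 2.2+ "This Firewall (self)" destination covers: every address
# the box itself owns, virtual IPs included.
THIS_FIREWALL = {WAN_METROTEL_IP, WAN_IPLAN_IP, LAN_IP, OPT1_IP} | WAN_IPLAN_VIPS


@dataclass
class Rule:
    action: str            # "pass" or "block" (reject is treated the same here)
    proto: str = ANY       # "tcp", "udp" or ANY
    dst: object = ANY      # one IP string, a set of IPs, or ANY
    dports: object = ANY   # a set of ports, or ANY
    name: str = ""

    def matches(self, pkt):
        if self.proto != ANY and self.proto != pkt["proto"]:
            return False
        if self.dst != ANY:
            dsts = self.dst if isinstance(self.dst, set) else {self.dst}
            if pkt["dst"] not in dsts:
                return False
        return self.dports == ANY or pkt["dport"] in self.dports


@dataclass
class Ruleset:
    floating: list = field(default_factory=list)
    groups: dict = field(default_factory=dict)      # group name -> [Rule]
    interfaces: dict = field(default_factory=dict)  # interface -> [Rule]
    membership: dict = field(default_factory=dict)  # interface -> [group]


def evaluate(rs, iface, pkt):
    """Return (action, rule_name) for a packet arriving on `iface`."""
    chains = [rs.floating]
    chains += [rs.groups[g] for g in rs.membership.get(iface, [])]
    chains.append(rs.interfaces.get(iface, []))
    for chain in chains:
        for rule in chain:
            if rule.matches(pkt):
                return rule.action, rule.name
    return "block", "default deny"


def tcp(dst, dport):
    return {"proto": "tcp", "dst": dst, "dport": dport}


def thread_like_ruleset():
    """Roughly the situation in the thread: an interface group INTERNET
    holding both WANs, a too-broad pass at the top of that tab, the block
    for a single public IP at the bottom, and a pass-any on WAN_METROTEL."""
    rs = Ruleset()
    rs.membership = {"WAN_METROTEL": ["INTERNET"], "WAN_IPLAN": ["INTERNET"]}
    rs.groups["INTERNET"] = [
        Rule("pass", "tcp", ANY, {80, 443}, "pass web (too broad)"),
        Rule("block", "tcp", WAN_IPLAN_IP, {80}, "block http to one public IP"),
    ]
    rs.interfaces["WAN_METROTEL"] = [Rule("pass", name="allow all on WAN_METROTEL")]
    return rs


def hardened_ruleset():
    """Same layout with one change: a reject to This Firewall on 22/80/443
    at the top of the group tab, which runs before every per-interface rule."""
    rs = thread_like_ruleset()
    rs.groups["INTERNET"].insert(
        0, Rule("block", "tcp", THIS_FIREWALL, {22, 80, 443}, "reject mgmt to This Firewall"))
    return rs


def probe(rs):
    """Evaluate management-port probes from the Internet side against a ruleset."""
    return {
        "gui via WAN_METROTEL": evaluate(rs, "WAN_METROTEL", tcp(WAN_METROTEL_IP, 443)),
        "http via WAN_IPLAN": evaluate(rs, "WAN_IPLAN", tcp(WAN_IPLAN_IP, 80)),
        "gui via a VIP": evaluate(rs, "WAN_IPLAN", tcp("198.51.100.12", 443)),
        "ssh via WAN_METROTEL": evaluate(rs, "WAN_METROTEL", tcp(WAN_METROTEL_IP, 22)),
        "web server (forwarded)": evaluate(rs, "WAN_IPLAN", tcp(WEB_SERVER, 443)),
    }


if __name__ == "__main__":
    for label, rs in (("as in the thread", thread_like_ruleset()), ("hardened", hardened_ruleset())):
        print(label)
        for what, (action, why) in probe(rs).items():
            print(f"  {what:24} -> {action:5} ({why})")
```

Running it shows the three failure modes from the thread at once: the block at the bottom of the INTERNET tab never fires because a broader pass above it matches first; it would not cover the other virtual IPs or port 443 even if it did; and SSH on WAN_METROTEL is let through by the per-interface "allow all", which is evaluated after the group tab. The single reject to the full set of firewall addresses, placed first in the group tab, closes all of these while a forwarded web server behind NAT still passes, which is the distinction Derelict's "This Firewall (self)" destination makes.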
hda

@kiyu:

...as I mentioned, I have no idea about it..
...

State your hardware, draw a logical network diagram. Write an operational specification for the flows. Prepare to rewrite the pfSense config.

Meanwhile, temporarily you have to block all WANs' ingress to (22,80,443), or at least set [System: Advanced: Admin Access (TCP port)] to something other than 80 or 443, as doktornotor said already.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.