WebConfigurator authentication error



  • At the testing stage of the firewall we get hit by some scans:

    Apr 10 11:32:14 php-fpm[628]: /index.php: webConfigurator authentication error for 'user' from 194.28.112.169
    Apr 10 11:32:14 php-fpm[628]: /index.php: webConfigurator authentication error for 'admin' from 194.28.112.169

    Of course it's not our IP, and all HTTPS connections from WAN to the firewall are blocked by "Default deny rule IPv4". Any clues why it is going through?



  • A port forwarding of https to LAN IP?

    It's generally recommended to use another port than 80 or 443 for WebGUI. It can be set in System: Advanced: Admin Access.



  • In the end we're gonna change to another port, but there's no port forwarding. To be precise, we have only two rules to port forward from net to internal IPs. Nothing to the firewall.



  • Have you checked this yourself? Tried connecting to the web configurator from the WAN, I mean?


  • Rebel Alliance Global Moderator

    So what rules do you have on wan?  Anything in floating and what port forwards?  And yes with muswellhillbilly here, have you tried to hit your IP yourself from outside?

    I do show that as Russian IP btw.



  • No floating rules and can't access from OUTSIDE.

    PForwarding: one port forwarding rule to forward wan:some_port to some.lan:some_port

    Wan Rules: some_icmp allowance, some_port allowance, and my_home_ip allowance to some_local_ip


  • Rebel Alliance Global Moderator

    What rule is this?

    my_home_ip allowance to some_local_ip

    Why not just post up your wan rules.. I have openvpn that listens on 443 on wan, and I also use 443 for my webgui port. I don't even believe that the webgui listens on wan interface? Or how could I bind openvpn to it? I don't see any errors in the log… But currently in with openvpn, and won't be able to turn that off til I get back home later today.

    But if you're saying you cannot get to it from outside then it seems unlikely that is open. Is the log entry at a time you were messing with the rules? Are you continuing to see entries?



  • pass in log quick on em4 reply-to (em4 WAN2_GW_ip) inet from my_home_ip/32 to wan_net flags S/SA keep state label "USER_RULE: TEST"

    Additionally I've grepped https:

    pfctl -sr | grep https
    block drop in log quick proto tcp from <webconfiguratorlockout> to (self) port = https label "webConfiguratorlockout"
    pass in quick on em1 proto tcp from any to (em1) port = https flags S/SA keep state label "anti-lockout rule"
    pass in quick on em2 reply-to (em2 WAN1_GW_IP) inet proto tcp from any to 192.168.1.96 port = https flags S/SA keep state label "USER_RULE: INET do bots (porty www)"
    pass in quick on em2 reply-to (em2 WAN1_GW_IP) inet proto tcp from any to 192.168.1.0/24 port = https flags S/SA keep state label "USER_RULE: INET do 1.0 (porty www)"
    pass in log quick on em1 inet proto tcp from 192.168.0.0/16 to <negate_networks> port = https flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
    pass in log quick on em1 route-to (em4 WAN2_GW_IP) inet proto tcp from 192.168.0.0/16 to any port = https flags S/SA keep state label "USER_RULE: ruch: 0.0/16 do HTTPS"
    pass in log quick on em0 inet proto tcp from any to any port = https flags S/SA keep state label "USER_RULE: ruch: inet (netia) do https"
    pass in log quick on em3 inet proto tcp from 10.254.254.0/24 to 192.168.1.0/24 port = https flags S/SA keep state label "USER_RULE: ruch: 10.254.254.0 do 1.0 HTTPS"
    pass in log quick on em5 inet proto tcp from WAN2_NET/28 to any port = https flags S/SA keep state label "USER_RULE: ruch do https"
    pass in log quick on em6 inet proto tcp from 10.2.2.0/24 to 192.168.1.0/24 port = https flags S/SA keep state label "USER_RULE: ruch: do HTTPS"
    pass in log quick on em6 inet proto tcp from 10.2.2.0/24 to <negate_networks> port = https flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
    pass in log quick on em6 route-to (em4 WAN2_GW_IP) inet proto tcp from 10.2.2.0/24 to any port = https flags S/SA keep state label "USER_RULE: ruch: do HTTPS"

    Today we got tested again from these IPs: 62.210.252.43 163.172.13.43
    None of the above are in our WAN1 or WAN2 network.
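
One way to review `pfctl -sr` output like the listing above is to list every pass-in rule whose destination can include the firewall's own addresses on the GUI port. This is an added example, not part of the thread; `webgui_exposure`, `dst_can_be_firewall` and `own_addrs` are names made up here, and the sample is constructed from five of the posted lines. It only lists candidates for review and does not know which interface is WAN.

```python
import re

# Constructed sample: five of the `pfctl -sr | grep https` lines posted above.
SAMPLE = '''\
block drop in log quick proto tcp from <webconfiguratorlockout> to (self) port = https label "webConfiguratorlockout"
pass in quick on em1 proto tcp from any to (em1) port = https flags S/SA keep state label "anti-lockout rule"
pass in quick on em2 reply-to (em2 WAN1_GW_IP) inet proto tcp from any to 192.168.1.96 port = https flags S/SA keep state label "USER_RULE: INET do bots (porty www)"
pass in log quick on em0 inet proto tcp from any to any port = https flags S/SA keep state label "USER_RULE: ruch: inet (netia) do https"
pass in log quick on em5 inet proto tcp from WAN2_NET/28 to any port = https flags S/SA keep state label "USER_RULE: ruch do https"
'''

RULE = re.compile(r'^pass in\b.*?\bon (?P<iface>\S+) .*?\bfrom (?P<src>\S+) to (?P<dst>\S+)'
                  r'(?: port = (?P<port>\S+))?')
LABEL = re.compile(r'label "([^"]*)"')

def dst_can_be_firewall(dst, own_addrs=()):
    """True if a pf destination can match an address on the firewall itself."""
    # `any` matches every address; `(self)` / `(em1)` expand to the box's own addresses.
    return dst == "any" or dst.startswith("(") or dst in own_addrs

def webgui_exposure(ruleset, gui_ports=("https", "443"), own_addrs=()):
    """Return pass-in rules that would let traffic reach the GUI port on the firewall."""
    hits = []
    for line in ruleset.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # block rules, outbound rules, or syntax this sketch does not parse
        if m["port"] not in (None, *gui_ports):  # no port clause means every port
            continue
        if not dst_can_be_firewall(m["dst"], own_addrs):
            continue
        label = LABEL.search(line)
        hits.append({"iface": m["iface"], "src": m["src"], "dst": m["dst"],
                     "label": label.group(1) if label else ""})
    return hits

if __name__ == "__main__":
    for h in webgui_exposure(SAMPLE):
        wide = "ANY SOURCE" if h["src"] == "any" else "limited source"
        print(f'{h["iface"]:5} {h["src"]:>15} -> {h["dst"]:8} [{wide}] {h["label"]}')
```

Pass the firewall's literal interface addresses in `own_addrs` to also catch rules that name them directly instead of using `any` or `(self)`.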