Netgate Discussion Forum
    WebConfigurator authentication error

    Firewalling
    8 Posts 4 Posters 3.6k Views
    sobol

      At the testing stage of the firewall we get hit by some scans:

      Apr 10 11:32:14 php-fpm[628]: /index.php: webConfigurator authentication error for 'user' from 194.28.112.169
      Apr 10 11:32:14 php-fpm[628]: /index.php: webConfigurator authentication error for 'admin' from 194.28.112.169

      Of course it's not our IP, and all https connections from WAN to the firewall are blocked by "Default deny rule IPv4". Any clues why it is getting through?

    viragomann

        A port forwarding of https to LAN IP?

        It's generally recommended to use another port than 80 or 443 for WebGUI. It can be set in System: Advanced: Admin Access.

    sobol

          In the end we're going to change to another port, but there's no port forwarding. To be precise, we have only two rules to port forward from the net to internal IPs. Nothing to the firewall.

    muswellhillbilly

            Have you checked this yourself? Tried connecting to the web configurator from the WAN, I mean?

    johnpoz LAYER 8 Global Moderator

              So what rules do you have on WAN? Anything in floating, and what port forwards? And yes, with muswellhillbilly here, have you tried to hit your IP yourself from outside?

              I do show that as a Russian IP btw.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

    sobol

                No floating rules, and can't access from OUTSIDE.

                PForwarding: one port forwarding rule to forward wan:some_port to some.lan:some_port

                WAN rules: some_icmp allowance, some_port allowance, and my_home_ip allowance to some_local_ip

    johnpoz LAYER 8 Global Moderator

                  What rule is this?

                  my_home_ip allowance to some_local_ip

                  Why not just post up your WAN rules? I have OpenVPN that listens on 443 on WAN, and I also use 443 for my webgui port. I don't even believe that the webgui listens on the WAN interface? Or how could I bind OpenVPN to it? I don't see any errors in the log… But I'm currently in with OpenVPN, and won't be able to turn that off 'til I get back home later today.

                  But if you're saying you can not get to it from outside, then it seems unlikely that it is open. Is the log entry at a time you were messing with the rules? Are you continuing to see entries?


    sobol

                    pass in log quick on em4 reply-to (em4 WAN2_GW_ip) inet from my_home_ip/32 to wan_net flags S/SA keep state label "USER_RULE: TEST"

                    Additionally I've grepped https:

                    pfctl -sr | grep https
                    block drop in log quick proto tcp from <webConfiguratorlockout> to (self) port = https label "webConfiguratorlockout"
                    pass in quick on em1 proto tcp from any to (em1) port = https flags S/SA keep state label "anti-lockout rule"
                    pass in quick on em2 reply-to (em2 WAN1_GW_IP) inet proto tcp from any to 192.168.1.96 port = https flags S/SA keep state label "USER_RULE: INET do bots (porty www)"
                    pass in quick on em2 reply-to (em2 WAN1_GW_IP) inet proto tcp from any to 192.168.1.0/24 port = https flags S/SA keep state label "USER_RULE: INET do 1.0 (porty www)"
                    pass in log quick on em1 inet proto tcp from 192.168.0.0/16 to <negate_networks> port = https flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
                    pass in log quick on em1 route-to (em4 WAN2_GW_IP) inet proto tcp from 192.168.0.0/16 to any port = https flags S/SA keep state label "USER_RULE: ruch: 0.0/16 do HTTPS"
                    pass in log quick on em0 inet proto tcp from any to any port = https flags S/SA keep state label "USER_RULE: ruch: inet (netia) do https"
                    pass in log quick on em3 inet proto tcp from 10.254.254.0/24 to 192.168.1.0/24 port = https flags S/SA keep state label "USER_RULE: ruch: 10.254.254.0 do 1.0 HTTPS"
                    pass in log quick on em5 inet proto tcp from WAN2_NET/28 to any port = https flags S/SA keep state label "USER_RULE: ruch do https"
                    pass in log quick on em6 inet proto tcp from 10.2.2.0/24 to 192.168.1.0/24 port = https flags S/SA keep state label "USER_RULE: ruch: do HTTPS"
                    pass in log quick on em6 inet proto tcp from 10.2.2.0/24 to <negate_networks> port = https flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
                    pass in log quick on em6 route-to (em4 WAN2_GW_IP) inet proto tcp from 10.2.2.0/24 to any port = https flags S/SA keep state label "USER_RULE: ruch: do HTTPS"

                    Today we got tested again from these IPs: 62.210.252.43 163.172.13.43
                    None of the above are in our WAN1 or WAN2 network.

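A small log check that follows from the thread above (an added example, not code from the thread or from pfSense): it parses the php-fpm "webConfigurator authentication error" lines quoted by sobol, counts failures per source address, and flags any source that falls outside the networks the GUI is expected to be reached from. The trusted network (192.168.1.0/24, the LAN behind em1 in the rule dump) and all log lines except the two quoted in the first post are assumptions constructed for the demo.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log: the two 194.28.112.169 lines are the ones quoted in the
# thread; the remaining lines are made up to exercise the checks below.
SAMPLE_LOG = """\
Apr 10 11:32:14 php-fpm[628]: /index.php: webConfigurator authentication error for 'user' from 194.28.112.169
Apr 10 11:32:14 php-fpm[628]: /index.php: webConfigurator authentication error for 'admin' from 194.28.112.169
Apr 10 11:32:20 php-fpm[628]: /index.php: webConfigurator authentication error for 'root' from 194.28.112.169
Apr 10 11:40:02 php-fpm[628]: /index.php: webConfigurator authentication error for 'admin' from 192.168.1.50
Apr 10 11:41:00 php-fpm[628]: /index.php: (constructed unrelated line) from 192.168.1.50
"""

AUTH_ERR = re.compile(
    r"webConfigurator authentication error for '(?P<user>[^']*)' from (?P<src>\S+)"
)

# Assumed: networks the GUI is *expected* to be reached from. Any failure from
# elsewhere means the GUI is reachable from where the WAN rules should block it.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def parse_auth_errors(text):
    """Return (username, source_ip) for every webConfigurator auth-error line."""
    hits = []
    for line in text.splitlines():
        m = AUTH_ERR.search(line)
        if m:
            hits.append((m.group("user"), ipaddress.ip_address(m.group("src"))))
    return hits


def untrusted_sources(hits, trusted=TRUSTED_NETS):
    """Failed-login count per source IP that is outside every trusted network."""
    counts = Counter()
    for _user, src in hits:
        if not any(src in net for net in trusted):
            counts[str(src)] += 1
    return dict(counts)


def usernames_tried(hits, src):
    """Distinct usernames attempted from one source; several within seconds is a scan."""
    return sorted({u for u, s in hits if str(s) == src})


if __name__ == "__main__":
    hits = parse_auth_errors(SAMPLE_LOG)
    for src, n in untrusted_sources(hits).items():
        print(f"{src}: {n} failures, users tried: {usernames_tried(hits, src)}")
```

Feed it the real system log (or the output of `clog /var/log/system.log` on older releases) and compare the flagged sources against the networks your WAN rules actually allow; a non-empty result is the evidence that the anti-lockout or some pass rule is exposing the GUI.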
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.