Netgate Discussion Forum

    WebGui admin available from WAN

      WebChode

      I just installed 2.3 and spent the last 3 hours getting everything working, including OpenVPN. Everything works great, except I can access the GUI admin from the WAN.

      I tried it from my phone and another computer on a Verizon USB modem. Both can access the admin login page. Obviously I don't want this, so how do I block admin access from WAN? I'd still like to be able to connect remotely to it when connected via VPN.

      Thanks in advance.

      PS I'm a novice when it comes to creating rules so if you can break it down that would be extremely helpful.

      PPS I'm not sure why anyone would want WAN access to the admin page by default…

        cmb

        It's not by default, so you added a rule on WAN that opened it up. Firewall>Rules, WAN tab. Remove the rule that's allowing it.

          Gertjan

          @WebChode:

          PPS I'm not sure why anyone would want WAN access to the admin page by default…

          And you are entirely right.

          @WebChode:

          PS I'm a novice when it comes to creating rules so if you can break it down that would be extremely helpful.

          What do you have listed on the WAN firewall rules tab?

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

            WebChode

            Here is a screenshot of my WAN rules.

            ![Screen Shot 2016-04-27 at 7.43.56 PM.png](/public/imported_attachments/1/Screen Shot 2016-04-27 at 7.43.56 PM.png)

              NOYB

              The issue is so glaring I need sun glasses  8)
              Hint: Nothing below the second rule is doing anything.

                MikeV7896

                What NOYB is saying, in not so many words, is that the second rule on your WAN interface is allowing ANY IPv4 TCP/UDP connections into the WAN interface of your pfSense box. And that's why your GUI is available over your WAN connection… along with lots of other stuff, assuming default settings have been retained for services like DNS Resolver, NTP, and others.

                IMHO, that would be a good rule to remove IMMEDIATELY.

                The S in IOT stands for Security

                  mattbsyd

                  The second rule is extremely dangerous and more than likely completely unnecessary. I agree it should be removed immediately.

                  Are you creating this rule to allow all traffic out of your LAN? If so, that's not the right interface. I've seen a lot of people have the wrong mentality when using non-consumer firewalls such as pfSense, Cisco, FortiGate, etc., as they use 'egress' filtering (not sure if that's the most correct term), but basically it means firewall closest to the source. So if you want to allow traffic from LAN to WAN, create the rule on the LAN interface; if you want to allow traffic from the internet into your environment, you create that on the WAN interface, not the other way around.

                    johnpoz LAYER 8 Global Moderator

                    "PS I'm a novice when it comes to creating rules"

                    You don't say.. I would have never guessed after you created that any any rule on your WAN interface..  What did you think that rule was going to allow exactly??

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                      cmb

                      Be nice, johnpoz.

                      Yes that is indeed a dangerous rule, you're effectively disabling the firewall completely with that. There is no need for rules on WAN other than the 1194 one that allows traffic to reach your OpenVPN server instance.

                      https://doc.pfsense.org/index.php/Firewall_Rule_Basics

                      1 Reply Last reply Reply Quote 0
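
The point made in the replies above, that an any-to-any pass rule on WAN matches first and leaves every rule beneath it without effect, can be checked against a configuration backup. This is an added example, not code from the thread or from pfSense: the sample XML is constructed (it is not the poster's rule set), and the element names assume the `<filter><rule>` layout of a pfSense config.xml; floating rules are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the poster's actual rules. Element names assume the
# <filter><rule> layout of a pfSense config.xml backup.
SAMPLE = """<pfsense><filter>
<rule><type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
  <protocol>udp</protocol><source><any/></source>
  <destination><network>wanip</network><port>1194</port></destination>
  <descr>OpenVPN</descr></rule>
<rule><type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
  <protocol>tcp/udp</protocol><source><any/></source>
  <destination><any/></destination><descr>allow all</descr></rule>
<rule><type>block</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
  <protocol>tcp</protocol><source><any/></source>
  <destination><network>wanip</network><port>443</port></destination>
  <descr>block GUI</descr></rule>
<rule><type>pass</type><interface>lan</interface><ipprotocol>inet</ipprotocol>
  <source><network>lan</network></source><destination><any/></destination>
  <descr>LAN to any</descr></rule>
</filter></pfsense>"""

def is_any(rule, side):
    """True when the source/destination is <any/> with no port restriction."""
    node = rule.find(side)
    return node is not None and node.find("any") is not None and node.find("port") is None

def covers(wide, later):
    """Does the wide rule's address family and protocol include the later rule's?"""
    fam_w, fam_l = wide.findtext("ipprotocol", "inet"), later.findtext("ipprotocol", "inet")
    proto_w, proto_l = wide.findtext("protocol"), later.findtext("protocol")
    fam_ok = fam_w in (fam_l, "inet46")
    # A missing <protocol> element means "any protocol".
    proto_ok = proto_w is None or (proto_l is not None and set(proto_l.split("/")) <= set(proto_w.split("/")))
    return fam_ok and proto_ok

def audit(xml_text, iface="wan"):
    """Return (position, finding, description) tuples for one interface tab."""
    rules = [r for r in ET.fromstring(xml_text).findall("filter/rule")
             if r.findtext("interface") == iface and r.find("disabled") is None]
    findings, wide_open = [], []
    for pos, rule in enumerate(rules, start=1):
        descr = rule.findtext("descr", "")
        if any(covers(w, rule) for w in wide_open):
            findings.append((pos, "shadowed", descr))  # first match wins: never reached
        elif rule.findtext("type") == "pass" and is_any(rule, "source") and is_any(rule, "destination"):
            findings.append((pos, "any-to-any pass", descr))
            wide_open.append(rule)
    return findings

print(audit(SAMPLE))
```

On the sample, the OpenVPN rule on 1194 passes the audit, the second rule is reported as the any-to-any pass, and the block rule placed under it is reported as shadowed.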
                        WebChode

                        Thanks for the help.

                        FWIW, I didn't create the rule specifically. I did a clean install and followed a YouTube tutorial on setting up OpenVPN. Apparently I checked something wrong somewhere.
