WebGui admin available from WAN



  • I just installed 2.3 and spent the last 3 hours getting everything working, including OpenVPN. Everything works great, except I can access the GUI admin from the WAN.

    I tried it from my phone and another computer on a Verizon USB modem. Both can access the admin login page. Obviously I don't want this, so how do I block admin access from WAN? I'd still like to be able to connect remotely to it when connected via VPN.

    Thanks in advance.

    PS I'm a novice when it comes to creating rules so if you can break it down that would be extremely helpful.

    PSS I'm not sure why anyone would want WAN access to the admin page by default…



  • It's not by default, so you added a rule on WAN that opened it up. Firewall>Rules, WAN tab. Remove the rule that's allowing it.



  • @WebChode:

    PSS I'm not sure why anyone would want WAN access to the admin page by default…

    And you are entirely right.

    @WebChode:

    PS I'm a novice when it comes to creating rules so if you can break it down that would be extremely helpful.

    What do you have listed on the WAN firewall rules tab ?



  • Here is a screenshot of my WAN rules.

    ![Screen Shot 2016-04-27 at 7.43.56 PM.png](/public/imported_attachments/1/Screen Shot 2016-04-27 at 7.43.56 PM.png)
    ![Screen Shot 2016-04-27 at 7.43.56 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2016-04-27 at 7.43.56 PM.png_thumb)



  • The issue is so glaring I need sun glasses  8)
    Hint: Nothing below the second rule is doing anything.



  • What NOYB is saying, in not so many words, is that the second rule on your WAN interface is allowing ANY IPv4 TCP/UDP connections into the WAN interface of your pfSense box. And that's why your GUI is available over your WAN connection… along with lots of other stuff, assuming default settings have been retained for services like DNS Resolver, NTP, and others.

    IMHO, that would be a good rule to remove IMMEDIATELY.



  • The second rule is extremely dangerous and more than likely completely unnecessary. I agree it should be removed immediately.

    Are you creating this rule to allow all traffic out of your LAN? If so that's not the right interface. I've seen a lot of people have the wrong mentality when using non-consumer firewalls such as pfSense, cisco, fortigate, etc. as they use 'egress' filtering (not sure if that's the most correct term) but basically it means firewall closest to the source, so if you want to allow traffic from LAN to WAN create the rule on the LAN interface, if you want to allow traffic from the internet into your environment you create that on the WAN interface, not the other way around.


  • LAYER 8 Global Moderator

    "PS I'm a novice when it comes to creating rules"

    You don't say.. I would of never guessed after you created that any any rule on your wan interface..  What did you think that rule was going to allow exactly??



  • Be nice, johnpoz.

    Yes that is indeed a dangerous rule, you're effectively disabling the firewall completely with that. There is no need for rules on WAN other than the 1194 one that allows traffic to reach your OpenVPN server instance.

    https://doc.pfsense.org/index.php/Firewall_Rule_Basics



  • Thanks for the help.

    FWIW, I didn't create the rule specifically. I did a clean install and followed a You Tube tutorial on setting up OpenVPN. Apparently I checked something wrong somewhere.


Log in to reply