
I just installed PFSense in my network and configured the pfBlockerNG and Snort packages. It's all running fine, except I have noticed my webConfigurator GUI is accessible from the internet through my public WAN address. I have tried adding a rule to disallow anything other than LAN. I tried blocking traffic from any source to 'WAN net' on 443/80, but that didn't work either. Essentially, I want the GUI to be accessible within my LAN network and not from anywhere else.

What am I missing? Any help really appreciated.

PS: My firewall rules are pretty standard, default installed rules and the rules added by pfBlockerNG.

Bhaskar
  • Just a thought, the traffic isn't coming in through the WAN if you're actually accessing it from within the LAN, unless you're somehow explicitly routing the traffic through the WAN. If you are testing from within the LAN then the router is likely detecting that it owns the IP address and isn't forwarding the traffic. You might be looking to simply limit the IP addresses that the service is listening on. – Jonathan Gray Apr 03 '21 at 08:37
  • Hi @JonathanGray, yes, I was testing it from a computer which was in the LAN network, but hitting the WAN IP directly; let me try it with a computer outside the LAN. Also, when you say limit it by IP, do you mean I add a rule on the WAN firewall with the source as a known set of IPs and the destination as 192.168.10.1 (which hosts the webConfigurator)? – Bhaskar Apr 03 '21 at 16:16
  • I mean if possible set the listening IP address of the web interface to the IP address 192.168.10.1. It is likely currently listening on the IP address 0.0.0.0 (for all interfaces). This wouldn't require firewall configuration. The likely reason your firewall rule didn't work is because the traffic wasn't actually coming in through your WAN interface but rather through the LAN. The routing table doesn't care about which interface an IP address is attached to if the router is the final destination. But if the traffic is being blocked from the WAN then you don't really need to worry any further. – Jonathan Gray Apr 03 '21 at 17:41
  • @JonathanGray you are right, I tested it from outside my network (connected to a different network) and was not able to access the GUI. I ran nmap as well to scan the ports and it was not accessible. Like you said, once inside the network, even though I hit the WAN IP, it lets me get through. Thanks for the help. If you would like to move your response to the answer, I can mark it answered. – Bhaskar Apr 04 '21 at 19:08

1 Answer

Note that once you install Pfsense it adds a "Default allow LAN" rule to the LAN interface, but there is no such rule on the WAN interface. It means you can access everything from LAN, that is, you can access WAN (and so the internet), but access from WAN is blocked. Fortunately there is no way to access the GUI from WAN by default. This configuration is pretty much the same as the default config you find in a home/conventional router. I advise you to try Pfsense for a while before installing packages.

Gui
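The interface-bound, first-match evaluation that the comments and the answer describe, shown as an added illustration that is not from the original thread and is not pfSense's own packet filter: a small Python model of per-interface rules. It uses the LAN address 192.168.10.1 from the question; the WAN address 203.0.113.10, the client addresses and the rule names are constructed placeholders. The model reproduces why a block rule placed on WAN never matches a LAN client that connects to the WAN IP (that packet enters through LAN and hits "Default allow LAN"), why an outside client is dropped without any WAN rule at all, and how a LAN-side rule above the default allow, or binding the service only to the LAN address as the comments suggest, changes the outcome.

```python
"""Toy model of per-interface, first-match firewall rule evaluation.

Constructed example. It is NOT pfSense's actual packet filter (pf); it only
shows why a rule bound to the WAN interface never sees traffic that arrives on
the LAN interface, even when that traffic is addressed to the WAN IP.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# LAN values from the question; WAN address is a constructed TEST-NET-3 placeholder.
LAN_NET = ip_network("192.168.10.0/24")
LAN_ADDR = ip_address("192.168.10.1")      # host running the webConfigurator
WAN_ADDR = ip_address("203.0.113.10")      # placeholder public WAN address (constructed)
ANY_ADDR = ip_address("0.0.0.0")           # "listen on all interfaces"
GUI_PORTS = frozenset({80, 443})

INSIDE_HOST = ip_address("192.168.10.50")  # constructed LAN client
OUTSIDE_HOST = ip_address("198.51.100.7")  # constructed internet client (TEST-NET-2)


@dataclass(frozen=True)
class Rule:
    iface: str                      # interface the rule is bound to: "lan" or "wan"
    action: str                     # "pass" or "block"
    src: Optional[IPv4Network]      # None matches any source
    dst: Optional[IPv4Network]      # None matches any destination
    ports: Optional[frozenset]      # None matches any TCP destination port


@dataclass(frozen=True)
class Packet:
    iface: str                      # interface the packet ARRIVES on
    src: IPv4Address
    dst: IPv4Address
    dport: int


def evaluate(rules: list[Rule], pkt: Packet) -> str:
    """First matching rule on the arrival interface wins, evaluated top-down.
    If nothing matches, the implicit default is to block (as on WAN by default)."""
    for r in rules:
        if r.iface != pkt.iface:
            continue   # a WAN-bound rule never sees a packet that entered via LAN
        if r.src is not None and pkt.src not in r.src:
            continue
        if r.dst is not None and pkt.dst not in r.dst:
            continue
        if r.ports is not None and pkt.dport not in r.ports:
            continue
        return r.action
    return "block"


# Out-of-the-box rule set as described in the answer: "Default allow LAN" on LAN,
# nothing on WAN, so traffic entering via WAN falls through to the implicit block.
DEFAULT_RULES = [Rule("lan", "pass", None, None, None)]

# The rule the question tried: block any -> "WAN net" on 80/443, bound to WAN.
WAN_BLOCK_GUI = Rule("wan", "block", None, ip_network(f"{WAN_ADDR}/32"), GUI_PORTS)

# A rule that does affect the asker's test: same match, but bound to LAN and
# placed above the default allow, so a LAN client cannot reach the GUI via WAN IP.
LAN_BLOCK_GUI_VIA_WAN = Rule("lan", "block", None, ip_network(f"{WAN_ADDR}/32"), GUI_PORTS)


def gui_via_wan_from_lan(rules: list[Rule]) -> str:
    """LAN client hits https://<WAN IP>/ : the packet enters on LAN, not WAN."""
    return evaluate(rules, Packet("lan", INSIDE_HOST, WAN_ADDR, 443))


def gui_via_wan_from_internet(rules: list[Rule]) -> str:
    """Outside client hits https://<WAN IP>/ : the packet enters on WAN."""
    return evaluate(rules, Packet("wan", OUTSIDE_HOST, WAN_ADDR, 443))


def gui_via_lan_addr_from_lan(rules: list[Rule]) -> str:
    """LAN client hits https://192.168.10.1/ : the intended path."""
    return evaluate(rules, Packet("lan", INSIDE_HOST, LAN_ADDR, 443))


def service_accepts(bind_addrs: list[IPv4Address], dst: IPv4Address) -> bool:
    """Model of the alternative raised in the comments: a service bound only to
    the LAN address ignores connections addressed to the WAN IP, whereas a bind
    to 0.0.0.0 accepts connections to every local address."""
    return any(a == ANY_ADDR or a == dst for a in bind_addrs)


if __name__ == "__main__":
    tried = DEFAULT_RULES + [WAN_BLOCK_GUI]
    fixed = [LAN_BLOCK_GUI_VIA_WAN] + DEFAULT_RULES
    print("asker's WAN rule, LAN client -> WAN IP:", gui_via_wan_from_lan(tried))
    print("default rules, internet -> WAN IP:    ", gui_via_wan_from_internet(DEFAULT_RULES))
    print("LAN-side block, LAN client -> WAN IP:  ", gui_via_wan_from_lan(fixed))
    print("LAN-side block, LAN client -> LAN IP:  ", gui_via_lan_addr_from_lan(fixed))
    print("bound to 0.0.0.0, connect to WAN IP:   ", service_accepts([ANY_ADDR], WAN_ADDR))
    print("bound to LAN IP, connect to WAN IP:    ", service_accepts([LAN_ADDR], WAN_ADDR))
```

Running the script prints pass, block, block, pass, True, False: the asker's WAN rule changes nothing for a LAN client, the outside client is already blocked by the missing WAN rule, and either the LAN-side rule or a LAN-only bind closes the in-network path via the WAN IP while leaving 192.168.10.1 reachable. The order of LAN_BLOCK_GUI_VIA_WAN before the default allow matters, because evaluation stops at the first match.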