Able to access pfsense console from a public IP address

Hi,

I followed the steps laid out in

How To Setup ACME, Let’s Encrypt, and HAProxy HTTPS offloading on pfsense

Surprisingly, I am able to access the pfsense console from ANY public IP address (even from my mobile) despite having the FW rules in place:

Any ideas?

FYI, it seems to happen right after I point the .*.com to the WAN IP in Digital Ocean as stated in the video tutorial.

Thanks!

Not clear on your goal, is it to use HAProxy? Also I don’t know what’s in your “Private_Networks” alias but that rule could be allowing the access.

Hi,

The addresses include the LAN, the WireGuard address range and the Trusted VLAN range. Thanks for the response. Any ideas? Yes, the plan is to use HA Proxy but I have not reached that step yet. I am puzzled as to why I am able to access the pfsense console at all. Thanks.

Some redditors suggest that it’s due to the WG WAN rules [ which I followed using your tutorial ]

"Not sure why you did, but you blurred out most of the WireGuard WAN firewall rule and judging by the traffic, that's the rule that's allowing that. You also never posted your floating rules, which may also be allowing traffic in.

Pfsense rules do or don't do what they're specifically told to, and if you don't know what you're doing, it can easily create a mess."

Thanks. I don't have any floating rules. The WG WAN rules are defined based on the tutorial:

Any suggestions on what I should change to disable public access to the pfsense console and yet enable WG? Thanks

When you say,

What exactly do you mean here? Are you saying from the Internet you can access the Web GUI? Or are you saying from the Internet you can access the console?

If you mean you can access the Web GUI, what are your rules for your LAN and other VLANs to access your Web GUI? Because it's not the rules on the WAN that are allowing the access per se. It could be the WireGuard that's doing it, but I doubt it. And it's not the other two bottom rules; otherwise, you would see bytes going through your Private_Networks, and you have 0/0 B on both rules. And when you're using "This Firewall" you're matching all IP addresses on all firewall interfaces. But why do you have it on the WAN rule? The only reason you would want that on the WAN is if you're using a dual-firewall setup, and then you would only put that rule on the backend firewall so you could access the backend.

The only way that I see that your Web GUI could possibly be accessed from any public IP is if you have your source as ANY to your firewall on your LAN. Also, when you're testing from your mobile, what method are you testing it from? A 5G connection, or from a wireless AP that your mobile is connected to?

And how are you testing from ANY public IP? What method are you using?

Pfsense by default has explicit deny. If you can access the web interface from any public ip, then this is a misconfiguration on your end or you are confused about the origination of the traffic. I would check to see if you are hitting the interface over your WireGuard or other vpn service. It’s probably not coming in via the WAN? We need more details.

Hi, here are my WG rules

and WAN rules:

Are you saying from the Internet you can access the Web GUI? Or are you saying from the Internet you can access the console?

I am able to access the console page once I set up the SSL ( as stated in the video tutorial ) from a public cafe

If you mean you can access the Web GUI, what are your rules for your LAN and other VLANs to access your Web GUI?

I don’t think it should matter as these are being Pfsense?

The only way that I see that your Web GUI could possibly be accessed from any public IP is if you have your source as ANY to your firewall on your LAN.

It’s a common rule to allow all access on LAN as it’s internal, is it not?

Also, when you're testing from your mobile, what method are you testing it from? A 5G connection, or from a wireless AP that your mobile is connected to?

And how are you testing from ANY public IP? What method are you using?

No WG connection, just a normal 5G connection, which is able to hit the home page when I enable the signed SSL cert as stated in the video.

Pfsense by default has explicit deny. If you can access the web interface from any public ip, then this is a misconfiguration on your end or you are confused about the origination of the traffic. I would check to see if you are hitting the interface over your WireGuard or other vpn service. It’s probably not coming in via the WAN? We need more details.

I have shared my screenshots of the WAN and WG. If I use a self-signed cert, I can't access it without using WG. Once I enable an ACME cert, I can access it without using WG. Thanks

  • Once I set the home cert and enter the FQDN in the Alternate Hostname field, I can hit the pfsense console with any public IP (wifi or mobile).

Any ideas?

This is not making much sense as that should not be possible since you’re not allowing port 80 or 443 on the WAN?

  1. Enable home cert
  2. Enter FQDN in alternate hostname
  3. System -advanced- disable DNS Rebind Check
  4. WG turned off

and I can access it via public IP: CleanShot 2022-05-30 at 08.30.10 · CleanShot Cloud

Come to think of it, I am still able to perform an Anydesk session to my devices. They should be blocked by default, right?

David, maybe you can share your FW on WAN (with cert enabled)? Thanks

Wonder what Lawrence has under LTS_Office:

When you say console page, I’m referring to the actual console menu on the firewall itself. AKA serial console access. On pfSense there’s console access, shell access, and Web access. This is why I’m trying to understand what you mean by console access. I cannot find anywhere in either video of where Tom mentions anything about accessing the console menu. If you could point me to the specific timestamp of what you’re referring to, that could help me better understand.

But as it stands, accessing the console page means you’re accessing pfSense through a serial connection, which is not possible from an Internet cafe. As you would need physical access to the firewall to do it.

Not sure what you mean by you don’t think it should matter because it’s pfSense. Just because you have pfSense doesn’t mean you’re secure or protected. You should have proper rules in place for your LAN and any VLANs that you create. Could you please elaborate on what you mean by it doesn’t matter as being pfSense?

Yes and no. It depends on your use case and what you require. But best practice for firewall rules is to only allow the traffic that you need on your LAN. It really depends on how wide-open you want your LAN to be. Having an allow-all access LAN would mean any separate VLANs, WiFi VLANs, and WAN could access anything on your LAN. The same thing goes for any VLANs you create, unless you add rules to filter the traffic and only allow access to what you need. I have a very restricted firewall, in that I don't want anything coming into my LAN or VLANs that doesn't need to have access. Same goes for anything going out.

By default, the pfSense firewall rule is set to allow sources from ANY to your Web Configurator. This is the Anti-Lockout rule, the first rule on the LAN. That means traffic coming in from the WAN and VLANs will be able to access the pfSense Web page, and is able to access the pfSense shell.

Netgate has documentation on Allowing Remote Access to the GUI. The safest way is using a VPN. But you should also enhance it with Strict Management rules for better security. I suspect that you have a default, allow ANY IP to your firewall on your LAN. And are not properly blocking access to your firewall. I suggest you read the documentation on Strict Management to enhance your security and prevent access from ANY public IP.

Thanks Tmi. I removed all the packages and restarted from scratch. What’s reproducible are these steps:

  1. Enable home cert
  2. Enter FQDN in alternate hostname
  3. System -advanced- disable DNS Rebind Check
  4. WG turned off
    and I can access it via public IP: https://share.cleanshot.com/GOLDyO

Is this expected? I have not configured HA proxy at this stage. Thanks

First, steps 2 & 3 should be left at the system default. That is, under System → Advanced → Admin Access, DNS Rebind Check should be left unchecked and Alternate Hostnames should be left blank, unless you have a reason to access the firewall GUI using an alternate hostname other than the one that you have, or should have, defined under System → General Setup.

Now,

That depends on whether your LAN rule for Anti-Lockout looks like, or similar to, the picture I posted previously, Able to access pfsense console from a public IP address - #14 by Tmi. Then yes, it would be expected.

If you use a VPN service, connect your computer to VPN then try connecting.
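The two pieces of advice in this thread (leave DNS Rebind Check and Alternate Hostnames at their defaults under System → Advanced → Admin Access, and replace the anti-lockout / allow-any LAN rule with strict management rules) can be checked mechanically against an exported config.xml. The script below is an added example written for this thread, not code from pfSense, Netgate or the forum. The element names it looks for (`system/webgui`, `nodnsrebindcheck`, `althostnames`, `filter/rule`, and `(self)` for "This Firewall") follow pfSense's config.xml layout as I understand it and are assumptions to confirm against your own export; the sample config is constructed, not a real export.

```python
"""Audit a pfSense-style config.xml for settings that widen Web GUI exposure.

Added example for this thread, not pfSense's own code. Element names are
assumptions about pfSense's config.xml layout; verify against your export.
"""
import xml.etree.ElementTree as ET

# Constructed sample (not a real export): a default LAN allow-any rule, a
# WireGuard pass rule on WAN, and the two Admin Access changes from the thread.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <webgui>
      <protocol>https</protocol>
      <port>443</port>
      <nodnsrebindcheck></nodnsrebindcheck>
      <althostnames>fw.example.com</althostnames>
    </webgui>
  </system>
  <filter>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <source><any/></source>
      <destination><any/></destination>
      <descr>Default allow LAN to any rule</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <protocol>udp</protocol>
      <source><any/></source>
      <destination><network>(self)</network><port>51820</port></destination>
      <descr>WireGuard</descr>
    </rule>
  </filter>
</pfsense>
"""


def gui_port(root):
    """Port the Web Configurator listens on (443 for https, 80 for http by default)."""
    webgui = root.find("system/webgui")
    port = webgui.findtext("port") if webgui is not None else None
    if port:
        return int(port)
    return 80 if (webgui is not None and webgui.findtext("protocol") == "http") else 443


def port_covers(port_text, port):
    """True when a rule's destination port (single, 'lo-hi' range, or absent = all) includes port."""
    if not port_text:
        return True
    if "-" in port_text:
        lo, hi = (int(p) for p in port_text.split("-", 1))
        return lo <= port <= hi
    return int(port_text) == port


def dest_is_firewall(dest):
    """Destination 'any' or 'This Firewall' ((self)) both include the firewall's own addresses."""
    return dest.find("any") is not None or dest.findtext("network") == "(self)"


def audit(xml_text):
    """Return a list of (code, message) findings for the supplied config text."""
    root = ET.fromstring(xml_text)
    findings = []
    webgui = root.find("system/webgui")
    if webgui is not None:
        # Boolean options are stored as empty elements: test presence, not truthiness.
        if webgui.find("nodnsrebindcheck") is not None:
            findings.append(("dns-rebind-check-disabled",
                             "DNS rebind check is disabled; leave it enabled unless you have a specific need"))
        if webgui.findtext("althostnames"):
            findings.append(("alt-hostnames-set",
                             f"Alternate hostnames set ({webgui.findtext('althostnames')}); leave blank unless needed"))
    port = gui_port(root)
    for rule in root.iterfind("filter/rule"):
        if rule.findtext("type") != "pass" or rule.find("disabled") is not None:
            continue
        iface = rule.findtext("interface")
        proto = rule.findtext("protocol") or "any"  # absent protocol means any
        src, dest = rule.find("source"), rule.find("destination")
        if src is None or dest is None or not dest_is_firewall(dest):
            continue
        if proto not in ("any", "tcp", "tcp/udp") or not port_covers(dest.findtext("port"), port):
            continue
        descr = rule.findtext("descr") or "(no description)"
        if iface == "wan":
            findings.append(("gui-open-on-wan", f"WAN rule '{descr}' passes traffic to GUI port {port}"))
        elif src.find("any") is not None:
            findings.append(("gui-open-on-lan",
                             f"Rule '{descr}' on {iface} lets every host reach the GUI; restrict the source to a management alias"))
    return findings


if __name__ == "__main__":
    for code, msg in audit(SAMPLE_CONFIG):
        print(f"[{code}] {msg}")
```

Run it against a saved export (`audit(open("config.xml").read())`). The WireGuard rule in the sample produces no finding because it is UDP to a single non-GUI port; the LAN rule does, because source any to destination any with no port restriction includes the firewall's own GUI port, which is exactly the allow-all LAN behaviour Tmi describes and the reason for strict management rules.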

Thanks! I will proceed with the rest of Lawrence's video on HA proxy.