Author Topic: Remote Administration (possible to restrict to certain port?)  (Read 246 times)

Offline Iceman24

  • Jr. Member
  • **
  • Posts: 49
  • Karma: +1/-0
    • View Profile
Remote Administration (possible to restrict to certain port?)
« on: January 06, 2018, 01:36:41 pm »
I have a custom port setup for accessing the main login page, but I've noticed when connecting remotely that just using the default port 80 redirects to SSL at the actual port I configured. Main reason I used custom port was to make it harder to find. How can I block off the port 80 and redirect from happening?

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 9601
  • Karma: +1090/-309
    • View Profile
Re: Remote Administration (possible to restrict to certain port?)
« Reply #1 on: January 06, 2018, 01:57:47 pm »
System > Advanced

Uncheck WebGUI Redirect.

But nothing would happen if you weren't passing port 80 inbound WAN.

It sounds like you really could use a re-thinking about what to pass inbound and would probably be far more secure if you set up OpenVPN for access like this and closed all those holes you placed on WAN.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

Offline Iceman24

Re: Remote Administration (possible to restrict to certain port?)
« Reply #2 on: January 06, 2018, 02:03:51 pm »
Thanks. Taken care of. I never set up the passing of port 80 inbound WAN, so I don't know why that was like that.

Offline Derelict

Re: Remote Administration (possible to restrict to certain port?)
« Reply #3 on: January 06, 2018, 02:54:00 pm »
Yes you did or it would have been blocked.

Assuming you were really connecting inbound WAN from the outside and not just to the WAN address from the inside. Those are two completely different things. (The former regulated by rules on WAN, the latter by rules on LAN).

Offline Iceman24

Re: Remote Administration (possible to restrict to certain port?)
« Reply #4 on: January 06, 2018, 07:25:17 pm »
Thanks for mentioning the WAN vs LAN. It made me realize I was connecting from inside my LAN. I hadn't thought about it. So false alarm, it's working as it should.

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 14821
  • Karma: +1375/-202
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: Remote Administration (possible to restrict to certain port?)
« Reply #5 on: January 08, 2018, 05:46:56 am »
See it all the time - pretty much every single thread that says pfsense is open from the wan to the gui is them hitting it from the lan side ;)

Out of the box there are no rules on the wan - all unsolicited traffic to your wan IP from the wan side (internet) would be dropped. So you hitting your web gui from the internet is you either opened up the firewall, or are hitting it from inside. Or you turned off the firewall completely, etc.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)
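
The WAN-versus-LAN point made in the replies above, as an added example that is not part of any post in the thread: a simplified first-match rule evaluator showing that the same destination (the WAN address, port 80) is judged by LAN rules when the client sits inside and by WAN rules when it sits outside. The addresses, the custom port 8443 and the default "allow LAN to any" rule are assumptions made for the illustration.

```python
import ipaddress

# Constructed addressing from documentation ranges, not from the thread.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
WAN_ADDR = "203.0.113.10"
ANY = None  # wildcard for destination address or port

def ingress_interface(src):
    """Traffic is filtered by the rules of the interface it arrives on."""
    return "LAN" if ipaddress.ip_address(src) in LAN_NET else "WAN"

def default_rules():
    # Simplified model: no rules on WAN (as stated in the thread) and an
    # assumed default "allow LAN to any" rule on LAN.
    return {"WAN": [], "LAN": [("pass", ANY, ANY)]}

def evaluate(rules, src, dst, dst_port):
    """First match on the ingress interface wins; no match means block."""
    iface = ingress_interface(src)
    for action, rule_dst, rule_port in rules[iface]:
        if rule_dst in (ANY, dst) and rule_port in (ANY, dst_port):
            return iface, action
    return iface, "block"

if __name__ == "__main__":
    rules = default_rules()
    # Inside client hitting the WAN address: judged by LAN rules.
    print(evaluate(rules, "192.168.1.50", WAN_ADDR, 80))
    # Outside client hitting the same address: judged by WAN rules.
    print(evaluate(rules, "198.51.100.7", WAN_ADDR, 80))
    # Passing only the custom GUI port on WAN leaves port 80 blocked.
    rules["WAN"].append(("pass", WAN_ADDR, 8443))
    print(evaluate(rules, "198.51.100.7", WAN_ADDR, 8443))
    print(evaluate(rules, "198.51.100.7", WAN_ADDR, 80))
```
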

Offline Iceman24

Re: Remote Administration (possible to restrict to certain port?)
« Reply #6 on: January 09, 2018, 11:18:40 pm »
Thanks for the help. I have a follow up question on this. If I connect from inside my LAN to another device on my LAN, but use the external IP, does my connection stay inside my LAN or does it go out and back in?

One thing I'd like to do is use my external addresses to connect to avoid the SSL warning as my internal addresses don't have the proper certificates, but when connecting externally, they do. This would prevent me from clicking through the warning prompts.

Offline Derelict

Re: Remote Administration (possible to restrict to certain port?)
« Reply #7 on: January 09, 2018, 11:57:01 pm »
To your browser, the IP address does not matter. The name does. Split DNS is the best way to accomplish that.

https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

Offline Iceman24

Re: Remote Administration (possible to restrict to certain port?)
« Reply #8 on: January 12, 2018, 10:45:50 pm »
Thanks. I tried the Split DNS for about an hour, couldn't get it to work. I couldn't access my server through the public IP. I have services on different ports on it. I read about some other people with issues; the closest thing I saw was that it might be because the only thing separating the different services on my server are the ports. I don't have any example.myserver. Just myserver:port.

Offline Derelict

Re: Remote Administration (possible to restrict to certain port?)
« Reply #9 on: January 13, 2018, 02:54:07 pm »
Yeah that gets harder especially if the server you are looking to access is on the same subnet as the clients.

If they are on different subnets you can just do the same port forwards on the client interface.

Or if you have say:

outside_address:8443 forwarded to inside_address_0:443
outside_address:8444 forwarded to inside_address_1:443
outside_address:8445 forwarded to inside_address_2:443

Then perhaps you can make those web servers listen on 443 and 8443, 443 and 8444, 443 and 8445, etc. Then both the URL port and the forwarded port will respond.
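
The port-forward table from the last reply, worked through as an added example that is not part of any post in the thread: it models why a URL with the outside port works through the forward but fails once split DNS points the name at the inside address, and how listening on both ports resolves that. The host names under `example.test` and the one-name-per-server mapping are hypothetical assumptions; the forward table is the one quoted in the post.

```python
# Port forwards from the post: outside port -> (inside host, inside port).
FORWARDS = {
    8443: ("inside_address_0", 443),
    8444: ("inside_address_1", 443),
    8445: ("inside_address_2", 443),
}

# Assumed split-DNS host overrides (hypothetical names): on the LAN each
# name resolves straight to the inside address, not to outside_address.
OVERRIDES = {
    "svc0.example.test": "inside_address_0",
    "svc1.example.test": "inside_address_1",
    "svc2.example.test": "inside_address_2",
}

def via_wan(url_port, listeners):
    """Outside client: the firewall rewrites the URL port per the forward."""
    target = FORWARDS.get(url_port)
    if target is None:
        return None  # no forward for this port, nothing answers
    host, port = target
    return (host, port) if port in listeners.get(host, set()) else None

def via_split_dns(name, url_port, listeners):
    """LAN client: no NAT is involved, so the URL port arrives unchanged."""
    host = OVERRIDES.get(name)
    if host is None:
        return None
    return (host, url_port) if url_port in listeners.get(host, set()) else None

def dual_listen(listeners):
    """The suggestion in the post: also listen on the forwarded outside port."""
    out = {host: set(ports) for host, ports in listeners.items()}
    for outside_port, (host, _inside_port) in FORWARDS.items():
        out.setdefault(host, set()).add(outside_port)
    return out

# Starting point: every web server listens on 443 only.
ONLY_443 = {host: {443} for host, _port in FORWARDS.values()}

if __name__ == "__main__":
    print(via_wan(8443, ONLY_443))                             # forward works
    print(via_split_dns("svc0.example.test", 8443, ONLY_443))  # None: no listener
    both = dual_listen(ONLY_443)
    print(via_split_dns("svc0.example.test", 8443, both))      # now answers
```
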