
Remote Firewall Administration

From PFSenseDocs

This article is part of the HOWTO series.


Summary

There are a few different ways to remotely administer a pfSense system, and they come with varying levels of recommendation. They should all work, but the one you use may depend on any number of reasons (client restrictions, corporate policies, etc.).

Use a VPN

Probably the safest way to accomplish the task is to set up a VPN that gives you access to the pfSense box and the network it protects. There are several VPN options available in pfSense, such as IPsec, PPTP, or OpenVPN. You could even connect with SSH only and forward the WebGUI port through a tunnel that way. Once a VPN is in place you should be able to connect to the LAN side of the pfSense router, depending on your VPN setup.

Restricted Firewall Access

If you must open your WebGUI port to the Internet, try to restrict it by IP range as much as possible. Ideally, if you have a static IP at your location you want to manage from, allow traffic from that IP or subnet and nowhere else.

Use HTTPS

It is also a good idea to use HTTPS to encrypt access to the WebGUI port. Some modern browsers may complain about the certificate, but you can usually store an exception so it will only complain the first time. If you want to use HTTPS then it will be necessary to enable it under System > General Setup, using the WebGUI protocol option.

Move the WebGUI to an Alternate port

It is also a good idea to move the WebGUI to a non-standard, random port. Just make sure you remember what it is! This can be changed under System > General Setup, using the WebGUI port option. Try to avoid common ports like 443, 31337, 8080, 8888, etc.

I really don't care much about security, how do I open it all the way up?

You only need to create a firewall rule to allow remote firewall administration - do not create a port forward or any other NAT configuration.

Example Firewall Rule Setup

Firewall > Rules, WAN Tab

Action: pass
Interface: WAN
Protocol: TCP
Source: Any (or restrict by IP/subnet if you can)
Destination: Any
Destination port range: HTTPS (Or the custom port you chose)
Description: Allow Remote Mgmt https
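The rule above, written out in the pf syntax that pfSense compiles its GUI rules into, as an added illustration that is not from the original page. It assumes the WAN interface is em0 and that the WebGUI was moved to TCP 8443, and it narrows the destination to the WAN address itself where the page's example leaves it at Any. The management addresses are constructed placeholders.

```pf
# Constructed example, not a ruleset generated by pfSense.
# Assumptions: WAN interface is em0, WebGUI moved to TCP 8443.

# Addresses allowed to reach the WebGUI (placeholder documentation ranges).
table <mgmt_hosts> { 203.0.113.10, 198.51.100.0/24 }

# Weak form, equivalent to the page's "Source: Any" rule: anyone on the
# Internet can reach the management port.
# pass in quick on em0 proto tcp from any to (em0) port 8443 flags S/SA keep state

# Restricted form: only the listed management hosts may open a session to
# the WebGUI on the WAN address; everything else to that port is dropped
# and logged so probes show up in the firewall log.
pass in quick on em0 proto tcp from <mgmt_hosts> to (em0) port 8443 flags S/SA keep state
block in log quick on em0 proto tcp from any to (em0) port 8443
```

Adding or revoking an administrator's address then means editing the table contents, not the rule itself.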
