If you have recently installed a pfSense firewall in your office or home network, you may need to manage it remotely from the WAN side, and for this you need to add certain firewall rules that allow secure remote access. Once these rules are in place, you can manage the firewall through its web interface (WebGUI). In this article we enable remote access through an SSH tunnel, add the firewall rules it needs, and finally use an Alias to hold a short list of remote WAN IP addresses from which access to the pfSense WebGUI is strictly allowed.
By default, pfSense does not allow remote access to the WebGUI from the WAN, because exposing the management interface directly would send its security-sensitive traffic across the internet insecurely.
Recommended Ways to Remotely Access the pfSense WebGUI
Netgate, the makers of pfSense, recommend two secure ways to open the web interface remotely:
- Through a VPN such as OpenVPN or IPsec (requires more skill)
- Through SSH tunneling (elaborated in this article)
Building a VPN is outside the scope of this article; instead, we will configure an SSH tunnel.
Brief Intro to the Configuration Steps
The plan is to enable SSH on our pfSense box. Once that is done, we initiate an SSH client connection from our remote computer to the pfSense firewall and forward the pfSense web interface to our computer through that same SSH tunnel. Once the connection is established, we can open the web interface at a local address.
Enable SSH Remote Access
By default, SSH access is not enabled on pfSense, so we need to enable it first and then allow it through a firewall rule for WAN access. Let's do it step by step.
Log in to your pfSense firewall with your admin credentials. If you are still using the default credentials (username admin, password pfsense), change the password to something strong first: from the top menu go to System > User Manager, select the Users tab, click the pencil icon (Edit) for admin under Actions, and set a new password.
Assuming the password has been changed to something strong, let's enable SSH access: from the top menu go to System > Advanced, select the Admin Access tab, and scroll down to the Secure Shell section.
Select the Secure Shell checkbox to enable it and leave the other settings at their defaults. If you want more security, set the SSHd Key Only field to Public Key Only so that password logins are refused; creating an SSH public key for pfSense is not covered here.
For the purposes of this article the SSH defaults will do. Once you have enabled it, don't forget to hit the Save button.
It is recommended to allow only strict access to the management interface IP address (the pfSense web interface IP). For strict access you choose a single remote WAN IP address, or several, from which you will initiate SSH connections to the pfSense firewall. This adds another security layer, since no other IP address on the WAN side will be allowed to connect.
Create an Alias List for the Allowed Remote WAN IP Addresses
For strict access we need to create an Alias. An Alias simply represents a group: for example, several IP addresses grouped logically under a meaningful name. “Allowed-Remote-Management-IPs” would be an Alias that contains the various allowed WAN IP addresses. Using an Alias keeps our configuration shorter and simpler.
For this article we will use a shorter name, Remote_WAN_IPs. To create it, from the top menu select Firewall > Aliases, and on the IP tab select Add. This opens the Alias page.
Now fill in the following to complete the Alias configuration.
Name: Enter Remote_WAN_IPs.
Description: Enter a meaningful explanation such as “Allowed WAN IPs to access the Management Interface”.
Type: Host(s) if you have just one WAN IP to allow; if you have multiple IPs, choose Type: Network(s).
Here is an example with multiple remote WAN IPs.
Now hit the Save button to finalize the Alias.
Create an SSH Firewall Rule to Allow Remote Access From WAN
By default, pfSense has a firewall rule called the Anti-Lockout Rule, which blocks remote access to the pfSense web interface and also protects the user from being locked out of the firewall if the firewall rules are misconfigured. In order to allow remote web access, we need to disable this rule.
To disable it, go to System > Advanced, Admin Access tab, and unselect the checkbox next to Disable webConfigurator anti-lockout rule.
Now, as the final step of the remote access configuration, we need to create a firewall Pass rule that uses the Alias in the Source field, as shown in the screenshot below.
To create the rule, from the top menu select Firewall > Rules, select your WAN interface, and then select Add.
Here is an example configuration screenshot.
Action: Pass, as we want to allow SSH traffic from the remote WAN.
Interface: WAN, our local WAN interface.
Protocol: TCP, as SSH uses TCP port 22 by default.
Source: Single host or alias; choose Remote_WAN_IPs, which pops up once you start typing the Alias name.
Destination: This Firewall (self), which represents the management IP address of our firewall.
Once you have entered the configuration details, hit the Save button to complete the configuration.
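To see what the alias and WAN rule above actually let through, here is an added Python example (not part of the original article or of pfSense) that models the Remote_WAN_IPs alias and the pass rule and checks which source addresses and destination ports reach the firewall; the addresses are constructed documentation-range values, and is_wan_entry, parse_alias and wan_rule_decision are names chosen here.

```python
import ipaddress

# Constructed alias contents (documentation ranges, not real addresses): one single
# host and one small network, as entered in Firewall > Aliases for Remote_WAN_IPs.
REMOTE_WAN_IPS = ["203.0.113.10", "198.51.100.0/29"]
SSH_PORT = 22
WEBGUI_PORT = 443

# Ranges that can never be a remote WAN source: RFC 1918, loopback, link-local.
NON_WAN = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_wan_entry(entry):
    """True if an alias entry (host or CIDR) lies outside private/loopback space."""
    net = ipaddress.ip_network(entry, strict=False)
    return not any(net.version == bad.version and net.subnet_of(bad) for bad in NON_WAN)

def parse_alias(entries):
    """Turn alias strings into network objects; a bare host becomes a /32.
    Entries inside private or loopback space are rejected, since the alias is
    meant to hold remote WAN addresses only."""
    nets = []
    for entry in entries:
        if not is_wan_entry(entry):
            raise ValueError(f"{entry} is not a WAN address")
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def wan_rule_decision(src_ip, dst_port, allowed):
    """Mimic the WAN rule from the article: TCP/22 from the alias to the firewall
    itself is passed; anything else falls through to pfSense's default WAN deny,
    so the WebGUI port is never reachable directly from the internet."""
    src = ipaddress.ip_address(src_ip)
    if dst_port == SSH_PORT and any(src in net for net in allowed):
        return "pass"
    return "block"

if __name__ == "__main__":
    allowed = parse_alias(REMOTE_WAN_IPS)
    for src, port in [("203.0.113.10", SSH_PORT), ("198.51.100.9", SSH_PORT),
                      ("203.0.113.10", WEBGUI_PORT)]:
        print(f"{src} -> firewall:{port}: {wan_rule_decision(src, port, allowed)}")
```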
Remote Access to the pfSense WebGUI on a Windows 10 Machine Using SSH Tunneling
We are now done with the SSH configuration on the pfSense firewall. Before trying to open the web interface remotely, we need to test the new SSH configuration.
You can test this from any operating system, or with a tool such as PuTTY (covered below). To test on Windows, open a command prompt and type the following to initiate an SSH connection.
Windows 10 comes with a native SSH client, so at the command prompt
type: ssh admin@"your pfsense wan ip address"
After you press Enter it will ask for the admin password, so enter it.
If everything goes well, you will see the following screen, which means the SSH connection succeeded.
Finally, it's time to initiate an SSH tunnel from the Windows 10 machine. Press Ctrl+C to disconnect the previous connection, then enter the following command to initiate a tunnel connection from your Windows machine.
ssh -L 8888:localhost:443 admin@"your pfsense wan ip address"
Let me explain the above command a bit.
ssh: initiates an SSH connection.
-L 8888:localhost:443: requests local port forwarding. SSH listens on port 8888 of your Windows machine, and any connection to that port is carried through the SSH connection to pfSense and delivered to localhost (127.0.0.1) port 443 as seen from pfSense, which is the port the pfSense web interface uses. In other words, port 8888 on your machine is mapped to port 443 on pfSense's own loopback address.
After entering the password, if the connection is successful, open a web browser on your Windows machine and go to https://localhost:8888. Make sure to use https://.
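The -L mapping is easy to misread, so here is an added Python example (not from the article or from OpenSSH) that splits an -L spec into the parts evaluated on the client and the parts evaluated on pfSense, and flags a bind address that would expose the tunnel to other hosts on the client's LAN; parse_local_forward and tunnel_command are names chosen here, and the example handles hostname/IPv4 forms only.

```python
"""Interpret OpenSSH's -L [bind_address:]port:host:hostport as the article's tunnel uses it."""

# Bind addresses that OpenSSH treats as "listen on every interface".
WILDCARD_BINDS = ("", "*", "0.0.0.0", "::")

def parse_local_forward(spec):
    """Split an -L spec into its four parts.

    bind_address:port are applied on the SSH client (our Windows machine);
    host:hostport are resolved by the SSH server (pfSense), so 'localhost:443'
    means pfSense's own loopback address and its WebGUI port, not ours.
    With no bind_address, OpenSSH's default (GatewayPorts no) binds to loopback.
    """
    parts = spec.split(":")
    if len(parts) == 3:
        parts = ["127.0.0.1"] + parts      # the default loopback binding
    if len(parts) != 4:
        raise ValueError(f"unrecognised -L spec: {spec}")
    bind_address, port, host, hostport = parts
    port, hostport = int(port), int(hostport)
    if not (1 <= port <= 65535 and 1 <= hostport <= 65535):
        raise ValueError(f"port out of range in {spec}")
    return {
        "bind_address": bind_address,
        "local_port": port,          # where the browser connects on our machine
        "remote_host": host,         # evaluated on pfSense, not on the client
        "remote_port": hostport,     # the WebGUI port on pfSense
        "lan_exposed": bind_address in WILDCARD_BINDS,
        "browser_url": f"https://127.0.0.1:{port}/",
    }

def tunnel_command(user, wan_ip, spec):
    """Build the article's command as an argument list. -N keeps the session
    forwarding-only so no shell is opened on the firewall; a spec that would
    listen on all interfaces is refused rather than silently exposed."""
    if parse_local_forward(spec)["lan_exposed"]:
        raise ValueError("refusing to expose the WebGUI tunnel beyond loopback")
    return ["ssh", "-N", "-L", spec, f"{user}@{wan_ip}"]

if __name__ == "__main__":
    # Placeholder WAN address; substitute the pfSense WAN IP when running for real.
    print(" ".join(tunnel_command("admin", "<your pfsense wan ip address>", "8888:localhost:443")))
    print(parse_local_forward("8888:localhost:443")["browser_url"])
```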
Remote Access to the pfSense WebGUI by Enabling an SSH Tunnel in PuTTY
PuTTY is a good free tool commonly used for remote access to servers and networking equipment over SSH or Telnet; it also supports other remote access methods. Download PuTTY and enter the following settings.
In the Host Name field, enter the public IP address of your pfSense WAN interface, then select SSH > Tunnels in the left pane.
Now enter the following configuration.
Here 8888 is the source port on our local Windows machine, and 127.0.0.1:443 is the destination as seen from pfSense: its own loopback address and the port of its web interface. After selecting Add, select Open.
At the login as: prompt type admin, then enter your pfSense admin password. If all is well, you will see this screen afterwards.
After this, open your browser and go to https://127.0.0.1:8888. Make sure you type https://.
If you see the login page, you have successfully opened the pfSense web interface remotely and securely.