webConfigurator Options in pfSense

Today, I thought it might be interesting to look at some of the advanced pfSense settings. I will start this series by looking at the webConfigurator settings, which you can find by navigating to System -> Advanced, and clicking on the “Admin Access” tab.

webConfigurator settings in pfSense 2.0

The first setting is “Protocol”. The default is HTTP, but you can choose HTTP Secure (HTTPS), which runs HTTP on top of SSL/TLS so that the admin password and session cookies are encrypted in transit; there is little reason not to select it, since with plain HTTP anyone on the path between your browser and the firewall can read the credentials off the wire. Next is “TCP port”; here you can enter a custom port number for the web interface (the defaults are 80 for HTTP and 443 for HTTPS). Moving the GUI to an unusual port keeps casual probes off the login page, but that is security through obscurity in the literal sense: a port scan finds the listener in seconds, and it is the firewall rules, not the port number, that decide who can reach it. If, for whatever reason, you have to be able to reach the webConfigurator from the WAN interface, pair the custom port with HTTPS and with a WAN rule that permits only your own source address(es).

The next setting is “Max Processes”, which sets how many webConfigurator processes are allowed to run simultaneously; raising it lets more users or browser sessions use the GUI concurrently. Next is “Disable webConfigurator redirect rule”. When the GUI runs on HTTPS or on a port other than 80, pfSense also listens on port 80 and redirects to the configured protocol and port, so that typing just the firewall's address into a browser still lands on the login page. Leaving this box unchecked keeps that redirect; checking it turns the port 80 listener off, so only the configured port answers. Note that this setting only concerns what the GUI listens on: whether a given interface can reach either port is still decided by the firewall rules, and access from the WAN is blocked by the default rules unless you explicitly allow it with a WAN rule or a NAT port forward.

The next setting is “Disable webConfigurator login autocomplete”. When this is unchecked (the default), the browser may offer to save the login credentials for the webConfigurator. Checking the box marks the login form with autocomplete=off so that browsers will not prompt to save credentials, but not all browsers respect this hint, so treat it as a convenience rather than a security control.

Next is “Disable logging of webConfigurator successful logins”; when this is checked, successful logins to the webConfigurator are no longer written to the system log (failed attempts are still logged). Leave it unchecked unless the log noise is a real problem, because the record of successful logins is what lets you notice a login from an unexpected source later. Next is “Disable webConfigurator anti-lockout rule”. When unchecked (the default), pfSense adds an automatic rule on the LAN interface, evaluated ahead of your own rules, that passes TCP from the LAN to the firewall's own LAN address on the webConfigurator port and the SSH port, so a mistake in the LAN rule set cannot lock you out of the GUI. Checking this box removes that rule, and access from the LAN then depends entirely on the rules you have written. Before you check it, make sure an explicit LAN rule passes traffic to the LAN address on whatever port the GUI uses (and on the SSH port, if you rely on it), and test that rule; otherwise you can lock yourself out and will need console access to recover.

“Disable DNS Rebinding Checks”, when unchecked (the default), enables two related protections against DNS rebinding attacks, in which a hostile web page first resolves to the attacker's server and then re-points its hostname at an address inside your network, so that the victim's browser, still running the attacker's script, can talk to the firewall. First, the DNS forwarder drops answers from your configured upstream DNS servers that point into private address space; second, the webConfigurator refuses requests whose HTTP Host header does not name the firewall by one of its own addresses or its hostname. Sometimes this interferes with webConfigurator access (for example, when you reach the GUI through a DNS name pfSense does not know about) or with name resolution for internal services whose public DNS records carry private addresses; if so, you can check this box to turn both checks off, though the better fix is usually the next field. At “Alternate Hostnames for DNS Rebinding and HTTP_REFERER Checks”, you can list additional hostnames (separated by spaces) by which the firewall may legitimately be addressed; requests that use them pass the DNS rebinding and HTTP_REFERER checks without you having to disable either. Finally, “Disable HTTP_REFERER enforcement check”: when unchecked (the default), the webConfigurator rejects requests whose HTTP_REFERER header points at a host other than the firewall itself, which stops a page on some other site from submitting forms to the GUI on your behalf (cross-site request forgery). Checking this box disables that protection, which may be necessary if you use external scripts to interact with the system; if you do, restrict which hosts can reach the GUI to compensate.
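To make the three checks concrete, here is a small model of the decisions they make: the private-address filter the forwarder applies to upstream answers, the Host header check, and the HTTP_REFERER check. This is an added example, not pfSense code (pfSense implements these in its PHP GUI and in its DNS forwarder, dnsmasq); the firewall addresses, hostname, alternate hostnames, sample DNS answers and sample headers are constructed for the illustration, and how a request with no Referer at all is treated is left as a parameter rather than asserted about pfSense.

```python
"""Model of the protections behind 'Disable DNS Rebinding Checks' and 'Disable
HTTP_REFERER enforcement check'. Added example, not pfSense code; every address
and hostname below is a constructed sample."""
import ipaddress
from urllib.parse import urlsplit

# Constructed firewall identity: its interface addresses, its hostname, and the
# space-separated contents of the "Alternate Hostnames" field.
FIREWALL_ADDRESSES = {"192.168.1.1", "203.0.113.10"}
FIREWALL_HOSTNAME = "pfsense.example.lan"
ALTERNATE_HOSTNAMES = "fw.example.lan gateway".split()

# Ranges dnsmasq's stop-dns-rebind refuses to accept from an upstream resolver:
# RFC 1918 space, loopback, link-local and the 0.0.0.0/8 "this network" block.
REBIND_BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def is_rebind_answer(upstream_answer: str) -> bool:
    """True when an A record from a public resolver points at an address that is
    only reachable from inside the firewall. A hostile site first resolves to
    its real server, then flips its DNS to e.g. 192.168.1.1 so the victim's
    browser talks to the firewall under the attacker's origin; dropping the
    answer at the forwarder stops that. (IPv4 only in this model.)"""
    addr = ipaddress.ip_address(upstream_answer)
    return any(addr in net for net in REBIND_BLOCKED_NETS)


def filter_upstream_answers(answers):
    """Split upstream A-record answers into those passed on to the client and
    those dropped (the forwarder logs the dropped ones)."""
    kept = [a for a in answers if not is_rebind_answer(a)]
    dropped = [a for a in answers if is_rebind_answer(a)]
    return kept, dropped


def _strip_port(host: str) -> str:
    """Normalise a Host header value: lowercase, drop any :port suffix."""
    host = host.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal
        return host[1:host.index("]")]
    if host.count(":") == 1:                 # host:port
        return host.rsplit(":", 1)[0]
    return host


def host_header_ok(host_header: str) -> bool:
    """Second half of the rebinding defence, applied by the GUI itself: serve
    the request only if its Host header names the firewall by one of its
    addresses, its hostname, or an Alternate Hostname. A browser that has been
    rebound from attacker.example to 192.168.1.1 still sends
    'Host: attacker.example' and is refused."""
    allowed = {a.lower() for a in FIREWALL_ADDRESSES}
    allowed.add(FIREWALL_HOSTNAME.lower())
    allowed.update(h.lower() for h in ALTERNATE_HOSTNAMES)
    return _strip_port(host_header) in allowed


def referer_ok(referer_header: str, require_referer: bool = False) -> bool:
    """HTTP_REFERER enforcement: the request must come from a page the firewall
    served, so a form auto-submitted by another site (CSRF) is refused. Whether
    a request with no Referer at all is accepted is a policy choice, exposed
    here as a parameter rather than asserted about pfSense."""
    if not referer_header:
        return not require_referer
    host = urlsplit(referer_header).hostname or ""
    return host_header_ok(host)
```

The Alternate Hostnames field is the right fix when the Host check gets in your way: adding the name you actually type into the browser keeps both protections on, whereas the checkbox turns them off for every request.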

External Links:

HTTP_referer at Wikipedia

pfSense VPN: Part One

Configuring an IPsec VPN tunnel in pfSense 2.0.

Virtual Private Networking (VPN) extends a private network across a public network such as the Internet. It lets a computer send and receive data across a shared or public network as if it were directly connected to the private network, with the functionality, security and management policies of that private network, by establishing a virtual point-to-point connection with another computer. This is done through dedicated connections, encryption, or a combination of the two. Most router/firewalls support VPN, and this article describes some of the pfSense VPN options.

There are a variety of VPN protocols available, and pfSense has four of the most popular implementations built right in: IPsec, L2TP, OpenVPN, and PPTP. OpenVPN is emerging as the standard VPN protocol, but OpenVPN support is not built into Windows; you will have to download the client software. IPsec is also a popular VPN implementation. PPTP and L2TP, on the other hand, are losing ground to OpenVPN, but are still popular and are supported by most major operating systems. Two cautions before you choose either of them: PPTP's MS-CHAPv2 authentication is broken (a captured handshake can be cracked to recover the session key with publicly available tools), so PPTP should not be relied on to protect anything that matters; and L2TP on its own is only a tunnelling protocol with no encryption, so an L2TP connection carries traffic in the clear unless it is combined with IPsec.

pfSense VPN: IPsec

Setting up a firewall rule to allow IPsec traffic to the LAN.

In many cases, IPsec is the preferred method for network-to-network connections. IPsec (Internet Protocol Security) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and/or encrypting each IP packet of a communication session. It also includes protocols for establishing mutual authentication between the peers at the beginning of the session and for negotiating the cryptographic keys used during the session. Setting up an IPsec connection in pfSense is easy. Browse to VPN -> IPsec. If the “Tunnels” tab is not already selected, select it. Click the “Plus” button to create an IPsec tunnel; this opens the Phase 1 entry, which defines how the two gateways authenticate each other. Leave “Disable this phase 1 entry” unchecked and keep the interface as “WAN”. At “Remote Gateway”, enter the public IP address or host name of the remote gateway. At “Pre-Shared Key”, input your pre-shared key string; make it long and random, since with pre-shared key authentication the strength of the peer authentication is exactly the strength of this string, and configure the identical key on the remote gateway. Now click on “Save” to save the changes. A Phase 1 entry by itself only authenticates the peers; to actually carry traffic you also need at least one Phase 2 entry beneath it, which names the local and remote subnets the tunnel joins (for example, your LAN subnet and the LAN subnet at the remote site). Then click on “Enable IPsec”, click on the “Save” button again, and click on “Apply changes” if necessary. The remote gateway needs the mirror image of this configuration before the tunnel will come up.

In order for traffic arriving over the IPsec tunnel to pass through to the LAN, we need to create a new rule: pfSense applies the rules on the IPsec tab to traffic that has been decapsulated from any tunnel, and with no rule there everything is dropped. Browse to Firewall -> Rules and select the IPsec tab. Click on the “Plus” button to add a new firewall rule. At “Protocol”, note that the rule editor defaults to TCP; set it to “any” if the remote site should also be able to ping or use UDP services, or pick the single protocol you need. At “Source”, leaving “any” lets any host that happens to come through the tunnel reach the LAN, so it is better to set the source to the remote site's subnet. At “Destination”, set the destination to the LAN subnet, and at “Destination port”, set the destination port to “any” (or, safer, to the specific ports the remote site needs). Add a description at “Description” if you want, and click on “Save” to save changes. Click on “Apply changes” if necessary. This completes the setup of a pfSense VPN tunnel with IPsec.
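Two points on this page are easy to get wrong in the rule editor: the anti-lockout setting covered earlier (confirm that an explicit LAN rule really passes traffic to the GUI port before disabling the automatic rule), and the IPsec rule just described (the editor's Protocol field defaults to TCP, and a source of “any” trusts everything that arrives through the tunnel). The following first-match model of pfSense rule evaluation is an added example, not pfSense code; the networks, hosts and ports in it are constructed, and it deliberately ignores states, gateways and other rule options.

```python
"""Simplified first-match model of pfSense firewall rule evaluation. Added
example, not pfSense code. Networks, hosts and ports are constructed samples."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import FrozenSet, Iterable, Optional

LAN_NET = ip_network("192.168.1.0/24")     # constructed LAN subnet
LAN_ADDRESS = ip_address("192.168.1.1")    # the firewall's LAN address
REMOTE_NET = ip_network("10.20.0.0/24")    # LAN at the far end of the IPsec tunnel


@dataclass(frozen=True)
class Rule:
    interface: str                              # rule tab: "lan", "wan", "ipsec", ...
    action: str = "pass"                        # "pass" or "block"
    protocol: str = "tcp"                       # editor default is TCP; "any" matches all
    source: Optional[IPv4Network] = None        # None = any source
    destination: Optional[IPv4Network] = None   # None = any destination
    dst_ports: Optional[FrozenSet[int]] = None  # None = any port
    description: str = ""


@dataclass(frozen=True)
class Packet:
    interface: str                  # interface the packet arrives on
    protocol: str                   # "tcp", "udp", "icmp", ...
    src: IPv4Address
    dst: IPv4Address
    dst_port: Optional[int] = None  # None for protocols without ports


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does this rule apply to this packet? Every field that is set must match."""
    if rule.interface != pkt.interface:
        return False
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    if rule.source is not None and pkt.src not in rule.source:
        return False
    if rule.destination is not None and pkt.dst not in rule.destination:
        return False
    if rule.dst_ports is not None and pkt.dst_port not in rule.dst_ports:
        return False
    return True


def evaluate(rules: Iterable[Rule], pkt: Packet) -> str:
    """pfSense rules are 'quick': the first rule that matches decides, and a
    packet matching no rule on its interface is dropped by the default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"


def anti_lockout_rule(gui_port: int, ssh_port: int = 22) -> Rule:
    """Model of the automatic anti-lockout rule: TCP from anywhere on the LAN to
    the firewall's own LAN address on the webConfigurator and SSH ports."""
    return Rule("lan", "pass", "tcp", None, ip_network(f"{LAN_ADDRESS}/32"),
                frozenset({gui_port, ssh_port}), "Anti-Lockout Rule")


def lan_gui_rule(gui_port: int) -> Rule:
    """The explicit rule to add before disabling anti-lockout: TCP from the LAN
    subnet to the LAN address on the GUI port."""
    return Rule("lan", "pass", "tcp", LAN_NET, ip_network(f"{LAN_ADDRESS}/32"),
                frozenset({gui_port}), "Allow webConfigurator from LAN")


def gui_reachable_from_lan(lan_rules: Iterable[Rule], gui_port: int) -> bool:
    """Pre-flight check: with only these LAN rules, can an admin workstation
    on the LAN still open the GUI on gui_port?"""
    probe = Packet("lan", "tcp", ip_address("192.168.1.50"), LAN_ADDRESS, gui_port)
    return evaluate(list(lan_rules), probe) == "pass"


def ipsec_rule_as_described(protocol: str = "tcp",
                            source: Optional[IPv4Network] = None) -> Rule:
    """The IPsec-tab rule from the text: destination LAN subnet, any port.
    Protocol and source default to what the editor gives you (TCP, any)."""
    return Rule("ipsec", "pass", protocol, source, LAN_NET, None, "IPsec to LAN")


def tunnel_traffic_results(rule: Rule) -> dict:
    """Run representative traffic arriving over the tunnel through one rule.
    'stray' is a host that is not part of the remote site's subnet."""
    remote_host = ip_address("10.20.0.7")
    lan_host = ip_address("192.168.1.20")
    samples = {
        "smb":   Packet("ipsec", "tcp", remote_host, lan_host, 445),
        "dns":   Packet("ipsec", "udp", remote_host, lan_host, 53),
        "ping":  Packet("ipsec", "icmp", remote_host, lan_host),
        "stray": Packet("ipsec", "tcp", ip_address("10.99.0.5"), lan_host, 445),
    }
    return {name: evaluate([rule], pkt) for name, pkt in samples.items()}
```

With the rule exactly as the text describes it, SMB from the remote site passes but DNS and ping are silently dropped, and a host outside the remote subnet is let in; setting Protocol to “any” fixes the first problem and setting Source to the remote subnet fixes the second. For the anti-lockout case, a LAN rule written for port 443 stops protecting you the moment the GUI moves to another port, which is why the check should be repeated whenever the webConfigurator port changes.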

In the next article, I will cover using VPN with the L2TP and OpenVPN protocols. Part three will cover the PPTP protocol.

External Links:

Setting up an IPsec VPN Link at doc.pfsense.org

© 2013 David Zientara. All rights reserved. Privacy Policy