How To Remote Access pfSense WebGUI From WAN Via SSH Tunnel?

If you have recently installed a pfSense firewall in your office or home network, you may need to manage it remotely from the WAN. For this you need to add certain firewall rules that allow secure remote access; once those rules are in place you can manage the firewall easily through its web interface (WebGUI). In this article we enable remote access through an SSH tunnel, add the firewall rules it needs, and finally use an alias to build a short list of remote WAN IP addresses from which strict access to the pfSense WebGUI is allowed.

By default, pfSense does not allow remote access to the WebGUI from the WAN, since exposing it would let the management interface, and the security-sensitive information it carries, be reached from anywhere on the internet. But on a fresh install you may need to reach it through the WAN temporarily to complete the configuration and change the default password.

To allow temporary WAN access, go to the pfSense console, choose option 8 to open a shell prompt and run pfctl -d. This temporarily disables the packet filter, including the rules that block access to the WebGUI on the WAN address. Note that you need to reissue this command after almost every change you make in the web GUI, because saving a change reloads the rules and re-enables the filter. Once setup is done and you can open the WebGUI on the LAN address, run the same command with -e, i.e. pfctl -e, to re-enable the filter and reinstate the previous firewall rules for WAN access.

Recommended Ways to Remote Access pfSense WebGUI
The makers of pfSense, Netgate, recommend two secure ways to open the web interface remotely:

Through the Use of VPNs such as OpenVPN or IPSEC (Need Higher Skills)
Through the Use of SSH Tunneling (This will be elaborated in this Article)


Building a VPN is outside the scope of this article; instead we will configure an SSH tunnel.

Brief Intro to the Configuration Steps
The plan is to enable SSH on the pfSense box. Once that is done, we initiate an SSH client connection from our remote computer to the pfSense firewall and forward the pfSense web interface port to our computer through that same SSH connection. Once the tunnel is established, we can open the web interface at a local address on our own computer.
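As an added example (not from the original article), here is a small POSIX shell helper that builds the tunnel command the plan above describes and waits for the forwarded port to come up. It assumes placeholder values: WAN address 203.0.113.10, SSH on port 22, the WebGUI on HTTPS port 443, user admin, and local port 8443; adjust them to your setup.

```shell
#!/bin/sh
# Added example (not from the original article): build and open the SSH tunnel
# that forwards the pfSense WebGUI to this machine, as the plan above describes.
# All values are placeholders: WAN address 203.0.113.10, SSH port 22, WebGUI
# port 443 (use 80 if the GUI runs on HTTP), local port 8443, user admin.

# Print the ssh command line for the tunnel. Option notes:
#   -N                          no remote shell; the session only carries the forward
#   -L 127.0.0.1:L:127.0.0.1:R  bind the local end to loopback only, so other
#                               hosts on your network cannot ride the tunnel
#   -o ExitOnForwardFailure     exit instead of silently running without the forward
tunnel_cmd() {
    wan_ip="$1"; ssh_port="$2"; gui_port="$3"; local_port="$4"; user="${5:-admin}"
    case "$ssh_port$gui_port$local_port" in
        *[!0-9]*|"") echo "tunnel_cmd: ports must be numeric" >&2; return 1 ;;
    esac
    printf 'ssh -N -o ExitOnForwardFailure=yes -p %s -L 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' \
        "$ssh_port" "$local_port" "$gui_port" "$user" "$wan_ip"
}

# Browser URL for the forwarded GUI: https when the GUI port is 443, http otherwise.
gui_url() {
    local_port="$1"; gui_port="$2"
    if [ "$gui_port" = "443" ]; then scheme=https; else scheme=http; fi
    printf '%s://127.0.0.1:%s/\n' "$scheme" "$local_port"
}

# Start the tunnel in the background and wait (up to 10 s) for the local port
# to accept connections; requires nc (netcat) for the port probe.
open_tunnel() {
    cmd="$(tunnel_cmd "$@")" || return 1
    sh -c "$cmd" &
    i=0
    while [ "$i" -lt 10 ]; do
        if nc -z 127.0.0.1 "$4" 2>/dev/null; then
            echo "Tunnel up: open $(gui_url "$4" "$3") in your browser"
            return 0
        fi
        i=$((i + 1)); sleep 1
    done
    echo "Tunnel did not come up; check the WAN firewall rule and SSH settings" >&2
    return 1
}

# Usage with the placeholder values (uncomment to run):
# open_tunnel 203.0.113.10 22 443 8443 admin
```

The browser then talks to 127.0.0.1:8443, and the firewall only ever sees an SSH session on its WAN address, which is what the later firewall rule will permit.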

Enable SSH Remote Access
By default SSH access is not enabled on pfSense, so we need to enable it first and then allow it through a firewall rule for WAN access. Let's do it step by step.

Log in to your pfSense firewall with your admin credentials. If you are still using the defaults (username admin, password pfsense), change the password to something strong first: from the top menu go to System > User Manager, select the Users tab, click the pencil icon (Edit) under Actions for the admin user, and set a new password.

Assuming the password has been changed to something strong, let's enable SSH access: from the top menu go to System > Advanced, select the Admin Access tab, and scroll down to the Secure Shell section.

Select the Secure Shell checkbox to enable it and leave the remaining settings at their defaults. If you want tighter security, set the SSHd Key Only field to accept public keys only; creating an SSH public key in pfSense is covered separately.

For this article the SSH defaults will do. Once you have enabled it, don't forget to click Save.


It is recommended to allow only strict access to the management interface (the pfSense WebGUI address). For strict access you choose a single remote WAN IP address, or several of them, from which an SSH connection to the firewall may be initiated; this adds another layer of security, since no other address on the WAN side will be able to connect. I hope this makes sense to you.

Create an Alias List for Allowed Remote WAN IP Addresses
For strict access we need to create an alias. An alias simply represents a group: a set of IP addresses grouped logically and given a meaningful name. For example, "Allowed-Remote-Management-IPs" could be an alias that contains the different allowed WAN IP addresses. Using aliases keeps the firewall configuration shorter and simpler.

For this article we will use something shorter, Remote-Wan-IPs, so let's create it. From the top menu select Firewall > Aliases, then on the IP tab click Add. This opens the Alias page.
