Restrict Pfsense 2.4.x Admin Access

If you are using a Pfsense firewall, you are probably aware that its management interface (the web GUI on ports 80 and 443 and SSH on port 22) is reachable from any internal interface whose rules permit traffic to the firewall itself: the default LAN rule set allows everything, and the usual allow-any rule added to a DMZ or WLAN interface does the same. Only the WAN blocks it by default. To enhance the security of your network, in many environments access to the management interface should be limited with firewall rules. For reasons as to why, see the blog post Securely Managing Web-administered Devices. With that said, below we detail the steps required to limit access to the Pfsense administrative interface using basic firewall rules.

First we want to completely restrict administrative access from interfaces such as DMZ or WLAN. This is accomplished with the rule pictured below: just above the interface's allow rule, add a rule that rejects TCP traffic from any source to destination This Firewall, destination port PORTS_MGMT. Pfsense evaluates rules top to bottom and the first match wins, so the reject rule must sit above the allow rule or it never fires. PORTS_MGMT is an alias for ports 22, 80 and 443, and This Firewall (self) is a built-in destination that matches every address assigned to the Pfsense firewall, including the WAN IP. You will notice that every interface also has a corresponding built-in alias for its own address (for example LAN address); that alias matches only the one address, which is why it is not used here.

Note: In our previous article Restrict Pfsense Admin Access we created rules with a destination of the interface's gateway address. With that approach the firewall was still reachable from any internal network managed by Pfsense through the WAN IP (or any other interface address), which is the default behaviour; This Firewall covers all of the firewall's addresses with a single rule.
Below is the same reject rule applied on the Guest Wireless Network (GWN) interface. These two example rules can be applied to any network from which Pfsense management interface access is to be completely restricted.

The last two rules go on the LAN interface: the first allows TCP from the management PC (a single host address, or a host alias, as the source) to This Firewall on PORTS_MGMT, and the second, placed directly beneath it, rejects the same traffic from any other source. Both sit above the default allow LAN to any rule; because the first matching rule wins, the order allow the management PC, reject everyone else, allow everything else is what makes the restriction work. One check before you rely on the LAN reject rule: Pfsense adds an automatic anti-lockout rule on the LAN interface that is evaluated before your own rules and permits GUI and SSH access from the whole LAN. It must be disabled (System > Advanced > Admin Access, Disable webConfigurator anti-lockout rule) for the reject rule to take effect, so confirm access from the management PC first and keep that session open while you verify from another host. So there you have it, with a few simple rules you have locked down your Pfsense admin access to a single PC.
Note: The rules detailed above will break your firewall if you are using Squid on it as a transparent proxy, since a transparent proxy works by delivering clients' web traffic to the firewall itself. Test that combination separately before rolling these rules out.
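To confirm the rules behave as described, here is an added verification script; it is not from the original article or from the Pfsense project. Run it from the management PC and again from a host on the LAN, DMZ and GWN: the management PC should see every management port open on every firewall address, every other host should see them refused (the reject rules answer with a TCP RST), and nothing should time out. The addresses in FW_ADDRS (LAN, DMZ and GWN gateways plus the WAN IP), the PORTS list, the script name check-mgmt.sh and the mgmt/other roles are assumptions for the example; replace the addresses with your own. Including the WAN IP in the list is what checks the point made in the note above, that This Firewall also closes the WAN address to internal hosts.

```shell
#!/usr/bin/env bash
# check-mgmt.sh: probe the firewall's management ports from a client host.
# Added example, not part of the original article. Requires bash and coreutils timeout.
#
# Assumed placeholders, replace with your own:
#   FW_ADDRS  every address the firewall owns ("This Firewall"): LAN gateway,
#             DMZ gateway, GWN gateway and the WAN IP
#   PORTS     the members of the PORTS_MGMT alias
FW_ADDRS="${FW_ADDRS:-192.168.1.1 192.168.10.1 192.168.20.1 203.0.113.10}"
PORTS="${PORTS:-22 80 443}"
TIMEOUT="${TIMEOUT:-3}"

# probe HOST PORT -> prints one of: open | refused | filtered
probe() {
  local host=$1 port=$2 rc
  if timeout "$TIMEOUT" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
    echo open            # TCP handshake completed: a pass rule matched
  else
    rc=$?
    if [ "$rc" -eq 124 ]; then
      echo filtered      # silence until TIMEOUT: a block rule (silent drop)
    else
      echo refused       # immediate failure: RST from a reject rule, nothing listening, or no route
    fi
  fi
}

# expected ROLE -> the result every probe should produce for this client
expected() {
  case $1 in
    mgmt)  echo open ;;     # the management PC is the only allowed source
    other) echo refused ;;  # everyone else hits a reject rule
    *)     echo "usage: expected mgmt|other" >&2; return 2 ;;
  esac
}

# verify ROLE -> probes every address/port pair, prints a table and returns 0
# only if every result matches the expectation for ROLE
verify() {
  local want rc=0 host port got
  want=$(expected "$1") || return 2
  for host in $FW_ADDRS; do
    for port in $PORTS; do
      got=$(probe "$host" "$port")
      printf '%-16s %-5s %-9s %s\n' "$host" "$port" "$got" \
        "$([ "$got" = "$want" ] && echo ok || echo MISMATCH)"
      [ "$got" = "$want" ] || rc=1
    done
  done
  return $rc
}

# usage: ./check-mgmt.sh mgmt   (from the management PC)
#        ./check-mgmt.sh other  (from any other host)
if [ $# -gt 0 ]; then
  verify "$1"
fi
```

A filtered result from an internal host means a silent block rule or a missing rule rather than the reject rule described above; an open result from a non-management host on the LAN usually means the anti-lockout rule is still enabled.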
