Restrict Pfsense Admin Access

Note: For an improved how-to, please see our companion article Restrict Pfsense 2.4.x Admin Access.

If you are using a Pfsense Firewall, then you are probably aware that access to the management interface is allowed by default from all interfaces except the WAN. To enhance the security of your network, in many environments access to the management interface should be limited with the use of firewall rules. For the reasons why, see the blog post Securely Managing Web-administered Devices. With that said, below we will detail the steps required to limit access to the Pfsense administrative interface using basic firewall rules.

First we will want to completely restrict administrative access from interfaces such as DMZ or WLAN. This can be accomplished with the rule pictured below.

[Image: pfsense-admin-rule]

As the screenshot shows, just above our interface allow rule, we have a rule that rejects access to PORTS_HTTP if the destination address is the DMZ gateway. Note that PORTS_HTTP is an alias for ports 80 and 443 and DMZ address is a built-in alias for the DMZ gateway. You will notice that every interface has a corresponding alias for its respective gateway address. Below is another example of rejecting access on the Guest Wireless Network (GWN) interface.

[Image: pfsense-admin-rule-gwn]

These two example rules can be applied to any network for which Pfsense management interface access will be completely restricted.

The last two rules we will want to create are on the LAN interface, allowing Pfsense management interface access from our management PC only, with access for all others restricted. Below you will note that we have two rules, the first of which allows access to the management interface from the management PC and the second of which restricts access to all others.

[Image: pfsense-admin-lan-rule]

So there you have it: with a few simple rules you have locked down your Pfsense admin access to a single PC.

Note: The rules detailed above will break your firewall if you are using squid as a transparent proxy.
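
The rule order described above matters because rules on an interface are evaluated top-down and the first match wins. The following Python model is an added example, not part of the original article or of Pfsense itself; the IP addresses, the MGMT_PC alias and the trailing LAN allow rule are constructed assumptions. It checks the DMZ and LAN rule sets and shows what happens if the reject rule is placed below the allow rule.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values (assumptions, not taken from the article).
ALIASES = {
    "PORTS_HTTP": {80, 443},          # port alias named in the article
    "DMZ address": "192.0.2.1",       # firewall's own DMZ interface IP
    "LAN address": "198.51.100.1",    # firewall's own LAN interface IP
    "MGMT_PC": "198.51.100.10",       # hypothetical management PC alias
}

@dataclass
class Rule:
    action: str           # "pass" or "reject"
    src: str = "any"      # alias name, literal IP, or "any"
    dst: str = "any"
    ports: str = "any"    # port alias name or "any"

def _addr_match(spec, ip):
    """True if spec is 'any' or resolves (via alias) to the given IP."""
    if spec == "any":
        return True
    return ipaddress.ip_address(ALIASES.get(spec, spec)) == ipaddress.ip_address(ip)

def evaluate(rules, src, dst, port):
    """Top-down, first match wins; unmatched traffic hits the default deny."""
    for r in rules:
        port_ok = r.ports == "any" or port in ALIASES[r.ports]
        if port_ok and _addr_match(r.src, src) and _addr_match(r.dst, dst):
            return r.action
    return "block"

# DMZ tab: reject GUI ports on the DMZ gateway, then the interface allow rule.
DMZ_RULES = [
    Rule("reject", dst="DMZ address", ports="PORTS_HTTP"),
    Rule("pass"),
]
# LAN tab: management PC allowed, everyone else rejected, then general allow
# (the general allow rule is assumed here).
LAN_RULES = [
    Rule("pass", src="MGMT_PC", dst="LAN address", ports="PORTS_HTTP"),
    Rule("reject", dst="LAN address", ports="PORTS_HTTP"),
    Rule("pass"),
]
# Same DMZ rules with the reject placed below the allow: the reject never matches.
DMZ_RULES_MISORDERED = list(reversed(DMZ_RULES))

if __name__ == "__main__":
    print(evaluate(DMZ_RULES, "192.0.2.50", "192.0.2.1", 443))
    print(evaluate(DMZ_RULES_MISORDERED, "192.0.2.50", "192.0.2.1", 443))
```
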
