  1. #1
    Master Untangler
    Join Date
    Aug 2016
    Posts
    103

    Blocking GUI access from guest networks

    Trying to block GUI access from any VLAN other than mgmt. All VLANs (sub-interfaces) hang off the same internal interface that is used to manage the device. I have filter rules set and working great that block VLAN-to-VLAN access; however, I cannot get anything to block GUI access from everywhere except the mgmt VLAN. I have added rules to "access rules" and still no joy. Am I missing something?

  2. #2
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606

    Show us the list of access rules; the order matters.

  3. #3
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606

  4. #4
    Master Untangler
    Join Date
    Aug 2016
    Posts
    103

    Have tried blocking dst IP and port, and just port.

    Screenshot at 2020-10-19 23-08-28.png

  5. #5
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,200

    If you block GUI access, block pages will not appear. We do not recommend doing this.

    Edit: I would be more concerned that you have the admin GUI open to the Internet. Rule for HTTPS allowed on WAN is enabled.
    Last edited by jcoffin; 10-20-2020 at 01:23 AM.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  6. #6
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606

    Show us this services screen.

    services.png

    Internally, the port specified here gets forwarded to 443 on NGFW vm (always - it is a quirk)
    I would specify the protocol.
    And as John said, surgically allow access with your custom rule, do not block it.

    I like using interfaces rather than IP addresses.

  7. #7
    Master Untangler
    Join Date
    Aug 2016
    Posts
    103

    Interesting on plenty of accounts. I use 8443 and yes, it's open to the internet because I need access to it from time to time when I am away. Non-default username; even though I have "admin" automatically populate, there is no admin account. S'pose when it's posed that way I don't need to be so concerned with inside access. But that still makes me wonder why it's not working. Everything else works great, just this one little thing that to me shouldn't be a big issue to accomplish but appears to be.

    The intent was to block certain VLANs from accessing; filter rules work great for VLAN-to-VLAN access but don't block UT access directly. If it did, this would be a closed case.

  8. #8
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,263

    The only way to control access to the WEBUI while not restricting block pages is to use the restrict administration subnet box in config -> administration.

    I suggest you disable remote HTTPS admin entirely, because with single factor auth... that's a great way to get hacked. Never forget that admin UI password is also root over SSH, it's a very quick gateway to an utterly compromised Untangle.

    So instead, you put a comma-separated list of IP ranges that can access the admin UI in the above box: this is the local trusted IP segment and, if you want remote admin access, the address pool in use by the VPN protocol in question.

    Filter rules are for things going THROUGH Untangle.

    Access rules are for things impacting Untangle itself. And those are advanced for a reason, screw that up and you'll lock out admin entirely and be forced into a reinstall.
    Last edited by sky-knight; 10-20-2020 at 03:45 PM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
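
An added example, not part of the original posts and not Untangle code: a pre-change check for the comma-separated admin allowlist described above, confirming that the management segment and VPN pool are fully covered (no lockout) and that guest VLANs are not. The subnets, segment names and CIDR entry format are assumptions constructed for illustration.

```python
import ipaddress

def parse_allowlist(text):
    """Split a comma-separated list into ip_network objects (CIDR assumed)."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in text.split(",") if item.strip()]

def coverage(cidr, allowlist):
    """How much of a segment the allowlist admits: 'full', 'partial' or 'none'."""
    seg = ipaddress.ip_network(cidr, strict=False)
    same_version = [n for n in allowlist if n.version == seg.version]
    # Merge adjacent entries so two /25s are recognised as covering a /24.
    merged = list(ipaddress.collapse_addresses(same_version))
    if any(seg.subnet_of(n) for n in merged):
        return "full"
    if any(seg.overlaps(n) for n in merged):
        return "partial"
    return "none"

def audit(allowlist_text, segments):
    """Compare the allowlist with the intent for each segment.

    segments maps name -> (cidr, should_reach_admin_ui).
    Returns (name, problem, coverage) tuples; an empty list means the
    allowlist matches the intent.
    """
    allow = parse_allowlist(allowlist_text)
    findings = []
    for name, (cidr, should_admin) in segments.items():
        got = coverage(cidr, allow)
        if should_admin and got != "full":
            findings.append((name, "lockout risk", got))
        elif not should_admin and got != "none":
            findings.append((name, "exposed", got))
    return findings

# Constructed sample layout: one management VLAN, two guest-type VLANs, one VPN pool.
SEGMENTS = {
    "mgmt":  ("10.0.10.0/24", True),
    "guest": ("10.0.20.0/24", False),
    "iot":   ("10.0.30.0/24", False),
    "vpn":   ("172.16.7.0/24", True),
}

if __name__ == "__main__":
    for candidate in ("10.0.10.0/24, 172.16.7.0/24", "10.0.0.0/16"):
        print(candidate, "->", audit(candidate, SEGMENTS) or "matches intent")
```

Running the audit before saving the setting catches both failure modes raised in the thread: an over-broad range that still admits guest VLANs, and a list that omits the segment you administer from.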

  9. #9
    Master Untangler
    Join Date
    Aug 2016
    Posts
    103

    Good points. I don't worry about the external access; I have a dashboard report that shows all the attempts at logging in. Have the webpage default to admin but that account is long gone. I don't use easy or standard accounts to admin anything I control, just my way of an extra level of protection. Think purplewatermelon or crazymonkeyass as usernames (and no, I don't use either of those) and then an equally obscure password. So unless UT has a remote access vuln or bug, am good in that regard. As always, thx for the input.

  10. #10
    Newbie
    Join Date
    May 2019
    Posts
    10

    Why not just use Command Center for remote access?
