Disabled WWW Server NAT Rule, Suddenly the Admin Web GUI is publicly Accessible!

[TheLatestWire]

Hi,

I thought I just disabled the two NAT rules to my internal www server, but with that rule disabled I just noticed the admin web GUI for my OPNsense server is then publicly accessible.  I must be misunderstanding something somewhere.  I certainly don't want my OPNsense server accessible from the internet.

I've attached a screenshot of the NAT rules.  I re-enabled them to block access to the admin webgui, but now my web server is publicly accessible again which was what I was hoping to disable for a while.  Maybe I should just delete the NAT rules instead of disabling them?

Thanks,
ObecalpEffect.

[TheLatestWire]

Sorry, somehow I completely forgot that I have another ISP firewall on the public side of my OPNsense box which has DMZ/Application forwarding set for specific ports (including 443/80) to go to my OPNsense box.  I guess I still would have expected the GUI not to show up since the ISP firewall is sending traffic to what is the public/WAN interface on the OPNsense box.

[franco]

Hi,

To avoid future confusion: so this is "working as intended"?


Cheers,
Franco

[Ciprian]

I've attached a screenshot of the NAT rules.  I re-enabled them to block access to the admin webgui, but now my web server is publicly accessible again which was what I was hoping to disable for a while.  Maybe I should just delete the NAT rules instead of disabling them?

Maybe the NAT reflection is messing with your nerves here?!?!    (As if you try to access your FW on WAN address from LAN network, NAT reflection will redirect and cut short the request, from LAN device to LAN address of the FW - and this is not only permitted, but more so, enforced by the anti-lockout rule.)

Sorry, somehow I completely forgot that I have another ISP firewall on the public side of my OPNsense box which has DMZ/Application forwarding set for specific ports (including 443/80) to go to my OPNsense box.  I guess I still would have expected the GUI not to show up since the ISP firewall is sending traffic to what is the public/WAN interface on the OPNsense box.

NOT! - See above

If you want to be completely sure, try accessing your OPNsense on public IP from a device (eg. smartphone/ tablet) connected to internet through an OPNsense independent connection (3G/4G or else).

To avoid future confusion: so this is "working as intended"?

Probably yes, we have to wait for confirmation from @ObecalpEffect.

Cheers!