Hi,
I have a problem setting up a firewall / VPN.
Basically, two networks: a private one (LAN_P) and a corporate one (LAN_C). Only LAN_C has internet access, and the goal is to give a customer on the internet access to a computer in the private network, but the client is OPNsense and it should initiate the connection.
But I don't have access to LAN_P all the time, only for the setup. We are administering everything from LAN_C, so I should give access to the GUI from LAN_C. That's the 1st difficulty.
Next, I think if I set up a VPN client from the interface on LAN_C to the external customer, I will lose control of OPNsense. That's the 2nd problem (or not?).
Hopefully, the hardware has 4 Ethernet ports, so I think I could do something like dedicating an interface to VPN and another one to the GUI, both on LAN_C.
What do you think?
(http://singman.free.fr/images/VPN.png)
Sounds like you need a site-to-site VPN to allow an unattended connection. OPNsense can be the server or the client using either IPSec or OpenVPN (easier).
The manual has a page on it: https://docs.opnsense.org/manual/how-tos/sslvpn_s2s.html
Bart...
You have not read my message...
The problem is not to set up the VPN, the problem is to give access to the admin console (the OPNsense GUI) without using a VPN.
I've tried many settings, including a NAT traversal, and all my attempts are blocked by the deny rule.
try Franco's suggestion in this thread: https://forum.opnsense.org/index.php?topic=573.0
Who should I trust?
- franco: do a NAT from a high port like 12345 to LAN 443 - not working
- ristridin: do a firewall rule External IP/Host -> WAN address -> OPNsense 443 - not working
- jwright: disable reply-to on WAN rules - not working
- banym: change the management port and open it from WAN - not working
I'm amazed by the number of answers to this very basic question (while pfSense is doing that in a very easy way) and none of them is working or provided with a simple step-by-step tutorial or picture, to avoid any errors.
BTW, my problem is still there.
Your admin console connects from WAN with an RFC1918 address from the corporate network. So you have to allow private RFC1918 addresses from WAN (it's a checkbox in the WAN interface configuration).
But why switch from pfSense when it is lucky and so much better? ::)
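The "blocked by the deny rule" symptom from the list above and the RFC1918 checkbox just mentioned are the same ordering problem seen from two sides, so here is a constructed pf ruleset fragment that illustrates it. This is an added illustration, not a poster's configuration and not the ruleset OPNsense actually generates; the interface name, the management workstation address and the rule wording are assumptions.

```pf
# Constructed example, not from the thread and not OPNsense's generated rules.
# Assumed values: em0 faces LAN_C (OPNsense's "WAN"), 10.10.0.50 is the
# management workstation in LAN_C.
wan_if = "em0"
admin_host = "10.10.0.50"
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# --- Broken order -------------------------------------------------------
# What "Block private networks" on the WAN interface amounts to: a "quick"
# block that ends evaluation for every RFC1918 source, so nothing placed
# below it is ever consulted for traffic coming from LAN_C.
block in quick on $wan_if inet from <rfc1918> to any

# This narrow pass rule is correct, but it sits after the quick block and
# therefore never matches the admin workstation: the connection still dies
# on the block above, which is exactly the "deny rule" complaint.
pass in quick on $wan_if inet proto tcp from $admin_host to ($wan_if) port 443 flags S/SA keep state

# --- Working order ------------------------------------------------------
# Either untick "Block private networks" on that interface (what the poster
# reports having done) or keep the block and put the specific pass rule
# above it: with "quick", the first matching rule wins.
pass in quick on $wan_if inet proto tcp from $admin_host to ($wan_if) port 443 flags S/SA keep state
block in quick on $wan_if inet from <rfc1918> to any

# Checks from the OPNsense shell:
#   pfctl -nf /tmp/test.conf   # parse the fragment without loading it
#   pfctl -vvsr                # list the loaded rules with their order
#   pfctl -ss | grep ':443'    # confirm the admin session created a state
```

The point is that a pass rule limited to one management host on one port is a far smaller exposure than the later idea of turning pf off entirely: the router and VPN roles still work with the packet filter loaded, and `pfctl -vvsr` lets you verify that the narrow rule sits above whatever broad block is catching the traffic.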
RFC1918 and bogon networks already deactivated :)
And if... I disable PF completely?
I don't need the firewall part of OPNsense, just the router and VPN. My WAN (corporate LAN) is already secured by firewalls.
What do you think?