How can I disable access to the WebUI on the WAN port?
OOTB it's disabled (as long as there is more than WAN iirc). Configure under System -> Settings -> Administration
Hint: if you are connected to the LAN network and just typing the WAN IP address into your browser, you are still initiating the connection from LAN and are therefore permitted.
To truly test if the administration UI is enabled on WAN you need to be connected to the Internet somehow differently and really come from outside.
OK.
Now I want to make the server accessible over http, https with a NAT rule.
Can I follow the forum tutorial or do I have to change more options?
I already did the forum tutorial, but the WebUI had priority and it doesn't work.
Please post
1. all details about your NAT rule
2. a plan of your network including IP addresses
3. a description of what this is supposed to do and in which way it doesn't
"something something doesn't work" is by far too little information to come up with any diagnosis.
NAT rules
(https://abload.de/img/auswahl_002vdkzv.png)
Bridge
(https://abload.de/img/auswahl_003bejn7.png)
DHCPv4 leases
(https://abload.de/img/auswahl_004hlj22.png)
I want the 5erver (192.168.1.100) webserver to be accessible at ports 80,433 on WAN (router),
so that when I hit free-vpn.ch (85.195.234.234) it displays the website which is hosted on 5erver behind the router.
I can't ping the devices under the LAN. So it isn't possible to ping from lapt0p (192.168.0.106) to 5erver (192.168.0.100).
Please show the details of one of the two NAT rules after you clicked on the small "edit/pencil" icon.
(https://abload.de/img/auswahl_00585kt5.png)
(https://abload.de/img/auswahl_006qmki0.png)
I also can't ping the devices in the same bridge, from lapt0p to 5erver for example...
Change the "Filter rule association" to "Pass" and the "TCP/IP version" to "IPv4". Then it should work.
For IPv6 don't use NAT but create a firewall rule (Firewall > Rules > WAN) permitting ports 80 and 443 to the fixed IPv6 address of your server inbound.
Quote from: pmhausen on November 17, 2021, 07:52:02 PM
Change the "Filter rule association" to "Pass" and the "TCP/IP version" to "IPv4". Then it should work.
For IPv6 don't use NAT but create a firewall rule (Firewall > Rules > WAN) permitting ports 80 and 443 to the fixed IPv6 address of your server inbound.
It doesn't work.
I also can't access a client in the same bridge network, for example from lapt0p to 5erver. Why?
And the clients don't have an IPv6 from the ISP, only one from the router. Why?
Did you try with a device connected to the "outside Internet", i.e. through tethering with your mobile phone?
So called "hairpin" connections from inside to the outside address do not work out of the box. You need extra configuration for that. Let's get the port forwarding straight, first. So please try with an outside device.
Second, I cannot help you with your IPv6 if you don't tell us how precisely your ISP is routing IPv6 down your line. DHCPv6? Prefix delegation? Static prefix or changing every couple of hours? ... and so on. We would need to know all of that.
How familiar are you with basic networking concepts like this? Did you read the OPNsense documentation?
Quote from: pmhausen on November 17, 2021, 08:05:32 PM
Did you try with a device connected to the "outside Internet", i.e. through tethering with your mobile phone?
So called "hairpin" connections from inside to the outside address do not work out of the box. You need extra configuration for that. Let's get the port forwarding straight, first. So please try with an outside device.
Second, I cannot help you with your IPv6 if you don't tell us how precisely your ISP is routing IPv6 down your line. DHCPv6? Prefix delegation? Static prefix or changing every couple of hours? ... and so on. We would need to know all of that.
How familiar are you with basic networking concepts like this? Did you read the OPNsense documentation?
DHCPv6
https://www.tuxone.ch/2021/02/fiber7-access-mit-pfsense.html
I did that and the clients now have an IPv6 from the ISP.
(https://abload.de/img/auswahl_010ook7q.png)
(https://abload.de/img/auswahl_011pfkl0.png)
(https://abload.de/img/auswahl_012v8jsl.png)
(https://abload.de/img/auswahl_0135mkaf.png)
I tried to connect with the mobile phone and it doesn't work.
(https://abload.de/img/auswahl_0076vkxh.png)
(https://abload.de/img/auswahl_008nfj58.png)
(https://abload.de/img/auswahl_009hske6.png)
Does the system you named "Server" have the LAN IP address of the OPNsense as its default gateway?
Quote from: pmhausen on November 17, 2021, 08:55:02 PM
Does the system you named "Server" have the LAN IP address of the OPNsense as its default gateway?
The 5erver has an IP 192.168.1.100 and a fixed IPv6 (ping -v6 joelmueller.ch) from the ISP and is a client of the router (OPNsense), also directly connected to LAN (bridge0), but I can't ping the local IPv4 nor IPv6.
Yes. ip addr shows me two IPv6 addresses and 192.168.1.100 as IPv4.
I could fix the IPv6 issue by changing the setting of the WAN port. Now I have a route and can ping an IPv6 address, but I don't understand why I can't ping local IPv4 addresses of the DHCPv4 /24 subnet?
So do I have to activate an option?
Quote from: Morta on November 17, 2021, 09:10:37 PM
Quote from: pmhausen on November 17, 2021, 08:55:02 PM
Does the system you named "Server" have the LAN IP address of the OPNsense as its default gateway?
The 5erver has an IP 192.168.1.100 and a fixed IPv6 (ping -v6 joelmueller.ch) from the ISP and is a client of the router (OPNsense), also directly connected to LAN (bridge0), but I can't ping the local IPv4 nor IPv6.
Yes. ip addr shows me two IPv6 addresses and 192.168.1.100 as IPv4.
That does not answer the question if the server has got the correct default gateway.
Quote from: pmhausen on November 17, 2021, 10:05:21 PM
Quote from: Morta on November 17, 2021, 09:10:37 PM
Quote from: pmhausen on November 17, 2021, 08:55:02 PM
Does the system you named "Server" have the LAN IP address of the OPNsense as its default gateway?
The 5erver has an IP 192.168.1.100 and a fixed IPv6 (ping -v6 joelmueller.ch) from the ISP and is a client of the router (OPNsense), also directly connected to LAN (bridge0), but I can't ping the local IPv4 nor IPv6.
Yes. ip addr shows me two IPv6 addresses and 192.168.1.100 as IPv4.
That does not answer the question if the server has got the correct default gateway.
How can I figure out?
Whatever your "Server" is - check the network settings that you configured. If someone else did, ask that person. How should I know? I have no clue what operating system your "Server" is running.
Please ... read up on fundamental networking concepts or get someone to assist who does know. This is far beyond the assistance that can be expected from a voluntary community forum.
"How can I figure out the default gateway of my server?" Seriously?
I said the gateway of my server is 192.168.1.1.
It's a DHCP client of the DHCP server of the router and is an Arch Linux machine.
I cannot write more than: yes, the router's IP is the router gateway. I don't know what is wrong with my answer above. I did ip a and it shows me 192.168.1.1/24 as gateway and 192.168.1.100 as IP.
So the problem isn't only on the server but on all devices plugged into the LAN (bridge) interface.
I fixed the issue with these tunable values on OPNsense:
net.link.bridge.allow_llz_overlap 0
net.link.bridge.inherit_mac 0
net.link.bridge.ipfw 1
net.link.bridge.ipfw_arp 0
net.link.bridge.log_stp 0
net.link.bridge.pfil_bridge 0 (Set to 1 to enable filtering on the bridge interface)
net.link.bridge.pfil_local_phys 0 (Set to 1 to additionally filter on the physical interface for locally destined packets)
net.link.bridge.pfil_member 0 (Set to 0 to disable filtering on the incoming and outgoing member interfaces.)
net.link.bridge.pfil_onlyip (Handling of non-IP packets which are not passed to pfil, see if_bridge(4))
Here is the link:
https://forums.freebsd.org/threads/routing-between-bridged-interfaces.73803/
Now I can ping the clients and access the services in the same network.
Sorry for the misunderstanding, my English is not so good and I was unsure about your question. I know what a gateway is and how to find out, but my answer was unclear.
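
An added example (not part of the thread and not OPNsense code): a small sh function that reads `sysctl net.link.bridge` style output and reports which of the two pfil hooks named in the tunables above are switched on. With both at 0, as in the posted values, the packet filter is not invoked for frames forwarded between bridge members, which is worth knowing before relying on LAN-side firewall rules. The sample input is constructed from the values in the post, and the `name: value` line format is assumed.

```shell
#!/bin/sh
# Added example: report which if_bridge(4) pfil hooks are enabled.
# Input on stdin: lines in the assumed form "net.link.bridge.<name>: <value>".
# Output: member+bridge | member | bridge | none | incomplete

bridge_pfil_hooks() {
    awk -F': *' '
        $1 == "net.link.bridge.pfil_member" { member = $2 + 0; hm = 1 }
        $1 == "net.link.bridge.pfil_bridge" { bridge = $2 + 0; hb = 1 }
        END {
            # Both tunables must be present to make a statement.
            if (!(hm && hb)) { print "incomplete"; exit }
            if (member == 1 && bridge == 1) print "member+bridge"
            else if (member == 1)           print "member"
            else if (bridge == 1)           print "bridge"
            else                            print "none"
        }'
}

# Human-readable meaning of each result.
explain_hooks() {
    case "$1" in
        member+bridge) echo "filtering on member interfaces and on the bridge interface" ;;
        member)        echo "filtering on member interfaces only" ;;
        bridge)        echo "filtering on the bridge interface only" ;;
        none)          echo "no pfil filtering of frames bridged between members" ;;
        *)             echo "pfil_member or pfil_bridge missing from input" ;;
    esac
}

# Constructed sample: the values from the post, rewritten as sysctl output.
# pfil_onlyip is left out because the post gives no value for it.
SAMPLE_FROM_THREAD='net.link.bridge.allow_llz_overlap: 0
net.link.bridge.inherit_mac: 0
net.link.bridge.ipfw: 1
net.link.bridge.ipfw_arp: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 0'

result=$(printf '%s\n' "$SAMPLE_FROM_THREAD" | bridge_pfil_hooks)
echo "$result: $(explain_hooks "$result")"
```

On the firewall itself the same function can be fed live values with `sysctl net.link.bridge | bridge_pfil_hooks`.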