Hi, please forgive me, I'm new to OPNsense and this forum.
I'm hoping someone can help me as I'm unable to find a solution to this.
I have a network configured with multiple subnets and VLANs, and the admin web GUI is accessible from all the default gateways.
Is there any way to prevent this?
Thanks
Have you checked Settings > Administration > Listen Interfaces? It's 'All' by default.
Quote from: OzziGoblin on February 19, 2023, 05:15:56 AM
Hi, please forgive me, I'm new to OPNsense and this forum.
I'm hoping someone can help me as I'm unable to find a solution to this.
I have a network configured with multiple subnets and VLANs, and the admin web GUI is accessible from all the default gateways.
Is there any way to prevent this?
Thanks
You need to add a firewall rule to block access to your firewall.
e.g. guestnet:
block, interface guestnet, source any, destination this firewall / guestnet address, port 80/http
For each interface I think you need to, except your main LAN.
Thanks for your help zan, Settings > Administration > Listen Interfaces worked perfectly :D
Quote from: tong2x on February 19, 2023, 03:10:59 PM
You need to add a firewall rule to block access to your firewall.
e.g. guestnet:
block, interface guestnet, source any, destination this firewall / guestnet address, port 80/http
For each interface I think you need to, except your main LAN.
I think it is better to use the supplied feature of OPNsense itself. And I would assume this will also work after you change the web GUI port.
That said, the best strategy for "untrusted/guest" networks is to:
* Create a *last* rule to reject RFC1918. -> Meaning a user can go to the internet but cannot access anything on the LAN.
* Before this rule I like to create a rule to allow ICMP to the gateway. This is mainly for (my own) debugging of issues.
* Before this rule create any other LAN access exceptions (DNS/NTP, etc.).
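Added example, not from this thread or from OPNsense: a small first-match simulation of the guest-interface rule order proposed above, so you can check what a guest host can and cannot reach before committing the rules. The gateway address, the LAN host and the VLAN names are constructed assumptions.

```python
"""First-match simulation of the guest VLAN rule order described above.
Constructed addresses: 192.168.50.1 is the guest VLAN gateway (the
firewall), 192.168.10.20 is a host on the trusted LAN."""
import ipaddress
from dataclasses import dataclass

GUEST_GW = ipaddress.ip_address("192.168.50.1")   # constructed
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str          # "pass" or "reject"
    proto: str           # "icmp", "udp", "tcp" or "any"
    dst: str             # "gateway", "rfc1918" or "any"
    dports: tuple = ()   # empty tuple means any port


def _dst_matches(rule, dst_ip):
    if rule.dst == "any":
        return True
    if rule.dst == "gateway":
        return dst_ip == GUEST_GW
    return any(dst_ip in net for net in RFC1918)


# OPNsense evaluates interface rules top-down, first match wins ("quick").
GUEST_RULES = [
    Rule("pass", "icmp", "gateway"),                 # ping the gateway for debugging
    Rule("pass", "udp", "gateway", (53, 123)),       # DNS/NTP exceptions
    Rule("reject", "any", "rfc1918"),                # last: no access to private nets
    Rule("pass", "any", "any"),                      # internet
]


def decide(rules, proto, dst, dport=None):
    """Return the action of the first matching rule (default deny otherwise)."""
    dst_ip = ipaddress.ip_address(dst)
    for r in rules:
        if r.proto in ("any", proto) and _dst_matches(r, dst_ip) \
                and (not r.dports or dport in r.dports):
            return r.action
    return "reject"


def check_guest_policy(rules=GUEST_RULES):
    """Outcomes for the traffic types the thread cares about."""
    return {
        "ping_gw": decide(rules, "icmp", "192.168.50.1"),
        "dns_gw": decide(rules, "udp", "192.168.50.1", 53),
        "gui_gw": decide(rules, "tcp", "192.168.50.1", 443),   # web GUI blocked
        "lan_host": decide(rules, "tcp", "192.168.10.20", 445),
        "internet": decide(rules, "tcp", "93.184.216.34", 443),  # constructed public IP
    }
```

Moving the RFC1918 reject above the DNS/NTP exception flips the DNS result to reject, which is the ordering mistake the poster's list is meant to avoid.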