OPNsense Forum

English Forums => General Discussion => Topic started by: smthing on April 13, 2023, 09:04:20 PM

Title: Firewall - Best Practice?
Post by: smthing on April 13, 2023, 09:04:20 PM
I've seen some examples where people set up firewall rules for the OPNsense gateway, but I don't really understand the practice.

Example: How to access the web GUI from the WAN port.
Almost all guides recommend a NAT port forward of the HTTPS port (without changing the port number) from the WAN interface to the LAN interface, and then opening up the firewall from the LAN side.

Is there a reason for this? Why not open up the firewall from the WAN side and skip the NAT Port Forward?
Title: Re: Firewall - Best Practice?
Post by: bartjsmit on April 14, 2023, 08:24:51 AM
Best practice is not to expose any management interfaces to the internet. Use a VPN for remote access.
Title: Re: Firewall - Best Practice?
Post by: smthing on April 14, 2023, 10:41:30 AM
Quote from: bartjsmit on April 14, 2023, 08:24:51 AM
Best practice is not to expose any management interfaces to the internet. Use a VPN for remote access.

That's understood in general cases and pretty well known.

I'm more curious about the process of using a NAT port forward from the WAN to the LAN side of the gateway and then opening the firewall for LAN access. Is there any benefit from doing this?
Title: Re: Firewall - Best Practice?
Post by: meyergru on April 14, 2023, 11:13:27 AM
Yes. To have the same URL from inside and out.
Title: Re: Firewall - Best Practice?
Post by: phoenix on April 14, 2023, 11:34:35 AM
Quote from: smthing on April 14, 2023, 10:41:30 AM
Quote from: bartjsmit on April 14, 2023, 08:24:51 AM
Best practice is not to expose any management interfaces to the internet. Use a VPN for remote access.

That's understood in general cases and pretty well known.

I'm more curious about the process of using a NAT port forward from the WAN to the LAN side of the gateway and then opening the firewall for LAN access. Is there any benefit from doing this?

Then why don't you follow the suggestion to use a VPN? You can set up a secure connection with WireGuard and only the allowed users will be able to access the LAN interface from the internet - much more secure and works a treat; I've been using it for years without problems.

It would certainly bother me if I exposed my LAN interface to the internet via NAT; I'm sure there are plenty of hackers that would find that config a challenge. ;)
Title: Re: Firewall - Best Practice?
Post by: smthing on April 15, 2023, 08:29:09 PM
Quote from: meyergru on April 14, 2023, 11:13:27 AM
Yes. To have the same URL from inside and out.

Good point and makes sense.

Quote from: phoenix on April 14, 2023, 11:34:35 AM
Then why don't you follow the suggestion to use a VPN? You can set up a secure connection with WireGuard and only the allowed users will be able to access the LAN interface from the internet - much more secure and works a treat; I've been using it for years without problems.

It would certainly bother me if I exposed my LAN interface to the internet via NAT; I'm sure there are plenty of hackers that would find that config a challenge. ;)

Thank you. The web GUI was an example, and I can understand the assumption. The question is, however, about the practice. And as mentioned above, it's probably due to having the same URL.