Hello,
I am new to OPNsense and need your help. My OPNsense firewall is behind my router and its IP address is 192.168.50.141. The LAN interface IP is 10.10.1.1, and I also have two more interfaces - OPT1 and OPT2. I can access the GUI from the LAN network, but I would like to set up access from the "WAN network", which is actually my private network. I am aware of all the security problems and so on; it is just about my private network. I spent days doing research on the Internet and I think I tried everything discussed in this forum so far, including using the NAT port forward as per this discussion - https://forum.opnsense.org/index.php?topic=3876.15. I can't make it work. I guess I am doing something wrong, or maybe I am not doing something that I need to do. What should I do? Thank you very much for your help. I am running the latest version - 23.1.11.
Can you explain more about your purpose for running OPNSense to double NAT a section of your network?
Why not move everything behind OPNSense and either remove the other router or set it to bridge mode?
Hi, sorry for my delayed response, I was away. I would like to do it this way as I would like to fully understand how OPNsense works: how to create rules, how to properly design and set up different subnets and VLANs, and then how to expose it to the Internet. Thank you very much for your help.
How do you plan on testing the rules, networks, etc if you don't have a client behind the OPNSense? Depending on your available hardware and system resources, you can also test it using VMs.
For testing purposes, you should be able just to add a pass rule to the WAN interface. But then you would have to completely recreate your setup or remember to remove that allowance once you actually put it into service.
My recommendation is to just put a machine behind OPNSense or use VMs in order to test it. You could even use your current machine, as the double NAT shouldn't interfere with any testing you do.
Sorry, I should have mentioned it: I have computers connected. As I explained, my OPNsense has 4 ports - WAN, LAN, OPT1 and OPT2. The WAN and LAN addresses are 192.168.50.141 and 10.10.1.1, and the other two are 10.10.10.1 and 10.10.20.1. I have Windows machines connected to LAN and OPT2, and a Linux machine on OPT1. As I said, whatever I do to allow access from the "Internet" (the 192.168.50.1 network) to LAN, OPT1 and OPT2, it just does not work. I guess I am doing something wrong, or maybe I am not doing what I should do. I can't find anywhere an example of how to allow that access (to ping, RDP, SSH, for example) to see what I am missing. I was only able to ping the 4 interfaces - 192.168.50.141, 10.10.1.1, 10.10.10.1, and 10.10.20.1 - but not the machines connected to them.
Sorry, I'm still a bit confused. Why can't you just use the aforementioned windows and linux machines to test?
You were pinging the WAN, LAN, OPT1, and OPT2 gateways from a machine that's on the WAN side? And got a response?
I use these machines to test, and yes, I can ping the gateways from the WAN side, but I can't ping the machines behind the gateways, and I can't access these machines using either RDP or SSH from the WAN side, whatever I've tried. I can't access the OPNsense GUI from the WAN, either.
What did you change to get ping working?
And I meant that I'm not understanding why you need to access the UI, etc from the WAN side if you have a machine on LAN that you can use.
I have attached all rules related to the interfaces. The ManagingHosts alias covers a few computers on the WAN side. The OPT1 and OPT2 interfaces are labelled VLAN1 and VLAN2-DMZ respectively, but they are not configured as VLANs regardless of the labels; this would be my next task if I am able to resolve this problem. I would like to access the OPNsense GUI, which is on the LAN interface 10.10.1.1, from the WAN side/network 192.168.50.0, as once I expose OPNsense to the world, I want to be able to access it if I am away from home/my network. So right now, the 192.168.50.0 network is like the WAN, and I can't access the GUI from there, neither by trying to connect to 10.10.1.1 nor to 192.168.50.100, which is the WAN interface address. To access it, I log in to a computer which is connected to the LAN interface. I am trying to learn how to properly create rules; I am also not sure if I should do anything with other settings like NAT, etc. I really appreciate your time and help!
Quote from: bcvic on July 09, 2023, 09:23:36 PM
once I expose OPNsense to the world, I want to be able to access it if I am away from home/my network.
Okay, that's where the disconnect lies. What you're attempting to do is wrong and will get your network owned in short order.
What you should be doing is configuring a VPN such as Wireguard or OpenVPN. These will allow you to securely access things when you're away from home.
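As an illustration of the VPN approach recommended in the reply above, here is an added example (not from this thread or from the OPNsense project) of a WireGuard setup that gives a remote client access to the GUI on the LAN address 10.10.1.1 without ever exposing port 443 on WAN. The tunnel network 10.10.99.0/24, the listen port 51820, the key placeholders and the public endpoint are all assumptions; the LAN and WAN addresses are the ones stated in the thread.

```ini
# --- OPNsense side (VPN > WireGuard > Instances, shown here in wg-quick form) ---
# Only the WireGuard port is opened on WAN; the GUI (443) is never reachable from WAN.
[Interface]
Address    = 10.10.99.1/24                      # assumed tunnel network
ListenPort = 51820                              # assumed; allow UDP/51820 in on WAN
PrivateKey = <SERVER_PRIVATE_KEY_PLACEHOLDER>

[Peer]
# One peer per remote device; AllowedIPs is the single tunnel address it may use.
PublicKey  = <CLIENT_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.10.99.2/32

# --- Remote client side (laptop away from home) ---
[Interface]
Address    = 10.10.99.2/32
PrivateKey = <CLIENT_PRIVATE_KEY_PLACEHOLDER>

[Peer]
PublicKey  = <SERVER_PUBLIC_KEY_PLACEHOLDER>
Endpoint   = <public-ip-or-ddns-name>:51820     # assumed; the router must forward UDP/51820 to 192.168.50.141
# Route only the LAN management subnet through the tunnel (split tunnel), not 0.0.0.0/0.
AllowedIPs = 10.10.1.0/24
PersistentKeepalive = 25
```

On the OPNsense side the only rules needed are a WAN pass rule for UDP/51820 and a rule on the WireGuard interface allowing 10.10.99.0/24 to 10.10.1.1 on TCP/443 (and TCP/22 if SSH is wanted). Keeping the client's AllowedIPs to 10.10.1.0/24 means a compromised laptop can reach the management network but nothing else, and because the GUI listens only on LAN, a scan of the WAN address shows just one UDP port that will not answer unauthenticated packets.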
I know I have to use a VPN when accessing it away from home. I am not going to expose it in this way. But right now, OPNsense is behind my router, and I just want to learn how to properly configure firewall rules in the setup I have now. Which of the rules I set up are wrong, what other rules should I set up, and are there any other configurations I need to do, so that the firewall works in the way I want?