OPNsense Forum

English Forums => General Discussion => Topic started by: ricksense on November 13, 2023, 08:41:26 PM

Title: [SOLVED] Getting access to OPNsense GUI from WAN issue
Post by: ricksense on November 13, 2023, 08:41:26 PM
Hi,
I installed OPNsense on my Proxmox machine to practice with it, and wanted to get temporary access to its web GUI from the WAN port to set it up more easily from my PC running on my home LAN managed by a physical router.
I hadn't managed to do it until I set "Disable" for the reply-to option in the WAN rule advanced settings, which did the trick.

However, I haven't yet understood what the reply-to is really for, and if it is safe to keep it disabled.

Again, I also have OPNsense running as a VM in my VMware Workstation. I only set the pass rule on its WAN without disabling the reply-to option, which is still set as "default". I can access its web GUI from the WAN nonetheless.
Why?

Title: Re: Getting access to OPNsense GUI from WAN issue
Post by: franco on November 14, 2023, 10:49:57 AM
Hi,

It's ok to keep it disabled. In the average case you don't access the GUI from the WAN and this is only an issue if you are locally attached. As soon as you pass the next hop over the router this problem doesn't exist anymore. The firewall wants to try to reply to the router, not the client in that scenario. This is required for multi-WAN to run smoothly so it is enabled by default.


Cheers,
Franco
Title: Re: Getting access to OPNsense GUI from WAN issue
Post by: ricksense on November 14, 2023, 12:51:32 PM
Quote from: franco on November 14, 2023, 10:49:57 AM
It's ok to keep it disabled. In the average case you don't access the GUI from the WAN and this is only an issue if you are locally attached. As soon as you pass the next hop over the router this problem doesn't exist anymore. The firewall wants to try to reply to the router, not the client in that scenario. This is required for multi-WAN to run smoothly so it is enabled by default.

Ok, I think I got it. But I am still wondering why I didn't have the same problem with my OPNsense VM running on VMware Workstation. The reply-to option is still set to default there. Strange thing really.

Moreover, I need to add a second WAN to experiment with dual WAN failover setup on OPNsense.
I guess that I have to set it back to "default" then, right?

Thank you
Title: Re: Getting access to OPNsense GUI from WAN issue
Post by: franco on November 14, 2023, 01:08:54 PM
It depends a bit on the router to send the packet back where it belongs or leak it to the next upstream hop. Sometimes it works but more often than not it doesn't. :)

> Moreover, I need to add a second WAN to experiment with dual WAN failover setup on OPNsense.
> I guess that I have to set it back to "default" then. right?

For clear separation yes. In the failover cases it's less relevant but in load balancing this is better to have.

You can also disable reply-to per firewall rule and leave the setting at the default.


Cheers,
Franco
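
Added example, not part of the original posts: a small Python model of the behaviour described in the two replies above, showing when reply-to makes delivery depend on the upstream router. The addresses are constructed, the function name `reply_path` is hypothetical, and a single WAN whose default route points at the same gateway is assumed.

```python
import ipaddress

def reply_path(client_ip, wan_if_cidr, wan_gateway, reply_to=True):
    """Model where the firewall sends replies for a connection accepted on WAN.

    Assumption: single WAN, so the default route points at wan_gateway.
    """
    client = ipaddress.ip_address(client_ip)
    wan = ipaddress.ip_interface(wan_if_cidr)
    gateway = ipaddress.ip_address(wan_gateway)
    on_link = client in wan.network  # client shares the WAN segment with the firewall

    if reply_to:
        # reply-to pins replies to the WAN gateway, skipping the route lookup.
        next_hop = gateway
    else:
        # Normal routing: on-link hosts are reached directly, others via the default route.
        next_hop = client if on_link else gateway

    return {
        "next_hop": str(next_hop),
        "on_link": on_link,
        # Delivery then hinges on the router sending the packet back onto the same segment.
        "depends_on_router": reply_to and on_link,
    }

if __name__ == "__main__":
    WAN_IF = "192.168.1.50/24"   # constructed: firewall WAN address on the home LAN
    GATEWAY = "192.168.1.1"      # constructed: physical home router
    clients = (("PC on home LAN", "192.168.1.20"), ("remote client", "203.0.113.7"))
    for label, ip in clients:
        for reply_to in (True, False):
            mode = "reply-to" if reply_to else "no reply-to"
            print(f"{label:15} {ip:13} {mode:12} {reply_path(ip, WAN_IF, GATEWAY, reply_to)}")
```

Only the locally attached client with reply-to enabled ends up with `depends_on_router` set, which matches the case where the GUI was unreachable on one hypervisor and reachable on the other.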
Title: Re: Getting access to OPNsense GUI from WAN issue
Post by: ricksense on November 14, 2023, 02:08:56 PM
Quote from: franco on November 14, 2023, 01:08:54 PM
You can also disable reply-to per firewall rule and leave the setting at the default.

It is exactly what I did already.

Thanks