Hello,
I read some posts here but I didn't find a solution.
How do I connect from my mobile to the OPNsense GUI from WAN? Currently, from LAN, the OPNsense address is 192.168.1.1.
Please, does anyone know what address I need after https:// to connect from WAN? What firewall rules do I need to connect?
I use the default firewall rules from scratch. In System -> Administration I have Listen Interfaces: All.
Firewall > Rules > WAN
Click on the "+" to add a rule. Add this rule:
Action: allow
Source: any
Destination: WAN address
Destination port: 443
That should be it. I would also go to Firewall > Settings > Advanced and check "Disable anti-lockout". I don't like "magic" things going on without explicit configuration.
Also please start to read the documentation.
Quote from: Patrick M. Hausen on December 04, 2023, 12:05:05 PM
Firewall > Rules > WAN
Click on the "+" to add a rule. Add this rule:
Action: allow
Source: any
Destination: WAN address
Destination port: 443
That should be it. I would also go to Firewall > Settings > Advanced and check "Disable anti-lockout". I don't like "magic" things going on without explicit configuration.
Also please start to read the documentation.
I did everything you said. Which address do I have to put into Firefox? https:// <- what?
External WAN address of your OPNsense ...
Quote from: Patrick M. Hausen on December 04, 2023, 12:46:31 PM
External WAN address of your OPNsense ...
Do you mean the public IP or the IPv4 WAN address? I used both but it didn't work.
The IPv4 WAN address should be a public IP. Isn't it? If it isn't, why?
Quote from: Patrick M. Hausen on December 04, 2023, 01:03:20 PM
The IPv4 WAN address should be a public IP. Isn't it? If it isn't, why?
Yes, the WAN is public. I am behind CGNAT; I use a VPN server instead of WAN to bypass CGNAT. It is the same. I use the public IP of the VPN.
My whole LAN works through the VPN. All traffic goes to the VPN, so I bypass the CGNAT. So for my post I use the public IP from the VPN, but I cannot access the web interface through WAN.
Sorry, this will not work since I am sure you do not have a publicly routable IP for your VPN interface... whatever this public IP is (VPN server IP???), it will not allow you to connect to your sense.
Behind CGNAT you can only gain direct access via v6.
Quote from: tiermutter on December 04, 2023, 01:43:19 PM
Sorry, this will not work since I am sure you do not have a publicly routable IP for your VPN interface... whatever this public IP is (VPN server IP???), it will not allow you to connect to your sense.
Behind CGNAT you can only gain direct access via v6.
To bypass this problem I run a WireGuard client on a Raspberry Pi behind OPNsense. The topology is: main router -> Raspberry Pi WireGuard -> OPNsense. I tested this with the previous firewall. It works 100%.
I am going to try it here with OPNsense.
Do you mean that IPv6 can avoid this problem?
Sorry, I don't understand how exactly this should work...
Can you provide a detailed network diagram (devices, addresses, routes, ...) of your old setup where this worked?
Are there any other services in this setting like portmapper? What is the exact role of your VPS (now I remember this, but it is not mentioned in this thread!)?
As said in other threads: details are missing! You cannot assume that everyone knows your setup or that Patrick or I will always remember details posted across 3-5 threads.
Quote from: novel on December 04, 2023, 09:59:09 PM
Do you mean that IPv6 can avoid this problem?
You can use IPv6 instead of v4 to reach your sense or home network, yes.
Even with CGNAT you should get a public v6. I am also behind CGNAT using v6 to connect via VPN to gain access to my whole LAN (even via internal v4 addresses).
Quote from: tiermutter on December 05, 2023, 07:00:11 AM
Quote from: novel on December 04, 2023, 09:59:09 PM
Do you mean that IPv6 can avoid this problem?
You can use IPv6 instead of v4 to reach your sense or home network, yes.
Even with CGNAT you should get a public v6. I am also behind CGNAT using v6 to connect via VPN to gain access to my whole LAN (even via internal v4 addresses).
Thank you for the information. Do you have a static IPv6 prefix, or do you use ddclient to update the IP?
So, do you use the VPN to have inbound traffic to OPNsense and port forwards? Do you use the VPN for any other reason?
A) No static prefix, but actually it has never changed the last 2 or 3 years.
B) Yes, I use ddclient for updating the IP, but since I never had a change in the past years, I am not sure if it really works or not. ::)
C) Unsure what you mean... After establishing the VPN connection from the client to sense I have access to all my LAN/VLANs at home and clients will use (per my default) my home WAN connection. No need for any port forwards.
D) Other reasons? No... simply to have access to my home nets and to use my home WAN connection and also the DNS resolver. I also have two NAS as VPN clients to realize external backups (I don't want a site-to-site connection here). Anything more to achieve with a roadwarrior VPN? ??? My sense is also a VPN client (NordVPN) but I use it only for a couple of devices...
Quote from: tiermutter
Sorry, I don't understand how exactly this should work...
Can you provide a detailed network diagram (devices, addresses, routes, ...) of your old setup where this worked?
Are there any other services in this setting like portmapper? What is the exact role of your VPS (now I remember this, but it is not mentioned in this thread!)?
As said in other threads: details are missing! You cannot assume that everyone knows your setup or that Patrick or I will always remember details posted across 3-5 threads.
This is why, with regret, even with private messages, I have had to stop trying to help. We keep getting single couple-liners to ask a question, but he has this convoluted setup that he fails to include in each thread. So everyone trying to help has to spend a lot of time to discover that in the end. Sorry OP, but you have been asked many times to include your whole setup. We're trying to help for free whilst holding day jobs. It's not fair to do it the way you are doing it so far.
+1
Could really be much easier to help and understand the situation and the whole desired setup.
Plus, why someone who has to ask "how do I add a rule" is attempting such a supposedly unnecessarily complex and convoluted setup ...?
Quote from: cookiemonster on December 05, 2023, 12:40:33 PM
Quote from: tiermutter
Sorry, I don't understand how exactly this should work...
Can you provide a detailed network diagram (devices, addresses, routes, ...) of your old setup where this worked?
Are there any other services in this setting like portmapper? What is the exact role of your VPS (now I remember this, but it is not mentioned in this thread!)?
As said in other threads: details are missing! You cannot assume that everyone knows your setup or that Patrick or I will always remember details posted across 3-5 threads.
This is why, with regret, even with private messages, I have had to stop trying to help. We keep getting single couple-liners to ask a question, but he has this convoluted setup that he fails to include in each thread. So everyone trying to help has to spend a lot of time to discover that in the end. Sorry OP, but you have been asked many times to include your whole setup. We're trying to help for free whilst holding day jobs. It's not fair to do it the way you are doing it so far.
I am a newbie on OPNsense. I don't understand some words... So, I am honest: it doesn't work. I can predict what information I have to give you. I am not an expert, right? So OPNsense has many rules. Do I have to upload my whole OPNsense setup with every post or question?
Please give me details of what information you want, then I will give it. If I made some errors, I am really sorry to everyone.
I forgot that I have CGNAT, so I cannot connect from WAN. Now I connect to the VPN to get a public IP from the VPN, so I try the configuration that Patrick described.
Please ask me what information you want. I really don't know what information is good to give you.
I am sorry!
Quote from: tiermutter on December 05, 2023, 01:21:34 PM
+1
Could really be much easier to help and understand the situation and the whole desired setup.
I AM SORRY. PLEASE, ask me what kind of information from the setup you want, then I will do it...
Quote from: Patrick M. Hausen on December 05, 2023, 03:14:06 PM
Plus, why someone who has to ask "how do I add a rule" is attempting such a supposedly unnecessarily complex and convoluted setup ...?
Because inside, when adding a rule with +, there are a lot of choices. That is the reason why I ask...
I have used OPNsense for a couple of days. Please understand this. I migrated from another firewall.
I am sorry!
Quote from: Patrick M. Hausen on December 04, 2023, 12:05:05 PM
Firewall > Rules > WAN
Click on the "+" to add a rule. Add this rule:
Action: allow
Source: any
Destination: WAN address
Destination port: 443
That should be it. I would also go to Firewall > Settings > Advanced and check "Disable anti-lockout". I don't like "magic" things going on without explicit configuration.
Also please start to read the documentation.
As I said in another post... I use a second Ethernet cable connected to another network adapter on OPNsense. Let's just call it WAN2. <---- WAN2 comes from the Raspberry Pi, which runs the WireGuard VPN as a client. This is done because I am behind NAT... With this solution I already bypass CGNAT.
So I have to go to Firewall > Rules > WAN2 instead of WAN, right? To open TCP 443, right?
Do I need to go to Firewall > NAT > Port Forward to open TCP port 443?
FWIW, I use a WireGuard connection to my OPNsense server and connect using that - I can then access the LAN interface for full management of the firewall if I need to. That seems to me to be the simplest solution to this problem.
Quote from: phoenix on December 06, 2023, 11:00:21 AM
FWIW, I use a WireGuard connection to my OPNsense server and connect using that - I can then access the LAN interface for full management of the firewall if I need to. That seems to me to be the simplest solution to this problem.
What does FWIW mean?
Do you run a WireGuard client on OPNsense and a WireGuard server on a VPS? Would you explain the setup? I want to do the same as you.
Do you have incoming traffic to opnsense?
FWIW, means For What It's Worth (i.e. just my opinion). :)
There's a page that describes how to install WireGuard on OPNsense here: https://docs.opnsense.org/manual/how-tos/wireguard-client.html
Follow those instructions and then set up a WireGuard client on your mobile phone or your home PC or whatever you use, then connect to OPNsense and you'll have full access to the LAN and the web interface of OPNsense on your LAN IP.
It's not really that difficult to get running and yes, I have incoming traffic to my internal servers.
BTW, there are plenty of other sites that have details of how to install and use WireGuard; take a look at some of those sites here: https://www.startpage.com/do/dsearch?query=%22how+to%22+install+wireguard+on+OPNsense
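The road-warrior setup phoenix describes, as an added example that is not part of the thread or of the OPNsense documentation: a POSIX shell helper that builds the phone's WireGuard config and the matching peer stanza for the OPNsense side, with OPNsense acting as the WireGuard server. The keys are placeholders constructed for this example (32 zero bytes in base64; generate real ones with `wg genkey | tee private.key | wg pubkey`), and the tunnel net 10.10.10.0/24, the endpoint 2001:db8::1 and the port 51820 are assumptions. The endpoint is deliberately an IPv6 literal: with CGNAT on the IPv4 side, a public v6 address is the only address at which the home OPNsense can be reached directly, which is the point tiermutter makes above.

```shell
#!/bin/sh
# Added example (not from the thread or the OPNsense docs): build a WireGuard
# road-warrior client config and the server-side [Peer] stanza for an OPNsense
# box that is the WireGuard *server*.  Keys below are placeholders constructed
# for this example (32 zero bytes, base64); tunnel net, endpoint and port are
# assumptions.  Real keys: wg genkey | tee private.key | wg pubkey

# Placeholder key: 43 'A' characters plus '=' is the base64 of 32 zero bytes.
PLACEHOLDER_KEY=$(printf '%043d=' 0 | tr 0 A)

LAN_GW='192.168.1.1'        # OPNsense LAN address from the thread; used as DNS

# A WireGuard key is 32 bytes base64-encoded: 44 characters, last one '='.
# Returns 0 if $1 has that shape and really decodes to 32 bytes.
wg_key_ok() {
    key="$1"
    [ "${#key}" -eq 44 ] || return 1
    case "$key" in
        *[!A-Za-z0-9+/=]*) return 1 ;;   # characters outside the base64 alphabet
        *=) ;;                           # correct padding for 32 bytes
        *) return 1 ;;
    esac
    n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# Endpoint= needs IPv6 literals in brackets; IPv4 addresses and hostnames pass through.
wg_endpoint() {
    host="$1" port="$2"
    case "$host" in
        *:*) printf '[%s]:%s\n' "$host" "$port" ;;
        *)   printf '%s:%s\n' "$host" "$port" ;;
    esac
}

# Client (phone) config.
#   $1 client private key   $2 server public key   $3 server host   $4 server port
#   $5 client tunnel address (CIDR)   $6 AllowedIPs = what the client routes into the tunnel
wg_client_config() {
    wg_key_ok "$1" && wg_key_ok "$2" || { echo "wg_client_config: malformed key" >&2; return 1; }
    cat <<EOF
[Interface]
PrivateKey = $1
Address = $5
DNS = $LAN_GW

[Peer]
PublicKey = $2
Endpoint = $(wg_endpoint "$3" "$4")
AllowedIPs = $6
PersistentKeepalive = 25
EOF
}

# Peer stanza to enter on OPNsense (VPN > WireGuard > Peers) for that client.
#   $1 client public key   $2 client tunnel address, as a /32
wg_server_peer() {
    wg_key_ok "$1" || { echo "wg_server_peer: malformed key" >&2; return 1; }
    cat <<EOF
[Peer]
PublicKey = $1
AllowedIPs = $2
EOF
}

# Demo with the placeholder keys.  Split tunnel: only the tunnel net and the home
# LAN go through WireGuard, so the GUI is reached at https://192.168.1.1 over the tunnel.
wg_client_config "$PLACEHOLDER_KEY" "$PLACEHOLDER_KEY" 2001:db8::1 51820 \
    10.10.10.2/32 '10.10.10.0/24, 192.168.1.0/24'
echo
wg_server_peer "$PLACEHOLDER_KEY" 10.10.10.2/32
```

AllowedIPs on the client decides what the phone sends through the tunnel: 10.10.10.0/24 plus 192.168.1.0/24 reaches the GUI at https://192.168.1.1 while the rest of the phone's traffic stays local; 0.0.0.0/0, ::/0 sends everything home, which is what phoenix describes. On the OPNsense side the only WAN rule this needs is UDP 51820 to WAN address, plus a rule on the WireGuard interface allowing the tunnel net to LAN net; TCP 443 on WAN stays closed.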
Quote from: phoenix on December 06, 2023, 11:18:14 AM
FWIW, means For What It's Worth (i.e. just my opinion). :)
There's a page that describes how to install WireGuard on OPNsense here: https://docs.opnsense.org/manual/how-tos/wireguard-client.html
Follow those instructions and then set up a WireGuard client on your mobile phone or your home PC or whatever you use, then connect to OPNsense and you'll have full access to the LAN and the web interface of OPNsense on your LAN IP.
It's not really that difficult to get running and yes, I have incoming traffic to my internal servers.
Thank you for the reply.
Are you behind CGNAT? Do you know what CGNAT is?
With the above setup, are you able to port forward from OPNsense and bypass CGNAT?
CGNAT can not be bypassed.
You might want to check out ZeroTier for your VPN needs when the public side of the OPNsense is unreachable.
Alternatively, you should have a public IPv6 which should be reachable.
Anyway, you should not expose the admin interface of your OPNsense or any other firewall to the internet.
I think there are always problems with the translation here too, making it so hard to understand...
"Bypassing" is the wrong word; I think he only wants to achieve that he can access OPNsense services via WAN.
As said, this can be done easily by v6, but this is not "bypassing", it is just using another protocol...
Quote from: bimbar on December 06, 2023, 12:31:26 PM
CGNAT can not be bypassed.
You might want to check out ZeroTier for your VPN needs when the public side of the OPNsense is unreachable.
Alternatively, you should have a public IPv6 which should be reachable.
Anyway, you should not expose the admin interface of your OPNsense or any other firewall to the internet.
Wrong... With my setup I have a public IP from the VPN, and with the old firewall I had incoming traffic to the firewall and port forwards. With the IPv4 from the ISP I couldn't have port forwards or a public IP.
I want to do the same with OPNsense. I am going to find information about ZeroTier.
Quote from: tiermutter on December 06, 2023, 12:42:07 PM
I think there are always problems with the translation here too, making it so hard to understand...
"Bypassing" is the wrong word; I think he only wants to achieve that he can access OPNsense services via WAN.
As said, this can be done easily by v6, but this is not "bypassing", it is just using another protocol...
OK, it is not bypassing. It is the same word I read in other forums. I don't have IPv6. Do you have any other solution?
"have not" could mean that v6 is not activated, but does not mean that your provider will not provide v6. ;)
Are you sure your provider will not provide v6?
Quote from: tiermutter on December 06, 2023, 01:06:25 PM
"have not" could mean that v6 is not activated, but does not mean that your provider will not provide v6. ;)
Are you sure your provider will not provide v6?
My connection doesn't have IPv6. I have another connection with IPv6, but I don't have access to its router. He gave me only the Wi-Fi password. How can I pass IPv6 from the Wi-Fi to my OPNsense? I tried yesterday but I didn't find a solution. I set IPv6 to SLAAC to get an automatic IPv6 address, but it didn't work.
It is again impossible to follow and to imagine what your setup looks like.
Please (again) provide full information about your actual and desired setup.
Please do not describe this in words, but with a graphical network diagram as already asked for in Post #9.
Quote from: tiermutter on December 06, 2023, 01:41:02 PM
It is again impossible to follow and to imagine what your setup looks like.
Please (again) provide full information about your actual and desired setup.
Please do not describe this in words, but with a graphical network diagram as already asked for in Post #9.
I hope my diagram helps you. It is not very good... I am sorry. If you want any more information, I will give it to you. Thank you.
Fine :)
There are some things I don't understand....
WAN (Internet) to Router: Wifi connection? Really? How exactly do we have to imagine that?
Router: What does this device do? Type and OS? Does it do any firewalling or NAT?
Raspi: I know this from other threads... in the past you used it as VPN gateway, but now you use OPNsense as client and VPN gateway, don't you?
Public IP from VPS: Does your VPN client really have a public IP on its interface assigned by the WG server? Or does it simply mean that traffic routed through the VPN originates from the public WG IP (NAT)?
I use opnsense with a wifi stick as the WAN interface for traveling. Doing fine for years here... :-D
I am aware of situations where Wi-Fi is used for the WAN uplink, but in this case it is better to ask twice ;)
However, then there is also info about the endpoint missing...
Quote from: tiermutter on December 06, 2023, 02:22:52 PM
Fine :)
There are some things I don't understand....
WAN (Internet) to Router: Wifi connection? Really? How exactly do we have to imagine that?
Router: What does this device do? Type and OS? Does it do any firewalling or NAT?
The router runs as a router. It can be in bridge mode. It is Ubiquiti.
The WAN is a private IP. My router gets internet through Wi-Fi with NAT.
Raspi: I know this from other threads... in the past you used it as VPN gateway, but now you use OPNsense as client and VPN gateway, don't you?
I moved the VPN to the Raspberry Pi because I couldn't set up OPNsense to get WAN access. If I am able to run the setup that the other user suggests, or the setup that we made together in the old post, I am going to take out the Raspberry Pi.
Public IP from VPS: Does your VPN client really have a public IP on its interface assigned by the WG server? Or does it simply mean that traffic routed through the VPN originates from the public WG IP (NAT)?
The second, as you said.
In the terminal of the Raspberry Pi, if I type curl ifconfig.me, it shows the public IP of the VPN server (VPS). eth0 on the Raspberry Pi is not public; it is a private IP. Does that help you?
Quote from: chemlud on December 06, 2023, 03:22:34 PM
I use opnsense with a wifi stick as the WAN interface for traveling. Doing fine for years here... :-D
Is it the same as mine? Is your connection behind CGNAT? Can you access OPNsense from WAN?
Quote from: novel on December 06, 2023, 12:01:42 PM
Quote from: phoenix on December 06, 2023, 11:18:14 AM
FWIW, means For What It's Worth (i.e. just my opinion). :)
There's a page that describes how to install WireGuard on OPNsense here: https://docs.opnsense.org/manual/how-tos/wireguard-client.html
Follow those instructions and then set up a WireGuard client on your mobile phone or your home PC or whatever you use, then connect to OPNsense and you'll have full access to the LAN and the web interface of OPNsense on your LAN IP.
It's not really that difficult to get running and yes, I have incoming traffic to my internal servers.
Thank you for the reply.
Are you behind CGNAT? Do you know what CGNAT is?
With the above setup, are you able to port forward from OPNsense and bypass CGNAT?
Would you like to answer? I have a problem that I am trying to solve. Please tell me!
Yes, I do know what CGNAT is and no, my ISP doesn't use that. You can't get through CGNAT (IPv4) to access your WAN interface nor should you ever 'allow' connections to your WAN interface. The only solution is to use IPv6 to access your LAN with a VPN as I mentioned earlier, obviously that assumes your ISP provides IPv6.
Who is your ISP? Would you consider moving to another ISP that doesn't use CGNAT, that would be the optimal solution. ;)
Quote from: phoenix on December 07, 2023, 10:37:33 AM
Yes, I do know what CGNAT is and no, my ISP doesn't use that. You can't get through CGNAT (IPv4) to access your WAN interface nor should you ever 'allow' connections to your WAN interface. The only solution is to use IPv6 to access your LAN with a VPN as I mentioned earlier, obviously that assumes your ISP provides IPv6.
Who is your ISP? Would you consider moving to another ISP that doesn't use CGNAT, that would be the optimal solution. ;)
Inaccurate.
You are wrong. I already did it.
Please search Google for "bypass CGNAT", then stop having an opinion, because you don't have knowledge of this specific issue.
Then you maybe like to show us such google-results to give us a chance of understanding what you mean.
Using external services is nothing I would call "bypassing"... this is another way / workaround to achieve what you want... And as said:
Quote from: phoenix on December 07, 2023, 10:37:33 AM
You can't get through CGNAT (IPv4) to access your WAN interface
This is 100% true as long as your provider doesn't give you exclusive routing/NAT for one or a couple of ports.
Quote from: tiermutter on December 07, 2023, 08:47:07 PM
Then you maybe like to show us such google-results to give us a chance of understanding what you mean.
Using external services is nothing I would call "bypassing"... this is another way / workaround to achieve what you want... And as said:
Quote from: phoenix on December 07, 2023, 10:37:33 AM
You can't get through CGNAT (IPv4) to access your WAN interface
This is 100% true as long as your provider doesn't give you exclusive routing/NAT for one or a couple of ports.
https://github.com/mochman/Bypass_CGNAT
https://forum.mikrotik.com/viewtopic.php?t=193257
Please, I don't care to discuss CGNAT. I would like to access from WAN as you said, such as via IPv6.
Did you see my diagram? I sent you the extra information you asked for. How can I solve it? Can you help me pass IPv6 from the router to OPNsense?
Hi, the answer is here (https://think.unblog.ch/en/access-to-opnsense-web-gui-via-wan-after-installation/)
With option 8) Shell, execute the command pfctl -d:
root@OPNsense:~ # pfctl -d
pf disabled
(https://think.unblog.ch/wp-content/uploads/2022/05/OPNsense_Firewall_Rules_WAN.png)
Besides the fact that you are replying to a thread that's 18 months old, the recommendation is awful.
Disabling the firewall or enabling access to all ports???
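An added check, not from the thread: the rule posted early in the thread (allow any to WAN address, port 443), the closing replies from bimbar and phoenix that the admin interface should never be reachable from the internet, and the last post's pfctl -d are three versions of the same mistake, so here is a POSIX shell audit that reads the ruleset exactly as `pfctl -sr` prints it on FreeBSD and flags pass-in rules on the WAN interface that open the GUI or SSH to any source, plus a check on `pfctl -si` output that pf is actually enabled. The sample ruleset and status line are constructed for this example; the interface name vtnet0 and the rule labels are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit an OPNsense (pf) ruleset for admin
# services opened to the whole internet on the WAN interface, and check that pf
# itself is enabled.  Input is the text `pfctl -sr` / `pfctl -si` print on
# FreeBSD; the sample below is constructed for this example, and the interface
# name vtnet0 and the rule labels are assumptions.
#
# Live use:   pfctl -sr | audit_wan_rules vtnet0
#             pfctl -si | pf_enabled || echo "pf is disabled"

# Ports whose exposure to "any" on WAN gets flagged: GUI (https/http) and ssh.
ADMIN_PORTS='https http ssh 443 80 22'

# Constructed ruleset.  Line 3 is the rule from this thread (any -> WAN address :443);
# line 4 is ssh opened the same way; line 2 is the one WAN rule a WireGuard server
# needs; line 5 allows https from a single admin host, which the audit does not flag.
SAMPLE_RULES='block drop in log all label "Default deny / state violation rule"
pass in quick on vtnet0 inet proto udp from any to (vtnet0) port = 51820 keep state label "WireGuard"
pass in quick on vtnet0 inet proto tcp from any to (vtnet0) port = https flags S/SA keep state label "GUI from WAN"
pass in quick on vtnet0 inet proto tcp from any to (vtnet0) port = ssh flags S/SA keep state label "ssh from WAN"
pass in quick on vtnet0 inet proto tcp from 203.0.113.7 to (vtnet0) port = https flags S/SA keep state label "GUI from admin host"
pass in quick on vtnet1 inet from 192.168.1.0/24 to any flags S/SA keep state label "Default allow LAN to any rule"'

SAMPLE_STATUS='Status: Enabled for 3 days 04:12:55           Debug: Urgent'

# Returns 0 if the `pfctl -si` text on stdin reports pf as enabled, 1 otherwise
# (after `pfctl -d` the first line reads "Status: Disabled ...").
pf_enabled() {
    grep -q '^Status: Enabled'
}

# Reads `pfctl -sr` text on stdin, prints every "pass in" rule on interface $1
# that accepts traffic from any source to an admin port, and returns 1 if it
# found one (0 when the WAN is clean), so it can gate a script or a cron mail.
audit_wan_rules() {
    wan="$1"
    awk -v wan="$wan" -v ports="$ADMIN_PORTS" '
    BEGIN {
        n = split(ports, p, " ")
        for (i = 1; i <= n; i++) adm[p[i]] = 1
        found = 0
    }
    $1 == "pass" && $2 == "in" && index($0, "on " wan " ") && index($0, " from any to ") {
        # pf prints the port as "port = https" or "port = 443"
        for (i = 1; i <= NF; i++)
            if ($i == "port" && $(i + 1) == "=" && ($(i + 2) in adm)) {
                print "EXPOSED: " $0
                found = 1
            }
    }
    END { exit found }'
}

# Demo over the constructed sample.
if printf '%s\n' "$SAMPLE_RULES" | audit_wan_rules vtnet0; then
    echo "OK: no admin service is open to any source on the WAN"
else
    echo "FIX: remove those rules; reach the GUI over the VPN at its LAN address instead"
fi
printf '%s\n' "$SAMPLE_STATUS" | pf_enabled || echo "FIX: pf is disabled; re-enable with pfctl -e"
```

On an OPNsense box the same two checks are `pfctl -sr | audit_wan_rules <wan interface>` and `pfctl -si | pf_enabled`; the physical interface name behind "WAN" is shown under Interfaces > Assignments. The audit deliberately passes the UDP 51820 rule and the https rule limited to one admin host: a VPN endpoint on WAN with the GUI reached on the LAN address is the pattern the later replies recommend. pfctl -d is the opposite of a fix: it turns packet filtering off entirely, default deny included, until pfctl -e or a filter reload turns it back on.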