Under System -> Settings -> Administration there is a "Listen Interfaces" set to the default of "All".
The WAN interface appears in this list -- is the admin UI presented to the WAN interface?
I'm setting this up with 5 interfaces plus the WAN.
If "All" presents the UI to the WAN, how do I select multiple interfaces without the WAN?
The only option I can see is just one interface or all interfaces.
After selecting a single interface you can add additional interfaces,
Starting the appliance up with the WAN interface enabled seems a little ... unsafe?
Had I not been normally paranoid I probably would have never looked for that setting.
Shouldn't access from the WAN be disabled by default?
The UI is not accessible on WAN. The firewall rules take care of that. So nothing unsafe.
Also it is recommended to leave the "All" setting, because if you select e.g. only LAN and you unplug and replug your LAN interface you will lose access.
This is due to how the socket interface is implemented in all Unix-based systems. "All" is not "each interface individually" but rather an address (0.0.0.0, also named INADDR_ANY) that means "I don't care about the interface, I'll take any connection". It's the regular way services listen for incoming connections and stay accessible in a stable manner even when interfaces come and go.
Again, nothing unsafe, the firewall rules block access from WAN.
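The wildcard behaviour described in the reply above, as an added example that is not part of the original thread and not OPNsense code: one listener is bound to 0.0.0.0 and one to a single address, and each is probed on every local IPv4 address. The pinned listener uses 127.0.0.1 as a stand-in for a single selected interface; the helper names are made up for this sketch.

```python
import socket

def listen_on(addr):
    """Open a TCP listener bound to addr on an OS-chosen port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((addr, 0))
    s.listen(8)
    return s

def reachable(dst, port):
    """True if a TCP connection to dst:port completes."""
    try:
        with socket.create_connection((dst, port), timeout=1.0):
            return True
    except OSError:
        return False

def local_addresses():
    """127.0.0.1 plus this host's primary IPv4 address, if it has one."""
    addrs = ["127.0.0.1"]
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        # connect() on a UDP socket only selects a route; no packet is sent.
        # 192.0.2.1 is a documentation address (TEST-NET-1).
        probe.connect(("192.0.2.1", 9))
        ip = probe.getsockname()[0]
        if not ip.startswith("127.") and ip != "0.0.0.0":
            addrs.append(ip)
    except OSError:
        pass  # no route available: only loopback is probed
    finally:
        probe.close()
    return addrs

def compare_listeners():
    """Map each local address to (reached wildcard, reached pinned listener)."""
    wildcard = listen_on("0.0.0.0")    # the "All" behaviour: INADDR_ANY
    pinned = listen_on("127.0.0.1")    # stand-in for one selected interface
    try:
        wport = wildcard.getsockname()[1]
        pport = pinned.getsockname()[1]
        return {a: (reachable(a, wport), reachable(a, pport))
                for a in local_addresses()}
    finally:
        wildcard.close()
        pinned.close()

if __name__ == "__main__":
    for addr, (w, p) in compare_listeners().items():
        print(f"{addr:15}  wildcard={w}  pinned-to-127.0.0.1={p}")
```

The wildcard listener answers on whatever addresses the host currently has, which is why the firewall rules, not the bind address, are what keep the GUI off the WAN.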
So, WAN blocked by default and selecting only the interfaces I want the GUI exposed on in the selection will be the safest approach?
Thank you -- you are a LOT of help.
No, WAN is blocked by default and leaving the interfaces setting alone is the safest approach. Don't touch. The wording "All (recommended)" is there for a reason.
As I explained:
- you change the setting to LAN
- you unplug LAN
- you replug LAN without rebooting the firewall
--> you lose access to the UI.
Then you will come to the forum asking for help and people will tell you that the solution is to leave the interfaces setting at "All (recommended)".
That's it. Unless you can guarantee that your LAN interface never goes down, don't touch this setting.
Well, I am sorry to say that I am the person who followed a blog post and changed my listen interfaces and now have no access to my web interface. I promise never to do it again, but is there any way to change it in the CLI, or any solution to this at all?
Quote from: jmc on April 04, 2024, 03:13:34 AM
Well, I am sorry to say that I am the person who followed a blog post and changed my listen interfaces and now have no access to my web interface. I promise never to do it again, but is there any way to change it in the CLI, or any solution to this at all?
Best practice is: don't make changes you don't understand yourself.
You can, via SSH, either roll back to the previous working config or reset access:
https://docs.opnsense.org/troubleshooting/webgui.html
Regards,
S.