OPNsense Forum

English Forums => 24.7, 24.10 Legacy Series => Topic started by: danieldk on November 03, 2024, 12:01:07 PM

Title: Cannot access Web GUI through a VLAN
Post by: danieldk on November 03, 2024, 12:01:07 PM
Setup:


Also important: the Web GUI is set to listen on all interfaces.

A client on the VLAN gets an IP address. The firewall rules also work - I can access external hosts through the WAN. I can also SSH into the OPNsense router, etc. I cannot access the Web UI through a web browser, nothing happens until it times out. Now the fun part:


~ % curl -v http://192.168.43.1/
*   Trying 192.168.43.1:80...
* Connected to 192.168.43.1 (192.168.43.1) port 80
> GET / HTTP/1.1
> Host: 192.168.43.1
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 301 Moved Permanently
< Location: https://192.168.43.1/
< Content-Length: 0
< Date: Sun, 03 Nov 2024 10:54:48 GMT
< Server: OPNsense
<
* Connection #0 to host 192.168.43.1 left intact


As you can see, connections to the HTTP port work and as expected, the client is redirected to HTTPS. But then:


~ % curl -v https://192.168.43.1/
*   Trying 192.168.43.1:443...
* Connected to 192.168.43.1 (192.168.43.1) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* Recv failure: Connection reset by peer
* LibreSSL/3.3.6: error:02FFF036:system library:func(4095):Connection reset by peer
* Closing connection
curl: (35) Recv failure: Connection reset by peer


Just hangs until it times out. So the connection is dropped. There is no firewall rule blocking it, it seems that the WebUI itself is dropping the connection. This can be confirmed by changing the WebGUI to use HTTP rather than HTTPS in the Administration settings (remember that HTTP works, see above). So, rather than getting a redirect, we now expect to get the login page. However:


~ % curl -v http://192.168.43.1/
*   Trying 192.168.43.1:80...
* Connected to 192.168.43.1 (192.168.43.1) port 80
> GET / HTTP/1.1
> Host: 192.168.43.1
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
* Recv failure: Connection reset by peer
* Closing connection
curl: (56) Recv failure: Connection reset by peer


Given that HTTP worked before setting the Web UI to HTTP, it seems like the Web UI itself is dropping connections coming from the VLAN?
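The post narrows the fault down by observing at which layer the connection dies: TCP connect succeeds, so the packet filter is not blocking the port, but the TLS handshake (and, with HTTPS disabled, the plain HTTP exchange) is reset. The following script is an added example, not code from the thread or from OPNsense, that automates that layered check. It reports the first failing stage so a defender can tell a blocked port from a service or path problem. The `start_fake_server` helpers and the constructed 301 response are local stand-ins so it runs offline; certificate verification is deliberately turned off because the probe only asks whether the handshake completes, not whether the peer is trusted.

```python
"""Layered reachability probe: TCP connect -> TLS handshake -> HTTP request.

Added example (not from the forum post). Distinguishes the cases the post
separates by hand with curl: a failed TCP connect points at filtering or
routing, a reset during the TLS handshake or HTTP exchange points past the
filter at the service or the path (VLAN tagging, MTU).
"""
import socket
import ssl
import sys
import threading
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class ProbeResult:
    stage: str                      # "tcp", "tls" or "http": the last stage reached
    ok: bool                        # True only if an HTTP status line came back
    detail: str
    status_line: Optional[str] = None


def probe(host: str, port: int, use_tls: bool, timeout: float = 5.0) -> ProbeResult:
    """Connect, optionally negotiate TLS, send GET / and report the first failing stage."""
    # Stage 1: TCP connect. Timeouts and refusals here are filter/routing territory.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ProbeResult("tcp", False, f"{type(exc).__name__}: {exc}")

    try:
        if use_tls:
            # Stage 2: TLS handshake. Verification disabled on purpose: we only
            # want to know whether the handshake completes, not trust the peer.
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            try:
                sock = ctx.wrap_socket(sock, server_hostname=host)
            except (ssl.SSLError, OSError) as exc:
                return ProbeResult("tls", False, f"{type(exc).__name__}: {exc}")

        # Stage 3: application exchange, the same request curl sent in the post.
        request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        try:
            sock.sendall(request.encode())
            data = sock.recv(4096)
        except (ssl.SSLError, OSError) as exc:
            return ProbeResult("http", False, f"{type(exc).__name__}: {exc}")
        if not data:
            return ProbeResult("http", False, "peer closed without responding")
        status_line = data.split(b"\r\n", 1)[0].decode(errors="replace")
        return ProbeResult("http", True, "response received", status_line)
    finally:
        sock.close()


def explain(r: ProbeResult) -> str:
    """Turn a ProbeResult into the conclusion the post draws at each stage."""
    if r.stage == "tcp":
        return "TCP connect failed: check firewall rules and routing first."
    if r.stage == "tls":
        return "TCP works but the TLS handshake failed: port is open, suspect the service or the path."
    if not r.ok:
        return "Connected but no HTTP response: service or path problem, not a blocked port."
    return f"Service answered: {r.status_line}"


# --- constructed local stand-ins so the example runs offline (not part of a real diagnosis) ---

def start_fake_server(handler: Callable[[socket.socket], None]) -> int:
    """Accept one connection on an ephemeral port, hand it to handler, close. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run() -> None:
        conn, _ = srv.accept()
        try:
            handler(conn)
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def reset_handler(conn: socket.socket) -> None:
    """Drop the connection without reading: mimics the reset seen in the post."""


def redirect_handler(conn: socket.socket) -> None:
    """Answer like the working HTTP listener in the post (constructed 301)."""
    conn.recv(1024)
    conn.sendall(b"HTTP/1.1 301 Moved Permanently\r\nLocation: https://127.0.0.1/\r\n"
                 b"Content-Length: 0\r\nServer: example\r\n\r\n")


if __name__ == "__main__":
    if len(sys.argv) == 3:                      # usage: probe.py <host> <port>
        res = probe(sys.argv[1], int(sys.argv[2]), use_tls=True)
    else:                                       # offline demo against the stand-ins
        res = probe("127.0.0.1", start_fake_server(reset_handler), use_tls=True, timeout=3)
    print(res.stage, res.ok, res.detail, "->", explain(res))
```

Run it with a host and port to probe a real listener over HTTPS, or with no arguments to see the reset-during-handshake case reproduced locally.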
Title: Re: Cannot access Web GUI through a VLAN
Post by: danieldk on November 03, 2024, 03:33:01 PM
Figured out the issue. I was testing with macOS' VLAN support. Turns out it is just very broken, I think it was something in the TLS connection that caused the failure (maybe related to MTU size?). There were also other ways the connection would get dropped. For instance, SSHing into OpenWrt and then running top would often also break the connection. Tested now with a switch with VLAN tagging and it works as expected.