OPNsense Forum

English Forums => 25.7, 25.10 Series => Topic started by: ecereb on September 17, 2025, 09:41:59 PM

Title: HTTP, HTTPS, FTP-OPNProxy for in-house Web Server - Free version of OPNsense
Post by: ecereb on September 17, 2025, 09:41:59 PM
V 25.7.3_7-amd64

I am in the process of migrating from a ZyXEL ZyWALL USG20 firewall. I've gotten everything to work with OPNsense LAN access, except incoming HTTP, HTTPS and FTP. I have an in-house Apache web server. I use FTP to update web pages. Now I am finding that FTP capabilities are not available on the free version of OPNsense.

I'm just this 74-year-old retired guy who has had a web server for over 25 years. I've tried a number of other firewalls, including DD-WRT, OpenWrt, TinyWall and ZoneAlarm. Thus far OPNsense seems to be the best. Of course, I had to purchase a Protectli Vault FW4C device. However...

I'm finding that there may be no (0) free firewalls that support WWW-facing web servers.
Is this true for OPNsense?

I have two VLANs. I've followed the cookbook method of NAT port forwarding, opening up 80 and 443 to the web. But still no response on the web side.
Then I can't find anything about FTP, proxies, or .

How do I get FTP to work?

Stephen Staubach
Title: Re: HTTP, HTTPS, FTP-OPNProxy for in-house Web Server - Free version of OPNsense
Post by: meyergru on September 18, 2025, 12:13:53 AM
Of course you can do that all day long...


1. About FTP:

Do you know the difference between active and passive FTP (https://www.jscape.com/blog/active-v-s-passive-ftp-simplified)?

Active FTP is much harder for a firewall to handle, because the data connection uses a second TCP stream, whose ports are transmitted over the control channel. There were all kinds of security problems with that in the past.

So, the best approach would be to switch to a passive FTP server on your web host or, even better, use SCP, which is also encrypted, so that usernames and passwords are not transmitted in the clear. If you absolutely must stay with FTP, you can use the os-ftp-proxy plugin.

Most file-transfer programs can handle multiple protocols, like active FTP, passive FTP, SCP, SFTP and FTPS.

2. For your web services:

You can either have OPNsense itself run on a port other than 80/443 and then use port forwarding (IPv4) or plain firewall rules (IPv6) to simply let the traffic pass, or (preferably) use a reverse proxy like Caddy or HAProxy to terminate the HTTP(S) traffic on OPNsense (optionally handling certificates and TLS, too). There are great how-tos for those in the tutorial section.

You just have to install the plugins for Caddy (os-caddy) or HAProxy (os-haproxy).
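To make the FTP point above concrete, here is an added example (not code from this thread, OPNsense or the os-ftp-proxy plugin) that decodes the in-band port negotiation of FTP: the PORT command a client sends in active mode and the 227 reply a server sends in passive mode, both using the RFC 959 h1,h2,h3,h4,p1,p2 encoding. It then gives the verdict a firewall in front of the FTP server would reach, including the two ways passive FTP behind NAT usually fails: the server announces its private LAN address, or it picks a data port outside the range that was forwarded. The public address 203.0.113.10, the passive range 50000-60000 and all sample control-channel lines are constructed for the example.

```python
"""Decode FTP PORT/227 port negotiation and judge it from the server-side firewall's view."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed control-channel lines (client -> server for PORT, server -> client for 227).
ACTIVE_PORT_CMD = "PORT 192,168,10,25,195,80\r\n"                           # client listens on 192.168.10.25:50000
PASSIVE_PRIVATE = "227 Entering Passive Mode (192,168,10,5,234,17).\r\n"    # server announced its LAN address
PASSIVE_PUBLIC = "227 Entering Passive Mode (203,0,113,10,234,17).\r\n"     # server knows its public address

# Assumed deployment: the FTP host sits behind the firewall, which forwards TCP/21 plus
# this fixed passive range to it. 203.0.113.10 is a documentation-range stand-in for the public IP.
PUBLIC_IP = "203.0.113.10"
PASSIVE_RANGE = (50000, 60000)

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataConnection:
    mode: str       # "active" (from PORT) or "passive" (from 227)
    host: str       # endpoint that will *accept* the data connection
    port: int
    initiator: str  # "server" in active mode, "client" in passive mode


def decode_hostport(text: str) -> Tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 form shared by PORT and 227 (port = p1*256 + p2)."""
    m = _TUPLE.search(text)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {text!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"value out of range in {text!r}")
    host = ".".join(map(str, octets[:4]))
    port = octets[4] * 256 + octets[5]
    return host, port


def parse_control_line(line: str) -> Optional[DataConnection]:
    """Return the data-connection endpoint announced by a control-channel line, or None."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        host, port = decode_hostport(line[5:])
        return DataConnection("active", host, port, initiator="server")
    if line.startswith("227 "):
        host, port = decode_hostport(line[4:])
        return DataConnection("passive", host, port, initiator="client")
    return None  # USER, PASS, RETR, ... carry no port negotiation


def server_side_verdict(conn: DataConnection, public_ip: str, passive_range: Tuple[int, int]) -> str:
    """What the firewall in front of the FTP *server* has to cope with.

    "outbound_from_server": active FTP, the server connects out to the client; nothing to
                            forward on this side (the client's firewall has the problem).
    "wrong_address":        passive FTP, but 227 announced an address other than the public
                            one, so the client connects to the wrong host.
    "port_not_forwarded":   passive FTP to a port outside the forwarded passive range.
    "ok":                   passive FTP to a forwarded port; the inbound connection succeeds.
    """
    if conn.mode == "active":
        return "outbound_from_server"
    if conn.host != public_ip:
        return "wrong_address"
    lo, hi = passive_range
    if not lo <= conn.port <= hi:
        return "port_not_forwarded"
    return "ok"


def verdict_for_line(line: str) -> Tuple[str, int, str]:
    """Convenience wrapper: (announced host, announced port, verdict) for one control line."""
    conn = parse_control_line(line)
    if conn is None:
        raise ValueError("line does not announce a data connection")
    return conn.host, conn.port, server_side_verdict(conn, PUBLIC_IP, PASSIVE_RANGE)


if __name__ == "__main__":
    for sample in (ACTIVE_PORT_CMD, PASSIVE_PRIVATE, PASSIVE_PUBLIC):
        host, port, verdict = verdict_for_line(sample)
        print(f"{sample.strip():52} -> {host}:{port:<6} {verdict}")
```

The `wrong_address` case is the one that bites most often after moving a server behind a new firewall: the server must be told its external address (most FTP daemons have a setting for this) in addition to having its passive port range forwarded, otherwise directory listings hang even though the login on port 21 works. This is also the class of in-band address rewriting that the os-ftp-proxy plugin exists to perform.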
Title: Re: HTTP, HTTPS, FTP-OPNProxy for in-house Web Server - Free version of OPNsense
Post by: amichel on September 18, 2025, 08:59:29 AM
In case you do not want to change the port the firewall is listening on:
I created a VIP (10.1.1.1) and, since the firewall's website should not be available on the WAN, I redirected port 443 on the WAN side to the VIP on port 40443 (or any other port).
Then all you need to do is configure the reverse proxy (I use nginx) to listen on 10.1.1.1:40443 and proxy the bits back to the web server in the LAN on port 443.

This issue, https://github.com/opnsense/plugins/issues/722, pointed me to my solution.
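The data path described in this post, as an added example that is not amichel's nginx configuration and not OPNsense code: once the port forward WAN:443 -> 10.1.1.1:40443 is in place, whatever listens on the VIP only has to relay bytes to the web server in the LAN on port 443; TLS then stays end to end between the browser and Apache, and the firewall's own GUI on 443 is never offered to the WAN. The relay below is a plain asyncio stream proxy in that role. The VIP and port are the ones from the post; the LAN address 192.168.1.10 is an assumption; `loopback_selftest()` runs the relay and a constructed stand-in upstream on 127.0.0.1 so the example works offline.

```python
"""Byte-for-byte TCP relay standing in for the reverse proxy that listens on the VIP."""
import asyncio

VIP_LISTEN = ("10.1.1.1", 40443)      # NAT target from the post (WAN:443 is redirected here)
LAN_UPSTREAM = ("192.168.1.10", 443)  # assumed address of the Apache host in the LAN


async def _pump(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Copy bytes one way until EOF or a reset, then close the other side's write end."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    except (ConnectionError, asyncio.IncompleteReadError):
        pass
    finally:
        writer.close()


async def relay(client_r: asyncio.StreamReader, client_w: asyncio.StreamWriter, upstream) -> None:
    """Open the upstream connection and pump both directions until either side closes."""
    try:
        up_r, up_w = await asyncio.open_connection(*upstream)
    except OSError:
        client_w.close()  # upstream unreachable: drop the client, nothing is answered on its behalf
        return
    await asyncio.gather(_pump(client_r, up_w), _pump(up_r, client_w))


async def start_relay(listen, upstream) -> asyncio.AbstractServer:
    """Listen on `listen` (e.g. the VIP) and relay every connection to `upstream`."""
    return await asyncio.start_server(lambda r, w: relay(r, w, upstream), *listen)


async def _stand_in_web_server(r: asyncio.StreamReader, w: asyncio.StreamWriter) -> None:
    """Constructed upstream for the self-test: answers one request and echoes its request line."""
    request_line = await r.readline()
    w.write(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nX-Echo: " + request_line.strip() + b"\r\n\r\n")
    await w.drain()
    w.close()


async def _loopback() -> bytes:
    upstream = await asyncio.start_server(_stand_in_web_server, "127.0.0.1", 0)
    up_addr = upstream.sockets[0].getsockname()[:2]
    proxy = await start_relay(("127.0.0.1", 0), up_addr)   # same code path as (VIP_LISTEN, LAN_UPSTREAM)
    proxy_addr = proxy.sockets[0].getsockname()[:2]
    r, w = await asyncio.open_connection(*proxy_addr)
    w.write(b"HEAD / HTTP/1.1\r\nHost: www.example.net\r\n\r\n")
    await w.drain()
    reply = await r.read()  # upstream closes after answering; the relay propagates the EOF
    w.close()
    proxy.close()
    upstream.close()
    await proxy.wait_closed()
    await upstream.wait_closed()
    return reply


def loopback_selftest() -> bytes:
    """Run one request through the relay on loopback and return the upstream's reply."""
    return asyncio.run(_loopback())


if __name__ == "__main__":
    print(loopback_selftest().decode())
    # Production entry point would be: asyncio.run(start_relay(VIP_LISTEN, LAN_UPSTREAM)) inside a
    # serve_forever() loop, bound to the VIP only, so nothing else on the firewall is exposed.
```

Because the relay never opens the TLS stream, the certificate still lives on the Apache host and the firewall cannot inspect or log the requests; that is the trade-off against meyergru's Caddy/HAProxy suggestion, where TLS is terminated on OPNsense and the proxy can do host-based routing and certificate handling itself.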