I'd like to access the WebGUI from the webinterface but can't get it to work
Does anyone know how to get it to work?
(Just installed my box yesterday, came from pfSense)
Hello,
it is nice that you tried OPNsense.
If you come from pfSense, the set-up of OPNsense should not be much different.
Do you still have your OPNsense appliance connected to a monitor/console? If so, please configure the network interface(s) first. If not, please go back and connect your monitor/console; it is the easiest and fastest way to get your initial connection problem solved. The configuration through the OPNsense console menu is also highly recommended for virtual machine installs. In the console menu one can ping out to an IP address to see if the WAN is set up right.
See:
Setup wizard (https://wiki.opnsense.org/index.php/GUI/Setup_wizard)
and
How To Install OPNsense on VirtualBox (https://www.youtube.com/watch?v=uob0zr1MPQc)
Hope that helps.
I got it all configured, I got WAN, WWAN and a BRIDGE with LAN and WIRELESS, I got internet connection through the BRIDGE, so all is working fine... except that I need to be able to access the WUI from the WAN.
Some of the errors I found at pfSense I have not found here YET... hope not to find them at all...
This isn't really recommended, but you can enable access to the GUI from the WAN. If you can, you should:
o Do a NAT from a higher port from WAN (e.g. 12345) to LAN 443
o Use a password that meets today's standards
o Pin access to the GUI by restricting WAN port access by IPs
We do have bugs, but we enjoy fixing them as they come up. :)
I'll try that Monday.
Of course I'll make a restriction that only allows a few trusted IP addresses.
no luck :-(
I tried to NAT 12345 to 192.168.1.1 without any FW Rules but the one for NAT.
Then I tried to NAT to 127.0.0.1. Still no luck :-(
Hi,
in order to gain access to your OPNsense via WAN, you just need to configure a firewall rule
External IP/Host -> WAN address -> OPNsense Management Port (443)
best regards,
Boris
Hi Boris
That is the rule made by the NAT
Maybe an IP alias > virtual IP address would help? It's an extra virtual IP added to a network interface (WAN) that could be used or forwarded by the firewall.
In general it is not a good idea to open up web UI access on WAN to your router.
However, sometimes you find yourself in a situation where you need it temporarily.
This is from some pfSense forum and also works in OPNsense.
Console access is required though...
Go into the shell and type: pfctl -d
This disables the firewall completely, and you should be able to access the web UI via WAN interface.
Turning it back on: pfctl -e
Take note that any change you make in the web UI will result in OPNsense immediately enabling the firewall again. So you might have to disable it many times during one session.
A small caveat with 'pfctl -d' is that this also disables NAT, so be careful not to annoy your LAN users. ;)
Which is the most secure option to access the GUI of the firewall from outside? VPN? Can anyone help with the rules for VPN and then the web GUI?
Thanks.
Sorry to revive an old thread, but it is really related. I've just installed OPNsense 20.1, and I'm trying to access the GUI from the WAN interface
- in the system / settings / administration / webgui, listen is to any interface
- I've created a fw rule to accept any source, destination wan address (or this firewall), https, not working
- I've created a nat rule, to accept any source, destination wan address (or this firewall), 8443, redirect 192.168.1.1/443, not working
- if I stop the firewall via pfctl -d, I can access the gui from the lan - but it is too radical
What could be wrong?
J.
Try disabling reply-to on WAN rules (Firewall > Settings > Advanced)
No need for the NAT rule if you change the TCP port for the Web GUI to a different port that is not overlapping with 1:1 NAT or nginx or haproxy usage (e.g. try 4443). You need to add this port number to the URL for all access then, even from LAN.
Then add filter rule to allow access to this port from WAN.
There might still be some other filter rule that forbids this; with luck it is a rule with logging; even better luck if it has a description, as this helps finding the culprit in the firewall log.
If I need access to a WAN Port I change the port of the management and open the Port from my fixed IP to the WAN Interface. The rule belongs on WAN Interface. That's it.
Never open it for the complete Internet.
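A check for the advice above (dedicated GUI port, allowed only from a fixed source IP, never from the whole Internet), added here as an example and not part of any post in this thread: it reads `pfctl -sr` style output and prints WAN pass rules that allow the GUI port from `any`. The interface name `em0`, the port 4443 and the sample rule lines are constructed assumptions.

```shell
#!/bin/sh
# Print pf rules that pass inbound traffic on the WAN interface to the
# Web GUI port from ANY source. Input: `pfctl -sr` style text on stdin.
# On the firewall console (assumed names): pfctl -sr | open_gui_rules em0 4443

open_gui_rules() {
    wan_if="$1"
    gui_port="$2"
    awk -v ifc="$wan_if" -v port="$gui_port" '
        $1 == "pass" && $2 == "in" {
            on_wan = 0; from_any = 0; seen_to = 0; to_port = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "on" && $(i+1) == ifc) on_wan = 1
                if ($i == "from" && $(i+1) == "any") from_any = 1
                if ($i == "to") seen_to = 1
                # Only a port that follows "to" is a destination port.
                if (seen_to && $i == "port" && $(i+1) == "=" && $(i+2) == port)
                    to_port = 1
            }
            if (on_wan && from_any && to_port) print
        }'
}

# Constructed sample input (documentation addresses, not from a real box):
#   line 2 is open to any source, line 3 is pinned to one source IP,
#   line 4 is on a different interface.
sample_rules() {
cat <<'EOF'
block drop in log on em0 inet from 10.0.0.0/8 to any
pass in quick on em0 reply-to (em0 203.0.113.1) inet proto tcp from any to (em0) port = 4443 flags S/SA keep state
pass in quick on em0 reply-to (em0 203.0.113.1) inet proto tcp from 198.51.100.7 to (em0) port = 4443 flags S/SA keep state
pass in quick on em1 inet proto tcp from any to (em1) port = 4443 flags S/SA keep state
EOF
}

# Prints only the second sample line.
sample_rules | open_gui_rules em0 4443
```

An empty result means no WAN rule exposes that port to every source; `pfctl -sr` may print well-known ports by service name, so pass the port in the form it appears in the output.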
When accessing the WebGUI from WAN, if the source is a private IP, remember to uncheck "Block private networks" in the interface settings.
Quote from: jwright on March 15, 2020, 10:42:53 PM
Try disabling reply-to on WAN rules (Firewall > Settings > Advanced)
I was looking for a solution to a similar problem for a long time.
This solved my problem! Thank you very much.
Quote from: jwright on March 15, 2020, 10:42:53 PM
Try disabling reply-to on WAN rules (Firewall > Settings > Advanced)
This one is working for me.
I think OPNsense could do with an option on the console for punching an initial hole through to the UI for a specific WAN IP; I think a rule that specifically whitelists an IP is fine. The default LAN only assumes one is running the firewall local to them so they can just access over a LAN, but this falls apart on remote installations, and adding a firewall rule in the console, when the whole software is designed to be managed from the UI, is clearly not a clean way of doing it. Hopefully a solution can be found.
As it stands now it is pfctl -d to disable the entire firewall, then going into the UI to add some kind of management IP ACL rule for accessing the UI, and finally turning the firewall back on with apply.
I've never liked the idea of allowing access to the OPNsense WebUI from the Internet. I set up Wireguard on OPNsense and if I need to log into my OPNsense system when away from home, I just fire up the Wireguard VPN on whatever device I'm using.
Well, your case is a local install; if OPNsense is remote you need to at the very least have some kind of initial WAN access. Even if it's to set up a VPN.