OPNsense Forum
English Forums => General Discussion => Topic started by: Tanduvil on January 31, 2023, 09:06:10 pm
-
Hi community,
I have OPNsense 23.1 on a Jetway mini-pc with the following setup:
HOME_VLAN (192.168.110.0/24, on NIC 1)
MANAGEMENT_VLAN (172.16.17.0/24 on NIC 2, WebGUI listens only on this interface)
WAN on NIC 3, connected to a FritzBox
As a DNS resolver I use Unbound DNS. The DNS-Addresses are the interface addresses of the VLANs.
How can I prevent that PCs from the HOME_VLAN can access the WebGUI on MANAGEMENT_VLAN?
Here are my simple rules for the HOME_VLAN, the same I use also on MANAGEMENT_VLAN, just with this VLAN as source. WebGUI is accessible from both VLANS without any problems.
Protocol Source Port Destination Port
Pass:
IPv4 UDP HOME_VLAN net * This Firewall 53 (DNS)
Block:
IPv4 * * * RFC1918_Private_Net *
Pass:
IPv4 TCP HOME_VLAN net * * Ports_TCP_80_443
RFC1918_Private_Net is an alias for the private networks, Ports_TCP_80_443 the alias for the named ports.
Internet access works on 443 and 80, private networks are blocked from HOME_VLAN. Except the WebGUI address on MANAGEMENT_VLAN. I tried to explicitly block the Management VLAN interface from the Home VLAN, but it did not work either.
Any idea what else I could try?
Thank you so much,
Christian
-
Check "Disable anti-lockout" in Firewall > Settings > Advanced?
-
Rule on TOP of HOME_VLAN rules set
Block HOME_VLAN net MANAGEMENT_VLAN address 443
-
@pmhausen
Amazing, thank you for the quick reply!!! That was it. :)
@chemlud
Thanks for replying.
-
@franco - which once again shows that there is still too much "magic" going on in OPNsense in unexpected places. ;)
Seriously, if traffic to the web UI is denied, it is denied. If the admin locks themselves out, so be it.