OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: lsc9x on August 06, 2016, 09:10:19 pm

Title: [SOLVED] Disable Web Interface on WAN Interface?
Post by: lsc9x on August 06, 2016, 09:10:19 pm
I searched for a bit looking for an answer on this and couldn't find one easily, so here's my question:

Right now, everything is working perfectly!  My OPNsense machine is acting as a router/firewall and I have the WAN set to DHCP for its addressing, and the LAN set to a static IP running DHCP and forwarding DNS.

But there is a problem:

If I go to my WAN IP in a web browser, it comes up with my admin page!  I absolutely DO NOT want to have a web logon available for hackers on the WAN interface and would like to disable the web logon, or ANY logon from the WAN interface.  I would like the external WAN interface to be locked down as much as humanly possible.  I don't need login access on the WAN interface, ever.

But I would like to retain web access on the LAN interface for administrative purposes, of course!

Is there an easy way to (properly) shut down logon and/or web access on the WAN interface?

Thanks!
Title: Re: Disable Web Interface on WAN Interface?
Post by: phoenix on August 06, 2016, 09:45:19 pm
I'm guessing that you're talking about connecting from your LAN, aren't you? If that's the case and unless you've forwarded or opened port 443 or 80 then the web ui is not available to the outside world.
Title: Re: Disable Web Interface on WAN Interface?
Post by: Zeitkind on August 07, 2016, 12:05:32 am
Well, it might be a bit confusing. If you connect from inside your LAN to the outside (WAN) IP-address of your firewall, you indeed will get the normal login page. If you check the same from outside - it won't work. Or should not - if you did not change anything. So - check from an outside address.
LAN-client -> LAN-IP of firewall  = works
LAN-client -> WAN-IP of firewall = works
WAN-client -> WAN-IP of firewall = does not work (by default)
You might check this with an online scanner like
https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap
or
https://www.grc.com
or any other online scanner around.

So, traffic gets redirected, but there is no explicit rule for that shown in the GUI, prob. a dev will answer here.
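
Added example, not part of any post in this thread: a small self-check for the three cases listed above, to be run from a host outside the LAN against your own WAN address. The function names and the script name are hypothetical; ports 80 and 443 are the ones mentioned in the thread, and IPv4 is assumed.

```python
import errno
import socket
import sys

GUI_PORTS = (80, 443)  # the web UI ports named in the thread


def probe(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        rc = s.connect_ex((host, port))
    if rc == 0:
        return "open"      # handshake completed: a service answers here
    if rc == errno.ECONNREFUSED:
        return "closed"    # RST came back: reachable, nothing listening
    return "filtered"      # timeout or unreachable: packets were dropped


def check_wan(host, ports=GUI_PORTS, timeout=3.0):
    """Probe every port and return a {port: state} mapping."""
    return {p: probe(host, p, timeout) for p in ports}


def exposed_ports(results):
    """Ports from a {port: state} mapping that accepted a connection."""
    return sorted(p for p, state in results.items() if state == "open")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: wan_gui_check.py <your-WAN-IP>")
    results = check_wan(sys.argv[1])
    for port, state in results.items():
        print(f"tcp/{port}: {state}")
    # Non-zero exit if the login page would be reachable from this host.
    sys.exit(1 if exposed_ports(results) else 0)
```

Run from inside the LAN, the same script reports the ports as open, which is the "LAN-client -> WAN-IP" case and says nothing about exposure to the Internet.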
Title: [SOLVED] Re: Disable Web Interface on WAN Interface?
Post by: lsc9x on August 07, 2016, 02:07:05 am
Excellent!  Both of you appear to be correct, and thanks for the website links, Zeitkind! (Very useful tools, thanks!)

So yes, when I did the pentest, my server came back with next to nothing which is exactly what I wanted.

Just to be safe, I VPN'd to a remote server in a different country and looked back in and nothing was replying from my external IP.

Problems solved!  =)