OPNsense Forum
English Forums => General Discussion => Topic started by: guest14791 on November 04, 2016, 03:24:13 am
-
Hey all,
New opnsense user here. I have it mostly the way I want, but ran into one thing that I can't solve yet. I want external access to the GUI. I am running HTTPS on 444. So, I made a WAN rule to pass TCP traffic on 444 to the WAN interface, but that doesn't seem to take care of it. Looking for assistance as to what I am missing.
Thanks
-
My suggestion would be to never open the firewall UI directly to the internet; it's not safe or secure and not good practice. Use a VPN and you can connect to the firewall via its LAN IP address.
-
Dig an OpenVPN/IPsec tunnel to your box and do the service via the tunnel. Anything else is not state-of-the-art.
-
So, is it not possible? I have a dedicated set of IPs it will be open to, not the world.
-
If those IPs are not on a WAN, don't use the WAN interface to connect to them (use an OPT interface). If they are on the public internet, you open up attacks through source IP spoofing.
As mentioned in this thread, firewalls risk being compromised if traffic is mixed. In a high security environment you would separate production traffic from firewall management traffic by VLAN.
Bart...
-
OK, never mind. Knew it was probably a waste of time to ask a simple question on a "support" forum these days. Instead, I get an ideological response. Thanks.
-
OK, never mind. Knew it was probably a waste of time to ask a simple question on a "support" forum these days. Instead, I get an ideological response. Thanks.
It's not an 'ideological' response, it's the correct response to that specific question. You phrased it poorly to start with by not giving the full details of what you were trying to do and, IIRC, this question has been asked and answered before on these forums. If you think the response you've been given is poor then search first.
-
1: I did search, but could not find a thread with a response.
2: Not sure how my question is poor. It pretty specifically talks about WAN access to the UI. Can you please educate me?
3: When the responses specifically do not answer the question but instead try to tell me what I want to do (because it's better!), it's an ideological response. I didn't ask about VPN access to hit the interface from the inside.
The only reason we are at this point, is because nobody wanted to provide a simple response to a simple question. Why is that so difficult?
-
If the web interface is bound to an internal LAN IP address, a NAT rule is required.
-
Thanks Fabian, I'll look at the NAT rules to see if I am missing something there.
-
2: Not sure how my question is poor. It pretty specifically talks about WAN access to the UI. Can you please educate me?
For sure, we can try. But I'm quite sure you won't listen anyway.
You asked a question not about how to properly use this product, you asked how you can break a security measure taken in this firewall. It's kinda like asking in a GM forum how to disable the ABS of your new Corvette C7. And for sure you won't get the answer you wanted - as long as you do not provide a very good explanation why you want to do that. Exposing the GUI of a firewall to the Internet should be the last resort to achieve something.
-
Let's please focus on helping, suspending judgement for good measure. :)
Maybe setting Firewall: Settings: Advanced option "- Disable reply-to on WAN rules" helps here too.
-
A little late but...
You didn't specify if you have a certificate, but anyway:
a) I installed my certificate (and its bundle)
b) configured the web gui to use such certificate
c) configured the web gui to listen to some port
d) created a rule on WAN interface:
WAN interface
any Source
Destination WAN address
from selected port to same port
Redirect target IP 127.0.0.1
Redirect target port: configured port (could be different for security. Don't use any known port for the "from" part)
Use a good description to remind you that it's not recommended to open management to the outside
Regards
-
Hey all,
New opnsense user here. I have it mostly the way I want, but ran into one thing that I can't solve yet. I want external access to the GUI. I am running HTTPS on 444. So, I made a WAN rule to pass TCP traffic on 444 to the WAN interface, but that doesn't seem to take care of it. Looking for assistance as to what I am missing.
Thanks
Here's what I have in my wiki, from my setup recipe, on how to do this.
Remote admin
Listen on port 10443
set listening port to 10443 (from default 443), 'cause most clients use 443 for something internal
System --> Settings --> Administration
<Skip all the other settings>
TCP Port: 10443
Disable Port 80 redirect: < X >
Scroll down and click "Save" (button)
Create Additional Admin user
System --> Access --> Users
click on "+" button to "add user"
Disabled < >
username: Admin
password: Whatever it is
type it again
Full Name: Second Admin User
E-mail:
Comment:
Preferred landing Page: index.php
Language: Default
Login Shell: /sbin/nologin
Expiration Date:
Group Membership:
Not a member of Member Of
< > admins
Certificate:
OTP Seed:
Authorized Keys:
IPsec Pre-Shared Key:
Save and go back (button)
Create Firewall Alias
Add external hosts for remote admin
Firewall --> Aliases --> "+" (button)
Name: remote_admin (note limits on naming – no spaces)
Description: Auth remote admin locations
Type: Hosts or Ports
Aliases: 111.222.222.111
111.222.222.112
name.bogus.tld
Apply (button)
Create WAN Firewall Rule
Firewall -> Rules -> WAN
Create Rule ('+' button labelled 'add new rule')
Create rule
Action: pass
Disabled: < > Disable this rule
Interface: WAN
TCP/IP Version: IPv4
Protocol: any
Source / Invert: < >
Source: remote_admin (put your alias here)
Source: [Advanced]
Destination / Invert: < >
Destination: This Firewall
Destination port range: from: any to: any
Log: < > Log packets that are handled by this rule
Category:
Description: RRTI BISI remote admin
Advanced features
Source OS: any
No XMLRPC Sync: < >
Schedule: none
Gateway: default
Advanced Options: [show/Hide]
Save button
Apply Button
-
Clicking "Disable reply-to on WAN rules" in Firewall -> Settings -> Advanced is a must in some setups to be able to access the web interface and SSH interface from an external source. You need to disable any other firewall rules as well and add firewall rules to allow any traffic through the WAN. The answer from BISI Sysadmin is the most complete but doesn't work on OPNsense in newer versions running VLANs.
BTW, on some VLAN configs using OPNsense for an edge router, a specific VLAN is used as the internet and sent directly to all servers connected.
-
I am using OpenVPN to reach the firewall and manage it from there, and it seems to be quite fast to deploy. Also, with 2-factor auth you can get even better security.
Exposing your UI/SSH to any IP from the internet is a bad practice.
-
Hello guys, being new to this IT world in general, I started with a PC with OPNsense installed, playing and exploring. My PC is not on a real WAN but behind my ISP's home router on a typical private network. I just don't want to go to the room where my firewall is to configure it through the GUI. So I want to see if MY IP, bound to MY MAC address, can access the GUI through the WAN. The reason the firewall is there and not in my PC directly is that I have 2 server machines directly connected to the firewall, so only they are protected by my firewall right now. I just wanted to see if I can, and actually whether it is easy. I do not want to open the gate (I know about the security risks; I have only very basic security knowledge, but I am a mid-level network engineer). So I would like to have this option only while configuring the firewall some afternoons when I come home from work. That's why I want it to be easy to configure, so that I can cancel it easily anytime. Thank you very much.
-
DISCLAIMER: The following action is not recommended, as anyone can try to log onto your firewall admin GUI from the WorldWildWeb and you are inviting trouble. But I am providing you the answer, assuming you understand there are better solutions to what you are trying to achieve.
To enable remote WebAdmin access from the WAN (outside world), do this:
On the firewall GUI, go to:
Firewall -> NAT -> Port Forward -> Click the [ + ] sign to create a new rule as follows:
Interface: WAN
Protocol: TCP
Destination: WAN address
Destination port range: From: 443 (or HTTPS) To: 443 (or HTTPS)
Redirect target IP: "Single host or Network" and enter LAN IP of your firewall eg. 192.168.1.1
Redirect target port: 443 (or HTTPS)
See attached image of what the GUI would show if the rule was entered correctly. IP address for my OPNsense LAN is: 10.1.10.1
Save + Apply = JOY
Again... probably not the best idea, but there are times you need this to get things going initially.
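The three recipes in this thread (FFA's redirect to 127.0.0.1, BISI Sysadmin's alias-restricted pass rule, and the port forward to the LAN address in the last post) all end up as pf rules on the firewall, and the difference between "just a pass rule" and "pass rule plus NAT" comes down to which address the GUI is listening on. The fragment below is an added illustration written in the FreeBSD pf syntax OPNsense uses; it is not copied from an OPNsense-generated ruleset (the generated one lives in /tmp/rules.debug). The interface name em0, the gateway 203.0.113.1, the LAN address 192.168.1.1, the port 10443 and the two alias addresses are assumed values taken from or in the spirit of the posts above.

```pf
# Added example: hand-written pf rules equivalent to the GUI recipes in this
# thread. Not an OPNsense-generated ruleset. Assumed values: WAN on em0, WAN
# gateway 203.0.113.1, firewall LAN address 192.168.1.1, GUI on TCP 10443.
wan      = "em0"
wan_gw   = "203.0.113.1"
lan_ip   = "192.168.1.1"
gui_port = "10443"

# The "remote_admin" alias from the BISI Sysadmin post becomes a pf table.
# Only these sources may ever reach the GUI port from the WAN.
table <remote_admin> { 111.222.222.111, 111.222.222.112 }

# --- Translation rules (pf requires these before the filter rules) ---------
# Case 2 only: the GUI is bound to the LAN address, so connections arriving
# for the WAN address must be redirected first. This is the NAT / port-forward
# rule Fabian and the last post describe. The FFA post redirects to 127.0.0.1
# instead of the LAN address; the shape of the rule is the same.
rdr on $wan proto tcp from <remote_admin> to ($wan) port $gui_port \
    -> $lan_ip port $gui_port

# --- Filter rules -----------------------------------------------------------
# Case 1: GUI listens on all addresses (default "Listen Interfaces"). A plain
# pass rule on WAN is enough; the default deny still blocks every other
# source. The reply-to option is what OPNsense adds to WAN rules by default:
# replies are forced back out $wan via $wan_gw.
pass in quick on $wan reply-to ($wan $wan_gw) proto tcp \
    from <remote_admin> to ($wan) port $gui_port flags S/SA keep state

# Case 2: after the rdr above the packet's destination is the LAN address, so
# the pass rule has to match the translated destination, not ($wan).
pass in quick on $wan reply-to ($wan $wan_gw) proto tcp \
    from <remote_admin> to $lan_ip port $gui_port flags S/SA keep state

# "Disable reply-to on WAN rules" (Firewall: Settings: Advanced) removes the
# reply-to (...) clause from both pass rules, so replies follow the routing
# table instead; that is the knob mentioned twice in this thread for setups
# where the forced return path is wrong.
```

Two checks decide which case applies and whether the rules are at least syntactically what you intended: `sockstat -4l | grep 10443` on the firewall shows whether lighttpd is bound to `*:10443` (case 1) or only to the LAN address (case 2), and `pfctl -nf /path/to/this/file` parses the fragment without loading it. Note that a source-address table is a filter on an untrusted field: it narrows who can reach the login page, it does not authenticate anyone, which is why the rest of the thread keeps pointing at a VPN.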