OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: Shockwaver on January 02, 2017, 09:41:43 pm

Title: TLS Web interface access.
Post by: Shockwaver on January 02, 2017, 09:41:43 pm
Hello everyone.
I successfully configured WAN, LAN, DHCP server, Firewall rules, NAT and so forth, but I am struggling with simple LAN-side access to the web GUI via secure socket.
I have set this LAN Firewall rule (please see attachment) and I was thinking it should be enough, but it is not, how come?

Thank you
Title: Re: TLS Web interface access.
Post by: fabian on January 02, 2017, 10:09:42 pm
You probably did not configure HTTPS under "System". You don't need to create a firewall rule for that because it is covered by the anti lockout rule.
Title: Re: TLS Web interface access.
Post by: Shockwaver on January 03, 2017, 10:05:30 am
Perfect Thank you! We totally missed that config section, sorry!
Ok, got it working under https, but then again we got confused about what you said: how come the anti-lockout is enough? As far as we can see (it's in the attachment of my first post) it opens just port 80, is it also taking care of port 443 under the hood?

However, the next step was to NAT a port for remote access to the web GUI (password is strong, connection is encrypted and IPs are controlled, so no worries) but we got a DNS rebind attack protection alert. We know what it is and we don't need this protection, how can we get rid of the alert to access with a domain name from WAN?
Or is there a better way than NATting the access?

Nevermind, I found out:
I just filled the input "Alternate hostnames" under System -> Settings -> Administration with the domain name(s) we'll be using to access this firewall.

Still I'd like to know why the anti-lockout rule which is specified for port 80 works also for port 443...
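The "Alternate hostnames" fix above works because the DNS-rebinding protection is a check on the HTTP Host header: the GUI only answers requests whose Host names the firewall itself (its own IP, its hostname, or an explicitly listed alternate name). The following is an added, simplified model of that check written for this thread, not OPNsense's own code; the hostnames and addresses in it are constructed.

```python
import ipaddress

# Constructed example: a simplified model of the DNS-rebinding check a
# web GUI applies to the HTTP Host header. Not OPNsense's implementation.

def split_host_port(host_header: str) -> str:
    """Return the host part of a Host header, dropping any :port suffix.
    IPv6 literals arrive bracketed, e.g. '[fd00::1]:443'."""
    h = host_header.strip()
    if h.startswith("["):                      # bracketed IPv6 literal
        end = h.find("]")
        return h[1:end] if end != -1 else h
    if h.count(":") == 1:                      # 'name:port' or 'v4:port'
        return h.rsplit(":", 1)[0]
    return h                                   # bare name or bare IPv6


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_allowed(host_header: str, system_fqdn: str, alternate_hostnames) -> bool:
    """True when the request's Host header names this firewall.

    An IP literal is accepted: a rebinding attack needs a DNS *name* that
    the attacker can re-point, so a literal address cannot be rebound.
    A name is accepted only if it is the system FQDN or one of the
    configured alternate hostnames (the setting the thread refers to)."""
    host = split_host_port(host_header).lower().rstrip(".")
    if not host:
        return False
    if is_ip_literal(host):
        return True
    allowed = {system_fqdn.lower().rstrip(".")}
    allowed |= {a.strip().lower().rstrip(".") for a in alternate_hostnames if a.strip()}
    return host in allowed


if __name__ == "__main__":
    # Constructed values: firewall is 'fw.lan', reached from WAN as 'fw.example.net'
    for hdr in ["192.168.1.1", "fw.lan:443", "fw.example.net:8443", "evil.example.org"]:
        print(hdr, "->", host_allowed(hdr, "fw.lan", ["fw.example.net"]))
```

Without "fw.example.net" in the alternate list the WAN-side request is refused, which is exactly the alert the original poster saw.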
Title: Re: TLS Web interface access.
Post by: fabian on January 03, 2017, 12:54:21 pm
The Anti-Lockout rule works for the currently configured ports for the web based user interface as well as for ssh. It is some kind of an alias of up to thee ports which are passed if targeted to the firewall before your firewall rules are evaluated so you cannot accidentally lock yourself out by blocking one of this ports. It is probably only a GUI issue (if it is).