OPNsense Forum

English Forums => General Discussion => Topic started by: goingrunning2015 on April 04, 2017, 04:03:57 am

Title: Access via WAN for remote access - not working, ideas?
Post by: goingrunning2015 on April 04, 2017, 04:03:57 am
I have a firewall rule to allow WAN 443 thru to the WAN address to 443. I have the web access set to https. When I check the firewall logs, I can see that I'm allowed in to the WAN IP and not blocked. However, I never get the GUI web page to respond. I have also tried http/80 and ICMP. With ICMP I do get replies when I have the rule active.

I know it's frowned upon to access remotely this way but just getting accustomed to this vs pfsense now.

Trying to better understand.   

I also have the anti-lockout rules and the GUI port redirect disabled.

I tried a custom port as well, 9090.


Any ideas what I could be missing?   I feel it must be something simple.   

What could I be missing?   I see the traffic at least passing thru the firewall rule to the WAN address.
Title: Re: Access via WAN for remote access - not working, ideas?
Post by: bartjsmit on April 04, 2017, 08:02:04 am
The web GUI doesn't listen on the WAN port. The usual workaround is to access OPNsense over a VPN, with all the additional security this provides, and log in through the LAN interface.

Bart...
Title: Re: Access via WAN for remote access - not working, ideas?
Post by: goingrunning2015 on April 04, 2017, 07:36:50 pm
Bart,

Very much appreciate the answer.   Makes total sense.   Essentially helping prevent someone from making a vulnerability.   I will go the VPN route.

Again, Thank you!

Casey
Title: Re: Access via WAN for remote access - not working, ideas?
Post by: jeffh0821 on April 09, 2017, 05:28:14 pm
Actually I'd like to hijack this for a second....

I'm running OPNsense in "appliance mode". Single WAN interface. After initial configuration GUI works perfectly fine.

However, after configuring an OpenVPN server, the anti-lockout rule goes away (literally, the rule no longer appears in the Firewall WAN rules) and access is now only possible, via GUI, when I'm on an OpenVPN connection.

I understand the logic when the device has multiple interfaces - and you don't want the GUI exposed externally - but I already have a firewall in front of the WAN interface. Limiting me to admin via the OpenVPN connection is challenging when I'm on the home network.

I've manually created FW rules on OPNsense to allow 443/80 to pass through the WAN address - but no luck.

So how can I get the GUI BACK to the WAN interface and off of the virtual, OpenVPN, interface?
Title: Re: Access via WAN for remote access - not working, ideas?
Post by: hockey6611 on January 25, 2018, 05:59:54 pm
Any chance you have found a resolution to this? I am testing a virtual install of OPNsense and having the exact same issue.
Title: Re: Access via WAN for remote access - not working, ideas?
Post by: franco on January 26, 2018, 07:52:32 am
By default the GUI listens on all interfaces. But if you have more than a single interface attached (usually a WAN) then WAN access is locked per firewall. Typically, opening a WAN port with a pass rule for 443 TCP is enough to fix this.

On 18.1, the GUI is able to listen on specific interfaces, although it should be said that the former still applies and setting this can be dangerous if you have no way to recover access (console or SSH).


Cheers,
Franco
Title: Re: Access via WAN for remote access - not working, ideas?
Post by: NOYB on January 26, 2018, 09:36:01 am
Though I would not do this on a system attached to an untrusted network, e.g. the internet. But it can be handy for a dev environment.

Here was my problem and the solution Franco provided.
https://forum.opnsense.org/index.php?topic=7010.0
Title: Re: Access via WAN for remote access - not working, ideas?
Post by: hockey6611 on January 30, 2018, 01:16:34 am
Quote from: franco
> By default the GUI listens on all interfaces. But if you have more than a single interface attached (usually a WAN) then WAN access is locked per firewall. Typically, opening a WAN port with a pass rule for 443 TCP is enough to fix this.
>
> On 18.1, the GUI is able to listen on specific interfaces, although it should be said that the former still applies and setting this can be dangerous if you have no way to recover access (console or SSH).
>
> Cheers,
> Franco

I previously tried an allow any-to-any rule, and that didn't work. I tried binding the GUI to WAN on 18.1, no luck either. Each time, once I created the openvpn server, via the wizard, I would be unable to connect to the GUI.

Quote from: NOYB
> Though I would not do this on a system attached to an untrusted network, e.g. the internet. But it can be handy for a dev environment.
>
> Here was my problem and the solution Franco provided.
> https://forum.opnsense.org/index.php?topic=7010.0

This solved it for me! Thanks NOYB and franco! I am running the instance behind another NAT firewall to get familiar with OPNsense, hence the single WAN interface. I liked the native TOTP authentication in OPNsense and wanted to try that out with openvpn.

* Disable reply-to in the firewall rule that you use to pass your access.
Once I did this, I was able to access the GUI after the openvpn server was created. Thanks again!
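
Added example, not part of any post in this thread and not OPNsense's own code: pf's reply-to option sends replies for a matched connection to the named gateway instead of following the routing table, so this sketch scans constructed `pfctl -sr`-style rules and reports the WAN pass rules that would detour replies to an admin client sitting on the WAN subnet itself, as in the single-WAN-behind-another-firewall setup described above. The interface name em0, the addresses and the labels are assumptions made up for the sample.

```python
import ipaddress
import re

# Constructed sample in `pfctl -sr` style; interface, addresses and labels are made up.
SAMPLE_RULES = """\
pass in quick on em0 reply-to (em0 192.168.1.1) inet proto tcp from any to (self) port = https flags S/SA keep state label "allow GUI on WAN"
pass in quick on em0 inet proto tcp from 192.168.1.0/24 to (self) port = https flags S/SA keep state label "allow GUI from WAN subnet"
pass in quick on ovpns1 inet proto tcp from any to (self) port = https flags S/SA keep state label "GUI over OpenVPN"
block drop in log on em0 inet all label "default deny"
"""

REPLY_TO = re.compile(r"^pass in .*?\bon (\S+) reply-to \((\S+) (\S+)\)")

def reply_to_rules(ruleset):
    """Return (interface, gateway, rule) for every inbound pass rule carrying reply-to."""
    found = []
    for line in ruleset.splitlines():
        m = REPLY_TO.match(line)
        if m:
            found.append((m.group(1), ipaddress.ip_address(m.group(3)), line))
    return found

def reply_path(client, wan_net, rule_gateway):
    """Describe where the reply to `client` goes for a connection accepted on WAN."""
    on_link = ipaddress.ip_address(client) in ipaddress.ip_network(wan_net)
    if rule_gateway is None:
        # No reply-to: the routing table decides, so on-link clients are answered directly.
        return "direct" if on_link else "routing table"
    # reply-to overrides the routing table, even when the client is on the WAN subnet.
    return f"forced via {rule_gateway}" + (" (client is on-link)" if on_link else "")

def audit(ruleset, wan_if, wan_net, client):
    """List rules on wan_if whose reply-to would detour replies to an on-link client."""
    hits = []
    for iface, gw, rule in reply_to_rules(ruleset):
        if iface == wan_if and "on-link" in reply_path(client, wan_net, gw):
            hits.append(rule)
    return hits

if __name__ == "__main__":
    for rule in audit(SAMPLE_RULES, "em0", "192.168.1.0/24", "192.168.1.50"):
        print("reply-to affects on-link admin client:", rule)
```
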