OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: empbilly on April 10, 2017, 11:06:06 pm

Title: [SOLVED] Access webGui from WAN
Post by: empbilly on April 10, 2017, 11:06:06 pm
Hello,

After installing OPNsense I disabled the firewall via the command line so that I could create a rule on the WAN to allow access from my machine at work.

With the pfctl -d command I disabled it, created a rule to allow access to my public IP and, after applying changes, I lost my access. I had to rerun pfctl -d to gain access again. I checked and my firewall rule was saved.

Even with the rule I cannot access via WAN. Anyone else with this problem?
Title: Re: Access webGui from WAN
Post by: franco on April 11, 2017, 06:13:16 am
pfctl -d will disable the packet filter, but any change on the GUI will reenable it. Note that pfctl -d also disables NAT for your internal networks, likely leaving them stranded.

In theory this rule should work, but try to be more permissive with source and destination first to make sure there is not a typo / other problem in the rule.

The other question is how your test setup works. Is WAN a public IP? Is an intermediate network attached? Do you test from this network? Does your ISP give you an IP or is it shared between multiple customers?


Cheers,
Franco
Title: Re: Access webGui from WAN
Post by: empbilly on April 11, 2017, 04:40:24 pm
Quote
The other question is how your test setup works. Is WAN a public IP?
Yes, public IP.

Quote
Is an intermediate network attached?
Yes

Quote
Do you test from this network?
Yes

Quote
Does your ISP give you an IP or is it shared between multiple customers?
No, we have an IP block.

I'm testing OPNsense for a Wi-Fi network called eduroam (https://www.eduroam.org/).

- The IP that I set in the WAN is part of a vlan in our border firewall and is public IP.

- The IP that I have on my machine is allowed for everything inside that vlan.
Title: Re: Access webGui from WAN
Post by: franco on April 11, 2017, 06:18:42 pm
Go to Firewall: Settings: Advanced, set [ x ] Disable reply-to on WAN rules. This option is off by default to ensure Multi-WAN consistency for return traffic of external connections, but can skew your results when you are right in front of the WAN while the gateway is somewhere else.

If you don't have Multi-WAN, you can leave this enabled; if not, you should only use this for testing. If you need this permanently for a service and have Multi-WAN, you can also disable this behaviour per pass firewall rule in the respective advanced settings.


Cheers,
Franco
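The reply-to situation described in the post above, as an added example that is not part of the original thread: the script flags pass-in rules whose source lies inside the WAN subnet while the rule still carries reply-to, so replies are sent to the gateway rather than directly to the on-link client. The rule lines are constructed in the style of `pfctl -sr` output; the interface name `em0`, the documentation-range addresses and the function names are assumptions.

```python
import ipaddress
import re

# Constructed sample in the style of `pfctl -sr` output; interface name and
# addresses are documentation-range placeholders, not values from the thread.
SAMPLE_RULES = """\
pass in quick on em0 reply-to (em0 203.0.113.1) inet proto tcp from 203.0.113.50 to 203.0.113.10 port = https flags S/SA keep state
pass in quick on em0 reply-to (em0 203.0.113.1) inet proto tcp from 198.51.100.7 to 203.0.113.10 port = https flags S/SA keep state
pass in quick on em0 inet proto tcp from 203.0.113.60 to 203.0.113.10 port = ssh flags S/SA keep state
pass in quick on em0 reply-to (em0 203.0.113.1) inet proto tcp from any to 203.0.113.10 port = http flags S/SA keep state
"""

REPLY_TO = re.compile(r"reply-to \((\S+) (\S+)\)")
SOURCE = re.compile(r"\bfrom (\S+)")


def classify(rule, wan_net):
    """Return 'no-reply-to', 'on-link-via-gateway', 'routed' or 'unknown-source'."""
    if not REPLY_TO.search(rule):
        return "no-reply-to"
    src = SOURCE.search(rule)
    try:
        src_net = ipaddress.ip_network(src.group(1), strict=False)
    except (AttributeError, ValueError):
        return "unknown-source"  # 'any', tables or aliases: cannot decide here
    # A source inside the WAN subnet is directly reachable, yet reply-to
    # still forces the answer towards the gateway named in the rule.
    if src_net.version == wan_net.version and src_net.subnet_of(wan_net):
        return "on-link-via-gateway"
    return "routed"


def audit(rules_text, wan_cidr):
    """Classify every 'pass in' rule against the WAN subnet."""
    wan_net = ipaddress.ip_network(wan_cidr, strict=False)
    return [(classify(line, wan_net), line)
            for line in rules_text.splitlines() if line.startswith("pass in")]


if __name__ == "__main__":
    for verdict, line in audit(SAMPLE_RULES, "203.0.113.0/24"):
        print(f"{verdict:22} {line}")
```

Rules reported as `on-link-via-gateway` are the ones where disabling reply-to on that rule matches the case discussed here; `unknown-source` rules need the alias or `any` resolved by hand.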
Title: Re: Access webGui from WAN
Post by: empbilly on April 11, 2017, 06:44:35 pm
franco,

I do not have multi-wan, but marking this option for testing I get access.

I did as you suggested. I checked this option directly in the rule that I created for webGui access.

Thanks for your help!  ;D

RESOLUTION: If you are reading this post and have the same problem and environment as me, you can enable the option directly in the WAN rule.

So do this:

Firewall > Rules > WAN: Edit your rule and in Advanced Options check the option disable reply-to.