OPNsense Forum

English Forums => General Discussion => Topic started by: TheLatestWire on January 17, 2018, 11:58:25 pm

Title: Disabled WWW Server NAT Rule, Suddenly the Admin Web GUI is publicly Accessible!
Post by: TheLatestWire on January 17, 2018, 11:58:25 pm
Hi,

I thought I just disabled the two NAT rules to my internal www server, but with that rule disabled I just noticed the admin web GUI for my OPNsense server is then publicly accessible.  I must be misunderstanding something somewhere.  I certainly don't want my OPNsense server accessible from the internet.

I've attached a screenshot of the NAT rules.  I re-enabled them to block access to the admin webgui, but now my web server is publicly accessible again which was what I was hoping to disable for a while.  Maybe I should just delete the NAT rules instead of disabling them?

Thanks,
ObecalpEffect.

Title: Re: Disabled WWW Server NAT Rule, Suddenly the Admin Web GUI is publicly Accessible!
Post by: TheLatestWire on January 18, 2018, 04:04:01 am
Sorry, somehow I completely forgot that I have another ISP firewall on the public side of my OPNsense box which has DMZ/Application forwarding set for specific ports (including 443/80) to go to my OPNsense box.  I guess I still would have expected the GUI not to show up since the ISP firewall is sending traffic to what is the public/WAN interface on the OPNsense box.

Title: Re: Disabled WWW Server NAT Rule, Suddenly the Admin Web GUI is publicly Accessible!
Post by: franco on January 18, 2018, 10:31:22 am
Hi,

To avoid future confusion: so this is "working as intended"?


Cheers,
Franco

Title: Re: Disabled WWW Server NAT Rule, Suddenly the Admin Web GUI is publicly Accessible!
Post by: Ciprian on January 18, 2018, 12:07:52 pm
Quote from: TheLatestWire
I've attached a screenshot of the NAT rules.  I re-enabled them to block access to the admin webgui, but now my web server is publicly accessible again which was what I was hoping to disable for a while.  Maybe I should just delete the NAT rules instead of disabling them?

Maybe the NAT reflection is messing with your nerves here?!?!  :-\  (As if you try to access your FW on WAN address from LAN network, NAT reflection will redirect and cut short the request, from LAN device to LAN address of the FW - and this is not only permitted, but more so, enforced by the anti-lockout rule.)

Quote from: TheLatestWire
Sorry, somehow I completely forgot that I have another ISP firewall on the public side of my OPNsense box which has DMZ/Application forwarding set for specific ports (including 443/80) to go to my OPNsense box.  I guess I still would have expected the GUI not to show up since the ISP firewall is sending traffic to what is the public/WAN interface on the OPNsense box.

NOT! - See above :)

If you want to be completely sure, try accessing your OPNsense on its public IP from a device (e.g. smartphone/tablet) connected to the internet through an OPNsense-independent connection (3G/4G or else).

Quote from: franco
To avoid future confusion: so this is "working as intended"?

Probably yes, we have to wait for confirmation from @ObecalpEffect.

Cheers!