OPNsense Forum
English Forums => General Discussion => Topic started by: TheLatestWire on January 17, 2018, 11:58:25 pm
-
Hi,
I thought I just disabled the two NAT rules to my internal www server, but with that rule disabled I just noticed the admin web GUI for my OPNsense server is then publicly accessible. I must be misunderstanding something somewhere. I certainly don't want my OPNsense server accessible from the internet.
I've attached a screenshot of the NAT rules. I re-enabled them to block access to the admin webgui, but now my web server is publicly accessible again which was what I was hoping to disable for a while. Maybe I should just delete the NAT rules instead of disabling them?
Thanks,
ObecalpEffect.
-
Sorry, somehow I completely forgot that I have another ISP firewall on the public side of my OPNsense box which has DMZ/Application forwarding set for specific ports (including 443/80) to go to my OPNsense box. I guess I still would have expected the GUI not to show up since the ISP firewall is sending traffic to what is the public/WAN interface on the OPNsense box.
-
Hi,
To avoid future confusion: so this is "working as intended"?
Cheers,
Franco
-
> I've attached a screenshot of the NAT rules. I re-enabled them to block access to the admin webgui, but now my web server is publicly accessible again which was what I was hoping to disable for a while. Maybe I should just delete the NAT rules instead of disabling them?
Maybe the NAT reflection is messing with your nerves here?!?! :-\ (As if you try to access your FW on WAN address from LAN network, NAT reflection will redirect and cut short the request, from LAN device to LAN address of the FW - and this is not only permitted, but more so, enforced by the anti-lockout rule.)
> Sorry, somehow I completely forgot that I have another ISP firewall on the public side of my OPNsense box which has DMZ/Application forwarding set for specific ports (including 443/80) to go to my OPNsense box. I guess I still would have expected the GUI not to show up since the ISP firewall is sending traffic to what is the public/WAN interface on the OPNsense box.
NOT! - See above :)
If you want to be completely sure, try accessing your OPNsense on its public IP from a device (e.g. smartphone/tablet) connected to the internet through an OPNsense-independent connection (3G/4G or else).
> To avoid future confusion: so this is "working as intended"?
Probably yes, we have to wait for confirmation from @ObecalpEffect.
Cheers!
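-
Added example, not part of the original thread and not OPNsense code: a simplified Python model of the behaviour discussed above, showing why the same WAN address can show the admin GUI to a LAN device while an outside device is blocked once the port forward is disabled. The addresses, the Config fields and the evaluation order are assumptions made for illustration.

```python
# Simplified model (assumption, not OPNsense code) of who answers a TCP request.
from dataclasses import dataclass

WAN_IP = "203.0.113.10"      # constructed firewall WAN address
LAN_IP = "192.168.1.1"       # constructed firewall LAN address
WEB_SERVER = "192.168.1.50"  # constructed internal www server
GUI_PORTS = {80, 443}        # ports the admin GUI answers on in this model


@dataclass
class Config:
    port_forward_enabled: bool          # WAN_IP:80/443 -> WEB_SERVER, with its pass rule
    nat_reflection: bool = True         # apply the forward to LAN clients too
    wan_pass_to_firewall: bool = False  # explicit WAN rule allowing the GUI ports


def destination(cfg: Config, ingress: str, dst_ip: str, dst_port: int) -> str:
    """Return who answers: 'web server', 'OPNsense GUI' or 'blocked'."""
    if dst_port not in GUI_PORTS:
        return "blocked"
    # 1. NAT comes first: an enabled port forward rewrites the destination.
    if cfg.port_forward_enabled and dst_ip == WAN_IP:
        if ingress == "wan" or cfg.nat_reflection:
            return "web server"
    # 2. No rewrite happened: the packet is addressed to the firewall itself.
    if dst_ip in (WAN_IP, LAN_IP):
        if ingress == "lan":
            return "OPNsense GUI"   # allowed by LAN rules such as anti-lockout
        if cfg.wan_pass_to_firewall:
            return "OPNsense GUI"   # exposed only by an explicit WAN pass rule
    return "blocked"                # default deny on WAN


def report(cfg: Config) -> dict:
    """Who answers https://WAN_IP/ for a LAN client and for an outside client."""
    return {src: destination(cfg, src, WAN_IP, 443) for src in ("lan", "wan")}


if __name__ == "__main__":
    for enabled in (True, False):
        print("port forward enabled:", enabled, report(Config(enabled)))
```

In this model the GUI is reachable from outside only when wan_pass_to_firewall is set, so a WAN pass rule covering the firewall's own address is the thing to look for if the outside test does show the login page.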