Messages - oroel

#1
Franco, I can access the WebGui from the WAN interface without VPN.

And that is a bug in my opinion, since the OPNsense is a fresh setup without any settings modifications from my side. Is there any way to block the web GUI from being accessible from WAN?
#2
Quote from: franco on February 05, 2017, 08:03:13 PM

If you have private ranges on your WAN and want to access the web GUI, simply do:


Thank you for your quick response. If I understand you correctly, you describe a way to access the WebGUI from outside. But my question is how do I block the WebGUI from being accessible from the rest of the world. And I would say that this should also be the standard behavior of a firewall: not to be available from the WAN interface (unless you are using VPN).
#3
Same issue with a clean install of OPNsense 17.1-amd64. (I am very tempted to use !!!!!!111!)

This looks like a fat ugly bug to me, since the WAN interface explicitly has the "Block private Network" flag set.

I am wondering if the bug is in my understanding of the flag and reaching the login screen from outside is a wanted feature. I also seem to be the only one stumbling across this issue. Please can someone explain to me if this is expected behavior of the firewall to show a login screen to the public? And what can be done to block this?
#4
I have LAN and WAN interfaces, and the "Block private networks" rule is active on the WAN.

To be more specific:

The WAN has two rules:
  * Block private networks
  * Block bogon networks

The LAN has the following rules:
  * Anti-Lockout Rule
  * Default allow LAN to any rule
  * Default allow LAN IPv6 to any rule

And there is also NAT active:
  * Anti-Lockout Rule on the LAN Interface
#5
No, not again! :-)

This is a fresh install and I am a bit unwilling to pull my appliance off the wall, unscrew everything, plug in the serial cable and an SD card, do a fresh install and do all the steps in reverse, just to figure out that I fell into the trap of a standard phone center question "did you reset everything?" again. The "reset everything" may help, but it doesn't answer the question why I see the login screen.

So, before I start thinking about the reset, am I the only one who sees the login screen on the WAN interface? And is there a setting to disallow this behavior?
#6
Thank you for the quick responses! And sorry for me being a bit slow: family got my full attention this weekend.

@chemlud

No, VPN isn't set up yet. I'm accessing the WebGUI with the public IP address provided by Kabel Deutschland.

@fabian

The WebGUI is also accessible via smartphone from a different provider.

The built-in web server should in my understanding listen to connections on the LAN (e.g. 10.0.0.1:403) but not the WAN interface. But it seems to listen on all interfaces (0.0.0.0:403).

I am very willing to accept that I misconfigured the firewall, but since I didn't do a lot of configuration work I am stuck.
#7
General Discussion / WebGUI accessible on WAN interface
December 03, 2016, 12:08:26 PM
My OPNsense FW is behind a cable modem. I'd like to enable VPN to access my home network and therefore turned the modem into "bridge mode" (my provider is Kabel Deutschland, btw). After doing that I can access the WebGUI of my OPNsense firewall from outside. Why is that? My understanding is that OPNsense doesn't allow connections to the WebGUI on the WAN interface.

I've tried to find a setting for disabling access to the WebGUI, but didn't find any. Do I need to set up firewall rules for blocking? Is the anti-lockout rule in the NAT settings the culprit for that behavior?