24.1 Legacy Series / VPN clients: access to the WebGUI at the loopback interface via NAT port forward
« on: August 11, 2024, 06:08:12 pm »
Until now, I had the WebGUI bound (listen interface) to the LAN interface only (I don't want to bind it to the WAN interface, and there's already another service (HAProxy) bound to the same port there).
Even though the LAN interface uses a fully static configuration (as mentioned at https://docs.opnsense.org/manual/settingsmenu.html#listen-interfaces), the WebGUI now fails to start automatically after updating from 24.1.8 to 24.1.10_8 (it can still be started manually).
Therefore I went the way of adding a custom loopback interface (device lo1, interface opt1, IP 127.0.0.10) to which I bound the WebGUI, and then added a NAT port forwarding rule (along with the associated filter rule that allows the related traffic) for the LAN interface that makes the WebGUI accessible from LAN just like before.
This works fine; however, the problem is with accessing the WebGUI from VPN (IPsec road-warrior VPN clients connected to the OPNsense host). I also added the same NAT port forwarding rule (along with the associated filter rule) for the IPsec interface, but VPN clients still can't access the WebGUI.
When enabling logging on these firewall rules I can see that the traffic passes these rules as expected (same as in the LAN case).
I also tried packet capture, but it doesn't capture the traffic that's subject to the NAT port forwarding in any useful way, so it didn't really help (I can only see the initial SYN packet coming from the VPN client side, at the IPsec enc0 device).
Now I'm quite out of ideas as to what could be wrong and what to try. Perhaps a routing issue (with traffic coming back to the VPN client) or something else?
Does anyone have any ideas or tips on what to look at or try?
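For readers who want to see the setup described above in plain pf terms, here is an added pf.conf fragment written for this thread; it is not the poster's exported OPNsense rule set. It assumes the WebGUI listens on TCP 443 (the post does not state the port) and uses placeholder LAN and road-warrior subnets and interface name.

```pf
# Added illustration, not the poster's OPNsense configuration.
# Assumptions (placeholders): WebGUI on TCP 443, LAN device igb1,
# LAN net 192.168.1.0/24, IPsec road-warrior pool 10.10.10.0/24.
lan_if   = "igb1"
lan_net  = "192.168.1.0/24"
vpn_net  = "10.10.10.0/24"
gui      = "127.0.0.10"       # address on lo1 (opt1) that the WebGUI is bound to
gui_port = "443"

# LAN: redirect connections aimed at the LAN address to the loopback alias,
# then allow the post-translation destination (pf filters after rdr).
rdr on $lan_if proto tcp from $lan_net to ($lan_if) port $gui_port -> $gui port $gui_port
pass in quick on $lan_if proto tcp from $lan_net to $gui port $gui_port keep state

# IPsec: same redirect, but packets arrive on enc0, an interface that does not
# own the original destination address; the pass rule must still match the
# translated destination 127.0.0.10, not the LAN address the client dialled.
rdr on enc0 proto tcp from $vpn_net to ($lan_if) port $gui_port -> $gui port $gui_port
pass in quick on enc0 proto tcp from $vpn_net to $gui port $gui_port keep state
```

With rules like these loaded, `pfctl -ss | grep 127.0.0.10` shows whether a state was created for a VPN client's SYN and in which stage it sits: a state stuck at SYN_SENT:CLOSED means the redirect and filter matched but no reply ever traversed pf, pointing at the return path rather than the rules.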