Messages - talowicz

#1

Hello.

I am looking to add a few WAPs to my LANs but don't know how to go about doing it. Ideally I would like the APs to be 'dumb' and be able to flash OpenWRT onto them. I then do not know how I would go about managing them. Would this be done over the network or would there be a physical interface I can plug into to configure? The latter would be ideal.
Basic network topology of my subnets, interfaces and where I want an AP deployed:

eth0 - WAN <-- DHCP from ISP
eth1 - LAN1 <-- 192.168.10.1/24 + AP ACCESSIBLE
eth2 - LAN2 <-- 192.168.20.1/24 + AP ACCESSIBLE
eth3 - MGMT <-- 192.168.99.1/24

Firewall ip is 192.168.99.1

Can anybody point me in the right direction as to how one can set up a dumb AP with OPNsense?

Thanks in advance!

#2
Quote from: Melroy vd Berg on December 09, 2024, 03:02:15 PM
Quote from: OPNenthu on December 07, 2024, 03:07:55 PM
On my system that auto-generated rule is only there for 'LAN'.  The other interfaces don't have it.

You're 100% correct indeed. The anti-lockout rule seems to be hard-coded in the code within the function:  filter_core_get_antilockout()

https://github.com/opnsense/core/blob/7373985f3b2b0344c1e2596bdbbb5b0870cadb57/src/etc/inc/filter.lib.inc#L113 (looking at this code, its unclear to me when this rule is actually created automatically and when not). My general understanding is that this anti-lockout rule will be applied to only the "LAN" interface (no matter how you rename it).

However you normally do NOT (never) want to have a management interface on a WAN interface. Only on one or more LAN ports.

The "Automatically generated rules" are actually generated for both LAN and WAN interfaces. However, I was confused myself that the default "sshlockout" rule is auto-generated :-X. But this is of course to block access to the SSH secure shell and the HTTP web management interface, which is the opposite of the anti-lockout rule of course :).

Long story short. Let's create our own dedicated management interface on OPNsense including an anti-lockout rule:

  • In Interfaces -> Assignments, I added the device (port) to the list and pressed save.
  • Go to Interfaces -> [YOUR_INTERFACE]. Select "Enable interface" and select "Prevent interface removal". And maybe give it a better description, something like: "LAN_MANAGEMENT". Then I also set IPv4 Configuration Type to: Static IPv4. And down below under Static IPv6 configuration, I give the OPNsense firewall a static IPv4 address: 192.168.2.1, with 24 subnet mask (so not 192.168.1.1 in case you were using this already on another interface).
  • For ease of use, I also enabled DHCPv4 on this management interface. So go to: Services -> ISC DHCPv4 -> [LAN_MANAGEMENT] interface. Select "Enable DHCP server" on the LAN_MANAGEMENT interface. And I gave it a range from: 192.168.2.100 to: 192.168.2.199. And press Save.
  • In Firewall -> Aliases -> New alias. Name: "anti_lockout_ports". Type: "Port(s)". Content: 80 (enter), 443 (enter) and 22 (enter). Description: "Anti-lockout ports".
  • Finally, I go to Firewall -> NAT -> Port forward. In my case the anti-lockout rule was there already. If not, create a new rule -> Select the interface (e.g. "LAN_MANAGEMENT"). Protocol: TCP. Destination: "LAN_MANAGEMENT address". Destination port select: "anti_lockout_ports" (the alias we created earlier). As Redirect target IP, I provided: 192.168.2.1 (the firewall static IP address I gave it in step 2). Give it a description like: "Anti-Lockout Rule". And press Save.
  • And press "Apply changes".

If you are sure you have the correct firewall rule in place (see my steps above), you could optionally disable the default anti-lockout rule on the LAN interface by going to: Firewall -> Settings -> Advanced -> "Disable anti-lockout" and checking "Disable administration anti-lockout rule". This disables the default anti-lockout rule on the LAN interface, as you mentioned before.

If I said something wrong, please let me know. I will update this post.

Thanks for the reply!

I followed your steps and they should work, but now my problem is that in my firewall logs, my MGMT device (192.168.99.100) is getting blocked when trying to access 192.168.1.1:443 (WebGUI). It is being caught by the 'Default Deny / state violation rule', which cannot be disabled on that interface, unless there is another way that I do not know. Any ideas on how to remedy this? Again, thanks for taking the time to answer my post!
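As an added illustration (not code from this thread or from OPNsense itself), a small first-match, per-interface rule evaluator modelling the situation in the post above: rules only apply to traffic arriving on the interface they are bound to, and a destination of "LAN_MANAGEMENT address" covers only that interface's own IP, so a packet from the MGMT network to the LAN address falls through to the default deny. Interface names, addresses and the alias come from the thread; the "self" destination standing for all firewall addresses is an assumption of the model, not an export of the real rule set.

```python
# Constructed model of per-interface, first-match firewall evaluation.
# Addresses and names are taken from the forum thread; the rule list is
# a hand-built illustration, not OPNsense's generated configuration.
from dataclasses import dataclass

# Firewall's own address on each interface (from the thread's topology).
IFACE_ADDR = {"LAN": "192.168.1.1", "MGMT": "192.168.99.1"}
ANTI_LOCKOUT_PORTS = {22, 80, 443}  # the "anti_lockout_ports" alias


@dataclass
class Rule:
    iface: str    # interface the packet must arrive on for the rule to apply
    dst: str      # interface name (that interface's address) or "self" (any)
    ports: set
    action: str = "pass"
    name: str = ""


def dst_matches(rule: Rule, dst_ip: str) -> bool:
    if rule.dst == "self":                     # assumption: "self" = all firewall IPs
        return dst_ip in IFACE_ADDR.values()
    return dst_ip == IFACE_ADDR[rule.dst]


def evaluate(rules, in_iface: str, dst_ip: str, dst_port: int):
    """First matching rule wins; anything unmatched hits the default deny."""
    for r in rules:
        if r.iface == in_iface and dst_matches(r, dst_ip) and dst_port in r.ports:
            return r.action, r.name
    return "block", "Default deny / state violation rule"


# Rule set as built in the quoted steps: the stock anti-lockout on LAN plus a
# MGMT rule whose destination is "LAN_MANAGEMENT address" (MGMT's IP only).
RULES = [
    Rule("LAN", "LAN", ANTI_LOCKOUT_PORTS, name="anti-lockout (LAN)"),
    Rule("MGMT", "MGMT", ANTI_LOCKOUT_PORTS, name="Anti-Lockout Rule (MGMT)"),
]

# Same, but with the MGMT rule's destination widened to every firewall address.
WIDENED = [RULES[0], Rule("MGMT", "self", ANTI_LOCKOUT_PORTS, name="MGMT to self")]

if __name__ == "__main__":
    # Reaching the MGMT address from the MGMT network passes ...
    print(evaluate(RULES, "MGMT", "192.168.99.1", 443))
    # ... but the LAN address from MGMT misses both rules (wrong ingress
    # interface for the LAN rule, wrong destination for the MGMT rule).
    print(evaluate(RULES, "MGMT", "192.168.1.1", 443))
    print(evaluate(WIDENED, "MGMT", "192.168.1.1", 443))
```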
#3
I am new to this forum, so the subject tag may not be correct and I was in a hurry when making this post!

I'm using OPNsense in a QEMU virtual machine with 3 interfaces. I would like to make the WebGUI only accessible from the MGMT interface, and also have the MGMT interface blocked from accessing the internet.

Here is a quick diagram I made to visualize my topology:
https://0x0.st/Xhb5.png

I have assigned address ranges to these interfaces, added an allow-all rule to the MGMT interface, and verified that I can access the internet and the WebGUI from the MGMT network. But when I change Settings > Administration > Listen Interfaces from "All" to "MGMT", I cannot access the WebGUI anymore from the MGMT interface. I am very new to OPNsense and am migrating from Mikrotik, so the new terminology and procedures are confusing me!

Any help would be greatly appreciated.