Messages - power46

#1
General Discussion / Access WebUI via WAN
Today at 02:49:51 PM
Hi,

I would like to try OPNsense on hcloud for test purposes.

Starting from a FreeBSD instance, I am installing OPNsense via the script:

sh ./opnsense-bootstrap.sh.in -r 24.7 -y

and copying the following file to /conf/config.xml:


<?xml version="1.0"?>
<opnsense>
  <trigger_initial_wizard/>

  <theme>opnsense</theme>

  <system>
    <optimization>normal</optimization>
    <hostname>OPNsense</hostname>
    <domain>localdomain</domain>
    <dnsallowoverride>1</dnsallowoverride>
    <group>
      <name>admins</name>
      <description><![CDATA[System Administrators]]></description>
      <scope>system</scope>
      <gid>1999</gid>
      <member>0</member>
      <priv>page-all</priv>
    </group>
    <user>
      <name>root</name>
      <descr><![CDATA[System Administrator]]></descr>
      <scope>system</scope>
      <groupname>admins</groupname>
      <password>$6$DEHx8zOr5VVhjFwz$pS/NcRnn03fpFxbR2xP0gkfUSdSDA0FZxRF3zCn09qTFF604k800paZCNnxrMwElH8gAsPK8GDHBFgOX32YI2/</password>
      <uid>0</uid>
    </user>
    <nextuid>2000</nextuid>
    <nextgid>2000</nextgid>
    <webgui>
      <protocol>https</protocol>
      <nohttpreferercheck>1</nohttpreferercheck>
    </webgui>
    <disablenatreflection>yes</disablenatreflection>
    <usevirtualterminal>1</usevirtualterminal>
    <disableconsolemenu/>
    <disablevlanhwfilter>1</disablevlanhwfilter>
    <disablechecksumoffloading>1</disablechecksumoffloading>
    <disablesegmentationoffloading>1</disablesegmentationoffloading>
    <disablelargereceiveoffloading>1</disablelargereceiveoffloading>
    <pf_share_forward>1</pf_share_forward>
    <lb_use_sticky>1</lb_use_sticky>
    <ssh>
      <group>admins</group>
      <enabled>enabled</enabled>
    </ssh>
  </system>

  <interfaces>
    <wan>
      <enable>1</enable>
      <if>vtnet0</if>
      <mtu/>
      <ipaddr>dhcp</ipaddr>
      <subnet/>
      <gateway/>
      <blockpriv>1</blockpriv>
      <blockbogons>1</blockbogons>
      <dhcphostname/>
      <media/>
      <mediaopt/>
    </wan>
    <lan>
      <enable>1</enable>
      <if>vtnet1</if>
      <ipaddr>dhcp</ipaddr>
      <subnet/>
      <media/>
      <mediaopt/>
    </lan>
  </interfaces>

  <dhcpd>
    <lan>
      <enable/>
      <range>
        <from>192.168.1.100</from>
        <to>192.168.1.199</to>
      </range>
    </lan>
  </dhcpd>

  <unbound>
    <enable>1</enable>
  </unbound>

  <nat>
    <outbound>
      <mode>automatic</mode>
    </outbound>
  </nat>

  <filter>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <descr><![CDATA[Allow public ICMP ping to this firewall from LAN]]></descr>
      <protocol>icmp</protocol>
      <icmptype>echoreq</icmptype>
      <source>
        <any>1</any>
      </source>
      <destination>
        <network>(self)</network>
      </destination>
    </rule>

    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <descr><![CDATA[Allow public ICMP ping to this firewall from WAN]]></descr>
      <protocol>icmp</protocol>
      <icmptype>echoreq</icmptype>
      <source>
        <any>1</any>
      </source>
      <destination>
        <network>(self)</network>
      </destination>
    </rule>

    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet4</ipprotocol>
      <statetype>keep state</statetype>
      <descr><![CDATA[CAUTION: Allow public remote access to this firewall via SSH]]></descr>
      <protocol>tcp</protocol>
      <source>
        <any>1</any>
      </source>
      <destination>
        <network>(self)</network>
        <port>22</port>
      </destination>
    </rule>

    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet4</ipprotocol>
      <statetype>keep state</statetype>
      <descr><![CDATA[CAUTION: Allow public remote access to this firewall via HTTP]]></descr>
      <protocol>tcp</protocol>
      <source>
        <any>1</any>
      </source>
      <destination>
        <network>(self)</network>
        <port>80</port>
      </destination>
    </rule>

    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet4</ipprotocol>
      <statetype>keep state</statetype>
      <descr><![CDATA[CAUTION: Allow public remote access to this firewall via HTTPS]]></descr>
      <protocol>tcp</protocol>
      <source>
        <any>1</any>
      </source>
      <destination>
        <network>(self)</network>
        <port>443</port>
      </destination>
    </rule>
  </filter>

</opnsense>


It seems that the config file is read, as I am able to log in, via the serial console, with root and the password above.

From the serial console I can see that:

* LAN (vtnet1) gets an IP via DHCP
* WAN (vtnet0) gets an IP via DHCP (the public one)

But I am not able to ping/SSH/access the web UI.

Am I missing something?

Thanks
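As an added example (not code from the post or from the OPNsense project), the script below parses a config.xml with the rule layout shown above and lists which services the filter rules admit from any source on WAN to the firewall itself, which is the exposure the post's own rule descriptions flag with CAUTION. The embedded sample config is a constructed, trimmed copy of the post's rule set with one extra block rule to show that non-pass rules are ignored.

```python
"""Enumerate services an OPNsense config.xml exposes on WAN to any source.
Assumes the post's layout: <filter><rule> with <interface>, <protocol>,
<source><any/> and <destination><network>(self)</network><port>."""
import xml.etree.ElementTree as ET

# Constructed sample: trimmed copy of the post's rule set plus one block rule.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense><filter>
  <rule><type>pass</type><interface>lan</interface><protocol>icmp</protocol>
    <source><any>1</any></source><destination><network>(self)</network></destination></rule>
  <rule><type>pass</type><interface>wan</interface><protocol>icmp</protocol>
    <source><any>1</any></source><destination><network>(self)</network></destination></rule>
  <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
    <source><any>1</any></source>
    <destination><network>(self)</network><port>22</port></destination></rule>
  <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
    <source><any>1</any></source>
    <destination><network>(self)</network><port>443</port></destination></rule>
  <rule><type>block</type><interface>wan</interface><protocol>tcp</protocol>
    <source><any>1</any></source>
    <destination><network>(self)</network><port>8443</port></destination></rule>
</filter></opnsense>"""


def _text(node, path, default=""):
    """Stripped text of a child element, or default when it is absent."""
    child = node.find(path)
    return (child.text or "").strip() if child is not None else default


def wan_self_exposure(config_xml: str) -> list:
    """Return (protocol, port) for every pass rule that admits traffic from
    any source on WAN to the firewall itself; port is '-' for portless rules."""
    root = ET.fromstring(config_xml)
    exposed = []
    for rule in root.iterfind("./filter/rule"):
        if _text(rule, "type") != "pass" or _text(rule, "interface") != "wan":
            continue                      # only pass rules on the WAN interface
        if rule.find("source/any") is None:
            continue                      # source restricted: not public exposure
        if _text(rule, "destination/network") != "(self)":
            continue                      # forwarded traffic, not the firewall
        exposed.append((_text(rule, "protocol", "any"),
                        _text(rule, "destination/port", "-")))
    return exposed


if __name__ == "__main__":
    for proto, port in wan_self_exposure(SAMPLE_CONFIG):
        print(f"WAN exposes {proto}/{port} on the firewall itself")
```

Run it against the real /conf/config.xml by reading the file into `wan_self_exposure` to confirm only the intended management ports are reachable from the public side.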