Messages - igordik

#1
> Quote from: Monviech (Cedrik) on October 23, 2025, 10:12:06 PM
> A way to force local clients to use IPv4 is to create a rule in the LAN like at the first spot of the ruleset:
> The trick is action reject.

And it does the trick!

```
*   Trying [2001:XXXX]:443...
* connect to 2001:XXX port 443 from 2001:XXX port 59426 failed: Connection refused
*   Trying 10.10.1.1:443...
```
Amazing, thank you!

#2
Setup Overview:
I have successfully configured the OPNsense WebGUI to be accessible via a reverse proxy using the os-caddy plugin, following the official documentation.
 
  • WebGUI Port: Changed the WebGUI port to 8443 (System ‣ Settings ‣ Administration).
  • Caddy Proxy: Caddy serves the WebGUI on port 443, as detailed in the "Reverse Proxy the OPNsense WebGUI" guide.
  • Firewall: Port 443 is permitted from WAN to the Caddy reverse proxy.
  • Access Control (IPv4): Access to the internal OPNsense domain is restricted to my local network using Caddy's access list with the IPv4 subnet, per the "Restrict access to internal IPs" guide.
  • IPv6 Setup: The local network is configured for IPv6 using WAN interface tracking (SLAAC/DHCPv6-PD), meaning my local IPv6 prefix is dynamic.

Problem / Constraint:

The OPNsense internal domain resolves to both an IPv4 and an IPv6 address. When a client prefers IPv6, it connects to the WebGUI using the local IPv6 address.

While I can initially add the current local IPv6 subnet to the Caddy access list, this configuration will break the next time my ISP changes the IPv6 prefix on the WAN interface, as the local network's prefix is dynamically tracked from the WAN.

Question:

What is the most robust and recommended "OPNsense way" to restrict WebGUI access exclusively to hosts on the local network (LAN) when using Caddy as a reverse proxy, especially considering the dynamic nature of the IPv6 prefix from WAN interface tracking?

I am looking for a solution that avoids manual updates to the Caddy access list whenever the upstream IPv6 prefix changes.

#3
I think I should describe my setup in more detail to avoid confusion.

Since this is a pfSense → OPNsense migration project, the OPNsense box is currently sitting inside my local network behind pfSense (pfSense LAN network).

  • pfSense LAN network: 10.10.1.0/24
  • OPNsense WAN IP: 10.10.1.99
  • OPNsense LAN network: 10.20.1.0/24 (with LAN gateway 10.20.1.1)

When testing from LAN (behind OPNsense):

  • My test machine gets an IP in the 10.20.1.xxx range from OPNsense.
  • domain.name resolves either via OPNsense DNS (Unbound DNS overrides) or by the /etc/hosts file on the test machine.
      • Both dig domain.name and ping domain.name resolve to 10.20.1.1.

When testing from WAN (in front of OPNsense, behind pfSense):

  • My test machine gets an IP in the 10.10.1.xxx range from pfSense.
  • domain.name resolves either via pfSense DNS or the test machine's /etc/hosts.
      • Both dig domain.name and ping domain.name resolve to 10.10.1.99 (the OPNsense WAN IP).

The results of the connection tests I described in my original post still apply under this setup.

#4
Hello everyone,

This is my first post here. I'm new to OPNsense and currently trying to migrate my network from pfSense.

I'm setting up OPNsense to expose a local web server to the outside world with TLS offloading. I've tried both Caddy and Nginx plugins and hit the same issue, so I suspect I'm missing something obvious in the general configuration rather than in the reverse proxy setup.

Both proxies work perfectly when accessed from the LAN: HTTP → HTTPS redirection, TLS offloading, and connecting to the upstream HTTP server in the local network all function as expected.
However, I cannot connect from the WAN at all. I can see the WAN pass rule being triggered in the firewall live view, but no connection is established.

**What I've done so far:**

1. Changed WebGUI to port 8433 and disabled HTTP redirect.
2. Added firewall rules to WAN: **PASS**, IPv4 TCP, from any to This Firewall on ports 80 and 443.
3. Followed the basic Caddy setup ([docs](https://docs.opnsense.org/manual/how-tos/caddy.html#standard-configuration)), except *General Settings → Disable certs* since I'm using a self-signed cert.
4. Also followed the basic Nginx setup ([forum guide](https://forum.opnsense.org/index.php?topic=19305.0)).

**How I test:**

From LAN:

1. Verified the domain resolves to the router's IP.
2. `curl -ikL http://domain.name` → gets a 308 redirect, then the actual website.
3. Confirmed the correct self-signed cert is served.

From WAN:

1. Same domain resolution check (for the router IP on the WAN interface).
2. `curl` just hangs and times out.
3. Firewall live view shows the rule for port 80 being triggered (green).
4. `sockstat -l | grep :80` on the router shows the correct service (Nginx or Caddy, depending on what's running).

I'm running out of ideas on what might be wrong and would really appreciate any help.

Thanks in advance!
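The curl behaviour quoted in post #1 (IPv6 attempt answered with "Connection refused", then an immediate fallback to IPv4) and the LAN/WAN connectivity checks described in post #4 can be reproduced with the small Python probe below. It is an added example, not code from this thread or from the OPNsense, Caddy or Nginx projects; it assumes only the standard library, and the host name you pass to `ordered_addresses` (e.g. `domain.name`) is the placeholder from the posts. The outcome classification reflects standard TCP semantics: a firewall rule with action reject answers the SYN with a RST, so the client sees "refused" and moves on at once, whereas a block rule silently drops the packet and the client waits out its timeout, which is what a hanging curl looks like.

```python
import socket
from dataclasses import dataclass


@dataclass
class Attempt:
    address: str
    port: int
    outcome: str  # connected | refused | timeout | unreachable


def try_connect(address: str, port: int, timeout: float = 2.0) -> Attempt:
    """One TCP connect, classified the way curl reports it.

    refused  -> peer (or a firewall 'reject' rule) answered with RST
    timeout  -> nothing answered, e.g. a 'block' rule silently dropping
    """
    family = socket.AF_INET6 if ":" in address else socket.AF_INET
    sock = None
    try:
        sock = socket.socket(family, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        sock.connect((address, port))
        return Attempt(address, port, "connected")
    except ConnectionRefusedError:
        return Attempt(address, port, "refused")
    except socket.timeout:
        return Attempt(address, port, "timeout")
    except OSError:  # no route, address family unsupported, ...
        return Attempt(address, port, "unreachable")
    finally:
        if sock is not None:
            sock.close()


def ordered_addresses(host: str, port: int) -> list:
    """Resolve host and order results IPv6 first, as a dual-stack client does."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    v6 = [i[4][0] for i in infos if i[0] == socket.AF_INET6]
    v4 = [i[4][0] for i in infos if i[0] == socket.AF_INET]
    return v6 + v4


def connect_with_fallback(addresses, port: int, timeout: float = 2.0) -> list:
    """Try each address in turn (curl's order) and stop at the first that connects."""
    attempts = []
    for address in addresses:
        attempt = try_connect(address, port, timeout)
        attempts.append(attempt)
        if attempt.outcome == "connected":
            break
    return attempts
```

Run `connect_with_fallback(ordered_addresses("domain.name", 443), 443)` from a LAN client and from a WAN-side client: with the reject rule in place the IPv6 entry comes back "refused" and the IPv4 entry "connected", while a "timeout" on every address matches the hanging-curl symptom from the WAN.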