[SOLVED] Getting access to Opnsense GUI from WAN issue

Started by ricksense, November 13, 2023, 08:41:26 PM

November 13, 2023, 08:41:26 PM Last Edit: November 14, 2023, 02:09:28 PM by ricksense
hi,
I installed OPNsense on my Proxmox machine to practice with it, and wanted to get temporary access to its Web GUI from the WAN port to set it up more easily from my PC, which is on my home LAN managed by a physical router.
I hadn't managed to do it until I set "Disable" for the reply-to option in the WAN rule advanced settings, which did the trick.

However, I haven't yet understood what the reply-to is really for, and if it is safe to keep it disabled.

Again, I also have OPNsense running as a VM in my VMware Workstation. I only set the pass rule on its WAN without disabling the reply-to option, which is still set to "default". I can access its Web GUI from the WAN nonetheless.
Why?


Hi,

It's OK to keep it disabled. In the average case you don't access the GUI from the WAN, and this is only an issue if you are locally attached. As soon as you pass the next hop over the router this problem doesn't exist anymore. The firewall wants to try to reply to the router, not the client, in that scenario. This is required for multi-WAN to run smoothly, so it is enabled by default.


Cheers,
Franco

November 14, 2023, 12:51:32 PM #2 Last Edit: November 14, 2023, 12:58:02 PM by ricksense
Quote from: franco on November 14, 2023, 10:49:57 AM
It's OK to keep it disabled. In the average case you don't access the GUI from the WAN, and this is only an issue if you are locally attached. As soon as you pass the next hop over the router this problem doesn't exist anymore. The firewall wants to try to reply to the router, not the client, in that scenario. This is required for multi-WAN to run smoothly, so it is enabled by default.

OK, I think I got it. But I am still wondering why I didn't have the same problem with my OPNsense VM running on VMware Workstation. The reply-to option is still set to default there. Strange thing, really.

Moreover, I need to add a second WAN to experiment with dual WAN failover setup on OPNsense.
I guess that I have to set it back to "default" then, right?

Thank you

It depends a bit on the router to send the packet back where it belongs or leak it to the next upstream hop. Sometimes it works but more often than not it doesn't. :)

> Moreover, I need to add a second WAN to experiment with dual WAN failover setup on OPNsense.
> I guess that I have to set it back to "default" then. right?

For clear separation yes. In the failover cases it's less relevant but in load balancing this is better to have.

You can also disable reply-to per firewall rule and leave the setting at the default.


Cheers,
Franco
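To make Franco's two points concrete (why replies detour via the router with reply-to, and what "disable reply-to per firewall rule" changes), here is the shape of the pf rule OPNsense generates for a WAN pass rule, once with reply-to and once without. This is an added illustration, not a rule taken from the thread or from OPNsense's rule generator; the interface name vtnet0, the upstream router 192.0.2.1 and port 443 are assumed, and OPNsense writes its generated ruleset to /tmp/rules.debug if you want to compare against the real thing.

```pf
# Added example: a WAN rule that allows HTTPS to the firewall's GUI,
# in the two forms discussed in the thread.
# Assumptions: vtnet0 is the WAN NIC, 192.0.2.1 is the WAN gateway
# (the home router), 443 is the GUI port.

# 1) reply-to left at "default": pf records the WAN gateway in the state
#    entry and sends every reply for this state to 192.0.2.1, bypassing the
#    routing table. That is what multi-WAN needs (replies leave by the WAN
#    the request came in on). When the client is on the same segment as the
#    WAN port, the reply goes to the router first and only reaches the client
#    if the router forwards it back; some routers do, many don't.
pass in quick on vtnet0 reply-to ( vtnet0 192.0.2.1 ) inet proto tcp from any to ( vtnet0 ) port 443 flags S/SA keep state label "GUI from WAN, reply-to default"

# 2) reply-to set to "Disable" on this rule only: identical rule without the
#    reply-to clause, so replies follow the routing table and go straight
#    back to a locally attached client. Every other WAN rule keeps its
#    reply-to, so multi-WAN failover/load balancing is unaffected.
pass in quick on vtnet0 inet proto tcp from any to ( vtnet0 ) port 443 flags S/SA keep state label "GUI from WAN, reply-to disabled"
```

To check which form is actually loaded, run `pfctl -sr | grep 443` on the firewall and look for the `reply-to` clause; `pfctl -ss` then shows whether a state for your client's connection exists while the page fails to load, which separates "reply went the wrong way" from "rule never matched". Opening the GUI on a WAN interface is a lab shortcut: on anything with a real upstream, restrict the rule's source to your management host or manage the firewall from the LAN side instead.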

Quote from: franco on November 14, 2023, 01:08:54 PM
You can also disable reply-to per firewall rule and leave the setting at the default.

It is exactly what I did already.

Thanks