Hidden Webserver IP Address by OPNsense

Started by LoudComputerGuy, December 12, 2022, 12:46:07 AM

Hello,

  New to OPNsense and so far I LOVE IT!!!!!!!  In looking through the blocked traffic on my firewall log and after doing a bunch of research, it appears there is a public IP address (that I did not set) to my OPNsense firewall appliance.  It begins with 96.x.x.x.  I scoured through all of my devices for the IP and MAC address and finally found that it was assigned to the WAN port on my device.  What is this for and how do I disable it?  I have put rules in place to block all traffic to and from it because I am not comfortable with a web server IP address communicating on the open web without my knowledge.

Are you sure that's not your public address from your ISP?
Have to ask since you didn't say.

How do you know it's a webserver? Did you try to open it? What page is loaded if so?

Very good questions.  So, yes, it is my public IP that is the IP and when I go to it, I am presented with the OPNsense GUI login page.  There are IPs hitting that address nearly every second.  Is there a way to disable WAN access to the OPNsense login page so as to reduce the attack vector?

By default OPNsense blocks traffic to the WAN address from the internet, so you don't need to set up any rules for it.

The reason you are able to access it is that your computer is part of the LAN network, which by default can access the web GUI (the firewall doesn't block local connections unless you set rules for that, which you shouldn't unless you know what you are doing; doing so can lock you out of OPNsense completely, and the only way to fix it is to revert to factory defaults if you can't remember or don't handle console management well).

https://www.youtube.com/watch?v=kYFNa_zpeII&t=0 <--- that's a good video which explains firewall rules pretty darn well.

https://www.yougetsignal.com/tools/open-ports/ is a good website to test whether a port is open to the public net or not. Type your public IP into the address field (if it isn't there already) and in the port section type 443, 22, 445, 80 and 21 (run the test for each port separately). Those are the most crucial ports you must make sure aren't open to the public, unless you are hosting a server which listens on them.

There is a "deny all" rule in place on WAN by default. Unless you removed or changed that the UI should not be accessible from the public Internet. Can you check with your phone or some other mobile device?

Because if you simply check with your locally connected PC, the connection is initiated from the inside (LAN) and thus permitted. This is regardless of the IP address. The connection from your PC enters the firewall via LAN, so that's that.

Being bombarded 24x7 with port scan packets on any public IPv4 address is perfectly normal these days. Bots are scanning the entire IPv4 Internet round the clock. Many users are shocked the first time they use a router/firewall actually logging these things  ;) I would disable logging for denied packets on WAN. Not worth the trouble.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

ALL:  Thank you very much for the replies -- all very helpful.  I do understand the continual bot scanning of IPs and all.  I just tried to access my public IP from my cell phone and nothing came up.  I am assuming the reason why it came up from my LAN is because of the already mentioned reason from above.  Very confusing if you're not aware of that clause.  I think we are OK unless anyone else would like to add anything I may have missed.

Quote from: LoudComputerGuy on December 12, 2022, 05:58:05 PM
ALL:  Thank you very much for the replies -- all very helpful.  I do understand the continual bot scanning of IPs and all.  I just tried to access my public IP from my cell phone and nothing came up.  I am assuming the reason why it came up from my LAN is because of the already mentioned reason from above.  Very confusing if you're not aware of that clause.  I think we are OK unless anyone else would like to add anything I may have missed.

You're welcome :)

Yes, it is confusing for anyone who isn't familiar with networking, but the rule of thumb is: unless your firewall has a rule that dictates otherwise, it will always block everything other than established connections and LAN connections.

I highly recommend taking some time to go through the guide I linked and also to read Deciso's own guide at https://docs.opnsense.org.

Just remember that this is an enterprise firewall, so it's better to ask for assistance, go through guides or just leave things "as is", rather than touching any of the stuff that seems way too complicated or hard to understand.

A firewall is only the first line of defense and doesn't replace antivirus nor the level of knowledge required.

December 27, 2022, 04:56:08 AM #7 Last Edit: December 27, 2022, 07:38:00 PM by AdSchellevis
Use a proxy to hide your IP address. Like a VPN, a proxy acts as a middleman between your device and the internet. Websites and apps

December 27, 2022, 11:28:40 AM #8 Last Edit: December 27, 2022, 07:38:18 PM by AdSchellevis
Quote from: humXxa on December 27, 2022, 04:56:08 AM
Use a proxy to hide your IP address. Like a VPN, a proxy acts as a middleman between your device and the internet. Websites and apps

Well-put point. Proxies are useful, but I personally would recommend getting to know network stuff, like how firewalls, routing, NAT and DNS work, a bit more before checking out proxies. After all, a proxy is something which isn't common in average home use (then again, a firewall like OPNsense is something which isn't common in home use :D)