Unable to prevent access to WebGUI from another VLAN

[Tanduvil]

Hi community,

I have OPNsense 23.1 on a Jetway mini-pc with the following setup:

HOME_VLAN (192.168.110.0/24, on NIC 1)
MANAGEMENT_VLAN (172.16.17.0/24 on NIC 2, WebGUI listens only on this interface)
WAN on NIC 3, connected to a FritzBox

As a DNS resolver I use Unbound DNS. The DNS-Addresses are the interface addresses of the VLANs.

How can I prevent that PCs from the HOME_VLAN can access the WebGUI on MANAGEMENT_VLAN?

Here are my simple rules for the HOME_VLAN, the same I use also on MANAGEMENT_VLAN, just with this VLAN as source. WebGUI is accessible from both VLANS without any problems.

Protocol    Source                  Port    Destination                   Port    

Pass:
IPv4 UDP    HOME_VLAN net    *    This Firewall                   53 (DNS)

Block:
IPv4 *    *                            *    RFC1918_Private_Net    *

Pass:
IPv4 TCP    HOME_VLAN net     *    *                                    Ports_TCP_80_443

RFC1918_Private_Net is an alias for the private networks, Ports_TCP_80_443 the alias for the named ports.


Internet access works on 443 and 80, private networks are blocked from HOME_VLAN. Except the WebGUI address on MANAGEMENT_VLAN. I tried to explicitly block the Management VLAN interface from the Home VLAN, but it did not work either.


Any idea what else I could try?


Thank you so much,
Christian

[Patrick M. Hausen]

Check "Disable anti-lockout" in Firewall > Settings > Advanced?

[chemlud]

Rule on TOP of HOME_VLAN rules set

Block HOME_VLAN net MANAGEMENT_VLAN address 443

[Tanduvil]

@pmhausen
Amazing, thank you for the quick reply!!! That was it. :)

@chemlud
Thanks for replying.

[Patrick M. Hausen]

@franco - which once again shows that there is still too much "magic" going on in OPNsense in unexpected places. ;)

Seriously, if traffic to the web UI is denied, it is denied. If the admin locks themselves out, so be it.