Unable to prevent access to WebGUI from another VLAN

[Tanduvil]

Hi community,

I have OPNsense 23.1 on a Jetway mini-pc with the following setup:

HOME_VLAN (192.168.110.0/24, on NIC 1)
MANAGEMENT_VLAN (172.16.17.0/24 on NIC 2, WebGUI listens only on this interface)
WAN on NIC 3, connected to a FritzBox

As a DNS resolver I use Unbound DNS. The DNS-Addresses are the interface addresses of the VLANs.

How can I prevent that PCs from the HOME_VLAN can access the WebGUI on MANAGEMENT_VLAN?

Here are my simple rules for the HOME_VLAN, the same I use also on MANAGEMENT_VLAN, just with this VLAN as source. WebGUI is accessible from both VLANS without any problems.

Protocol    Source                  Port    Destination                   Port    

Pass:
IPv4 UDP    HOME_VLAN net    *    This Firewall                   53 (DNS)

Block:
IPv4 *    *                            *    RFC1918_Private_Net    *

Pass:
IPv4 TCP    HOME_VLAN net     *    *                                    Ports_TCP_80_443

RFC1918_Private_Net is an alias for the private networks, Ports_TCP_80_443 the alias for the named ports.


Internet access works on 443 and 80, private networks are blocked from HOME_VLAN. Except the WebGUI address on MANAGEMENT_VLAN. I tried to explicitly block the Management VLAN interface from the Home VLAN, but it did not work either.


Any idea what else I could try?


Thank you so much,
Christian

[Patrick M. Hausen]

Check "Disable anti-lockout" in Firewall > Settings > Advanced?

[chemlud]

Rule on TOP of HOME_VLAN rules set

Block HOME_VLAN net MANAGEMENT_VLAN address 443

[Tanduvil]

@pmhausen
Amazing, thank you for the quick reply!!! That was it.

@chemlud
Thanks for replying.

[Patrick M. Hausen]

@franco - which once again shows that there is still too much "magic" going on in OPNsense in unexpected places.

Seriously, if traffic to the web UI is denied, it is denied. If the admin locks themselves out, so be it.