Firewall - Best Practice?

Started by smthing, April 13, 2023, 09:04:20 PM

I've seen some examples where people setup Firewall rules for the OPNsense Gateway, but don't really understand the practice.

Example: How to access the WEB Gui from the WAN port.
Almost all guides recommend a NAT Port Forward of the HTTPS port (without changing the port number) from the WAN interface to the LAN interface, and then opening up the firewall from the LAN side.

Is there a reason for this? Why not open up the firewall from the WAN side and skip the NAT Port Forward?

Best practice is not to expose any management interfaces to the internet. Use a VPN for remote access

Quote from: bartjsmit on April 14, 2023, 08:24:51 AM
Best practice is not to expose any management interfaces to the internet. Use a VPN for remote access

That's understood in general cases and pretty well known.

I'm more curious about the process of using NAT Port Forward from WAN -> LAN side of the gateway and then open the firewall for LAN access. Is there any benefit from doing this?

Yes. To have the same URL from inside and out.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

Quote from: smthing on April 14, 2023, 10:41:30 AM
Quote from: bartjsmit on April 14, 2023, 08:24:51 AM
Best practice is not to expose any management interfaces to the internet. Use a VPN for remote access

That's understood in general cases and pretty well known.

I'm more curious about the process of using NAT Port Forward from WAN -> LAN side of the gateway and then open the firewall for LAN access. Is there any benefit from doing this?

Then why don't you follow the suggestion to use a VPN? You can set up a secure connection with Wireguard and only the allowed users will be able to access the LAN interface from the internet - much more secure and works a treat, I've been using it for years without problems.

It would certainly bother me if I exposed my LAN interface to the internet via NAT, I'm sure there are plenty of hackers that would find that config a challenge. ;)
Regards

Bill
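To make the two approaches discussed in the thread concrete, here is an added illustration (not from any post above) written as FreeBSD pf rules of the kind OPNsense generates from its GUI settings. Interface names (em0 = WAN, wg0 = WireGuard tunnel), the LAN-side GUI address and the tunnel subnet are assumed values.

```pf
# Constructed example. em0 = WAN, wg0 = WireGuard tunnel, 192.168.1.1 = GUI on LAN.
# A and B are alternatives; load one or the other, not both.

# Configuration A: what the guides the OP describes end up with.
# Port forward on WAN, then a pass rule for the translated (LAN-side) destination.
# Upside: the same public URL works from inside and outside (NAT reflection).
# Downside: the management GUI is reachable from the entire internet.
rdr on em0 proto tcp from any to (em0) port 443 -> 192.168.1.1 port 443
pass in quick on em0 proto tcp from any to 192.168.1.1 port 443

# Configuration B: what the replies recommend.
# Only WireGuard's UDP port is open on WAN; the GUI is reachable solely from
# tunnel peers, and any direct attempt on TCP 443 from WAN is dropped.
pass in quick on em0 proto udp from any to (em0) port 51820
pass in quick on wg0 proto tcp from 10.8.0.0/24 to 192.168.1.1 port 443
block in quick on em0 proto tcp from any to (em0) port 443
```

In B the "same URL inside and out" benefit is kept by resolving the GUI hostname to 192.168.1.1 for both LAN and tunnel clients, so no WAN-side listener is needed.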

Quote from: meyergru on April 14, 2023, 11:13:27 AM
Yes. To have the same URL from inside and out.

Good point and makes sense.

Quote from: phoenix on April 14, 2023, 11:34:35 AM
Then why don't you follow the suggestion to use a VPN? You can set up a secure connection with Wireguard and only the allowed users will be able to access the LAN interface from the internet - much more secure and works a treat, I've been using it for years without problems.

It would certainly bother me if I exposed my LAN interface to the internet via NAT, I'm sure there are plenty of hackers that would find that config a challenge. ;)

Thank you. The WEB GUI was an example and I can understand the assumption. The question is however about the practice. And as mentioned above, it's probably due to having the same URL.