Access WebUI via WAN

Started by power46, Today at 02:49:51 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
Today at 02:49:51 PM
Hi,

I would like to try OPNsense on hcloud for test purpose.

Starting from a FreeBSD instance, I am installing OPNsense via the script:

Code Select
sh ./opnsense-bootstrap.sh.in -r 24.7 -y

and copy the following file to /conf/config.xml:


Code Select
<?xml version="1.0"?>
<opnsense>
  <trigger_initial_wizard/>

  <theme>opnsense</theme>

  <system>
    <optimization>normal</optimization>
    <hostname>OPNsense</hostname>
    <domain>localdomain</domain>
    <dnsallowoverride>1</dnsallowoverride>
    <group>
      <name>admins</name>
      <description><![CDATA[System Administrators]]></description>
      <scope>system</scope>
      <gid>1999</gid>
      <member>0</member>
      <priv>page-all</priv>
    </group>
    <user>
      <name>root</name>
      <descr><![CDATA[System Administrator]]></descr>
      <scope>system</scope>
      <groupname>admins</groupname>
      <password>$6$DEHx8zOr5VVhjFwz$pS/NcRnn03fpFxbR2xP0gkfUSdSDA0FZxRF3zCn09qTFF604k800paZCNnxrMwElH8gAsPK8GDHBFgOX32YI2/</password>
      <uid>0</uid>
    </user>
    <nextuid>2000</nextuid>
    <nextgid>2000</nextgid>
    <webgui>
      <protocol>https</protocol>
      <nohttpreferercheck>1</nohttpreferercheck>
    </webgui>
    <disablenatreflection>yes</disablenatreflection>
    <usevirtualterminal>1</usevirtualterminal>
    <disableconsolemenu/>
    <disablevlanhwfilter>1</disablevlanhwfilter>
    <disablechecksumoffloading>1</disablechecksumoffloading>
    <disablesegmentationoffloading>1</disablesegmentationoffloading>
    <disablelargereceiveoffloading>1</disablelargereceiveoffloading>
    <pf_share_forward>1</pf_share_forward>
    <lb_use_sticky>1</lb_use_sticky>
    <ssh>
      <group>admins</group>
      <enabled>enabled</enabled>
    </ssh>
  </system>

  <interfaces>
    <wan>
      <enable>1</enable>
      <if>vtnet0</if>
      <mtu/>
      <ipaddr>dhcp</ipaddr>
      <subnet/>
      <gateway/>
      <blockpriv>1</blockpriv>
      <blockbogons>1</blockbogons>
      <dhcphostname/>
      <media/>
      <mediaopt/>
    </wan>
    <lan>
      <enable>1</enable>
      <if>vtnet1</if>
      <ipaddr>dhcp</ipaddr>
      <subnet/>
      <media/>
      <mediaopt/>
    </lan>
  </interfaces>

  <dhcpd>
    <lan>
      <enable/>
      <range>
        <from>192.168.1.100</from>
        <to>192.168.1.199</to>
      </range>
    </lan>
  </dhcpd>

  <unbound>
    <enable>1</enable>
  </unbound>

  <nat>
    <outbound>
      <mode>automatic</mode>
    </outbound>
  </nat>

  <filter>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <descr><![CDATA[Allow public ICMP ping to this firewall from LAN]]></descr>
      <protocol>icmp</protocol>
      <icmptype>echoreq</icmptype>
      <source>
        <any>1</any>
      </source>
      <destination>
        <network>(self)</network>
      </destination>
    </rule>

    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <descr><![CDATA[Allow public ICMP ping to this firewall from WAN]]></descr>
      <protocol>icmp</protocol>
      <icmptype>echoreq</icmptype>
      <source>
        <any>1</any>
      </source>
      <destination>
        <network>(self)</network>
      </destination>
    </rule>

    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet4</ipprotocol>
      <statetype>keep state</statetype>
      <descr><![CDATA[CAUTION: Allow public remote access to this firewall via SSH]]></descr>
      <protocol>tcp</protocol>
      <source>
        <any>1</any>
      </source>
      <destination>
        <network>(self)</network>
        <port>22</port>
      </destination>
    </rule>

    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet4</ipprotocol>
      <statetype>keep state</statetype>
      <descr><![CDATA[CAUTION: Allow public remote access to this firewall via HTTP]]></descr>
      <protocol>tcp</protocol>
      <source>
        <any>1</any>
      </source>
      <destination>
        <network>(self)</network>
        <port>80</port>
      </destination>
    </rule>

    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet4</ipprotocol>
      <statetype>keep state</statetype>
      <descr><![CDATA[CAUTION: Allow public remote access to this firewall via HTTPS]]></descr>
      <protocol>tcp</protocol>
      <source>
        <any>1</any>
      </source>
      <destination>
        <network>(self)</network>
        <port>443</port>
      </destination>
    </rule>
  </filter>

</opnsense>


Seems that the config file is read, as I am able to login, via the serial console, with root and the password above.

From the serial console I can see that:

* LAN (vtnet1) gets an ip via dhcp
* WAN (vtnet0) gets an ip via dhcp (the public one)

But I am not able to ping/ssh/access the web ui.

Am I missing something?

Thanks




Print
Go Up Pages1
User actions