[SOLVED] Access webGui from WAN

Started by empbilly, April 10, 2017, 11:06:06 PM

April 10, 2017, 11:06:06 PM Last Edit: April 11, 2017, 06:51:07 PM by empbilly
Hello,

After installing OPNsense I disabled the firewall via the command line so that I could create a rule on the WAN to allow access from my machine at work.

With the pfctl -d command I disabled it, created a rule to allow access for my public IP, and after applying the changes I lost my access. I had to rerun pfctl -d to gain access again. I checked and my firewall rule was saved.

Even with the rule I cannot access via WAN. Anyone else with this problem?

April 11, 2017, 06:13:16 AM #1 Last Edit: April 11, 2017, 06:13:29 PM by franco
pfctl -d will disable the packet filter, but any change on the GUI will re-enable it. Note that pfctl -d also disables NAT for your internal networks, likely leaving them stranded.

In theory this rule should work, but try to be more permissive with source and destination first to make sure there is not a typo / other problem in the rule.

The other question is how your test setup works. Is WAN a public IP? Is an intermediate network attached? Do you test from this network? Does your ISP give you an IP or is it shared between multiple customers?


Cheers,
Franco

> The other question is how your test setup works. Is WAN a public IP?

Yes, public IP.

> Is an intermediate network attached?

Yes.

> Do you test from this network?

Yes.

> Does your ISP give you an IP or is it shared between multiple customers?

No, we have an IP block.

I'm testing OPNsense for a wifi network called eduroam.

- The IP that I set on the WAN is part of a VLAN on our border firewall and is a public IP.

- The IP that I have on my machine is allowed for everything inside that VLAN.

Go to Firewall: Settings: Advanced, set [ x ] Disable reply-to on WAN rules. This option is off by default to ensure Multi-WAN consistency for return traffic of external connections, but can skew your results when you are right in front of the WAN while the gateway is somewhere else.

If you don't have Multi-WAN you can leave this enabled; otherwise you should only use this for testing. If you need this permanently for a service and have Multi-WAN, you can also disable this behaviour per pass firewall rule in the respective advanced settings.


Cheers,
Franco
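What the two settings look like at the pf level, as an added example (not from this thread and not OPNsense's own generated configuration; the interface name, addresses and the HTTPS port are assumptions chosen to match the setup described above):

```pf
# Added example, not from the thread or from OPNsense itself: the shape of a
# WAN pass rule for the webGui, first with the default reply-to and then with
# reply-to disabled, so the two can be compared side by side.
# Assumed values: em0 is the WAN interface, 203.0.113.1 the WAN gateway,
# 203.0.113.50 the admin host inside the institution's public block, 443 the
# webGui port. Only one of the two rules would be present in a real ruleset.

wan_if     = "em0"
wan_gw     = "203.0.113.1"
admin_host = "203.0.113.50"

# Default behaviour ("Disable reply-to" unchecked): replies to this connection
# are sent to the WAN gateway regardless of the routing table. Correct for
# Multi-WAN, but when the client sits in the same VLAN as the WAN address the
# reply goes to the gateway instead of straight back to the client.
pass in quick on $wan_if reply-to ($wan_if $wan_gw) inet proto tcp \
    from $admin_host to ($wan_if) port 443 \
    flags S/SA keep state label "allow webGui from admin host (reply-to)"

# With "Disable reply-to" checked on the rule (or globally under
# Firewall: Settings: Advanced) the reply-to clause is simply absent, so
# replies follow the normal routing table and a client on the same VLAN is
# answered directly.
pass in quick on $wan_if inet proto tcp \
    from $admin_host to ($wan_if) port 443 \
    flags S/SA keep state label "allow webGui from admin host (no reply-to)"
```

After applying the rule from the GUI, the loaded ruleset can be inspected with `pfctl -sr` to confirm whether the `reply-to` clause is present; applying from the GUI also re-enables the packet filter, so a previous `pfctl -d` no longer hides rule problems. Keeping the source limited to the admin host or block, rather than `any`, means the per-rule setting only changes reply handling for that management traffic and nothing else on the WAN.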

April 11, 2017, 06:44:35 PM #4 Last Edit: April 11, 2017, 06:50:50 PM by empbilly
franco,

I do not have Multi-WAN, but after checking this option for testing I get access.

I did as you suggested. I checked this option directly in the rule that I created for webGui access.

Thanks for your help! ;D

RESOLUTION: If you are reading this post and have the same problem and environment as me, you can enable the option directly in the WAN rule.

So do this:

Firewall > Rules > WAN: edit your rule and, in Advanced Options, check the option "disable reply-to".