Author Topic: Disabled WWW Server NAT Rule, Suddenly the Admin Web GUI is publicly Accessible! (Read 3771 times)

TheLatestWire · « **on:** January 17, 2018, 11:58:25 pm »

Hi,

I thought I just disabled the two NAT rules to my internal www server, but with that rule disabled I just noticed the admin web GUI for my OPNsense server is then publicly accessible. I must be misunderstanding something somewhere. I certainly don't want my OPNsense server accessible from the internet.

I've attached a screenshot of the NAT rules. I re-enabled them to block access to the admin webgui, but now my web server is publicly accessible again which was what I was hoping to disable for a while. Maybe I should just delete the NAT rules instead of disabling them?

Thanks,
ObecalpEffect.

TheLatestWire · « **Reply #1 on:** January 18, 2018, 04:04:01 am »

Sorry, somehow I completely forgot that I have another ISP firewall on the public side of my OPNsense box which has DMZ/Application forwarding set for specific ports (including 443/80) to go to my OPNsense box. I guess I still would have expected the GUI not to show up since the ISP firewall is sending traffic to what is the public/WAN interface on the OPNsense box.

franco · « **Reply #2 on:** January 18, 2018, 10:31:22 am »

Hi,

To avoid future confusion: so this is "working as intended"?

Cheers,
Franco

Ciprian · « **Reply #3 on:** January 18, 2018, 12:07:52 pm »

Quote from: ObecalpEffect on January 17, 2018, 11:58:25 pm

I've attached a screenshot of the NAT rules. I re-enabled them to block access to the admin webgui, but now my web server is publicly accessible again which was what I was hoping to disable for a while. Maybe I should just delete the NAT rules instead of disabling them?

Maybe the NAT reflection is messing with your nerves here?!?! $:-\$ (As if you try to access your FW on WAN address from LAN network, NAT reflection will redirect and cut short the request, from LAN device to LAN address of the FW - and this is not only permitted, but more so, enforced by the anti-lockout rule.)

Quote from: ObecalpEffect on January 18, 2018, 04:04:01 am

Sorry, somehow I completely forgot that I have another ISP firewall on the public side of my OPNsense box which has DMZ/Application forwarding set for specific ports (including 443/80) to go to my OPNsense box. I guess I still would have expected the GUI not to show up since the ISP firewall is sending traffic to what is the public/WAN interface on the OPNsense box.

NOT! - See above

If you want to be completely sure, try accessing your OPNsense on public IP from a device (eg. smartphone/ tablet) connected to internet through an OPNsense independent connection (3G/4G or else).

Quote from: franco on January 18, 2018, 10:31:22 am

To avoid future confusion: so this is "working as intended"?

Probably yes, we have to wait for confirmation from @ObecalpEffect.

Cheers!

Author Topic: Disabled WWW Server NAT Rule, Suddenly the Admin Web GUI is publicly Accessible! (Read 3771 times)

TheLatestWire

Disabled WWW Server NAT Rule, Suddenly the Admin Web GUI is publicly Accessible!

TheLatestWire

Re: Disabled WWW Server NAT Rule, Suddenly the Admin Web GUI is publicly Accessible!

franco

Re: Disabled WWW Server NAT Rule, Suddenly the Admin Web GUI is publicly Accessible!

Ciprian

Re: Disabled WWW Server NAT Rule, Suddenly the Admin Web GUI is publicly Accessible!