[NOOB] Creating a management interface

Started by talowicz, December 07, 2024, 04:19:04 AM

December 07, 2024, 04:19:04 AM Last Edit: December 08, 2024, 06:05:24 PM by talowicz
I am new to this forum, so the subject tag may not be correct and I was in a hurry when making this post!

I'm using OPNsense in a QEMU virtual machine with 3 interfaces. I would like to make the WebGUI only accessible from the MGMT interface, and also have the MGMT interface blocked from accessing the internet.

Here is a quick diagram I made to visualize my topology: 
https://0x0.st/Xhb5.png

I have assigned address ranges to these interfaces, added an allow all rule to the MGMT interface, and verified that I can access the internet and the WebGUI from the MGMT network. But when I change Settings > Administration > Listen Interfaces from "All" to "MGMT", I cannot access the WebGUI anymore from the MGMT interface. I am very new to OPNsense and am migrating from Mikrotik so the new terminology and procedures are confusing me!

Any help would be greatly appreciated. 

December 07, 2024, 05:52:26 AM #1 Last Edit: December 07, 2024, 08:36:54 AM by OPNenthu
Hi, I recently learned this myself so just passing it forward-

It's perfectly safe, and recommended, to leave that setting on 'All'.  It won't expose the GUI on WAN, or any other interface besides LAN, unless you put a firewall rule in to explicitly allow it.  It's default deny.

If you want to prevent LAN from accessing it, you just need to make sure not to put an 'allow all' rule on the LAN interface.  Or you can put an explicit condition or rule before the 'allow all' to block access from LAN.
Update: the default anti-lockout is a system rule so I think it takes precedence.  Not sure how to override that.

As for the MGMT interface, you will need to add a custom pass rule.  OPNsense creates one by default for LAN, but not for others.  Personally I keep an allow rule on each VLAN interface that I want to access the GUI.  I set destination as 'This Firewall' and a ports alias with '22' and '443' (or whatever port you use).

When I click on "Automatically generated rules" on my dedicated management port (use igc0 for this), I do have an anti-lockout rule there already...

Are you sure you needed to add it manually!?

For SSH (Secure Shell Server), I do actually manually specify the interfaces, just to be sure.
Hardware: DEC3852
Version: OPNsense 24.10 Business Edition

On my system that auto-generated rule is only there for 'LAN'.  The other interfaces don't have it.

@talowicz,
Do you mean you want to allow machines in the MGMT network to access the GUI (at MGMT address)?
And block these machines from accessing the internet?

Note that the LAN is getting pretty permissive rules by default.
So, if you intend to block access to the GUI from LAN (to LAN or MGMT address), you'll need to address that later.


December 09, 2024, 03:02:15 PM #5 Last Edit: December 09, 2024, 03:10:04 PM by Melroy vd Berg
Quote from: OPNenthu on December 07, 2024, 03:07:55 PM
On my system that auto-generated rule is only there for 'LAN'.  The other interfaces don't have it.

You're 100% correct indeed. The anti-lockout rule seems to be hard-coded in the code within the function:  filter_core_get_antilockout()

https://github.com/opnsense/core/blob/7373985f3b2b0344c1e2596bdbbb5b0870cadb57/src/etc/inc/filter.lib.inc#L113 (looking at this code, it's unclear to me when this rule is actually created automatically and when not). My general understanding is that this anti-lockout rule will be applied to only the "LAN" interface (no matter how you rename it).

However you normally do NOT (never) want to have a management interface on a WAN interface. Only on one or more LAN ports.

The "Automatically generated rules" are actually generated for both LAN and WAN interfaces. However, I was confused myself by the default "sshlockout" rule that is auto-generated :-X. But this is of course to block access to the SSH secure shell and HTTP web management interface, which is the opposite of an anti-lockout rule of course :).

Long story short, let's create our own dedicated management interface on OPNsense including an anti-lockout rule:


  • In Interfaces -> Assignments, I added the device (port) to the list and pressed Save.
  • Go to Interfaces -> [YOUR_INTERFACE]. Select "Enable interface" and select "Prevent interface removal". And maybe give it a better description, something like: "LAN_MANAGEMENT". Then I also set IPv4 Configuration Type to: Static IPv4. And down below under Static IPv6 configuration, I give the OPNsense firewall a static IPv4 address: 192.168.2.1, with 24 subnet mask (so not 192.168.1.1 in case you were using this already on another interface).
  • For ease of use, I also enabled DHCPv4 on this management interface. So go to: Services -> ISC DHCPv4 -> [LAN_MANAGEMENT] interface. Select "Enable DHCP server on the LAN_MANAGEMENT interface". And I gave it a range from: 192.168.2.100 to: 192.168.2.199. And press Save.
  • In Firewall -> Aliases -> New alias. Name: "anti_lockout_ports". Type: "Port(s)". Content: 80 (enter), 443 (enter) and 22 (enter). Description: "Anti-lockout ports".
  • Finally, I go to Firewall -> NAT -> Port forward. In my case the anti-lockout rule was there already. If not, create a new rule -> Select the interface (e.g. "LAN_MANAGEMENT"). Protocol: TCP. Destination: "LAN_MANAGEMENT address". Destination port select: "anti_lockout_ports" (the alias we created earlier). As Redirect target IP, I provided: 192.168.2.1 (the firewall static IP address I gave it in step 2). Give it a description like: "Anti-Lockout Rule". And press Save.
  • And press "Apply changes".

If you are sure you have the correct firewall rule in place (see my steps above), you could optionally disable the default anti-lockout rule on the LAN interface by going to: Firewall -> Settings -> Advanced -> "Disable anti-lockout" and checking "Disable administration anti-lockout rule". This disables the default anti-lockout rule on the LAN interface like you mentioned before.

If I said something wrong, please let me know. I will update this post.
Hardware: DEC3852
Version: OPNsense 24.10 Business Edition

Quote from: Melroy vd Berg on December 09, 2024, 03:02:15 PM

Thanks for the reply!

I followed your steps and they should work, but now my problem is that in my firewall logs, my MGMT device (192.168.99.100) is getting blocked when trying to access 192.168.1.1:443 (WebGUI). It is being caught by the 'Default Deny / state violation rule' which cannot be disabled on that interface, unless there is another way that I do not know. Any ideas on how to remedy this? Again, thanks for taking the time to answer my post!

The management interface is added to access OPN at the IP of the interface (where the ports are opened).
You seem to look at this as defining a network for machines that can access the GUI.

Anyway, to allow this machine to access the GUI (either on MGMT.address or LAN.address, as long as the GUI is set up to be available on all interfaces), you need to add a FW rule on your MGMT interface.
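To make the point of the last two replies concrete, here is an added example (not code from the thread or from OPNsense itself) that models, in Python, how a small set of rules on the MGMT interface is evaluated: first match wins, as with OPNsense's default "quick" rules, and a packet that matches nothing hits the implicit default deny that showed up in the firewall log above. The addresses (192.168.1.1 on LAN, 192.168.2.1 on MGMT, a management host at 192.168.2.100), the two-port alias and the rule labels are constructed to mirror the thread; "This Firewall" and "MGMT address" are modelled the way the GUI's destination choices behave, with "This Firewall" covering every address the firewall owns and "MGMT address" only the MGMT interface's own address.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed topology (assumption, mirroring the thread): the firewall
# holds 192.168.1.1 on LAN and 192.168.2.1 on the management interface.
FIREWALL_ADDRESSES = {
    "LAN": ipaddress.ip_address("192.168.1.1"),
    "MGMT": ipaddress.ip_address("192.168.2.1"),
}
MGMT_NET = ipaddress.ip_network("192.168.2.0/24")
ADMIN_PORTS = frozenset({22, 443})  # like OPNenthu's ports alias (22 and 443)


@dataclass
class Rule:
    """One rule on the MGMT interface, written in the GUI's vocabulary."""
    action: str                     # "pass" or "block"
    src_net: ipaddress.IPv4Network  # e.g. the MGMT network
    dst: str                        # "This Firewall", "MGMT address" or "any"
    ports: Optional[frozenset]      # None = any destination port
    label: str


def _dst_matches(rule: Rule, dst: ipaddress.IPv4Address) -> bool:
    """'This Firewall' covers every address the firewall owns; '<IF> address'
    covers only that one interface address (the distinction the thread
    turns on)."""
    if rule.dst == "any":
        return True
    if rule.dst == "This Firewall":
        return dst in FIREWALL_ADDRESSES.values()
    if rule.dst.endswith(" address"):
        return dst == FIREWALL_ADDRESSES[rule.dst[: -len(" address")]]
    raise ValueError(f"unknown destination spec {rule.dst!r}")


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> Tuple[str, str]:
    """First matching rule wins (GUI rules are 'quick' by default); a packet
    that matches nothing is dropped by the implicit default deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (src in rule.src_net and _dst_matches(rule, dst)
                and (rule.ports is None or dport in rule.ports)):
            return rule.action, rule.label
    return "block", "Default Deny / state violation rule"


# Ruleset A (what the replies recommend): admin ports to 'This Firewall',
# then block everything else from the management network, which also
# keeps the MGMT hosts off the internet.
RECOMMENDED = [
    Rule("pass", MGMT_NET, "This Firewall", ADMIN_PORTS, "Allow MGMT net to GUI/SSH"),
    Rule("block", MGMT_NET, "any", None, "Block MGMT net to anything else"),
]

# Ruleset B: a pass rule scoped to 'MGMT address' only. The GUI at the LAN
# address is then not covered, and that traffic falls through to default deny.
ADDRESS_ONLY = [
    Rule("pass", MGMT_NET, "MGMT address", ADMIN_PORTS, "Allow MGMT net to MGMT address"),
]


if __name__ == "__main__":
    for rules, name in ((RECOMMENDED, "recommended"), (ADDRESS_ONLY, "address-only")):
        for dst, port in (("192.168.2.1", 443), ("192.168.1.1", 443), ("203.0.113.10", 443)):
            print(f"{name:13} 192.168.2.100 -> {dst}:{port}",
                  evaluate(rules, "192.168.2.100", dst, port))
```

Running it shows the two behaviours side by side: with ruleset A the management host reaches the GUI at either firewall address and is stopped by the explicit block rule for anything else, including the internet; with ruleset B the same host reaches the GUI only at the MGMT address, and a request to 192.168.1.1:443 is logged against the default deny rule, which is the symptom described earlier in the thread. A LAN host is never matched by either ruleset, since both rules are on the MGMT interface and keyed to the MGMT network.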