FW VM instance blocking WebGUI access on WAN after a new interface is assigned

Started by depeche_mode, June 29, 2021, 05:45:49 AM

Hello everyone,

Long-time listener, first-time caller here.

I have an OPNsense 21.1.7_1 VMware instance installed on a VMware ESXi 7.0u2 host.
The FW VM has 2 VMXNET3 interfaces: vmx0 (WAN: static MAC) and vmx1 (INSIDE: auto MAC).
The FW VM has os-vmware package version 1.5_1 installed.

When the FW VM has a single interface (WAN - vmx0) assigned, everything works perfectly and I can access WebGUI successfully from the Internet by going to https://PUBLIC-IP-WAN-VMX0/.

However, when I go to Interfaces > Assignments and assign the 2nd interface as well (vmx1 with private IP), I will lose connectivity to the WebGUI from https://PUBLIC-IP-WAN-VMX0/ after I enable the interface and apply the changes.

The loss of access to WebGUI on Public WAN interface (vmx0) is almost immediate after I enable the newly assigned interface (vmx1) and happens 100% of the time.

For troubleshooting, I went to the CLI and observed the Firewall log while I tried to access https://PUBLIC-IP-WAN-VMX0/.
I can see my traffic arriving inbound to the FW destined to 443, however, there is no response from the FW.

The FW appears to be blocking WebGUI access on the WAN interface after the new interface is assigned.

I need to go to the CLI, select Option 1 and assign only interface vmx0 (WAN) in order to regain access to https://PUBLIC-IP-WAN-VMX0/.

Any suggestions or help would be appreciated. I've been stuck on this for some time now.

Please let me know if there is any additional info I can provide that would be helpful.

Thanks in advance!

Hi there,

Quote from: depeche_mode on June 29, 2021, 05:45:49 AM
When the FW VM has a single interface (WAN - vmx0) assigned, everything works perfectly and I can access WebGUI successfully from the Internet by going to https://PUBLIC-IP-WAN-VMX0/.

However, when I go to Interfaces > Assignments and assign the 2nd interface as well (vmx1 with private IP), I will lose connectivity to the Dashboard from https://PUBLIC-IP-WAN-VMX0/ after I enable the interface and apply the changes.

The loss of access to WebGUI on Public WAN interface (vmx0) is almost immediate after I enable the newly assigned interface (vmx1) and happens 100% of the time.

You are describing the anti-lockout behaviour of the GUI/SSH access rules. ;) It moves to the most trusted interfaces. If you only have one, that can be WAN too.

Before you assign a LAN/OPT, make sure you add the relevant pass rule on the WAN interface to be able to reach the GUI or properly connect to the new interface instead.


Cheers,
Franco