Topic: WebGUI accessible on WAN interface (Read 13790 times)

oroel (Newbie, Posts: 7, Karma: 0), December 03, 2016, 12:08:26 pm:
My OPNsense FW is behind a cable modem. I'd like to enable VPN to access my home network and therefore turned the modem into "bridge mode" (my provider is Kabel Deutschland, btw). After doing that I can access the WebGUI of my OPNsense firewall from outside. Why is that? My understanding is that OPNsense doesn't allow connections to the WebGUI on the WAN interface.
I've tried to find a setting for disabling access to the WebGUI, but didn't find any. Do I need to set up firewall rules for blocking? Is the anti-lockout rule in the NAT settings the culprit for that behavior?

Reply #1, chemlud (Hero Member, Posts: 2483, Karma: 112), December 03, 2016, 01:13:14 pm:
Uhm, is the VPN connected and you enter the IP of the LAN interface? Or really the IP of the WAN interface?
Unplug cable modem and connect WAN to a machine with DHCP enabled, wait till IP is handed out and try to reach the opnsense from WAN...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
felix eichhorn's premium cat food with the extra portion of energy
A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Reply #2, fabian (Hero Member, Posts: 2769, Karma: 200, OPNsense Contributor (Language, VPN, Proxy, etc.)), December 03, 2016, 02:20:10 pm:
A better way to try it is by using a smartphone (just enter the public IP of the firewall when you are not connected via a wireless LAN), because you will see how it works from the public internet (maybe it is not even the same provider).

Reply #3, oroel (Newbie, Posts: 7, Karma: 0), December 05, 2016, 11:47:50 am:
Thank you for the quick responses! And sorry for being a bit slow - family got my full attention this weekend.
@chemlud
No, VPN isn't set up yet. I'm accessing the WebGUI with the public IP address provided by Kabel Deutschland.
@fabian
The WebGUI is also accessible via smartphone from a different provider.
The built-in webserver should, in my understanding, listen for connections on the LAN (e.g. 10.0.0.1:403) but not the WAN interface. But it seems to listen on all (0.0.0.0:403) interfaces.
I am very willing to accept that I misconfigured the firewall, but since I didn't do a lot of configuration work I am stuck.

Reply #4, chemlud (Hero Member, Posts: 2483, Karma: 112), December 05, 2016, 01:09:30 pm:
Save config -> fresh install -> look if GUI on WAN -> import config -> look if GUI on WAN ;-)
Something along this line?
kind regards
chemlud

Reply #5, oroel (Newbie, Posts: 7, Karma: 0), December 05, 2016, 01:49:07 pm:
No, not again! :-)
This is a fresh install and I am a bit unwilling to pull my appliance off the wall, unscrew everything, plug in the serial cable and a SD card, do a fresh install and do all the steps in reverse, just to figure out that I fell into the trap of a standard phone center question "did you reset everything?" again. The "reset everything" may help, but it doesn't answer the question why I see the login screen.
So, before I start thinking about the reset, am I the only one who sees the login screen on the WAN interface? And is there a setting to disallow this behavior?

Reply #6, franco (Administrator, Hero Member, Posts: 17660, Karma: 1611), December 05, 2016, 05:13:01 pm:
The default config works like this:
If you only have one interface, namely WAN, everything is open, which makes sense, because you only have one way of access.
If you only have one interface, namely LAN, everything is open, see above.
If there is a WAN and LAN, WAN will block by firewall default *and* by bogons/private networks.
What's the current interface setup (how many + names)?
Cheers,
Franco

Reply #7, oroel (Newbie, Posts: 7, Karma: 0), December 05, 2016, 05:54:58 pm:
I've LAN and WAN interfaces and the "Block private networks" rule is active on the WAN.
To be more specific:
The WAN has two rules:
* Block private networks
* Block bogon networks
The LAN has following rules:
* Anti-Lockout Rule
* Default allow LAN to any rule
* Default allow LAN IPv6 to any rule
And there is also NAT active:
* Anti-Lockout Rule on the LAN Interface
(Last Edit: December 05, 2016, 06:01:03 pm by oroel)

Reply #8, oroel (Newbie, Posts: 7, Karma: 0), February 05, 2017, 07:48:13 pm:
Same issue with a clean install of OPNsense 17.1-amd64. (I am very tempted to use !!!!!!111!)
This looks like a fat ugly bug to me, since the WAN interface explicitly has the "Block private Network" flag set.
I am wondering if the bug is in my understanding of the flag and reaching the login screen from outside is a wanted feature. I also seem to be the only one stumbling across this issue. Please can someone explain to me if this is expected behavior of the firewall to show a login screen to the public? And what can be done to block this.

Reply #9, franco (Administrator, Hero Member, Posts: 17660, Karma: 1611), February 05, 2017, 08:03:13 pm:
This is not an issue if you think that OPNsense is used to face an ISP.
If you have private ranges on your WAN and want to access the web GUI, simply do:
o disable block private networks
o Allow TCP port 443 from any source to WAN address
This should be it, no NAT required...
Cheers,
Franco
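
An added example, not part of the thread and not OPNsense code: a simplified model of the WAN rules listed in Reply #7 and the two changes from Reply #9, showing which rule decides a connection to the GUI port. Assumptions: first-match evaluation, RFC 1918 ranges standing in for "Block private networks", a constructed two-entry bogon sample, and documentation-range placeholder addresses.

```python
import ipaddress

WAN_ADDR = "192.0.2.1"  # placeholder WAN address (documentation range)
# RFC 1918 ranges, used here as the model of "Block private networks".
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed two-entry sample, not the bogon list a firewall ships.
BOGONS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "240.0.0.0/4")]


def src_in(nets):
    """Build a matcher that is true when the packet source is in nets."""
    return lambda p: any(ipaddress.ip_address(p["src"]) in n for n in nets)


def wan_rules(block_private=True, allow_gui=False):
    """WAN rules from Reply #7; the changes from Reply #9 are switches."""
    rules = []
    if block_private:
        rules.append(("block", "Block private networks", src_in(PRIVATE)))
    rules.append(("block", "Block bogon networks", src_in(BOGONS)))
    if allow_gui:
        rules.append(("pass", "Allow TCP 443 to WAN address",
                      lambda p: p["dst"] == WAN_ADDR and p["dport"] == 443))
    rules.append(("block", "Default deny", lambda p: True))
    return rules


def evaluate(src, rules, dst=WAN_ADDR, dport=443):
    """Return (action, rule name) of the first rule matching the packet."""
    pkt = {"src": src, "dst": dst, "dport": dport}
    for action, name, match in rules:
        if match(pkt):
            return action, name


if __name__ == "__main__":
    # Constructed sources: a stand-in public address and a private one.
    cases = [("198.51.100.23", wan_rules()),
             ("192.168.1.50", wan_rules(allow_gui=True)),
             ("192.168.1.50", wan_rules(block_private=False, allow_gui=True))]
    for src, rules in cases:
        print(src, evaluate(src, rules))
```

In this model a non-private source is never matched by the private-network rule; it is stopped only by the default deny, and a private source reaches the GUI only once both changes from Reply #9 are in place.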

Reply #10, oroel (Newbie, Posts: 7, Karma: 0), February 05, 2017, 10:08:30 pm:
Quote from: franco on February 05, 2017, 08:03:13 pm
If you have private ranges on your WAN and want to access the web GUI, simply do:
Thank you for your quick response. If I understand you correctly, you describe a way to access the WebGUI from outside. But my question is how do I block the WebGUI from being accessible from the rest of the world. And I would say that this also should be the standard behavior of a firewall not to be available from the WAN interface (except you are using VPN).

Reply #11, franco (Administrator, Hero Member, Posts: 17660, Karma: 1611), February 06, 2017, 05:37:41 am:
Not sure how you manage that, you can't access the GUI from WAN with a LAN in place unless you specify it.
There's a VPN tunnel mentioned, are you connecting via VPN when this happens? What VPN type? OpenVPN on port 443?

Reply #12, oroel (Newbie, Posts: 7, Karma: 0), February 07, 2017, 03:48:42 pm:
Franco, I can access the WebGui from the WAN interface without VPN.
And that is a bug in my opinion, since the OPNsense is a fresh setup without any settings modifications from my side. Is there any way to block the web GUI from being accessible from WAN?

Reply #13, haxle (Newbie, Posts: 1, Karma: 0), February 19, 2017, 06:46:55 pm:
pfSense does the same thing on a default login, it's the "anti-lockout rule". I'm not sure about OPNsense but in pfSense you can remove it in the advanced menu under admin access. Alternatively, if you set up any port forwarding for port 80 it will disable the GUI access from WAN by default.