Confused why I can't block access to my webui on the WIFI subnet.

Started by Arimil, February 19, 2025, 12:23:07 PM

I'm using Caddy as a reverse proxy to serve SSL certs for my webui and a few other things running on the firewall.

On my WIFI subnet I've created a rule that blocks access to 443 and 444 (the port I changed the webui to bind to without the proxy). If I try to access these ports via the IP, e.g. 192.168.1.1:444 or 192.168.1.1:443, these connections are blocked.

However, if I try to access through the reverse proxy, e.g. firewall.mydomain.com, it's still accessible, despite firewall.mydomain.com resolving to 192.168.1.1, and since it's being served using https that would be on port 443.

Do I need to add the domains for these services to the alias?

Anyway here's the rule config:
Action: Reject
Quick: checked
Interface: WIFI
Direction: in
TCP/IP Version: IPv4
Protocol: TCP/UDP
Source: WIFI net
Destination: Gateways
Destination port range from: OPNsense_Access_Ports
Destination port range to: OPNsense_Access_Ports

Gateways is an alias pointing to: 192.168.1.1, 192.168.2.1
OPNsense_Access_Ports is an alias pointing to: 444, 443

Quote from: Arimil on February 19, 2025, 12:23:07 PM
However if I try to access through the reverse proxy e.g. firewall.mydomain.com it's still accessible despite
If the access is proxied you have to block the proxy port, which might be 443.

However, as destination address you should rather use "This Firewall" to block access to any IP of OPNsense.

I can confirm that caddy is running on 443 as shown here:


Also, thanks for the tip about using `This Firewall`; that allowed me to delete the Gateways alias. However, even after making that change, anything that runs through the Caddy proxy is still accessible on the WIFI vlan.

Oddly enough the block on port 444 is working, so it seems there's something preventing 443 from being blocked?

Quote from: Arimil on February 19, 2025, 12:23:07 PM
On my WIFI subnet I've created a rule that blocks access to 443 and 444 (the port I changed the webui to bind to without the proxy). If I try to access these ports via the IP e.g. 192.168.1.1:444, 192.168.1.1:443. These connections are being blocked.

However if I try to access through the reverse proxy e.g. firewall.mydomain.com it's still accessible despite firewall.mydomain.com resolving to 192.168.1.1 and since it's being served using https that would be on port 443.

There's a contradiction here. In the first paragraph you say that 192.168.1.1:443 is blocked. In the second paragraph you say that port 443 on the same IP is not blocked. It can't be both. Are you sure that "firewall.mydomain.com" isn't resolving to multiple A records that include some other interfaces? By default, Unbound will add A/AAAA records for all of the interfaces that it's listening on. Your browser may be selecting one that's not in your blocked list...

Yes, that's the problem: it is blocked, but I can still access it. If I use the domain, which causes it to be routed through Caddy, it serves the page on 443 through https even though that port should be blocked, thus preventing access to the webui. However, if I go to https://192.168.1.1:443 I get a rejected response as expected.

Suggest you check [Services > Unbound > General > Do not register system A/AAAA records], then add a Host Override for "firewall.mydomain.com" pointing to IP address 192.168.1.1

I'm already doing that with adguard, they are not accessible outside my network.

Just create an Access List in Caddy that restricts networks that should not be able to open these websites.

Create an inverted one with networks that should be blocked and attach it to your domain.
Hardware:
DEC740
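For readers who run Caddy from a hand-written Caddyfile rather than the OPNsense plugin GUI, here is the equivalent of the access list suggested above, as an added example that is not from the thread or the Caddy project; the WIFI subnet 192.168.2.0/24, the LAN subnet 192.168.1.0/24 and the upstream webui on 127.0.0.1:444 are assumptions, not values from the post.

```caddyfile
# Assumed layout: Caddy terminates TLS on 443, the OPNsense webui listens
# on 444 (HTTPS, self-signed) and must not be reachable from the WIFI vlan.
firewall.mydomain.com {
    # Variant 1, a plain deny list: match clients whose source address is in
    # the WIFI subnet (assumed 192.168.2.0/24) and drop the connection before
    # it reaches the reverse proxy. 'abort' closes the TCP connection with
    # no HTTP response, so the client sees the same failure as a firewall reject.
    @from_wifi remote_ip 192.168.2.0/24
    abort @from_wifi

    # Variant 2, the "inverted" list from the reply above: allow only the
    # trusted LAN (assumed 192.168.1.0/24) and abort everything else.
    # Use one variant or the other; both are shown here for comparison, and
    # because matchers are evaluated per request they do not conflict.
    @not_lan {
        not remote_ip 192.168.1.0/24
    }
    abort @not_lan

    # Only requests that passed both matchers reach the webui.
    # tls_insecure_skip_verify is needed because the upstream presents a
    # self-signed certificate; it only affects the loopback hop to 444.
    reverse_proxy https://127.0.0.1:444 {
        transport http {
            tls_insecure_skip_verify
        }
    }
}
```

Caddy sees the client address on the already-accepted TCP connection, so this control only applies to requests that the firewall rule let through; keeping the firewall reject on 443/444 in place remains the stronger layer, and the access list is the fallback when, as in this thread, the proxied path slips past it.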