LAN IF anti-lockout rule bleeding into WireGuard IF?

Started by jimjohn, August 28, 2021, 10:57:11 PM

August 28, 2021, 10:57:11 PM Last Edit: August 28, 2021, 10:58:48 PM by jimjohn
Hi,

I am now running a WireGuard Road Warrior tunnel (only locally for testing). Everything works as expected, but I have access to my OPNsense web GUI, which I do not want to have when using the WireGuard tunnel. I could not see the packets in the live log, and the only rule I found that could explain that behavior is the auto-generated anti-lockout rule (see attachment).

What I do not understand is whether this anti-lockout rule, which is only enabled for the LAN interface, can "bleed" into the WireGuard interface (I added an interface alias on wg0 to use it in my firewall rules).

The rule belongs to the LAN and not the WireGuard interface. What am I missing?

Not entirely sure about the cause of this, but if you exclude the WG interface from the listen interfaces for the web GUI under System/Settings/Administration, does that make a difference?

Quote from: Greelan on August 29, 2021, 01:51:05 AM
Not entirely sure about the cause of this, but if you exclude the WG interface from the listen interfaces for the web GUI under System/Settings/Administration, does that make a difference?

It is excluded already, only LAN is checked, all other interfaces are not.

August 29, 2021, 02:05:57 AM #3 Last Edit: August 29, 2021, 02:23:40 AM by Greelan
Maybe it is something to do with the fact that you are creating the tunnel within the same network that the client is on (LAN), and so the routing is not working as you expect or want it to. Try a pcap on packets coming from the client to see whether you can figure out where they are going.

Or rather than messing around with this setup, which is only interim, just configure it on WAN and see what happens there. WG is stealthy, and so you are not really creating much of a risk.
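A way to answer the "can it bleed" question from the ruleset itself, as an added example that is not from any poster in this thread: pf evaluates a rule carrying `on <ifname>` only for packets on that interface, so a rule bound to LAN is never a candidate for a packet that enters on wg0. The script below parses `pfctl -sr` style rule lines and reports which rules could match a given inbound packet and which one decides. The ruleset is a constructed sample (interface names `igb1`/`wg0`, addresses, labels and the "WG clients to LAN net" rule are all assumptions, not the poster's configuration); run `pfctl -sr` on the firewall and feed the real output to `parse_rules()`.

```python
"""List the pf rules that can match a packet entering on a given interface.

Constructed example: the rules below imitate `pfctl -sr` output; interface
names, addresses and labels are assumptions, not a real OPNsense ruleset.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed interface addresses so "(igb1)"-style address references resolve.
IFACE_ADDR = {"igb1": "192.168.1.1", "wg0": "10.10.10.1"}

SAMPLE_RULES = """\
pass in quick on igb1 inet proto tcp from any to (igb1) port = 443 flags S/SA keep state label "anti-lockout rule"
pass in quick on igb1 inet proto tcp from any to (igb1) port = 22 flags S/SA keep state label "anti-lockout rule"
pass in quick on wg0 inet from 10.10.10.0/24 to 192.168.1.0/24 flags S/SA keep state label "WG clients to LAN net"
block drop in on wg0 inet all label "Default deny rule"
"""

# Covers the subset of pf syntax used above: action, direction, quick,
# interface binding, optional proto, from/to or all, optional single port.
RULE_RE = re.compile(
    r"^(?P<action>pass|block(?: drop)?)\s+(?P<dir>in|out)"
    r"(?P<quick>\s+quick)?\s+on\s+(?P<iface>\S+)"
    r"(?:\s+inet6?)?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+(?:all|from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+))"
    r"(?:\s+port\s*=\s*(?P<port>\d+))?"
)
LABEL_RE = re.compile(r'label "([^"]*)"')


@dataclass
class Rule:
    action: str            # "pass" or "block"
    iface: str             # the `on <ifname>` binding
    quick: bool
    proto: Optional[str]   # None means any protocol
    src: str
    dst: str
    port: Optional[int]    # None means any port
    label: str


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed rule: " + line)
        label = LABEL_RE.search(line)
        rules.append(Rule(
            action="block" if m["action"].startswith("block") else "pass",
            iface=m["iface"],
            quick=m["quick"] is not None,
            proto=m["proto"],
            src=m["src"] or "any",
            dst=m["dst"] or "any",
            port=int(m["port"]) if m["port"] else None,
            label=label.group(1) if label else "",
        ))
    return rules


def addr_matches(spec: str, addr: str) -> bool:
    """True if a rule address spec (any, host, CIDR or "(ifname)") covers addr."""
    if spec == "any":
        return True
    if spec.startswith("(") and spec.endswith(")"):
        spec = IFACE_ADDR[spec[1:-1]]
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def candidate_rules(rules, iface, proto, src, dst, dport) -> List[Rule]:
    """Rules whose interface binding and packet fields all match, in ruleset order."""
    out = []
    for r in rules:
        if r.iface != iface:  # `on <if>`: rules for other interfaces are never considered
            continue
        if r.proto not in (None, proto) or r.port not in (None, dport):
            continue
        if addr_matches(r.src, src) and addr_matches(r.dst, dst):
            out.append(r)
    return out


def decide(rules, iface, proto, src, dst, dport) -> Optional[Rule]:
    """pf semantics: last match wins unless an earlier matching rule is `quick`."""
    winner = None
    for r in candidate_rules(rules, iface, proto, src, dst, dport):
        winner = r
        if r.quick:
            break
    return winner


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    # A LAN host reaching the GUI: the anti-lockout rule decides.
    print(decide(rules, "igb1", "tcp", "192.168.1.50", "192.168.1.1", 443).label)
    # The same flow entering on wg0: the LAN-bound rule is not even a candidate;
    # whatever passes it is a wg0 rule (here the sample "to LAN net" rule, whose
    # destination network contains the firewall's own LAN address).
    print([r.label for r in candidate_rules(rules, "wg0", "tcp", "10.10.10.2", "192.168.1.1", 443)])
```

If the deciding rule for the wg0 packet is one of your own WireGuard rules, the fix is on wg0 (a block for the GUI port before the pass, or a narrower destination), not on LAN; if no wg0 rule passes it and the GUI is still reachable, Greelan's pcap suggestion is the next step, since the packet may not be entering on wg0 at all.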