[SOLVED] WebUI is accessible over Internet

Started by Morta, November 17, 2021, 05:45:04 PM

November 17, 2021, 05:45:04 PM Last Edit: November 18, 2021, 12:05:05 AM by Morta
How can I disable access to the WebUI on the WAN port?

OOTB it's disabled (as long as there is more than WAN iirc). Configure under System -> Settings -> Administration
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Hint: if you are connected to the LAN network and just typing the WAN IP address into your browser, you are still initiating the connection from LAN and are therefore permitted.

To truly test if the administration UI is enabled on WAN you need to be connected to the Internet somehow differently and really come from outside.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

OK.

Now I want to make the server accessible over HTTP and HTTPS with a NAT rule.

Can I follow the forum tutorial or do I have to change more options?

I already did the forum tutorial, but the WebUI had priority and it doesn't work.

Please post

1. all details about your NAT rule
2. a plan of your network including IP addresses
3. a description of what this is supposed to do and in which way it doesn't

"something something doesn't work" is by far too little information to come up with any diagnosis.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

November 17, 2021, 07:37:46 PM #5 Last Edit: November 17, 2021, 07:41:15 PM by Morta
NAT rules

Bridge

DHCPv4 leases


I want the 5erver (192.168.1.100) webserver to be accessible on ports 80,433 on WAN (router),
so that when I hit free-vpn.ch (85.195.234.234) it displays the website which is hosted on 5erver behind the router.

I can't ping the devices under the LAN. So it isn't possible to ping from lapt0p (192.168.0.106) to 5erver (192.168.0.100).

Please show the details of one of the two NAT rules after you clicked on the small "edit/pencil" icon.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)




I also can't ping the devices in the same bridge, from lapt0p to 5erver for example...

Change the "Filter rule association" to "Pass" and the "TCP/IP version" to "IPv4". Then it should work.

For IPv6 don't use NAT but create a firewall rule (Firewall > Rules > WAN) permitting ports 80 and 443 to the fixed IPv6 address of your server inbound.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: pmhausen on November 17, 2021, 07:52:02 PM
Change the "Filter rule association" to "Pass" and the "TCP/IP version" to "IPv4". Then it should work.

For IPv6 don't use NAT but create a firewall rule (Firewall > Rules > WAN) permitting ports 80 and 443 to the fixed IPv6 address of your server inbound.

It doesn't work.

I also can't access a client in the same bridge network, for example from lapt0p to 5erver. Why?

And the clients don't have an IPv6 address from the ISP, only one from the router. Why?

Did you try with a device connected to the "outside Internet", i.e. through tethering with your mobile phone?

So-called "hairpin" connections from inside to the outside address do not work out of the box. You need extra configuration for that. Let's get the port forwarding straight, first. So please try with an outside device.

Second, I cannot help you with your IPv6 if you don't tell us how precisely your ISP is routing IPv6 down your line. DHCPv6? Prefix delegation? Static prefix or changing every couple of hours? ... and so on. We would need to know all of that.

How familiar are you with basic networking concepts like this? Did you read the OPNsense documentation?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
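
Why a test from the LAN shows the WebUI instead of the web server, as an added example that is not part of the original posts and is not OPNsense code: a simplified Python model of per-interface port forwarding and filtering. The outside client 203.0.113.7 is constructed, and the GUI is assumed to listen on TCP 443.

```python
# Simplified model (added example): port forwards and filter rules are both
# bound to the interface a packet ARRIVES on, not to its destination address.
from dataclasses import dataclass

WAN_IP = "85.195.234.234"   # WAN address from the thread
SERVER = "192.168.1.100"    # "5erver" from the thread
GUI_PORT = 443              # assumption: web GUI on the default HTTPS port

@dataclass(frozen=True)
class Packet:
    ingress: str  # interface the packet arrives on: "wan" or "lan"
    src: str
    dst: str
    dport: int

# Port forward as discussed in the thread: WAN only, TCP 80/443 -> SERVER,
# "Filter rule association" = "Pass" (the redirect also passes the traffic).
PORT_FORWARDS = [{"iface": "wan", "dst": WAN_IP, "ports": {80, 443}, "target": SERVER}]

# Filter rules per ingress interface; no match means default deny.
FILTER_RULES = [{"iface": "lan", "action": "pass"}]  # default "LAN to any" rule

def deliver(pkt, forwards=PORT_FORWARDS, rules=FILTER_RULES):
    """Return where the packet ends up: 'blocked', 'webui', or a host IP."""
    dst, passed = pkt.dst, False
    for f in forwards:  # 1. translation, only on the forward's own interface
        if f["iface"] == pkt.ingress and pkt.dst == f["dst"] and pkt.dport in f["ports"]:
            dst, passed = f["target"], True
            break
    if not passed:      # 2. filter rules of the ingress interface
        passed = any(r["iface"] == pkt.ingress and r["action"] == "pass" for r in rules)
    if not passed:
        return "blocked"
    if dst == WAN_IP:   # 3. untranslated traffic to the firewall's own address
        return "webui" if pkt.dport == GUI_PORT else "blocked"
    return dst

def scenarios():
    outside = Packet("wan", "203.0.113.7", WAN_IP, 443)   # constructed: tethered phone
    inside = Packet("lan", "192.168.0.106", WAN_IP, 443)  # lapt0p, address as posted
    return {
        "outside, no forward": deliver(outside, forwards=[]),
        "outside, with forward": deliver(outside),
        "inside to WAN IP": deliver(inside),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:22} -> {result}")
```

The third scenario is the hairpin case: the forward exists only on WAN, so the LAN client's request is never translated and lands on the firewall itself.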

November 17, 2021, 08:50:44 PM #11 Last Edit: November 17, 2021, 08:53:34 PM by Morta
Quote from: pmhausen on November 17, 2021, 08:05:32 PM
Did you try with a device connected to the "outside Internet", i.e. through tethering with your mobile phone?

So-called "hairpin" connections from inside to the outside address do not work out of the box. You need extra configuration for that. Let's get the port forwarding straight, first. So please try with an outside device.

Second, I cannot help you with your IPv6 if you don't tell us how precisely your ISP is routing IPv6 down your line. DHCPv6? Prefix delegation? Static prefix or changing every couple of hours? ... and so on. We would need to know all of that.

How familiar are you with basic networking concepts like this? Did you read the OPNsense documentation?

DHCPv6

https://www.tuxone.ch/2021/02/fiber7-access-mit-pfsense.html

I did that and the clients now have an IPv6 address from the ISP.






I tried to connect with the mobile phone and it doesn't work.





Does the system you named "Server" have the LAN IP address of the OPNsense as its default gateway?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: pmhausen on November 17, 2021, 08:55:02 PM
Does the system you named "Server" have the LAN IP address of the OPNsense as its default gateway?

The 5erver has the IP 192.168.1.100 and a fixed IPv6 (ping -v6 joelmueller.ch) from the ISP and is a client of the router (OPNsense), also directly connected to LAN (bridge0), but I can't ping the local IPv4 or IPv6.

Yes. ip addr shows me two IPv6 addresses and 192.168.1.100 as IPv4.

November 17, 2021, 09:32:48 PM #14 Last Edit: November 17, 2021, 09:34:22 PM by Morta
I could fix the IPv6 issue by changing the setting of the WAN port. Now I have a route and can ping an IPv6 address, but I don't understand why I can't ping local IPv4 addresses of the DHCPv4 /24 subnet.

So do I have to activate an option?