Interface bug (or misunderstanding)

Started by coatmaker618, August 05, 2022, 04:45:16 AM

I'm doing weird things and I found OPNsense behaving differently than I would expect.  Is it a bug or a misunderstanding on my part?

I am trying to set up OPNsense to have the web interface accessible on the WAN! (Don't worry, it's nested behind a standard OPNsense router so WAN != internet for THIS router)

I have been having weird issues with this setup, and I eventually did a factory reset of OPNSense & I noticed 2 things:
1) A package (HAProxy) is still installed.  While I'm happy it's there as I did want it, I don't know if there's a separate way to clear packages if that's not desired?
2) The web interface stopped working when I tried to access it via the WAN.

#2 made sense, as the sane default is WAN block all & LAN allow all.  No big deal, this is good design & I proceeded to disable the firewall with the CLI "pfctl -d".  And as expected, it worked like a charm, the webgui was there :)

The problem arose when I went through the wizard and allowed bogon & private networks on the WAN (remember, not the internet in this case).  I checked firewall rules, and WAN even has the "anti-lockout rule"! Great! Exactly what I want, now just "pfctl -e" and -- wait, now I can't access the webgui.  "pfctl -d" and the webgui loads.

So my question is, why is the webgui blocked by the firewall on the WAN even with the anti-lockout rule on the WAN?  I have no manually set firewall rules & have done nothing beyond the wizard.

Is there another toggle somewhere I'm missing to prevent this (as, I get it, this is normally a terrible design)? Or is this just a design nobody ever tested?



Notes:
I'd be happy to explain my setup if that's needed to debug -- whether the solution is re-architect my network, fix this "bug" (if it is a bug), or find a hidden toggle--please let me know! I want to get this system to a stable & functional state.

If there's any logs/debug info that would help please let me know what it is!

Attached is a screenshot of the firewall rules on the WAN.

Hello

Check under System -> Settings -> Administration which interface you are listening on?
DNS Rebind Check?



DNS rebind check is disabled, but I'm currently accessing it via IP address.

Listen Interfaces is currently all (recommended & default) but I do want to make it only WAN eventually.

August 06, 2022, 10:39:56 AM #3 Last Edit: August 06, 2022, 10:43:16 AM by I3iker
Have you tried an Allow all on the WAN for testing only?
And checked the logs?
Maybe a Health check on the firewall.

Using the firmware section (System ‣ Firmware ‣ Status) you can perform a health check on the system, on the bottom of the status overview is a button named Run an audit which can be expanded to offer the Health selection.

Ok, found some more quirks.  I thought I had a functioning setup, the trick was to only add WAN interface on initial setup (not add LAN).  I later added a bunch of OPT interfaces.

Now, somehow, the firewall seemingly added rules about blocking BOGON/local IP addr on the WAN (I want those allowed & I am certain I unchecked those), and it moved the "anti-lockout rule" to one of the OPT interfaces.  Is there a way to disable those rules apart from the wizard?

I did not check this as I was adding the OPT interfaces as it did not occur to me that anything like this would happen >_<


As for the previous questions--I can't confirm I checked the firewall logs or applied the allow all rule when everything was in the correct state so it's hard to say as things have changed.  If I can get the "Automatically generated rules" back the way I want them, I will happily check firewall logs & try making an allow all rule again.  After going through the wizard I was able to get BOGON/localIP addr to be allowed on WAN (we'll see if that stays) but I was NOT able to change the anti-lockout rule from OPT1 to WAN.


Thanks for showing me the health check.  While it came out fine, I had not heard about that before, so that was a new one! Learned something new that will definitely be useful in the future :)
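Before reaching for "pfctl -d", it helps to read the ruleset pf actually loaded and see which interface the anti-lockout pass rule and the bogon/private-network block rules ended up on. The script below is an added example for this thread, not code from the posts or from the OPNsense project. The rule text is a CONSTRUCTED sample imitating `pfctl -sr` output (interface names vtnet0 = WAN and vtnet1 = OPT1, and the label texts, are assumptions); on a real box replace it with `RULES="$(pfctl -sr)"` run as root.

```shell
#!/bin/sh
# Added example: summarise a pf ruleset per interface to check where the
# management pass rule and the bogon/private-network blocks landed.
# SAMPLE_RULES is a CONSTRUCTED imitation of `pfctl -sr` output; interface
# names and label texts are assumptions, not taken from a real OPNsense box.
SAMPLE_RULES='block drop in quick on vtnet0 from <bogons> to any label "block bogon networks from WAN"
block drop in quick on vtnet0 from 10.0.0.0/8 to any label "block private networks from WAN"
pass in quick on vtnet1 inet proto tcp from any to (vtnet1) port = https flags S/SA keep state label "anti-lockout rule"
pass in quick on vtnet1 inet proto tcp from any to (vtnet1) port = ssh flags S/SA keep state label "anti-lockout rule"
pass in quick on vtnet0 inet proto icmp from any to any keep state label "allow icmp on WAN"'

# rules_on_iface RULES IFACE : print only the rules bound to IFACE
rules_on_iface() {
    printf '%s\n' "$1" | grep -E " on $2( |$)"
}

# mgmt_pass_ifaces RULES : list the interfaces that carry an inbound pass
# rule to the HTTPS port (where the web GUI would be reachable with pf on)
mgmt_pass_ifaces() {
    printf '%s\n' "$1" | grep -E '^pass in ' | grep -E 'port = (https|443)' \
        | sed -E 's/.* on ([a-z0-9_]+) .*/\1/' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# blocks_bogon_or_private RULES IFACE : succeed if IFACE has a block rule
# sourced from the bogon tables or RFC 1918 space (the wizard's WAN blocks)
blocks_bogon_or_private() {
    rules_on_iface "$1" "$2" \
        | grep -E '^block .* from (<bogons(v6)?>|10\.0\.0\.0/8|172\.16\.0\.0/12|192\.168\.0\.0/16) ' >/dev/null
}

# report RULES IFACE... : one line per interface with the two findings
report() {
    rules="$1"; shift
    for ifc in "$@"; do
        if blocks_bogon_or_private "$rules" "$ifc"; then b="yes"; else b="no"; fi
        printf '%s: bogon/private blocks=%s rules=%s\n' \
            "$ifc" "$b" "$(rules_on_iface "$rules" "$ifc" | wc -l | tr -d ' ')"
    done
    printf 'interfaces with an inbound HTTPS pass rule: %s\n' "$(mgmt_pass_ifaces "$rules")"
}

report "$SAMPLE_RULES" vtnet0 vtnet1
```

On the sample the report shows the HTTPS pass rule only on vtnet1 and the bogon/private blocks only on vtnet0, which is exactly the state described in the last post: the GUI is reachable on OPT1 but not on the WAN while pf is enabled. Running the same check after each wizard or interface change makes it obvious when the automatically generated rules have moved.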