how can I prevent the Web Gui being accessible via all default gateways?

Started by OzziGoblin, February 19, 2023, 05:15:56 AM

Hi, please forgive me, I'm new to OPNsense and this forum.

I'm hoping someone can help me as I'm unable to find a solution to this.
I have a network configured with multiple subnets and vlans and the admin web gui is accessible from all the default gateways.

Is there any way to prevent this?

thanks

Have you checked Settings > Administration > Listen Interfaces? It's 'All' by default.

Quote from: OzziGoblin on February 19, 2023, 05:15:56 AM
Hi, please forgive me, I'm new to OPNsense and this forum.

I'm hoping someone can help me as I'm unable to find a solution to this.
I have a network configured with multiple subnets and vlans and the admin web gui is accessible from all the default gateways.

Is there any way to prevent this?

thanks

You need to add a firewall rule to block access to your firewall.
Ex. guestnet:
block, interface guestnet, source any, destination this firewall/guestnet address, port 80/http

I think you need to do this for each interface, except your main LAN.

Thanks for your help zan, Settings > Administration > Listen Interfaces worked perfectly :D

Quote from: tong2x on February 19, 2023, 03:10:59 PM
Quote from: OzziGoblin on February 19, 2023, 05:15:56 AM
Hi, please forgive me, I'm new to OPNsense and this forum.

I'm hoping someone can help me as I'm unable to find a solution to this.
I have a network configured with multiple subnets and vlans and the admin web gui is accessible from all the default gateways.

Is there any way to prevent this?

thanks

You need to add a firewall rule to block access to your firewall.
Ex. guestnet:
block, interface guestnet, source any, destination this firewall/guestnet address, port 80/http

I think you need to do this for each interface, except your main LAN.


I think it is better to use the supplied feature of OPNsense itself. And I would assume this will also work after you change the web GUI port.

That said, the best strategy for "untrusted/guest" networks is to:
  * Create a *last* rule to reject RFC1918. -> Meaning a user can go to the internet but cannot access anything on the LAN.
  * Before this rule I like to create a rule to allow ICMP to the gateway. This is mainly for (my own) debugging of issues.
  * Before this rule create any other LAN access exceptions (DNS/NTP, etc.).
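To make the rule ordering in this reply and the "block the GUI from guestnet" rule from tong2x's post concrete, here is an added example (not code from OPNsense or from anyone in this thread) that models a guest-interface ruleset and evaluates sample packets against it with first-match semantics, which is how OPNsense rules behave when left at their default "quick" setting. All addresses, hosts and rule names below are constructed for illustration; the point it shows is that the RFC1918 reject must sit below the ICMP/DNS/NTP exceptions, and that a GUI block on "This Firewall" still needs a rule of its own because the firewall's private address is also covered by the reject only if nothing above it passes the traffic.

```python
"""Model of an OPNsense-style guest ruleset, evaluated first-match (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed topology; these are assumptions for the example, not values from the thread.
FIREWALL_ADDRS = {ipaddress.ip_address(a) for a in ("192.168.50.1", "192.168.10.1", "203.0.113.10")}
GUEST_GW = ipaddress.ip_address("192.168.50.1")   # the firewall's "guestnet address"
LAN_DNS = ipaddress.ip_address("192.168.10.53")   # an internal resolver on the main LAN
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    dst: ipaddress.IPv4Address
    dport: Optional[int] = None      # None for icmp


def pkt(proto: str, dst: str, dport: Optional[int] = None) -> Packet:
    """Convenience constructor so callers can pass addresses as strings."""
    return Packet(proto, ipaddress.ip_address(dst), dport)


@dataclass
class Rule:
    action: str                                   # "pass", "block" or "reject"
    note: str                                     # label returned by evaluate()
    proto: Optional[str] = None                   # None matches any protocol
    dst_hosts: Set[ipaddress.IPv4Address] = field(default_factory=set)
    dst_nets: List[ipaddress.IPv4Network] = field(default_factory=list)
    dports: Set[int] = field(default_factory=set)  # empty set matches any port

    def matches(self, p: Packet) -> bool:
        if self.proto and self.proto != p.proto:
            return False
        if self.dst_hosts or self.dst_nets:
            if p.dst not in self.dst_hosts and not any(p.dst in n for n in self.dst_nets):
                return False
        if self.dports and p.dport not in self.dports:
            return False
        return True


def guest_ruleset() -> List[Rule]:
    """Guest-interface rules, top to bottom, in the order recommended in the thread."""
    return [
        # tong2x's rule: block the web GUI on "This Firewall" from the guest segment.
        Rule("block", "web gui", proto="tcp", dst_hosts=FIREWALL_ADDRS, dports={80, 443}),
        # ICMP to the gateway stays above the RFC1918 reject so it remains usable for debugging.
        Rule("pass", "icmp to gateway", proto="icmp", dst_hosts={GUEST_GW}),
        # LAN access exceptions (DNS/NTP) also go above the reject.
        Rule("pass", "dns", dst_hosts={LAN_DNS}, dports={53}),
        Rule("pass", "ntp", proto="udp", dst_hosts={GUEST_GW}, dports={123}),
        # Last LAN-related rule: reject everything else bound for private address space.
        Rule("reject", "rfc1918", dst_nets=RFC1918),
        # Whatever is left is internet-bound and allowed.
        Rule("pass", "internet"),
    ]


def misordered_ruleset() -> List[Rule]:
    """Same rules, but with the RFC1918 reject placed above the exceptions (the mistake to avoid)."""
    rules = guest_ruleset()
    reject = next(r for r in rules if r.note == "rfc1918")
    rules.remove(reject)
    rules.insert(1, reject)        # directly under the GUI block, before ICMP/DNS/NTP
    return rules


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule wins; nothing matching falls to the implicit default deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.note
    return "block", "implicit default deny"


if __name__ == "__main__":
    samples = [
        pkt("tcp", "192.168.50.1", 443),    # GUI from guest: blocked by the explicit rule
        pkt("icmp", "192.168.50.1"),        # ping the gateway: allowed for debugging
        pkt("udp", "192.168.10.53", 53),    # DNS exception: allowed
        pkt("tcp", "192.168.10.20", 445),   # SMB to a LAN host: rejected by the RFC1918 rule
        pkt("tcp", "192.168.50.1", 22),     # SSH to the gateway: also caught by the RFC1918 rule
        pkt("tcp", "198.51.100.7", 443),    # internet: allowed
    ]
    for p in samples:
        print(p.proto, p.dst, p.dport, "->", evaluate(guest_ruleset(), p))
    print("misordered DNS ->", evaluate(misordered_ruleset(), pkt("udp", "192.168.10.53", 53)))
```

Running the script prints one verdict per sample, and the final line shows that moving the RFC1918 reject above the exceptions silently breaks DNS for guest clients. The model only covers the firewall-rule layer; the Listen Interfaces setting from zan's reply works one layer lower, by not binding the GUI to the guest address at all, and the two complement each other.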