Firewall - Best Practice?

[smthing]

I've seen some examples where people setup Firewall rules for the OPNsense Gateway, but don't really understand the practice.

Example: How to access the WEB Gui from the WAN port.
Almost all guides recommend a NAT Port Forward the HTTPS port (without changing port no.) from the WAN interface to the LAN interface. And then open up the firewall from the LAN side.

Is there a reason for this? Why not open up the firewall from the WAN side and skip the NAT Port Forward?

[bartjsmit]

Best practice is not to expose any management interfaces to the internet. Use a VPN for remote access

[smthing]

Best practice is not to expose any management interfaces to the internet. Use a VPN for remote access

That's understood in general cases and pretty well known.

I'm more curious about the process of using NAT Port Forward from WAN -> LAN side of the gateway and then open the firewall for LAN access. Is there any benefit from doing this?

[meyergru]

Yes. To have the same URL from inside and out.

[phoenix]

Best practice is not to expose any management interfaces to the internet. Use a VPN for remote access

That's understood in general cases and pretty well known.

I'm more curious about the process of using NAT Port Forward from WAN -> LAN side of the gateway and then open the firewall for LAN access. Is there any benefit from doing this?

Then why don't you follow the suggestion to use a VPN? You can set-up a secure connection with Wireguard and only the allowed users will be able to access the LAN interface from the internet - much more secure and works a treat, I've been using it for years without problems.

It would certainly bother me if I exposed my LAN interface to the interface via NAT, I'm sure there's plenty of hackers that would find that config a challenge.

[smthing]

Yes. To have the same URL from inside and out.

Good point and makes sense.

Then why don't you follow the suggestion to use a VPN? You can set-up a secure connection with Wireguard and only the allowed users will be able to access the LAN interface from the internet - much more secure and works a treat, I've been using it for years without problems.

It would certainly bother me if I exposed my LAN interface to the interface via NAT, I'm sure there's plenty of hackers that would find that config a challenge.

Thank you. The WEB GUI was an example and I can understand the assumption. The question is however about the practice. And as mentioned above, it's probably due to having the same URL.