Webgui on WAN

Started by loko, November 20, 2023, 11:36:17 PM

November 20, 2023, 11:36:17 PM Last Edit: November 20, 2023, 11:40:20 PM by loko
Hello,
I made a fresh OPNsense installation from an ISO.
After the webgui wizard part is finished, I wanted to access the OPNsense webgui also via the WAN.
Therefore I applied a FW rule on the WAN zone to allow TCP 443.
Then I extended the FW rule to Any/Any; that way I was able to ping the WAN interface, but not the webgui.
Under System -> Settings -> Administration, "Listen interfaces" is set to 'ALL'.
When I check "Enable Secure Shell", I'm able to access SSH via the WAN interface, but still no webgui.

I tried to use "pfctl -d" without success.

Can you help me with what I'm missing?

Cheers

November 21, 2023, 12:15:14 AM #1 Last Edit: November 21, 2023, 12:23:11 AM by macklij
These links may be useful:
https://forum.opnsense.org/index.php?topic=3876.0
https://forum.opnsense.org/index.php?topic=573.0

The obvious dangers are discussed, but they should help.

A useful suggestion seems to be to try disabling reply-to on WAN rules (Firewall > Settings > Advanced).

BTW pfctl -d disables the firewall completely (and maybe NAT too, I am not sure). pfctl -e enables it.


Hi macklij,

thanks for your reply.
I had this "reply-to" set to disabled on the firewall rule created on WAN.
For testing I changed the webadmin port from 443 to 4443, still no access.
For testing I created a NAT port rule on WAN for destination WAN on port 4443 to the internal LAN IP and 4443, still no access.

Furthermore, I don't see any blocked traffic in the Live View in FW diagnostics, or even with Packet Capture under Interfaces.

I understand the security risk of making the GUI available on WAN, but at least I expect to see some blocks or log entries somehow.


Just to check the obvious - your ISP isn't blocking https traffic?

Hi macklij,
Yep, you're right. I checked this too, using a connection from another location, with the same result: the webgui isn't reachable.
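A small remote check that separates the three outcomes this thread had to tell apart (no reply at all, as with an upstream/ISP block or a silent firewall drop; a TCP reset, meaning the packet got through but nothing listens; and a TCP connection that does or does not complete a TLS handshake), as an added example that is not from this thread or from OPNsense. The target host and the port list (22 for SSH, 443 and 4443 for the GUI ports tried above) are assumptions to be adjusted; run it from the outside vantage point, against your own firewall's WAN address.

```python
import socket
import ssl
import sys

# Diagnosis labels returned by classify() and probe().
FILTERED = "filtered: no reply at all (dropped upstream, e.g. by the ISP, or silently by the firewall)"
REFUSED = "closed: host answered with a reset (packet arrived, but nothing is listening on that port)"
TLS_FAILED = "open: TCP accepted but the TLS handshake failed (service on this port is not HTTPS)"
OPEN_TLS = "open: TLS handshake completed, an HTTPS listener (the web GUI) is reachable"


def classify(error):
    """Map the exception from a connect+TLS attempt (None on success) to a diagnosis."""
    if error is None:
        return OPEN_TLS
    if isinstance(error, socket.timeout):        # no SYN-ACK or no RST within the timeout
        return FILTERED
    if isinstance(error, ConnectionRefusedError):  # RST from the host
        return REFUSED
    if isinstance(error, ssl.SSLError):          # e.g. an SSH banner where TLS was expected
        return TLS_FAILED
    return f"error: {error!r}"


def probe(host, port, timeout=5.0):
    """Connect to host:port, try a TLS handshake, and return a diagnosis string."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # the GUI's self-signed certificate is expected here
    ctx.verify_mode = ssl.CERT_NONE  # this tests reachability, not certificate trust
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                pass
    except (OSError, ssl.SSLError) as exc:       # ssl.SSLError and timeouts are OSError subclasses
        return classify(exc)
    return classify(None)


if __name__ == "__main__":
    target = sys.argv[1]                          # assumed: WAN address passed on the command line
    for port in (22, 443, 4443):                  # SSH plus the two GUI ports tried in the thread
        print(f"{target}:{port} -> {probe(target, port)}")
```

If 22 reports TLS_FAILED (SSH answered) while 443 and 4443 report FILTERED from the same vantage point, the difference lies between you and the firewall, not in the GUI or its listen settings.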

Well, at least you know what the issue is. 

Perhaps you can work round it with a VPN - which is probably safer too