How to access the OPNsense GUI from WAN?

Started by novel, December 04, 2023, 11:38:26 AM

Plus, why someone who has to ask "how do I add a rule" is attempting such a supposedly unnecessarily complex and convoluted setup ...?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: cookiemonster on December 05, 2023, 12:40:33 PM
Quote
Sorry, I don't understand how exactly this should work...
Can you provide a detailed network diagram (devices, addresses, routes, ...) of your old setup where this worked?
Are there any other services in this setting like portmapper? What is the exact role of your VPS (Now I remember this, but it is not mentioned in this thread!)?

As said in other threads: Details are missing! You cannot assume that everyone knows your setup or that Patrick or I will always remember details posted across 3-5 threads.

This is why, with regret, even with Private Messages, I have had to stop trying to help. We keep getting single couple-liners to ask a question, but he has this convoluted setup that he fails to include on each thread. So everyone trying to help has to spend a lot of time to discover that in the end. Sorry OP but you have been asked many times to include all your setup. We're trying to help for free whilst holding day jobs. It's not fair to do it the way you are doing it so far.

I am a newbie on OPNsense. I don't understand some words... So, I am honest. It doesn't work. I can predict what information I have to give you. I am not an expert, right? So OPNsense has many rules. For every post or question, do I have to upload all my setup from OPNsense?

Please give me details of what information you want, then I will give it. If I made some errors about me, I am really sorry to everyone.

I forgot that I have CGNAT, so I cannot connect from WAN. Now I connect to a VPN to get a public IP from the VPN, so I try the configuration that Patrick said.

Please ask me what information you want. I really don't know what information is good to give you.

I am sorry!

Quote from: tiermutter on December 05, 2023, 01:21:34 PM
+1

Could really be much easier to help and understand the situation and the whole desired setup.


I AM SORRY. PLEASE, ask me what kind of information from the setup you want. Then I will do it...

Quote from: Patrick M. Hausen on December 05, 2023, 03:14:06 PM
Plus, why someone who has to ask "how do I add a rule" is attempting such a supposedly unnecessarily complex and convoluted setup ...?

Because inside, when you add a rule ... with + ... there are a lot of choices. That is the reason why I ask...

I have used OPNsense for a couple of days. Please, you have to understand this. I migrated from another firewall.

I am sorry!

Quote from: Patrick M. Hausen on December 04, 2023, 12:05:05 PM
Firewall > Rules > WAN

Click on the "+" to add a rule. Add this rule:

Action: allow
Source: any
Destination: WAN address
Destination port: 443

That should be it. I would also go to Firewall > Settings > Advanced and check "Disable anti-lockout". I don't like "magic" things going on without explicit configuration.

Also please start to read the documentation.


As I said in another post... I use a second Ethernet cable that connects to another network adapter on OPNsense. So just call it WAN2... <---- WAN2 comes from a Raspberry that runs WireGuard VPN as a client. This is done because I am behind NAT... With this solution I already bypass CGNAT.


So I have to go to Firewall > Rules > WAN2 instead of WAN to open TCP 443, right?


Do I need to go to Firewall > NAT > Port forward to open TCP port 443?



FWIW, I use a Wireguard connection to my OPNsense server and connect using that - I can then access the LAN interface for full management of the firewall if I need to. That seems to me to be the simplest solution to this problem.
Regards


Bill

Quote from: phoenix on December 06, 2023, 11:00:21 AM
FWIW, I use a Wireguard connection to my OPNsense server and connect using that - I can then access the LAN interface for full management of the firewall if I need to. That seems to me to be the simplest solution to this problem.

What does FWIW mean?

Do you run a WireGuard client to OPNsense and a WireGuard server on a VPS? Would you like to explain the setup? I want to do the same as yours.

Do you have incoming traffic to opnsense?


FWIW, means For What It's Worth (i.e. just my opinion). :)

There's a page that describes how to install Wireguard on OPNsense here: https://docs.opnsense.org/manual/how-tos/wireguard-client.html

Follow those instructions and then set-up a wireguard client on your mobile phone or your home PC or whatever you use then connect to OPNsense and you'll have full access to the LAN and the web interface to OPNsense on your LAN IP.

It's not really that difficult to get running and yes, I have incoming traffic to my internal servers.
Regards


Bill

BTW, there are plenty of other sites that have details of how to install and use Wireguard, take a look at some of those sites here: https://www.startpage.com/do/dsearch?query=%22how+to%22+install+wireguard+on+OPNsense
Regards


Bill

Quote from: phoenix on December 06, 2023, 11:18:14 AM
FWIW, means For What It's Worth (i.e. just my opinion). :)

There's a page that describes how to install Wireguard on OPNsense here: https://docs.opnsense.org/manual/how-tos/wireguard-client.html

Follow those instructions and then set-up a wireguard client on your mobile phone or your home PC or whatever you use then connect to OPNsense and you'll have full access to the LAN and the web interface to OPNsense on your LAN IP.

It's not really that difficult to get running and yes, I have incoming traffic to my internal servers.

Thank you for reply

Are you behind CGNAT? Do you know what CGNAT is?


With the above setup, are you able to port forward from OPNsense and bypass CGNAT?



CGNAT can not be bypassed.

You might want to check out zerotier for your VPN needs when the public side of the opnsense is unreachable.
Alternatively, you should have a public IPv6 which should be reachable.

Anyway you should not expose the admin interface of your opnsense or any other firewall to the internet.

I think there are always problems with the translation here too, making it so hard to understand...
"Bypassing" is the wrong word, I think he only wants to achieve that he can access OPNsense services via WAN.
As said, this can be done easily by v6, but this is not "bypassing", it is just using another protocol...
i am not an expert... just trying to help...

Quote from: bimbar on December 06, 2023, 12:31:26 PM
CGNAT can not be bypassed.

You might want to check out zerotier for your VPN needs when the public side of the opnsense is unreachable.
Alternatively, you should have a public IPv6 which should be reachable.

Anyway you should not expose the admin interface of your opnsense or any other firewall to the internet.

Wrong... With my setup I have a public IP from the VPN; with the old firewall I had incoming traffic to the firewall and port forwarding. With IPv4 from the ISP I couldn't have port forwarding and a public IP.

I want to do the same with OPNsense. I am going to find information about zerotier.

Quote from: tiermutter on December 06, 2023, 12:42:07 PM
I think there are always problems with the translation here too, making it so hard to understand...
"Bypassing" is the wrong word, I think he only wants to achieve that he can access OPNsense services via WAN.
As said, this can be done easily by v6, but this is not "bypassing", it is just using another protocol...

OK, it is not bypassing. I read the same word in other forums. I don't have IPv6. Do you have any other solution?

"have not" could mean that v6 is not activated, but does not mean that your provider will not provide v6. ;)
Sure your provider will not provide v6?
i am not an expert... just trying to help...