External access to opnsense GUI

[prez]

Hey all,

New opnsense user here.  I have it mostly the way I want, but ran into one thing that I can't solve yet.  I want external access to the GUI.  I am running HTTPS on 444.  So, I made a WAN rule to pass TCP traffic on 444 to the WAN interface, but that doesn't seem to take care of it.  Looking for assistance as to what I am missing.

Thanks

[phoenix]

My suggestion would be to never open the firewall UI directly to the internet, it's not safe or secure and not good practice. Use a VPN and you can connect to the firewall via it's LAN IP address.

[chemlud]

Dig an openVPN/IPsec tunnel to your box and do the service via the tunnel. Anything else is not state-of-the-art.

[prez]

So, is it not possible?  I have a dedicated set of IPs it will be open to, not the world.

[bartjsmit]

If those IP's are not on a WAN, don't use the WAN interface to connect to them (use an OPT interface). If they are on the public internet, you open up attacks through source IP spoofing.

As mentioned in this thread, firewalls risk being compromised if traffic is mixed. In a high security environment you would separate production traffic from firewall management traffic by VLAN.

Bart...

[prez]

OK, never mind.  Knew it was a probably a waste of time to ask a simple question on a "support" forum these days.  Instead, I get an idealogical response. thanks.

[phoenix]

OK, never mind.  Knew it was a probably a waste of time to ask a simple question on a "support" forum these days.  Instead, I get an idealogical response. thanks.

It's not an 'idealogical' response, it's the correct response to that specific question. You phrased it poorly to start with by not giving the full details of what you were trying to do and, IIRC, this question has been asked and answered before on these forums. If you think the response you've been given is poor then search first.

[prez]

1: I did search, but could not find a thread with a response.
2: Not sure how my question is poor.  It pretty specifically talks about WAN access to the UI. Can you please educate me?
3: When the responses specifically do not answer the question but instead try to tell me what I want to do (because it's better!), it's an idealogical response.  I didn't ask about VPN access to hit the interface from the inside.

The only reason we are at this point, is because nobody wanted to provide a simple response to a simple question.  Why is that so difficult?

[fabian]

if the web interface is bound to an internal lan IP address, a NAT rule is required.

[prez]

Thanks Fabian,  I'll look at the NAT rules to see if I am missing something there. 

[Zeitkind]

2: Not sure how my question is poor.  It pretty specifically talks about WAN access to the UI. Can you please educate me?

For sure, we can try. But quite sure you won't listen anyway.
You asked a question not about how to properly use this product, you asked how you can break a security measure taken in this firewall. It's kinda like asking in a GM forum how to disable the ABS of your new Corvette C7. And for sure you won't get the answer you wanted  - as long as you do not provide a very good explanation why you want to do that. Exposing the GUI of a firewall to the Internet should be the last resort to achieve something.

[franco]

Let's please focus on helping, suspending judgement for good measure.

Maybe setting Firewall: Settings: Advanced option "

• Disable reply-to on WAN rules" helps here too.

[Alvaro C]

A little late but...
You didn´t specify if you have a certificate, but anyway:
a) I installed my certificate (and its bundle)
b) configured the web gui to use such certificate
c) configured the web gui to listen to some port
d) created a rule on WAN interface:
WAN interface
any Source
Destination WAN address
from selected port to same port
Redirect target IP    127.0.0.1
Redirect target port   configured port (could be different for security. Don´t use any known port for the "from" part)
Use a good description to remind you that it´s not recommended to open management to the outside

Regards