External access to opnsense GUI

[guest14791]

Hey all,

New opnsense user here.  I have it mostly the way I want, but ran into one thing that I can't solve yet.  I want external access to the GUI.  I am running HTTPS on 444.  So, I made a WAN rule to pass TCP traffic on 444 to the WAN interface, but that doesn't seem to take care of it.  Looking for assistance as to what I am missing.

Thanks

[phoenix]

My suggestion would be to never open the firewall UI directly to the internet, it's not safe or secure and not good practice. Use a VPN and you can connect to the firewall via it's LAN IP address.

[chemlud]

Dig an openVPN/IPsec tunnel to your box and do the service via the tunnel. Anything else is not state-of-the-art.

[guest14791]

So, is it not possible?  I have a dedicated set of IPs it will be open to, not the world.

[bartjsmit]

If those IP's are not on a WAN, don't use the WAN interface to connect to them (use an OPT interface). If they are on the public internet, you open up attacks through source IP spoofing.

As mentioned in this thread, firewalls risk being compromised if traffic is mixed. In a high security environment you would separate production traffic from firewall management traffic by VLAN.

Bart...

[guest14791]

OK, never mind.  Knew it was a probably a waste of time to ask a simple question on a "support" forum these days.  Instead, I get an idealogical response. thanks.

[phoenix]

OK, never mind.  Knew it was a probably a waste of time to ask a simple question on a "support" forum these days.  Instead, I get an idealogical response. thanks.

It's not an 'idealogical' response, it's the correct response to that specific question. You phrased it poorly to start with by not giving the full details of what you were trying to do and, IIRC, this question has been asked and answered before on these forums. If you think the response you've been given is poor then search first.

[guest14791]

1: I did search, but could not find a thread with a response.
2: Not sure how my question is poor.  It pretty specifically talks about WAN access to the UI. Can you please educate me?
3: When the responses specifically do not answer the question but instead try to tell me what I want to do (because it's better!), it's an idealogical response.  I didn't ask about VPN access to hit the interface from the inside.

The only reason we are at this point, is because nobody wanted to provide a simple response to a simple question.  Why is that so difficult?

[fabian]

if the web interface is bound to an internal lan IP address, a NAT rule is required.

[guest14791]

Thanks Fabian,  I'll look at the NAT rules to see if I am missing something there. 

[Zeitkind]

2: Not sure how my question is poor.  It pretty specifically talks about WAN access to the UI. Can you please educate me?

For sure, we can try. But quite sure you won't listen anyway.
You asked a question not about how to properly use this product, you asked how you can break a security measure taken in this firewall. It's kinda like asking in a GM forum how to disable the ABS of your new Corvette C7. And for sure you won't get the answer you wanted  - as long as you do not provide a very good explanation why you want to do that. Exposing the GUI of a firewall to the Internet should be the last resort to achieve something.

[franco]

Let's please focus on helping, suspending judgement for good measure.

Maybe setting Firewall: Settings: Advanced option "

• Disable reply-to on WAN rules" helps here too.

[Alvaro C]

A little late but...
You didn´t specify if you have a certificate, but anyway:
a) I installed my certificate (and its bundle)
b) configured the web gui to use such certificate
c) configured the web gui to listen to some port
d) created a rule on WAN interface:
WAN interface
any Source
Destination WAN address
from selected port to same port
Redirect target IP    127.0.0.1
Redirect target port   configured port (could be different for security. Don´t use any known port for the "from" part)
Use a good description to remind you that it´s not recommended to open management to the outside

Regards

[BISI Sysadmin]

Hey all,

New opnsense user here.  I have it mostly the way I want, but ran into one thing that I can't solve yet.  I want external access to the GUI.  I am running HTTPS on 444.  So, I made a WAN rule to pass TCP traffic on 444 to the WAN interface, but that doesn't seem to take care of it.  Looking for assistance as to what I am missing.

Thanks

here's what I have in my wiki, from my setup recipe, about how to do this.

Remote admin

Listen on port 10443

   set listening port to 10443 (from default 443), 'cause most clients use 443 for something internal
    System --> Settings --> Administration

Code: [Select]

<Skip all the other settings>
TCP Port: 10443
Disable Port 80 redirect: < X >
Scroll down and click "Save" (button)
Create Additional Admin user

    System --> Access --> Users
    click on "+" button to "add user"

Code: [Select]

Disabled < >
username: Admin
password: Whatever it is
          type it again
Full Name: Second Admin User
E-mail:
Comment:
Preferred landing Page: index.php
Language: Default
Login Shell: /sbin/nologin
Expiration Date:
Group Membership:
   Not a member of     Member Of
    < >                admins
Certificate:
OTP Seed:
Authorized Keys:
IPsec Pre-Shared Key:

Save and go back (button)
Create Firewall Alias

    Add external hosts for remote admin
    Firewall --> Aliases --> "+" (button)

Code: [Select]

Name: remote_admin  (note limits on naming – no spaces)
 Descriptions: Auth remote admin locations
 Type: Hosts or Ports
 Aliases: 111.222.222.111
        111.222.222.112
        name.bogus.tld

Apply (button)
Create WAN Firewall Rule

    Firewall -> Rules -> WAN
    Create Rule ('+' button labelled 'add new rule')

Code: [Select]

Create rule
 Action: pass
 Disabled: < > Disable this rule
 Interface: WAN
 TCP/IP Version: IPv4
 Protocol: any
 Source / Invert: < >
 Source: remote_admin  (put your alias here)
 Source: [Advanced]
 Destination / Invert: < >
 Destination:  This Firewall
 Destination port range:
:from: to:
:any any
 Log: < > Log packets that are handled by this rule
 Category:
 Description: RRTI BISI remote admin
 Advanced features
 Source OS: any
 No XMLRPC Sync: < >
 Schedule: none
 Gateway: default
 Advanced Options: [show/Hide]

Save button
Apply Button

[rolfd2i]

Clicking "Disable reply-to on Wan rules" in Firewall -> Settings -> Advanced is a must in some setups to get be able to access the webinterface and SSH interface from an external source. You need to disable any other Firewall rules as well and add firewall rules to allow any traffic through the WAN. The answer from BISI Sysadmin is the most complete but doesn't work on OPNsense in newer versions running vlans.
BTW, on some VLAN configs using OPNsense for an edge router, a specific VLAN is used as the internet and sent directly to all servers connected.