Author Topic: External access to opnsense GUI  (Read 12425 times)

guest14791

  • Guest
External access to opnsense GUI
« on: November 04, 2016, 03:24:13 am »
Hey all,

New opnsense user here.  I have it mostly the way I want, but ran into one thing that I can't solve yet.  I want external access to the GUI.  I am running HTTPS on 444.  So, I made a WAN rule to pass TCP traffic on 444 to the WAN interface, but that doesn't seem to take care of it.  Looking for assistance as to what I am missing.

Thanks
Logged

phoenix

  • Sr. Member
Re: External access to opnsense GUI
« Reply #1 on: November 04, 2016, 07:55:42 am »
My suggestion would be to never open the firewall UI directly to the internet, it's not safe or secure and not good practice. Use a VPN and you can connect to the firewall via its LAN IP address.
Logged
Regards


Bill

chemlud

  • Hero Member
Re: External access to opnsense GUI
« Reply #2 on: November 04, 2016, 09:09:23 am »
Dig an openVPN/IPsec tunnel to your box and do the service via the tunnel. Anything else is not state-of-the-art.
Logged
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

guest14791

  • Guest
Re: External access to opnsense GUI
« Reply #3 on: November 04, 2016, 11:22:50 pm »
So, is it not possible?  I have a dedicated set of IPs it will be open to, not the world.
Logged

bartjsmit

  • Hero Member
Re: External access to opnsense GUI
« Reply #4 on: November 05, 2016, 11:02:09 am »
If those IPs are not on a WAN, don't use the WAN interface to connect to them (use an OPT interface). If they are on the public internet, you open up attacks through source IP spoofing.

As mentioned in this thread, firewalls risk being compromised if traffic is mixed. In a high security environment you would separate production traffic from firewall management traffic by VLAN.

Bart...
Logged

guest14791

  • Guest
Re: External access to opnsense GUI
« Reply #5 on: November 05, 2016, 03:50:40 pm »
OK, never mind.  Knew it was probably a waste of time to ask a simple question on a "support" forum these days.  Instead, I get an ideological response. Thanks.
Logged

phoenix

  • Sr. Member
Re: External access to opnsense GUI
« Reply #6 on: November 05, 2016, 03:55:15 pm »
Quote from: prez on November 05, 2016, 03:50:40 pm
OK, never mind.  Knew it was probably a waste of time to ask a simple question on a "support" forum these days.  Instead, I get an ideological response. Thanks.
It's not an 'ideological' response, it's the correct response to that specific question. You phrased it poorly to start with by not giving the full details of what you were trying to do and, IIRC, this question has been asked and answered before on these forums. If you think the response you've been given is poor then search first.
Logged
Regards


Bill

guest14791

  • Guest
Re: External access to opnsense GUI
« Reply #7 on: November 05, 2016, 04:06:56 pm »
1: I did search, but could not find a thread with a response.
2: Not sure how my question is poor.  It pretty specifically talks about WAN access to the UI. Can you please educate me?
3: When the responses specifically do not answer the question but instead try to tell me what I want to do (because it's better!), it's an ideological response.  I didn't ask about VPN access to hit the interface from the inside.

The only reason we are at this point, is because nobody wanted to provide a simple response to a simple question.  Why is that so difficult?
Logged

fabian

  • Hero Member
  • OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: External access to opnsense GUI
« Reply #8 on: November 05, 2016, 04:27:11 pm »
If the web interface is bound to an internal LAN IP address, a NAT rule is required.
Logged

guest14791

  • Guest
Re: External access to opnsense GUI
« Reply #9 on: November 05, 2016, 04:43:13 pm »
Thanks Fabian,  I'll look at the NAT rules to see if I am missing something there. 
Logged

Zeitkind

  • Full Member
Re: External access to opnsense GUI
« Reply #10 on: November 06, 2016, 03:11:12 am »
Quote from: prez on November 05, 2016, 04:06:56 pm
2: Not sure how my question is poor.  It pretty specifically talks about WAN access to the UI. Can you please educate me?

For sure, we can try. But quite sure you won't listen anyway.
You asked a question not about how to properly use this product, you asked how you can break a security measure taken in this firewall. It's kinda like asking in a GM forum how to disable the ABS of your new Corvette C7. And for sure you won't get the answer you wanted  - as long as you do not provide a very good explanation why you want to do that. Exposing the GUI of a firewall to the Internet should be the last resort to achieve something.
Logged

franco

  • Administrator
  • Hero Member
Re: External access to opnsense GUI
« Reply #11 on: November 07, 2016, 07:49:18 am »
Let's please focus on helping, suspending judgement for good measure. :)

Maybe setting Firewall: Settings: Advanced option "Disable reply-to on WAN rules" helps here too.
Logged

Alvaro C

  • Newbie
Re: External access to opnsense GUI
« Reply #12 on: July 10, 2018, 07:19:29 pm »
A little late but...
You didn't specify if you have a certificate, but anyway:
a) I installed my certificate (and its bundle)
b) configured the web gui to use such certificate
c) configured the web gui to listen to some port
d) created a rule on WAN interface:
WAN interface
any Source
Destination WAN address
from selected port to same port
Redirect target IP    127.0.0.1
Redirect target port   configured port (could be different for security. Don't use any known port for the "from" part)
Use a good description to remind you that it's not recommended to open management to the outside

Regards

Logged

BISI Sysadmin

  • Newbie
Re: External access to opnsense GUI
« Reply #13 on: November 30, 2019, 08:25:03 am »
Quote from: prez on November 04, 2016, 03:24:13 am
Hey all,

New opnsense user here.  I have it mostly the way I want, but ran into one thing that I can't solve yet.  I want external access to the GUI.  I am running HTTPS on 444.  So, I made a WAN rule to pass TCP traffic on 444 to the WAN interface, but that doesn't seem to take care of it.  Looking for assistance as to what I am missing.

Thanks

here's what I have in my wiki, from my setup recipe, about how to do this.

Remote admin

Listen on port 10443

   set listening port to 10443 (from default 443), 'cause most clients use 443 for something internal
    System --> Settings --> Administration
Code:
<Skip all the other settings>
TCP Port: 10443
Disable Port 80 redirect: < X >
Scroll down and click "Save" (button)

Create Additional Admin user

    System --> Access --> Users
    click on "+" button to "add user"
Code:
Disabled < >
username: Admin
password: Whatever it is
          type it again
Full Name: Second Admin User
E-mail:
Comment:
Preferred landing Page: index.php
Language: Default
Login Shell: /sbin/nologin
Expiration Date:
Group Membership:
   Not a member of     Member Of
    < >                admins
Certificate:
OTP Seed:
Authorized Keys:
IPsec Pre-Shared Key:

Save and go back (button)

Create Firewall Alias

    Add external hosts for remote admin
    Firewall --> Aliases --> "+" (button)
Code:
Name: remote_admin  (note limits on naming – no spaces)
 Descriptions: Auth remote admin locations
 Type: Hosts or Ports
 Aliases: 111.222.222.111
        111.222.222.112
        name.bogus.tld

Apply (button)

Create WAN Firewall Rule

    Firewall -> Rules -> WAN
    Create Rule ('+' button labelled 'add new rule')
Code:
Create rule
 Action: pass
 Disabled: < > Disable this rule
 Interface: WAN
 TCP/IP Version: IPv4
 Protocol: any
 Source / Invert: < >
 Source: remote_admin  (put your alias here)
 Source: [Advanced]
 Destination / Invert: < >
 Destination:  This Firewall
 Destination port range:
:from: to:
:any any
 Log: < > Log packets that are handled by this rule
 Category:
 Description: RRTI BISI remote admin
 Advanced features
 Source OS: any
 No XMLRPC Sync: < >
 Schedule: none
 Gateway: default
 Advanced Options: [show/Hide]

Save button
Apply Button
Logged
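
As an added example (not part of any post in this thread, and not OPNsense code), a small lint that reports how far a WAN rule aimed at the firewall reaches beyond the GUI port. The rule dictionaries, their key names and `lint_wan_rule` are hypothetical; the sample values are constructed from the fields shown in replies #12 and #13.

```python
# Added example: lint WAN pass rules that expose firewall management.
# The dict keys are a hypothetical model of the GUI fields quoted in the
# thread, not OPNsense's config.xml schema or API.

GUI_PORT = 10443  # listening port from the reply #13 recipe

CHECKS = {
    "SRC_ANY": "source is any: GUI reachable from the whole internet",
    "PROTO_WIDE": "protocol is not TCP: more than HTTPS is admitted",
    "PORT_WIDE": "port range is wider than the GUI port",
    "NO_LOG": "logging off: no record of remote admin connections",
}

def lint_wan_rule(rule, gui_port=GUI_PORT):
    """Return finding codes for an enabled WAN pass rule aimed at the firewall."""
    if (rule.get("action") != "pass" or rule.get("interface") != "WAN"
            or rule.get("disabled")
            or rule.get("destination") not in ("This Firewall", "WAN address")):
        return []  # not a rule that exposes the firewall itself
    found = []
    if rule.get("source", "any") == "any":
        found.append("SRC_ANY")
    if rule.get("protocol", "any") != "TCP":
        found.append("PROTO_WIDE")
    if tuple(rule.get("ports", ("any", "any"))) != (gui_port, gui_port):
        found.append("PORT_WIDE")
    if not rule.get("log"):
        found.append("NO_LOG")
    return found

# Constructed sample rules. RECIPE copies the field values shown in reply #13.
RECIPE = {"action": "pass", "interface": "WAN", "protocol": "any",
          "source": "remote_admin", "destination": "This Firewall",
          "ports": ("any", "any"), "log": False}
# Same alias, narrowed to the GUI port only (constructed variant).
NARROWED = dict(RECIPE, protocol="TCP", ports=(GUI_PORT, GUI_PORT), log=True)
# Any-source rule in the style of reply #12 (port value is constructed).
OPEN = dict(NARROWED, source="any", destination="WAN address", log=False)

if __name__ == "__main__":
    for name, rule in (("recipe", RECIPE), ("narrowed", NARROWED), ("open", OPEN)):
        codes = lint_wan_rule(rule)
        print(name, "->", codes or "ok")
        for code in codes:
            print("   ", CHECKS[code])
```
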

rolfd2i

  • Newbie
Re: External access to opnsense GUI
« Reply #14 on: February 04, 2021, 01:14:18 pm »
Clicking "Disable reply-to on WAN rules" in Firewall -> Settings -> Advanced is a must in some setups to be able to access the web interface and SSH interface from an external source. You need to disable any other Firewall rules as well and add firewall rules to allow any traffic through the WAN. The answer from BISI Sysadmin is the most complete but doesn't work on OPNsense in newer versions running VLANs.
BTW, on some VLAN configs using OPNsense for an edge router, a specific VLAN is used as the internet and sent directly to all servers connected.
Logged
