External access to opnsense GUI

Started by guest14791, November 04, 2016, 03:24:13 AM

Hey all,

New opnsense user here.  I have it mostly the way I want, but ran into one thing that I can't solve yet.  I want external access to the GUI.  I am running HTTPS on 444.  So, I made a WAN rule to pass TCP traffic on 444 to the WAN interface, but that doesn't seem to take care of it.  Looking for assistance as to what I am missing.

Thanks

My suggestion would be to never open the firewall UI directly to the internet, it's not safe or secure and not good practice. Use a VPN and you can connect to the firewall via its LAN IP address.
Regards


Bill

Dig an openVPN/IPsec tunnel to your box and do the service via the tunnel. Anything else is not state-of-the-art.
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

So, is it not possible?  I have a dedicated set of IPs it will be open to, not the world.

If those IP's are not on a WAN, don't use the WAN interface to connect to them (use an OPT interface). If they are on the public internet, you open up attacks through source IP spoofing.

As mentioned in this thread, firewalls risk being compromised if traffic is mixed. In a high security environment you would separate production traffic from firewall management traffic by VLAN.

Bart...

OK, never mind. Knew it was probably a waste of time to ask a simple question on a "support" forum these days. Instead, I get an ideological response. Thanks.

Quote from: prez on November 05, 2016, 03:50:40 PM
OK, never mind. Knew it was probably a waste of time to ask a simple question on a "support" forum these days. Instead, I get an ideological response. Thanks.
It's not an 'ideological' response, it's the correct response to that specific question. You phrased it poorly to start with by not giving the full details of what you were trying to do and, IIRC, this question has been asked and answered before on these forums. If you think the response you've been given is poor then search first.
Regards


Bill

1: I did search, but could not find a thread with a response.
2: Not sure how my question is poor. It pretty specifically talks about WAN access to the UI. Can you please educate me?
3: When the responses specifically do not answer the question but instead try to tell me what I want to do (because it's better!), it's an ideological response. I didn't ask about VPN access to hit the interface from the inside.

The only reason we are at this point, is because nobody wanted to provide a simple response to a simple question.  Why is that so difficult?

If the web interface is bound to an internal LAN IP address, a NAT rule is required.

Thanks Fabian, I'll look at the NAT rules to see if I am missing something there.

Quote from: prez on November 05, 2016, 04:06:56 PM
2: Not sure how my question is poor. It pretty specifically talks about WAN access to the UI. Can you please educate me?

For sure, we can try. But quite sure you won't listen anyway.
You asked a question not about how to properly use this product, you asked how you can break a security measure taken in this firewall. It's kinda like asking in a GM forum how to disable the ABS of your new Corvette C7. And for sure you won't get the answer you wanted - as long as you do not provide a very good explanation why you want to do that. Exposing the GUI of a firewall to the Internet should be the last resort to achieve something.

Let's please focus on helping, suspending judgement for good measure. :)

Maybe setting the Firewall: Settings: Advanced option "Disable reply-to on WAN rules" helps here too.

A little late but...
You didn't specify if you have a certificate, but anyway:
a) I installed my certificate (and its bundle)
b) configured the web gui to use such certificate
c) configured the web gui to listen to some port
d) created a rule on WAN interface:
WAN interface
any Source
Destination WAN address
from selected port to same port
Redirect target IP    127.0.0.1
Redirect target port   configured port (could be different for security. Don't use any known port for the "from" part)
Use a good description to remind you that it's not recommended to open management to the outside

Regards


Quote from: prez on November 04, 2016, 03:24:13 AM
Hey all,

New opnsense user here.  I have it mostly the way I want, but ran into one thing that I can't solve yet.  I want external access to the GUI.  I am running HTTPS on 444.  So, I made a WAN rule to pass TCP traffic on 444 to the WAN interface, but that doesn't seem to take care of it.  Looking for assistance as to what I am missing.

Thanks

Here's what I have in my wiki, from my setup recipe, about how to do this.

Remote admin

Listen on port 10443

   Set listening port to 10443 (from default 443), 'cause most clients use 443 for something internal
    System --> Settings --> Administration
<Skip all the other settings>
TCP Port: 10443
Disable Port 80 redirect: < X >
Scroll down and click "Save" (button)


Create Additional Admin user

    System --> Access --> Users
    click on "+" button to "add user"

Disabled < >
username: Admin
password: Whatever it is
          type it again
Full Name: Second Admin User
E-mail:
Comment:
Preferred landing Page: index.php
Language: Default
Login Shell: /sbin/nologin
Expiration Date:
Group Membership:
   Not a member of     Member Of
    < >                admins
Certificate:
OTP Seed:
Authorized Keys:
IPsec Pre-Shared Key:

Save and go back (button)


Create Firewall Alias

    Add external hosts for remote admin
    Firewall --> Aliases --> "+" (button)
Name: remote_admin  (note limits on naming – no spaces)
Descriptions: Auth remote admin locations
Type: Hosts or Ports
Aliases: 111.222.222.111
        111.222.222.112
        name.bogus.tld

Apply (button)


Create WAN Firewall Rule

    Firewall -> Rules -> WAN
    Create Rule ('+' button labelled 'add new rule')
Create rule
Action: pass
Disabled: < > Disable this rule
Interface: WAN
TCP/IP Version: IPv4
Protocol: any
Source / Invert: < >
Source: remote_admin  (put your alias here)
Source: [Advanced]
Destination / Invert: < >
Destination:  This Firewall
Destination port range:
    from: any    to: any
Log: < > Log packets that are handled by this rule
Category:
Description: RRTI BISI remote admin
Advanced features
Source OS: any
No XMLRPC Sync: < >
Schedule: none
Gateway: default
Advanced Options: [show/Hide]

Save button
Apply Button
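The two mechanisms the last two posts describe, a NAT redirect from the WAN address to the GUI bound on 127.0.0.1 (Frederik's steps a-d) and a WAN pass rule whose source is an alias of permitted admin hosts instead of "any" (the recipe above), modeled as a small first-match evaluator. This is an added illustration, not code from the thread or from OPNsense; the WAN address, the alias contents and the sample packets are constructed values, and `Packet`, `Rule`, `nat_redirect` and `evaluate` are names chosen for this example.

```python
"""Toy model of the WAN-side management rules discussed above (added example,
not OPNsense code). NAT redirect runs before filtering, as pf does, and the
filter is default-deny, as the WAN interface is. All values are constructed."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

WAN_ADDRESS = "203.0.113.10"   # constructed WAN IP (documentation range)
GUI_PORT = 10443               # GUI listening port chosen in the recipe

# Firewall alias: hosts allowed to reach the GUI (constructed; IP entries only,
# hostname entries would need DNS resolution and are not modeled here).
ALIASES = {
    "remote_admin": ["198.51.100.5", "198.51.100.0/29"],
}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    action: str            # "pass" or "block"
    src: str               # alias name, address/CIDR, or "any"
    dst: str               # "this_firewall" or "any"
    dport: Optional[int]   # None means any destination port
    proto: str = "any"


def src_matches(spec: str, ip: str) -> bool:
    """Resolve an alias name (or a literal address/CIDR) and test membership."""
    if spec == "any":
        return True
    addr = ip_address(ip)
    return any(addr in ip_network(entry, strict=False)
               for entry in ALIASES.get(spec, [spec]))


def nat_redirect(pkt: Packet) -> Packet:
    """Port-forward WAN_ADDRESS:GUI_PORT to the GUI listening on loopback."""
    if pkt.dst == WAN_ADDRESS and pkt.dport == GUI_PORT and pkt.proto == "tcp":
        return Packet(pkt.src, "127.0.0.1", GUI_PORT, pkt.proto)
    return pkt


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule wins; nothing matching means block (WAN default)."""
    firewall_ips = {WAN_ADDRESS, "127.0.0.1"}   # what "This Firewall" covers here
    for r in rules:
        if r.proto not in ("any", pkt.proto):
            continue
        if not src_matches(r.src, pkt.src):
            continue
        if r.dst == "this_firewall" and pkt.dst not in firewall_ips:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return "block"


# The recipe's rule: source restricted to the alias, destination this firewall.
WAN_RULES = [Rule("pass", "remote_admin", "this_firewall", GUI_PORT, "tcp")]

# The original poster's attempt for comparison: any source on the GUI port.
OPEN_TO_WORLD = [Rule("pass", "any", "this_firewall", GUI_PORT, "tcp")]


def decide(rules, pkt: Packet) -> str:
    """NAT first, then filter, as a WAN-bound packet is processed."""
    return evaluate(rules, nat_redirect(pkt))


if __name__ == "__main__":
    for src in ("198.51.100.5", "198.51.100.3", "192.0.2.77"):
        p = Packet(src, WAN_ADDRESS, GUI_PORT)
        print(src, "alias rule:", decide(WAN_RULES, p),
              "| any-source rule:", decide(OPEN_TO_WORLD, p))
```

Note that the alias only narrows which source addresses are accepted; as Bart points out earlier in the thread, a source IP is not an authenticator, which is why the VPN route is the one the other replies recommend.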


Clicking "Disable reply-to on WAN rules" in Firewall -> Settings -> Advanced is a must in some setups to be able to access the web interface and SSH interface from an external source. You need to disable any other firewall rules as well and add firewall rules to allow any traffic through the WAN. The answer from BISI Sysadmin is the most complete but doesn't work on OPNsense in newer versions running VLANs.
BTW, on some VLAN configs using OPNsense for an edge router, a specific VLAN is used as the internet and sent directly to all servers connected.