WebGUI accessible on WAN interface

Started by oroel, December 03, 2016, 12:08:26 PM

My OPNsense FW is behind a cable modem. I'd like to enable VPN to access my home network and therefore turned the modem into "bridge mode" (my provider is Kabel Deutschland, btw). After doing that I can access the WebGUI of my OPNsense firewall from outside. Why is that? My understanding is that OPNsense doesn't allow connections to the WebGUI on the WAN interface.

I've tried to find a setting for disabling access to the WebGUI, but didn't find any. Do I need to set up firewall rules for blocking? Is the anti-lockout rule in the NAT settings the culprit for that behavior?

Uhm, is the VPN connected and you enter the IP of the LAN interface? Or really the IP of the WAN interface?

Unplug the cable modem and connect WAN to a machine with DHCP enabled, wait till an IP is handed out and try to reach the OPNsense from WAN...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

A better way to try it is by using a smartphone (just enter the public IP of the firewall when you are not connected via a wireless LAN), because you will see how it works from the public internet (maybe it is not even the same provider).

Thank you for the quick responses! And sorry for being a bit slow, family got my full attention this weekend.

@chemlud

No, VPN isn't set up yet. I'm accessing the WebGUI with the public IP address provided by Kabel Deutschland.

@fabian

The WebGUI is also accessible via smartphone from a different provider.

The built-in webserver should, in my understanding, listen for connections on the LAN (e.g. 10.0.0.1:403) but not on the WAN interface. But it seems to listen on all (0.0.0.0:403) interfaces.

I am very willing to accept that I misconfigured the firewall, but since I didn't do a lot of configuration work I am stuck.

Save config -> fresh install -> look if GUI on WAN -> import config -> look if GUI on WAN ;-)

Something along this line?
kind regards
chemlud

No, not again! :-)

This is a fresh install and I am a bit unwilling to pull my appliance off the wall, unscrew everything, plug in the serial cable and an SD card, do a fresh install and do all the steps in reverse, just to figure out that I fell into the trap of the standard call-center question "did you reset everything?" again. The "reset everything" may help, but it doesn't answer the question why I see the login screen.

So, before I start thinking about the reset, am I the only one who sees the login screen on the WAN interface? And is there a setting to disallow this behavior?

The default config works like this:

If you only have one interface, namely WAN, everything is open, which makes sense, because you only have one way of access.

If you only have one interface, namely LAN, everything is open, see above.

If there is a WAN and LAN, WAN will block by firewall default *and* by bogons/private networks.

What's the current interface setup (how many + names)?


Cheers,
Franco

December 05, 2016, 05:54:58 PM #7 Last Edit: December 05, 2016, 06:01:03 PM by oroel
I've LAN and WAN interfaces and the "Block private networks" rule is active on the WAN.

To be more specific:

The WAN has two rules:
  * Block private networks
  * Block bogon networks

The LAN has following rules:
  * Anti-Lockout Rule
  * Default allow LAN to any rule
  * Default allow LAN IPv6 to any rule

And there is also NAT active:
  * Anti-Lockout Rule on the LAN Interface

Same issue with a clean install of OPNsense 17.1-amd64. (I am very tempted to use !!!!!!111!)

This looks like a fat ugly bug to me, since the WAN interface explicitly has the "Block private networks" flag set.

I am wondering if the bug is in my understanding of the flag and reaching the login screen from outside is a wanted feature. I also seem to be the only one stumbling across this issue. Can someone please explain to me if this is expected behavior of the firewall, to show a login screen to the public? And what can be done to block this?

This is not an issue if you think that OPNsense is used to face an ISP.

If you have private ranges on your WAN and want to access the web GUI, simply do:

o disable block private networks
o Allow TCP port 443 from any source to WAN address


This should be it, no NAT required...


Cheers,
Franco
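To make Franco's two points concrete (the default rule set he describes in his earlier reply, and the two-step recipe just above for opening the GUI on WAN), here is an added toy model written for this thread in Python. It is not OPNsense's packet filter and not code from the project or from anyone in the thread; the WAN/LAN addresses, the LAN subnet, the small bogon subset and the rule ordering are constructed assumptions. It models the one property that matters here: first matching rule wins, and an inbound packet that matches no rule is dropped.

```python
"""Toy first-match model of the OPNsense default rule set from this thread.

Constructed for illustration only (not OPNsense's actual filter engine).
Assumptions: WAN address 203.0.113.10, LAN address 10.0.0.1 on 10.0.0.0/24,
and a tiny hand-picked bogon subset instead of the downloaded bogon list.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address

# "Block private networks" matches RFC 1918 *source* addresses only.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed subset of a bogon list; the real list is much longer.
BOGONS = [ipaddress.ip_network(n) for n in
          ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


@dataclass
class Rule:
    name: str
    action: str                          # "pass" or "block"
    src: Optional[List[IPNet]] = None    # None = any source
    dst: Optional[IPAddr] = None         # None = any destination
    dports: Optional[List[int]] = None   # None = any TCP port

    def matches(self, src: IPAddr, dst: IPAddr, dport: int) -> bool:
        if self.src is not None and not any(src in n for n in self.src):
            return False
        if self.dst is not None and dst != self.dst:
            return False
        if self.dports is not None and dport not in self.dports:
            return False
        return True


@dataclass
class Interface:
    name: str
    address: IPAddr
    rules: List[Rule] = field(default_factory=list)


def evaluate(iface: Interface, src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return (action, rule name) for an inbound TCP packet on this interface.
    No match means the packet is dropped: the default-deny behaviour."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in iface.rules:
        if rule.matches(s, d, dport):
            return rule.action, rule.name
    return "block", "default deny"


def default_install(wan_ip: str = "203.0.113.10", lan_ip: str = "10.0.0.1",
                    lan_net: str = "10.0.0.0/24") -> Tuple[Interface, Interface]:
    """The rule set listed in the thread for a fresh WAN+LAN install (assumed addresses)."""
    wan = Interface("WAN", ipaddress.ip_address(wan_ip), [
        Rule("Block private networks", "block", src=RFC1918),
        Rule("Block bogon networks", "block", src=BOGONS),
    ])
    lan = Interface("LAN", ipaddress.ip_address(lan_ip), [
        Rule("Anti-Lockout Rule", "pass",
             dst=ipaddress.ip_address(lan_ip), dports=[80, 443]),
        Rule("Default allow LAN to any rule", "pass",
             src=[ipaddress.ip_network(lan_net)]),
    ])
    return wan, lan


def expose_gui_on_wan(wan: Interface) -> Interface:
    """Franco's recipe: drop 'Block private networks' and pass TCP/443 to the WAN address."""
    rules = [r for r in wan.rules if r.name != "Block private networks"]
    rules.append(Rule("Allow TCP 443 to WAN address", "pass",
                      dst=wan.address, dports=[443]))
    return Interface(wan.name, wan.address, rules)


if __name__ == "__main__":
    wan, lan = default_install()
    for iface, src, dst in ((wan, "198.51.100.7", "203.0.113.10"),   # internet client
                            (wan, "192.168.1.5", "203.0.113.10"),    # private source
                            (lan, "10.0.0.42", "10.0.0.1")):         # LAN client
        print(f"{iface.name}: {src} -> {dst}:443 => {evaluate(iface, src, dst, 443)}")
    opened = expose_gui_on_wan(wan)
    print("after recipe:", evaluate(opened, "198.51.100.7", "203.0.113.10", 443))
```

Two things the model makes visible: on the default rule set a public client hitting the WAN address on 443 never matches a pass rule and falls through to default deny, so the rule list posted in the thread does not by itself explain the login screen; and "Block private networks" only matches RFC 1918 source addresses, so it is not what keeps internet clients out (default deny is), which is why toggling it neither causes nor fixes the reported behaviour.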

Quote from: franco on February 05, 2017, 08:03:13 PM
If you have private ranges on your WAN and want to access the web GUI, simply do:

Thank you for your quick response. If I understand you correctly, you describe a way to access the WebGUI from outside. But my question is how do I block the WebGUI from being accessible from the rest of the world. And I would say that this also should be the standard behavior of a firewall: not to be available on the WAN interface (unless you are using a VPN).

Not sure how you manage that, you can't access the GUI from WAN with a LAN in place unless you specify it.

There's a VPN tunnel mentioned, are you connecting via VPN when this happens? What VPN type? OpenVPN on port 443?

Franco, I can access the WebGui from the WAN interface without VPN.

And that is a bug in my opinion, since the OPNsense is a fresh setup without any settings modifications from my side. Is there any way to block the web GUI from being accessible from WAN?

pfSense does the same thing on a default login, it's the "anti-lockout rule". I'm not sure about OPNsense, but in pfSense you can remove it in the advanced menu under admin access. Alternatively, if you set up any port forwarding for port 80 it will disable the GUI access from WAN by default.