Access Web GUI over WAN - Router-on-a-Stick setup

Started by HarounM, October 10, 2024, 11:57:08 AM

I have just started using OPNsense and I'm having quite the struggle trying to access the GUI over WAN. I'm running OPNsense virtualized inside a Proxmox VM and I'm just planning on using it as a firewall for the other VMs (that are linked to a virtual bridge with no physical interface) and as a WireGuard server for remote access, so no routing at all. My machine has only one NIC and I do not need more, just that single port to link it to my ISP router/modem. My setup is like this:
ISP router/modem (192.168.100.1/24) <--> Proxmox vmbr0 (192.168.133/24) <--> OPNsense WAN (192.168.100.119/24)
                                                                                             |  (same OPNsense VM)
OPNsense LAN (192.168.133.1/24) <--> Proxmox vmbr1 <--> Proxmox VMs (none right now) --------'

I have tried to disable the private network block on the WAN interface and add both NAT port-forwarding and firewall rules to pass all traffic coming from the WAN net to the WAN net, to no avail. Checking the logs, I do see incoming packets that are apparently blocked by a default block firewall rule. And inspecting my WAN pass rule, I notice that it is evaluated but never matched.
How could I solve this problem, as accessing the Web GUI from a VM is not really practical?

If I understand you, you're attempting to hit 192.168.100.119 to log into the GUI and the firewall is disregarding a rule you have to allow management traffic on that interface from your 192.168.133.0 net? Two things:
1. Make sure you're listening on your WAN interface for management: System>Settings>Administration>Listen Interfaces
2. Assuming your rule is set up correctly on your WAN interface (perhaps you could provide the details of your rule), try checking the "Quick" option, which will make sure that rule is evaluated and matched right away.

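To make the "Quick" advice concrete, here is an added example (not code from OPNsense or from anyone in this thread) that models pf's rule-evaluation order: without "quick", the last matching rule wins; a matching "quick" rule decides immediately. The rule set, the packets and the rule labels are constructed for illustration; only the 192.168.100.0/24 net comes from the thread.

```python
# Added example: a small model of pf rule evaluation, showing what "quick" changes.
# Not OPNsense code; rule set, packets and labels are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    action: str              # "pass" or "block"
    iface: str               # interface the rule is attached to
    src: str                 # source CIDR, or "any"
    dport: Optional[int]     # destination port, None = any port
    quick: bool = False      # pf "quick": stop evaluating once this rule matches
    label: str = ""
    evaluations: int = 0     # per-rule counters, like the ones `pfctl -vsr` reports
    matches: int = 0

def matches(rule: Rule, pkt: dict) -> bool:
    if rule.iface != pkt["iface"]:
        return False
    if rule.src != "any" and ip_address(pkt["src"]) not in ip_network(rule.src):
        return False
    return rule.dport is None or rule.dport == pkt["dport"]

def evaluate(rules: list, pkt: dict) -> str:
    """Walk the rules in order as pf does: every rule is evaluated, and the
    LAST matching one decides, unless a matching rule is marked quick."""
    winner = None
    for rule in rules:
        rule.evaluations += 1
        if matches(rule, pkt):
            rule.matches += 1
            winner = rule
            if rule.quick:
                break
    return winner.action if winner else "pass"   # pf's built-in default is pass

def wan_ruleset(quick: bool) -> list:
    """Constructed WAN rule set: a pass rule for the GUI port followed by a
    catch-all block, i.e. a later rule that can override a non-quick pass."""
    return [Rule("pass", "wan", "192.168.100.0/24", 443, quick, "allow GUI from WAN net"),
            Rule("block", "wan", "any", None, False, "block everything else")]

def demo(quick: bool) -> dict:
    rules = wan_ruleset(quick)
    gui_pkt = {"iface": "wan", "src": "192.168.100.50", "dport": 443}   # constructed, on-net
    other_pkt = {"iface": "wan", "src": "10.9.8.7", "dport": 443}       # constructed, off-net
    return {"gui": evaluate(rules, gui_pkt), "other": evaluate(rules, other_pkt),
            "pass_rule_evaluations": rules[0].evaluations, "pass_rule_matches": rules[0].matches}

if __name__ == "__main__":
    print("without quick:", demo(False))   # GUI traffic ends up blocked by the later rule
    print("with quick:   ", demo(True))    # GUI traffic passes; off-net traffic is still blocked
```

The counters also show the difference between a rule that is evaluated and one that actually matches: the off-net packet bumps the pass rule's evaluation count but not its match count, which is the pattern the original post describes.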

Quote from: HarounM on October 10, 2024, 11:57:08 AM
I'm having quite the struggle trying to access the GUI over WAN... My machine has only one NIC ...
How could I solve this problem, as accessing the Web GUI from a VM is not really practical?
Having your GUI exposed over the WAN is a bad idea imo, as doing so means it is exposed to all internet users.
Personally I would use a programmable switch or second NIC to expose your LAN and access the GUI from that, at least during set up.

I'm intrigued and somewhat confused. That would amount to running an entire network (router and hosts) on a single proxmox instance.

BTW, I've only seen the term router-on-a-stick used in the context of VLAN routing where the LAN side is trunked. That doesn't look like what you are trying to do. FWIW, such a router also has a WAN port...
So I'll ignore that part.

Before I dig further, do you mind explaining what you want to achieve functionally?
I understand that you're trying to run a bunch of VMs and hook them up on your network.
I suspect you want to isolate your VMs and the other clients of your network.
What's the threat that concerns you? I'm asking because there might be simpler solutions...

Thank you everyone for your replies. I just wanted to say that I've solved this problem by rebooting the system after applying the rule (saw it on some tutorial and weirdly enough it worked). Just for the sake of learning and sharing knowledge, here is some clarification on my setup:
- By WAN I'm referring to the interface that OPNsense names as that, but in reality it is bound to my ISP router, so it is situated on my main router's LAN, which is why I'm not worried about exposing the GUI.
- I could be mistaken in using the term router-on-a-stick, I've just learned it xD
- I'm not using OPNsense as a router (I don't have anything fancy in my network, nor do I have the appliances that allow me to use it as such). I'm using OPNsense to have an easy way to set up a WireGuard server that would allow me to remotely access my homelab. Plus, my homelab contains malware analysis VMs, so it would be useful to have a firewall controlling them.

I'm no expert on any of this by any means so take the following accordingly.

It looks like you're worried about the VMs getting compromised and "attacking" the rest of your LAN.
Maybe functionality like a DMZ or VLANs are more appropriate solutions.

Since you only have one NIC, it essentially forces you to manage everything from the WAN side, which seems unnatural at best. With the VMs on the LAN side, won't you have to poke holes in the FW just to manage them? Or is console access via the host sufficient?

Anyway, have fun...