Cannot access Web GUI through a VLAN

Started by danieldk, November 03, 2024, 12:01:07 PM

November 03, 2024, 12:01:07 PM Last Edit: November 03, 2024, 12:06:04 PM by danieldk
Setup:


  • OPNsense 24.10_7
  • Created a VLAN 100
  • Created an assignment called LANVLAN with IP address 192.168.43.1.
  • Added firewall rules for LANVLAN from the LANVLAN net to anywhere.
  • Set up the DHCP server for LANVLAN.

Also important: the Web GUI is set to listen on all interfaces.

A client on the VLAN gets an IP address. The firewall rules also work - I can access external hosts through the WAN. I can also SSH into the OPNsense router, etc. I cannot access the Web UI through a web browser: nothing happens until it times out. Now the fun part:


~ % curl -v http://192.168.43.1/
*   Trying 192.168.43.1:80...
* Connected to 192.168.43.1 (192.168.43.1) port 80
> GET / HTTP/1.1
> Host: 192.168.43.1
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 301 Moved Permanently
< Location: https://192.168.43.1/
< Content-Length: 0
< Date: Sun, 03 Nov 2024 10:54:48 GMT
< Server: OPNsense
<
* Connection #0 to host 192.168.43.1 left intact


As you can see, connections to the HTTP port work and as expected, the client is redirected to HTTPS. But then:


~ % curl -v https://192.168.43.1/
*   Trying 192.168.43.1:443...
* Connected to 192.168.43.1 (192.168.43.1) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* Recv failure: Connection reset by peer
* LibreSSL/3.3.6: error:02FFF036:system library:func(4095):Connection reset by peer
* Closing connection
curl: (35) Recv failure: Connection reset by peer


Just hangs until it times out. So the connection is dropped. There is no firewall rule blocking it, it seems that the WebUI itself is dropping the connection. This can be confirmed by changing the WebGUI to use HTTP rather than HTTPS in the Administration settings (remember that HTTP works, see above). So, rather than getting a redirect, we now expect to get the login page. However:


~ % curl -v http://192.168.43.1/
*   Trying 192.168.43.1:80...
* Connected to 192.168.43.1 (192.168.43.1) port 80
> GET / HTTP/1.1
> Host: 192.168.43.1
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
* Recv failure: Connection reset by peer
* Closing connection
curl: (56) Recv failure: Connection reset by peer


Given that HTTP worked before setting the Web UI to HTTP, it seems like the Web UI itself is dropping connections coming from the VLAN?

Figured out the issue. I was testing with macOS' VLAN support. Turns out it is just very broken; I think it was something in the TLS connection that caused the failure (maybe related to MTU size?). There were also other ways the connection would get dropped. For instance, SSHing into OpenWrt and then running top would often also break the connection. Tested now with a switch with VLAN tagging and it works as expected.
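The diagnosis above boils down to one distinction: the TCP connect succeeds (so no firewall rule is dropping or rejecting the SYN), but the connection is reset once a larger exchange is attempted (a TLS ClientHello, or a full login page instead of an empty 301). The following is an added example, not code from the original post or from OPNsense: a small Python probe that opens a TCP connection, sends an HTTP-shaped request of a chosen size, and classifies the outcome as refused, timeout, reset, closed or ok, then sweeps request sizes to find the largest one that still gets an answer. So that it runs offline, it embeds a constructed test server that replies to small requests and resets larger ones, standing in for a path that loses traffic above some size; the threshold, the host and port, the class and function names and the X-Pad header are all assumptions made for the example.

```python
import socket
import struct
import threading


def classify_connection(host, port, payload, timeout=3.0):
    """Connect, send payload, read one reply, and say what happened.

    'refused' - SYN answered with RST: nothing listening, or a firewall reject
    'timeout' - no SYN/ACK, or no reply at all: a firewall drop or a black hole
    'reset'   - connect worked but the peer reset after we sent data
    'closed'  - peer closed cleanly without sending anything
    'ok'      - we got a reply
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "refused"
    except socket.timeout:
        s.close()
        return "timeout"
    try:
        s.sendall(payload)
        data = s.recv(4096)
    except (ConnectionResetError, BrokenPipeError):
        return "reset"
    except socket.timeout:
        return "timeout"
    finally:
        s.close()
    return "ok" if data else "closed"


def sweep(host, port, pad_sizes):
    """Send HTTP-shaped requests with growing padding; map size -> outcome."""
    results = {}
    for n in pad_sizes:
        # Looks like the GET curl sends, padded so only the size changes
        payload = (b"GET / HTTP/1.1\r\nHost: probe\r\nX-Pad: "
                   + b"a" * n + b"\r\n\r\n")
        results[n] = classify_connection(host, port, payload)
    return results


def largest_working_size(results):
    """Largest padding that still got a reply, or None if none did."""
    ok = [n for n, outcome in results.items() if outcome == "ok"]
    return max(ok) if ok else None


def free_port():
    """A loopback port nobody listens on (used to show the 'refused' case)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


class ResetAboveThreshold(threading.Thread):
    """Constructed test server (assumption, not OPNsense's web server).

    Requests up to `threshold` bytes get a 301 like the one in the post;
    anything bigger is answered with a TCP RST, mimicking a path that
    breaks once packets exceed some size.
    """

    def __init__(self, threshold):
        super().__init__(daemon=True)
        self.threshold = threshold
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            with conn:
                buf = b""
                while b"\r\n\r\n" not in buf:  # read one full HTTP request
                    chunk = conn.recv(65536)
                    if not chunk:
                        break
                    buf += chunk
                if len(buf) <= self.threshold:
                    conn.sendall(b"HTTP/1.1 301 Moved Permanently\r\n"
                                 b"Location: https://probe/\r\n"
                                 b"Content-Length: 0\r\n\r\n")
                else:
                    # SO_LINGER with a zero timeout makes close() send RST, not FIN
                    conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                                    struct.pack("ii", 1, 0))


if __name__ == "__main__":
    srv = ResetAboveThreshold(threshold=1200)
    srv.start()
    outcome = sweep("127.0.0.1", srv.port, [100, 1000, 1400, 3000])
    for n, o in outcome.items():
        print(f"pad {n:5d}: {o}")
    print("largest working pad:", largest_working_size(outcome))
    print("nothing listening:", classify_connection("127.0.0.1", free_port(), b"x"))
```

Against a real box you would point `sweep` at the firewall's VLAN address and port 80 with the GUI temporarily on HTTP, as the post did: a "refused" or "timeout" on every size points at a firewall rule, while "ok" for small sizes turning into "reset" above some size points at the path (a VLAN driver or MTU problem) rather than at the web server.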