[Howto] Enabling the Web GUI / SSH on your management interface

Started by dannyyy, November 23, 2024, 12:03:10 PM

Hi,

I had difficulties enabling remote management (HTTPS / SSH) on a network interface other than LAN.
Most of what I read in the documentation as well as on community forums (e.g. Reddit, OPNsense Forum, ...) gave me wrong advice. The same goes for ChatGPT and any other LLM.

In this example, I use OPT1 as the management interface, but it also works with any other.


  • Go to System -> Settings -> Administration

    • Configure the Web GUI / SSH as you like
    • Make sure that the services bind to the network interface OPT1 (I personally have it temporarily bound to LAN and OPT1 until LAN can be deactivated)
  • Go to Firewall -> Rules -> Floating

    • Adding an interface-bound rule will not work. I haven't found any combination of rule settings that gave me access
    • I only mention the important properties to set. Feel free to adapt them to your needs afterwards
      Action: Pass
      Disabled: no
      Quick: yes
      Interface / Invert: no
      Interface: <empty> (DO NOT SELECT ANY, OTHERWISE IT WON'T WORK!)
      Direction: in
      TCP/IP Version: IPv4
      Protocol: TCP
      Source / Invert: no
      Source: OPT1 net
      Destination / Invert: no
      Destination: This Firewall (ANY DIDN'T WORK IN MY CASE)
      Destination port range: HTTP or SSH
With these settings, I was able to use HTTPS and using their default ports.

A simple rule on the OPT1 interface directly works just as well.
For destination, OPT1 address should be sufficient.
I assume you meant HTTPS for the port.

What you are doing with the floating rule is unnecessary and potentially dangerous.

- leave the listen interface of the UI at "All (recommended)"
- add a rule allowing access to each interface where necessary

Done.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
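
An audit check for the concern raised in the replies above, as an added example that is not part of the original posts and not OPNsense's own tooling: it scans a configuration export for pass rules to the management ports and flags floating rules with no interface selected, as well as rules whose source is any. The element names in the constructed sample are assumptions about the `config.xml` layout; compare them with your own export before relying on the result.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. Element names are assumptions.
SAMPLE = """<opnsense><filter>
  <rule>
    <descr>mgmt via floating rule</descr>
    <type>pass</type><floating>yes</floating><quick>1</quick>
    <direction>in</direction><protocol>tcp</protocol>
    <source><network>opt1</network></source>
    <destination><network>(self)</network><port>443</port></destination>
  </rule>
  <rule>
    <descr>mgmt via OPT1 rule</descr>
    <type>pass</type><interface>opt1</interface>
    <direction>in</direction><protocol>tcp</protocol>
    <source><network>opt1</network></source>
    <destination><network>opt1ip</network><port>443</port></destination>
  </rule>
  <rule>
    <descr>ssh from anywhere</descr>
    <type>pass</type><interface>opt1</interface>
    <direction>in</direction><protocol>tcp</protocol>
    <source><any/></source>
    <destination><network>(self)</network><port>22</port></destination>
  </rule>
</filter></opnsense>"""

MGMT_PORTS = {"22", "80", "443"}  # default SSH, HTTP and HTTPS ports

def audit_mgmt_rules(xml_text):
    """Return (description, finding) pairs for pass rules to management ports."""
    findings = []
    for rule in ET.fromstring(xml_text).iterfind("./filter/rule"):
        if rule.findtext("type") != "pass" or rule.findtext("disabled") == "1":
            continue
        # Single ports only; port ranges and aliases are not expanded here.
        if rule.findtext("destination/port") not in MGMT_PORTS:
            continue
        descr = rule.findtext("descr", default="(no description)")
        iface = (rule.findtext("interface") or "").strip()
        if rule.findtext("floating") == "yes" and not iface:
            findings.append((descr, "floating rule with no interface: evaluated on every interface"))
        if rule.find("source/any") is not None:
            findings.append((descr, "source is any: not limited to the management network"))
    return findings

if __name__ == "__main__":
    for descr, finding in audit_mgmt_rules(SAMPLE):
        print(f"{descr}: {finding}")
```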