Can I assign a specific WAN IP for Caddy to listen on?

Started by fbeye, December 11, 2024, 05:51:50 PM

All the IP aliases should show up in the ifconfig output for WAN/pppoe0. That's why it's not working. Please open one of them in the UI, e.g. .181, and show the details.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I do not think I follow... The only place .181 [or any of the other 5 IPs] is mentioned is the virtual IP aliases, and in port forwarding. I am sorry, but I am not sure where in the UI to find the details.

In the list you already posted (Virtual IPs) click on the little pencil on the right, then make a screen shot of all the details in that dialog. If there is an "Advanced settings" switch, activate that, too.

Well, now looking at it, it appears I would possibly need a Gateway entry?

Correct me if I am wrong, but would that be the WAN IP, default Static IP 207.108.121.182? Also, looking at it, am I even supposed to have a /32? It is a block of 8, 6 usable. Or would it be /29 as it's a block of 8?


Well, I am a simple-minded fool. Wow, once I found the problem, it was so obvious..
Soooooo, like I said, I was running NGINX on an internal host and all was fine.. When I went to Caddy on the FW, I forgot to remove the prior 443/80 Port-Forward NAT RULE!!!!

It appears to be working now.
Man alive.

NAT takes priority in OPNsense ;)

No doubt. Had I even remembered doing that, it would not have taken so long.. It just slipped my mind. What I did was say to myself "ok, we know it works on the internal LAN, what did I do to make that work" and then the NAT popped into my head. Anyway.

Thank you all for helping me and being patient.

One last question, maybe relevant, maybe not, BUT I know the "default" answer to "can I expose my OPNsense GUI to the internet in case I wanna remote in" is NO! And that makes sense, but is there a safe way to allow WAN access to the OPN GUI? I mean even restricting to specific WAN IPs. Or connecting via WG or Caddy?

Quote from: fbeye on December 14, 2024, 11:18:06 PM
"One last question, maybe relevant, maybe not, BUT I know the "default" answer to "can I expose my OPNsense GUI to the internet in case I wanna remote in" is NO! And that makes sense, but is there a safe way to allow WAN access to the OPN GUI? I mean even restricting to specific WAN IPs. Or connecting via WG or Caddy?"
Technically: yes
Practically: HELL NO
Insanely: "if there is a will there is a way"

So, IF, and only IF, you are prepared to jump through a few burning hoops, you "_can_" get safe admin access to your router.
There are two ways of doing it:
1. set up a VPN, then you VPN into your local network and can administer it.
2. for more crazy people (like me)
- set up Caddy / HAProxy, which you already do.
- get yourself a Cloudflare account.
- set up your DNS in such a way that your router access is only cached.
- get your access working with properly signed keys that are exchanged with Cloudflare, and nobody else has those (possible in HAProxy, haven't looked in Caddy for that) - so even if somebody tries to spoof themselves as CF, they won't have the keys.
- allow your Caddy to only accept connections from CF IP addresses (easy in HA, haven't tried in Caddy).
- set your CF policies to "paranoid level".
There are a few more things you can do, but ... I'll leave it to the reader to imagine more ways to get this secure.

Now, remember two things: 1. the old adage "you're not paranoid if there are people actually going after you" and 2. "Internet is full of people that are going after anybody".

Interesting.
Currently what I am doing is using my WG on my LAN and then connecting to the FW through WG. The problem is that my work laptop won't let me install WG, so I am limited to viewing via iPad/iPhone... Really not liking that.
So currently using the 1.) setup.

I would love to access the FW, on those rare occasions, on a full screen laptop scenario which was why I asked.
I do have Cloudflare and purchased domains, except for the FW WAN Interface but I do have cloudflare set for my example.org which has a static ip as well, so I assume I can just use caddy as I do like qbittorrent or calibreweb, but with opnsense fw.

Still, like you said, lots of certificate safety practices I would need to implement.
I guess I feel I would struggle with the DNS stuff because like I said, the FW itself has a .182 WAN IP and no domain, but my .181 [set as a virtual ip] does have cloudflare and a domain. So the DNS stuff would sort of get my brain to hurt.

I mean, it is an option I can look more into... But at least I have my WG FW access from the LAN side.

Quote from: fbeye on December 15, 2024, 01:02:43 AM
"I guess I feel I would struggle with the DNS stuff because like I said, the FW itself has a .182 WAN IP and no domain, but my .181 [set as a virtual ip] does have cloudflare and a domain. So the DNS stuff would sort of get my brain to hurt."

I don't think you understand reverse proxy. If you have Caddy installed and it's "working" - i.e., you can connect from the internet to a service you run on the local LAN - what is stopping you from pointing Caddy at your router's LAN web service?
Let's say:
- whatever service is 192.168.0.2:80 - the first service you have on your Caddy with example.org
- your router is 192.168.0.1:4343 - a second service that your Caddy can serve at router.example.com
It's pretty academic. It's actually one of the most popular low-effort ways of cracking into someone's network - just set up a reverse proxy at the target edge and you browse like it's your home ... and the super-low-effort one is the ssh pipe facility that everybody forgets to disable.
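The Caddyfile below is an added example written for this thread, not configuration posted by anyone in it or shipped by OPNsense or Caddy. It puts the two services from the post above side by side and layers onto the router entry the controls listed earlier in the thread (Cloudflare-only source addresses, a client certificate that only Cloudflare holds). The hostnames, the two LAN addresses and port 4343 are taken from the post; the Origin Pull CA file path and the two Cloudflare address ranges are illustrative placeholders, and the full, current range list has to be taken from Cloudflare's published IP list. Caddy's `remote_ip` matcher and the `tls` directive's `client_auth` block are documented Caddy 2 Caddyfile features.

```caddyfile
# Service that already works through Caddy (addresses as in the post above).
example.org {
	reverse_proxy 192.168.0.2:80
}

# Router GUI: reachable only via Cloudflare, and only with Cloudflare's
# origin-pull client certificate.
router.example.com {
	# Layer 1: refuse anything that does not arrive from a Cloudflare edge.
	# Only two illustrative ranges are listed; use Cloudflare's complete,
	# current published list in practice.
	@not_cloudflare not remote_ip 173.245.48.0/20 103.21.244.0/22
	respond @not_cloudflare "Forbidden" 403

	# Layer 2: require a client certificate issued by Cloudflare's Origin
	# Pull CA ("Authenticated Origin Pulls"). The file path is a placeholder.
	tls {
		client_auth {
			mode require_and_verify
			trusted_ca_cert_file /usr/local/etc/caddy/certs/cloudflare-origin-pull-ca.pem
		}
	}

	# Layer 3: proxy to the router's own HTTPS listener (192.168.0.1:4343 in
	# the post above). The GUI presents a self-signed certificate, so upstream
	# certificate verification is skipped for this LAN-only hop.
	reverse_proxy https://192.168.0.1:4343 {
		transport http {
			tls_insecure_skip_verify
		}
	}
}
```

Two checks before relying on this: a request sent straight to the WAN address with a `Host: router.example.com` header should get the 403 from the first matcher, and one that spoofs a Cloudflare source address but carries no client certificate should fail the TLS handshake. And, as the thread itself found out, any leftover NAT port-forward for 80/443 on the firewall takes priority and will hand the traffic to the old backend before Caddy ever sees it.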

I got everything working through Cloudflare and all works on the WAN IP I want, etc. What was causing all the drama was the fact I forgot I had NAT Port Forwarding to my previously working NGINX system. But now all is working flawlessly.