[NOOB] WEB GUI accessible only from one device, same interface. [NEED HELP]

Started by suziee1995, March 07, 2025, 12:41:01 PM

First of all I would like to say hello to the OpnSense community, since I am totally new here and new to OpnSense.

Short info:
I finally managed to set up an OpnSense firewall on my MiniPC; previously I had been using the stock router from my ISP.
I am really excited about all the possibilities that the OpnSense firewall can offer.
Like most people setting up this kind of firewall, I was concerned about my privacy.

Unfortunately, as for now I do not have a switch, so the router that I got from my ISP is set up as an AP for my WiFi devices and is plugged directly into the OpnSense firewall.
So for now I am unable to set up VLANs, which would help greatly. I am planning to purchase one in the near future, along with a proper AP that supports VLANs.

OK, so down to the problem I have setting this up:
I tried to restrict WEB GUI access to just the LAN interface (192.168.1.1/24), specifically to my desktop PC (192.168.1.77), on a custom port (same interface).

I achieved part of that successfully:

1. Devices that are connected to the AP are not able to access the WEB GUI or ping other devices. This is obviously a different interface/subnet: 192.168.3.1/24
- I achieved that through System>Settings>Administration>Listen Interfaces: LAN.

2. I want to access the LAN interface just from my Desktop PC (static IP) on a custom port for the WEB GUI.
-In Firewall>Rules>LAN: Please check the screenshots for the created rule.
-In Firewall>Aliases: I created an alias for the port of the WEB GUI
(I am not sure if I am overdoing it, but I want to manage it better later on if I need to block the access from other LAN/VLAN interfaces in the future)

Then I proceeded to Settings>Administration and changed the TCP port to 6667; upon saving I was unable to reach the WEB GUI at all.
I then had to roll the system back to the previous state through OpnSense.

I would like to ask the community for any guidance or insight on what I am missing or doing wrong (or both, haha).

I have also attached a screenshot with the NAT port forward rules, basically just one 'automatic' rule.


I appreciate your help, thank you!

#edit:
I previously uploaded the wrong image; it was meant to show the firewall rule.

Quote from: suziee1995 on March 07, 2025, 12:41:01 PM
2. I want to access the LAN interface just from my Desktop PC (static IP) on a custom port for the WEB GUI.
-In Firewall>Rules>LAN: Please check the screenshots for the created rule.
OPNsense automatically adds an anti-lockout rule to the LAN interface, which allows access from any source in the LAN subnet to the webGUI.
This is what your screenshot shows. However, according to it, your webGUI is still listening on ports 80 and 443.

What your alias does, is not clear to me. Maybe you want to use it in a firewall rule later.

But to set the webGUI for listening on it, you have to state the port in System: Settings: Administration > TCP port.
To also disable redirecting of port 80 to the web interface, check "Disable web GUI redirect rule" below.

After that you have to state the port to access the webGUI, e.g. https://192.168.1.1:6667.
Remember that the webGUI uses a self-signed SSL certificate by default. So you probably need to set your browser to accept it.

If you want to limit access to a single source IP later, add a rule for allowing it and move it to the top of the rule set. Then disable the anti-lockout rule. This can be done in Firewall: Settings: Advanced.
Be careful that you don't lose access, when doing this.
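The steps above (new TCP port, redirect rule off, a pass rule for one source IP at the top, then anti-lockout disabled) are exactly where a lockout happens, so here is an added pre-flight check written for this thread; it is not OPNsense's own code nor the poster's. It parses a config.xml fragment and reports whether the admin host would still be admitted to the GUI port by the first matching LAN rule, and whether some other LAN host would be admitted too. The element names it reads (system/webgui/port, disablehttpredirect, system/noantilockout, filter/rule with "(self)" standing for "This firewall") and the sample config are assumptions constructed for the example; floating rules, interface groups and port aliases are not resolved.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed OPNsense-style config fragment (not a real export). The element
# names (system/webgui/port, disablehttpredirect, system/noantilockout, the
# "(self)" destination for "This firewall") are assumptions of this example.
SAMPLE_CONFIG = """<opnsense>
  <system>
    <webgui>
      <protocol>https</protocol>
      <port>6667</port>
      <disablehttpredirect>1</disablehttpredirect>
    </webgui>
    <noantilockout>1</noantilockout>
  </system>
  <filter>
    <rule>
      <type>pass</type><interface>lan</interface><protocol>tcp</protocol>
      <source><address>192.168.1.77</address></source>
      <destination><network>(self)</network><port>6667</port></destination>
      <descr>Admin PC to webGUI</descr>
    </rule>
    <rule>
      <type>pass</type><interface>lan</interface>
      <source><network>lan</network></source>
      <destination><any>1</any></destination>
      <descr>Default allow LAN to any rule</descr>
    </rule>
  </filter>
</opnsense>
"""


def _text(node, path, default=""):
    el = node.find(path) if node is not None else None
    return el.text.strip() if el is not None and el.text else default


def _port_matches(spec, port):
    """Numeric port or lo-hi range. Alias names are not resolved here -> no match."""
    if not spec:
        return True
    lo, _, hi = spec.partition("-")
    if not lo.isdigit() or (hi and not hi.isdigit()):
        return False
    return int(lo) <= port <= int(hi or lo)


def _addr_matches(side, ip, lan_if, lan_net, fw_ip):
    """Does a <source>/<destination> element cover ip? Negated entries are ignored."""
    if side is None or side.find("any") is not None:
        return True
    net = _text(side, "network")
    if net == lan_if:                        # "LAN net"
        return ip in lan_net
    if net in ("(self)", lan_if + "ip"):     # "This firewall" / "LAN address"
        return ip == fw_ip
    addr = _text(side, "address")
    return bool(addr) and ip in ipaddress.ip_network(addr, strict=False)


def first_match(rules, src_ip, fw_ip, port, lan_if, lan_net):
    """(index, type) of the first enabled rule on lan_if matching TCP
    src_ip -> fw_ip:port. Rules are evaluated top-down, first match wins;
    the built-in anti-lockout rule is accounted for by the caller."""
    for i, r in enumerate(rules):
        if _text(r, "interface") != lan_if or r.find("disabled") is not None:
            continue
        if _text(r, "protocol", "any") not in ("any", "tcp", "tcp/udp"):
            continue
        dst = r.find("destination")
        if (_addr_matches(r.find("source"), src_ip, lan_if, lan_net, fw_ip)
                and _addr_matches(dst, fw_ip, lan_if, lan_net, fw_ip)
                and _port_matches(_text(dst, "port"), port)):
            return i, _text(r, "type", "pass")
    return None, "block"  # nothing matched: implicit default deny


def preflight(xml_text, admin_ip, fw_ip, lan_cidr, other_ip, lan_if="lan"):
    """Questions to settle before disabling the anti-lockout rule."""
    root = ET.fromstring(xml_text)
    lan_net = ipaddress.ip_network(lan_cidr, strict=False)
    admin, fw, other = (ipaddress.ip_address(x) for x in (admin_ip, fw_ip, other_ip))
    proto = _text(root, "system/webgui/protocol", "https")
    port = int(_text(root, "system/webgui/port") or (443 if proto == "https" else 80))
    rules = root.findall("filter/rule")
    res = {
        "port": port,
        "redirect_disabled": root.find("system/webgui/disablehttpredirect") is not None,
        "antilockout_disabled": root.find("system/noantilockout") is not None,
        "admin": first_match(rules, admin, fw, port, lan_if, lan_net),
        "other": first_match(rules, other, fw, port, lan_if, lan_net),
        "problems": [],
    }
    if not res["antilockout_disabled"]:
        # The built-in rule sits above user rules and passes the whole LAN subnet.
        res["problems"].append("anti-lockout still active: every LAN host reaches the GUI")
    if res["admin"][1] != "pass":
        res["problems"].append(f"{admin_ip} would be blocked on {port}: do not disable anti-lockout")
    if res["other"][1] == "pass":
        res["problems"].append(f"{other_ip} still admitted by rule #{res['other'][0]}: "
                               f"add a block for port {port} above it")
    res["ok"] = not res["problems"]
    return res


if __name__ == "__main__":
    for k, v in preflight(SAMPLE_CONFIG, "192.168.1.77", "192.168.1.1",
                          "192.168.1.0/24", "192.168.1.50").items():
        print(f"{k}: {v}")
```

On the sample config the admin rule at the top passes 192.168.1.77, but the stock "Default allow LAN to any rule" underneath still admits 192.168.1.50 to port 6667 once the anti-lockout rule is gone, so a real single-host lockdown needs a block rule for the GUI port between the two; the check flags that rather than the "ok" a quick glance at the first rule would suggest.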

Thank you for your help. Could you please look at the firewall rule attached below and tell me if it's correct?

But to set the webGUI for listening on it, you have to state the port in System: Settings: Administration > TCP port.
To also disable redirecting of port 80 to the web interface, check "Disable web GUI redirect rule" below.

So in System>Settings>Administration
I have changed the port to 6667 and disabled the WEB GUI redirect rule.

After that you have to state the port to access the webGUI, e.g. https://192.168.1.1:6667.

-Without a firewall rule I cannot access it from the LAN interface.
-Adding a firewall rule like the one below, I am not able to connect either.

Appreciate your help

The rule seems correct, presuming 192.168.1.1 is your LAN address.
However, you can also select "This firewall" for the destination to enable access to any interface IP.

Quote from: suziee1995 on March 07, 2025, 05:03:41 PM
-Without a firewall rule I cannot access it from the LAN interface.
-Adding a firewall rule like the one below, I am not able to connect either.
I'm not expecting that adding a pass rule ends up blocking access, as long as it's not a policy-routing rule.

What exactly did you get in the browser?

Yes, 192.168.1.1 is my LAN address.

It said that the server must have been moved to another address, something along these lines.

Quote from: suziee1995 on March 07, 2025, 06:51:05 PM
something along these lines.

What. Exactly?

Nobody here has a functional crystal ball.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

It seems the OP is fairly new at this and maybe should stick with the safeguards (the anti-lockout rule).
That rule is updated automatically if the administration port is changed...

Arguably, it doesn't limit access to a single PC (a stated goal) but it's not clear that this PC is given a static IP, so there's another chance for a lockout.
If VLANs are planned, maybe forget about locking down access this way until they are implemented.
In the meantime, any hostile device on the LAN that tries to brute force the password will face sshlockout.

Changing the administration port is mostly useful if the standard port needs to be used for another purpose.
It adds very little from a security point of view (merely removes a discovery step).
Locking down to one machine comes with caveats too.