[NOOB] WEB GUI accessible only from one device, same interface. [NEED HELP]

Started by suziee1995, March 07, 2025, 12:41:01 PM

To start, I would like to say hello to the OpnSense community, since I am totally new here and new to OpnSense.

Short info:
I finally managed to set up an OpnSense firewall on my MiniPC; previously I had been using the stock router from my ISP.
I am really excited about all the possibilities that the OpnSense firewall can offer.
Like most people setting up this kind of firewall, I was concerned about my privacy.

Unfortunately, for now I do not have a switch, so the router I got from my ISP is set up as an AP for my WiFi devices and is plugged directly into the OpnSense firewall.
So for now I am unable to set up a VLAN, which would help greatly. I am planning to purchase one in the near future, along with a proper AP that supports VLANs.

OK, so down to the problem I have:
I tried to restrict web GUI access to just the LAN interface (192.168.1.1/24), specifically to my desktop PC (192.168.1.77), on a custom port (same interface).

I achieved part of that successfully:

1. Devices that are connected to the AP are not able to access the web GUI or ping other devices. This is obviously a different interface/subnet: 192.168.3.1/24
- I achieved that through System>Settings>Administration>Listen Interfaces: LAN.

2. I want to access the LAN interface just from my desktop PC (static IP) on a custom port for the web GUI.
-In Firewall>Rules>LAN: please check the screenshots for the created rule.
-In Firewall>Aliases: I created an alias for the port of the web GUI
(I am not sure if I am overdoing it, but I want to manage it better later on if I need to block access from other LAN/VLAN interfaces in the future)

Then I proceeded to Settings>Administration and changed the TCP port to 6667; upon saving I was unable to reach the web GUI at all.
I then had to roll the system back to its previous state through OpnSense.

I would like to ask the community for any guidance or insight on what I am missing or doing wrong (or both, haha).

I have also attached a screenshot of the NAT port forward rules, basically just one 'automatic' rule.


I appreciate your help, thank you!

#edit:
I previously uploaded the wrong image; it was meant to show the firewall rule.

Quote from: suziee1995 on March 07, 2025, 12:41:01 PM
2. I want to access the LAN interface just from my desktop PC (static IP) on a custom port for the web GUI.
-In Firewall>Rules>LAN: please check the screenshots for the created rule.

OPNsense automatically adds an anti-lockout rule to the LAN interface, which allows access from any source in the LAN subnet to the webGUI.
This is what your screenshot shows. However, according to it, your webGUI is still listening on ports 80 and 443.

What your alias does is not clear to me. Maybe you want to use it in a firewall rule later.

But to set the webGUI to listen on it, you have to state the port in System: Settings: Administration > TCP port.
To also disable redirecting of port 80 to the web interface, check "Disable web GUI redirect rule" below.

After that you have to state the port to access the webGUI, e.g. https://192.168.1.1:6667.
Remember that the webGUI uses a self-signed SSL certificate by default, so you probably need to set your browser to accept it.

If you want to limit access to a single source IP later, add a rule allowing it and move it to the top of the rule set. Then disable the anti-lockout rule. This can be done in Firewall: Settings: Advanced.
Be careful that you don't lose access when doing this.

Thank you for your help. Could you please look at the firewall rule attached below and tell me if it's correct?

But to set the webGUI to listen on it, you have to state the port in System: Settings: Administration > TCP port.
To also disable redirecting of port 80 to the web interface, check "Disable web GUI redirect rule" below.


So in System>Settings>Administration
I have changed the port to 6667 and disabled the web GUI redirect rule.

After that you have to state the port to access the webGUI, e.g. https://192.168.1.1:6667.

-Without a firewall rule I cannot access it from the LAN interface.
-Adding a firewall rule like the one below, I am not able to connect either.

Appreciate your help

The rule seems correct, presuming 192.168.1.1 is your LAN address.
However, you can also select "This firewall" for the destination to enable access to any interface IP.

Quote from: suziee1995 on March 07, 2025, 05:03:41 PM
-Without a firewall rule I cannot access it from the LAN interface.
-Adding a firewall rule like the one below, I am not able to connect either.

I'm not expecting that adding a pass rule ends up blocking access, as long as it's not a policy-routing rule.

What exactly did you get in the browser?

Yes, 192.168.1.1 is my LAN address.

It said that the server must have been moved to another address, something along these lines.

Quote from: suziee1995 on March 07, 2025, 06:51:05 PM
something along these lines.

What. Exactly?

Nobody here got a functional crystal ball.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

It seems the OP is fairly new at this and maybe should stick with the safeguards (the anti-lockout rule).
That rule is updated automatically if the administration port is changed...

Arguably, it doesn't limit access to a single PC (a stated goal) but it's not clear that this PC is given a static IP, so there's another chance for a lockout.
If VLANs are planned, maybe forget about locking down access this way until they are implemented.
In the meantime, any hostile device on the LAN that tries to brute force the password will face sshlockout.

Changing the administration port is mostly useful if the standard port needs to be used for another purpose.
It adds very little from a security point of view (merely removes a discovery step).
Locking down to one machine comes with caveats too.

If your OpnSense has 3 ports instead of 2 and you don't use IPv6, then an easier and a bit more secure way to set up what you are intending to do is to enable all 3 ports and create individual block and allow rules for each interface.

First make sure your opnsense is in a state where everything works as it should (the most crucial things are firewall rules blocking all traffic to specific IPs and allowing internet access for any device).

If that is the case, back up your current configuration. To do so, go to System ---> Configuration ---> Backups, tick "encrypt configuration file" and type a password (OTHER THAN YOUR USER PASSWORD! This is completely optional, but without encryption the configuration file is a plain text XML file which shows everything, from your user names to your passwords, in plain text!), then select "Download configuration" and select the destination where you want to store it.

Next go to Firewall ---> NAT ---> Port Forward and delete any forwarding rules you have created.

After that, go to Firewall ---> Rules ---> WAN and make sure you don't see any rules there.

After that, go to Firewall ---> Rules ---> LAN and make sure you can only see the 2 default allow all rules for IPv4 and IPv6.

Then go to Interfaces ---> Assignments and at the bottom, if your opnsense has unused physical ports left, you should see "Assign a new interface"; under "Description" type "WIFI" or whatever you like, then click the "Add" option, and save changes after that (if it appears at the top of the window).

Now go to Interfaces ---> WIFI (or whatever description you gave the new interface), tick "Enable Interface", for "IPv4 Configuration Type" click the box and choose "Static IPv4", and at the bottom assign IP 192.168.100.1 to it (this must be different from your "LAN" interface; assigning an IP belonging to the same private range makes things A LOT easier, but if you know which IP ranges are reserved for private networks, you can use any of them).

After that, create another separate backup (the next step is tricky and can break things BADLY).

Once you have 2 backups (1 which enables you to undo ALL new changes and another which brings you back to the state where you have the interfaces configured), go to System ---> Gateways and click add.

Gateway name is LAN, Interface is "LAN", uncheck "Disable gateway monitoring", and IP address and monitoring IP are both the IP address of your opnsense LAN interface. Leave the others at default values.

If you placed the new interface in a different IP range, then you need to add another gateway; this way, for your new interface, the changes you make are the same as with LAN. If you gave your new interface an IP of 192.168.100.1/24 (or anything like 192.168.2.1/24), then you can ignore this part and move to the next.

After that, click save and after that, apply changes.

Next go to System ---> Routing ---> Configuration and add a new static route.

Network Address is 192.16.0.0/16 and gateway is LAN. If your new interface has a different IP range, then you need to create another rule for it and assign the correct ranges to it. (I wouldn't recommend it; when done wrong, routing can break things BADLY, and I can only remember the private range which the most commonly used 192.168.0.0/24 private network uses.)

The routing part can be ignored, or at least left inactive, until you have a switch and set up VLANs (I had some issues with VLANs not working properly until I added routing rules, hence I added instructions for that).

After that, click save and apply changes.

Then it is time to make sure that your LAN (at least) didn't lose internet and you can access everything, so connect your PC to the LAN port, open a command prompt (or terminal) and type "ping 192.168.1.1"; if it responds, then ping google.com and also open a web browser and make sure you have access to the internet and your opnsense GUI. If this fails, well, that is what backups are for.

If you didn't get any issues so far, it is time to move on.

Go to Firewall ---> Rules ---> WIFI (or whatever the name of your new interface is), add a new rule and follow these instructions TO THE LETTER.

"Action" is "Pass"

"Apply the action immediately on match" is ticked

"Direction" is "In"

"TCP/IP Version" is set to "IPv4"

"Protocol" is set to "TCP/UDP"

"Source" is set to "WIFI net" (or your "interface name" net)

"Destination" is set to "WIFI Address" (or your "interface name" Address; you might have to manually type the IP address, which is under "other" and brings up a new text box, and make sure the box next to it is set to /24)

"Destination port range" is set to "DNS"

Check the "Log" box and under "Description" type "ALLOW DNS", click save and after that, apply changes (if you can see "Default allow all" rules, move the new rule to the top of the rule list before applying changes).

After that, click the "clone" option on the left corner of the rules, change "Action" to "block", "Protocol" from "TCP/UDP" to "any", "Destination" from "WIFI Address" to "This Firewall", "Destination port range" from "DNS" to "any" and change the description to "block firewall access".

Save and apply changes; make sure the new block rule is below the DNS rule.

Clone the new block rule, change the destination from This Firewall to LAN net and give it a good description. Save and apply changes.

After this, if your new interface is missing the allow all rule, create a new rule: action is "pass", direction is "in", "TCP/IP Version" is IPv4, source is "WIFI net", and leave the rest at default values (optionally, you can clone the "allow all" rule from LAN; then you just have to change Interface from LAN and source from LAN net to correspond to the new interface). Click save, and then apply changes; make sure the new allow all rule is at the bottom of the rule list.

Then you can proceed to set up a DHCP server for the new interface.

After you have set up DHCP for the new interface, attach the LAN port of your AP to the new interface port of opnsense, connect to wifi on another device and see if you can get to the internet. You shouldn't be able to ping opnsense, nor access the webgui or SSH using the LAN or WIFI interface IPs or opnsense's public IP address; only DNS should be accessible (under Firewall ---> Log Files ---> Live View you should be able to see any blocked connections to the firewall and any allowed connections to DNS).

If all your networks have internet and only the LAN interface can access opnsense, then all is as it should be, and you can start testing connectivity in general; if not, then revert back to the last working backup.

You can disable logging for any block rules generated at this point.

If that is too much work or the instructions are too complicated to follow, you can optionally just add a new interface, name it management, add a "block all to Management net" rule and a "block all to this firewall" rule for LAN net, an "allow all to this firewall" rule for the management interface and an "allow DNS for LAN" rule, and you are done. Then, every time you need to access opnsense, you have to connect your PC to the management interface, which is a lot safer. To prevent hackers etc. gaining access to your firewall, you should block connections from ANY NETWORK which has ANY devices connected (including your daily use computer; as long as your computer has access to the internet AND your router or firewall, hackers are able to exploit that).

In short, you should have 2 networks: 1 that has no internet access and can access all local networks or just your firewall, and 1 that has access only to the internet and can't access the firewall or router.

Also, instead of manually having to type IPs (and creating loads of rules), you can simply use aliases; just add your host IPs to aliases.

For an alias that applies to any host belonging to network 192.168.1.0/24, you create an alias, set Type to host and type 192.168.1.0/24 in the content.

For an alias that applies to any host within the same private network range as 192.168.1.0/24, the content is 192.16.0.0/16.

For individual local IPs, you don't have to type /24 at the end (as long as they use a 24-bit subnet, which is 255.255.255.0); just the local IP suffices.

For public IPs, the subnet bits are required (you can google "whois IP" and search WHOIS records for any public IP there is; it will display the information you need).
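Added example, not code from the thread or from OPNsense: a first-match ("quick") model of the two rule sets discussed here, the single-admin-PC LAN rule set from the anti-lockout reply and the WIFI interface rule set from the step-by-step post, so their ordering can be checked for exposure or lockout before the rules are applied on the real firewall. Addresses, port numbers, rule descriptions and the quick-match semantics are assumptions for the example.

```python
import ipaddress

# Constructed sample networks and addresses from the thread; the WAN IP is a placeholder.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
WIFI_NET = ipaddress.ip_network("192.168.100.0/24")
ADMIN_PC = ipaddress.ip_network("192.168.1.77/32")
FIREWALL_IPS = {"192.168.1.1", "192.168.100.1", "203.0.113.10"}  # what "This Firewall" covers

def dst_matches(dst, spec):
    """spec is None (any), "This Firewall", an IPv4Network, or a single IP string."""
    if spec is None:
        return True
    if spec == "This Firewall":
        return dst in FIREWALL_IPS
    if isinstance(spec, ipaddress.IPv4Network):
        return ipaddress.ip_address(dst) in spec
    return dst == spec

def evaluate(rules, src, dst, proto, port):
    """First matching rule wins (every rule 'quick'); no match means OPNsense's default deny."""
    s = ipaddress.ip_address(src)
    for action, src_net, dst_spec, protos, ports, desc in rules:
        if (s in src_net and dst_matches(dst, dst_spec)
                and (protos is None or proto in protos)
                and (ports is None or port in ports)):
            return action, desc
    return "block", "default deny"

# WIFI interface rule set in the order the post prescribes:
# (action, source net, destination, protocols, destination ports, description).
WIFI_RULES = [
    ("pass",  WIFI_NET, "192.168.100.1", {"tcp", "udp"}, {53}, "ALLOW DNS"),
    ("block", WIFI_NET, "This Firewall", None, None, "block firewall access"),
    ("block", WIFI_NET, LAN_NET, None, None, "block LAN net"),
    ("pass",  WIFI_NET, None, None, None, "allow all"),
]

# LAN rule set for the original poster's goal once the anti-lockout rule is disabled
# (assumed port numbers: GUI on 6667, SSH on 22).
LAN_RULES = [
    ("pass",  ADMIN_PC, "192.168.1.1", {"tcp"}, {6667}, "admin PC to web GUI"),
    ("block", LAN_NET, "This Firewall", {"tcp"}, {6667, 22}, "no GUI/SSH from other LAN hosts"),
    ("pass",  LAN_NET, None, None, None, "default allow LAN"),
]

def locks_out_admin(rules, admin_ip="192.168.1.77", gui_ip="192.168.1.1", gui_port=6667):
    """Run before disabling anti-lockout: True if the admin PC could no longer reach the GUI."""
    return evaluate(rules, admin_ip, gui_ip, "tcp", gui_port)[0] != "pass"
```

Swapping the order of the rules (the "allow all" rule above the block rules, or the LAN block above the admin pass rule) is the misconfiguration both replies warn about, and the model reports it as exposed GUI access or as an admin lockout.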