OPNsense
Author Topic: WebGUI access from WAN??  (Read 131570 times)

norspang

WebGUI access from WAN??
« on: June 04, 2015, 10:04:23 am »
I'd like to access the WebGUI from the webinterface but can't get it to work.

Does anyone know how to get it to work?
(Just installed my box yesterday, came from pfSense)

chol

Re: WebGUI access from WAN??
« Reply #1 on: June 04, 2015, 11:43:02 am »
Hello,
it is nice that you tried OPNsense.

If you come from pfSense, the set-up of OPNsense should not be much different.

Do you still have your OPNsense appliance connected to a monitor/console? If so, please configure the network interface(s) first. If not, please go back and connect your monitor/console; it is the easiest and fastest way to get your initial connection problem solved. The configuration through the OPNsense console menu is also highly recommended for virtual machine installs. In the console menu one can ping out to an IP address to see if the WAN is set up right.

See:
Setup wizard

and

How To Install OPNsense on VirtualBox

Hope that helps.

norspang

Re: WebGUI access from WAN??
« Reply #2 on: June 04, 2015, 01:42:50 pm »
I got it all configured: I got WAN, WWAN and a BRIDGE with LAN and WIRELESS. I got internet connection through the BRIDGE, so all is working fine... except that I need to be able to access the WUI from the WAN.
Some of the errors I found at pfSense I have not found here YET... hope not to find them at all.

franco

  • Administrator
Re: WebGUI access from WAN??
« Reply #3 on: June 04, 2015, 05:54:23 pm »
This isn't really recommended, but you can enable access to the GUI from the WAN. If you can, you should:

o Do a NAT from a higher port from WAN (e.g. 12345) to LAN 443
o Use a password that meets today's standards
o Pin access to the GUI by restricting WAN port access by IPs

We do have bugs, but we enjoy fixing them as they come up. :)
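
The first and third recommendations above (a NAT from a high WAN port, and pinning access to trusted source IPs), written out in raw pf syntax next to the open form they replace. This is an added example, not part of the original post and not OPNsense's generated ruleset; the interface name `em0`, the table name `gui_admins` and the source addresses are assumptions, while port 12345 and 192.168.1.1 are the values used in this thread.

```pf
# Added example: illustrative pf.conf fragment, not OPNsense's own ruleset.
# Assumed: em0 is the WAN interface; <gui_admins> and its addresses are
# constructed (documentation ranges). 12345 and 192.168.1.1 are from the thread.

wan_if   = "em0"
gui_ip   = "192.168.1.1"
gui_port = "443"
ext_port = "12345"

# Trusted management sources only.
table <gui_admins> const { 198.51.100.10, 203.0.113.0/28 }

# --- Weak form: GUI reachable on its well-known port from any source ---
# pass in quick on $wan_if inet proto tcp from any to ($wan_if) port $gui_port

# --- Restricted form ---
# 1) Translate the high WAN port to the GUI, but only for trusted sources.
#    Untrusted sources are never redirected, so nothing answers on 12345.
rdr on $wan_if inet proto tcp from <gui_admins> to ($wan_if) port $ext_port -> $gui_ip port $gui_port

# 2) Filtering sees the packet after translation, so the pass rule matches
#    the translated destination and pins the source a second time.
pass in quick on $wan_if inet proto tcp from <gui_admins> to $gui_ip port $gui_port flags S/SA keep state

# 3) Log and drop anything else aimed at the firewall's own WAN address on
#    either port, so probes appear in the firewall log.
block in log quick on $wan_if inet proto tcp from any to ($wan_if) port { $gui_port, $ext_port }
```

OPNsense builds its ruleset from the GUI configuration, so this fragment shows the intended effect of the rules rather than a file to edit by hand.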

norspang

Re: WebGUI access from WAN??
« Reply #4 on: June 05, 2015, 06:15:26 pm »
I'll try that Monday.
Of course I'll make a restriction that only allows a few trusted IP addresses.

norspang

Re: WebGUI access from WAN??
« Reply #5 on: June 09, 2015, 08:17:16 am »
no luck :-(

I tried to NAT 12345 to 192.168.1.1 without any FW Rules but the one for NAT.
Then I tried to NAT to 127.0.0.1. Still no luck :-(

ristridin

Re: WebGUI access from WAN??
« Reply #6 on: June 09, 2015, 12:38:23 pm »
Hi,

In order to gain access to your OPNsense via WAN, you just need to configure a firewall rule:
External IP/Host -> WAN address -> OPNsense Management Port (443)

best regards,
Boris

norspang

Re: WebGUI access from WAN??
« Reply #7 on: June 09, 2015, 01:39:38 pm »
Hi Boris

That is the rule made by the NAT.

chol

Re: WebGUI access from WAN??
« Reply #8 on: June 09, 2015, 03:02:52 pm »
Maybe an IP alias > virtual IP address would help? It's an extra virtual IP added to a network interface (WAN) that could be used or forwarded by the firewall.

DoubleJ

Re: WebGUI access from WAN??
« Reply #9 on: August 20, 2015, 11:41:06 am »
In general it is not a good idea to open up web UI access on WAN to your router.
However, sometimes you find yourself in a situation where you need it temporarily.

This is from some pfSense forum and also works in OPNsense.
Console access is required though...

Go into the shell and type: pfctl -d

This disables the firewall completely, and you should be able to access the web UI via WAN interface.
Turning it back on: pfctl -e

Take note that any change you make in the web UI will result in OPNsense immediately enabling the firewall again. So you might have to disable it many times during one session.
« Last Edit: August 20, 2015, 11:42:45 am by DoubleJ »

franco

  • Administrator
Re: WebGUI access from WAN??
« Reply #10 on: August 20, 2015, 12:06:51 pm »
A small caveat with 'pfctl -d' is that this also disables NAT, so be careful not to annoy your LAN users. ;)

Xames81

Re: WebGUI access from WAN??
« Reply #11 on: December 06, 2018, 10:13:15 pm »
Which is the best secure option to access the GUI of the firewall from outside? VPN? Can anyone help with the rules for VPN and then web GUI?

Thanks.

cerien

Re: WebGUI access from WAN??
« Reply #12 on: March 06, 2020, 08:20:04 pm »
Sorry to revive an old thread, but it is really related. I've just installed OPNsense 20.1 and am trying to access the GUI from the WAN interface.
- In System / Settings / Administration / WebGUI, listen is set to any interface
- I've created a FW rule to accept any source, destination WAN address (or this firewall), HTTPS; not working
- I've created a NAT rule to accept any source, destination WAN address (or this firewall), 8443, redirect 192.168.1.1/443; not working
- If I stop the firewall via pfctl -d, I can access the GUI from the LAN, but it is too radical

What could be wrong?

J.

jwright

Re: WebGUI access from WAN??
« Reply #13 on: March 15, 2020, 10:42:53 pm »
Try disabling reply-to on WAN rules (Firewall > Settings > Advanced)

mfedv

Re: WebGUI access from WAN??
« Reply #14 on: March 16, 2020, 04:23:20 pm »
No need for the NAT rule if you change the TCP port for the Web GUI to a different port that is not overlapping with 1:1 NAT or nginx or haproxy usage (e.g. try 4443). You then need to add this port number to the URL for all access, even from LAN.

Then add a filter rule to allow access to this port from WAN.

It might still be that some other filter rule forbids this; with luck it is a rule with logging, and even better luck if it has a description, as this helps in finding the culprit in the firewall log.