Feature: Allow webinterface access from WAN #141

Closed
m4rcu5 opened this issue Apr 15, 2015 · 5 comments
@m4rcu5

m4rcu5 commented Apr 15, 2015

Hi,

When deploying an OPNsense machine in the DC with a simple WAN/LAN setup where the protected (though still non-installed) servers are in the LAN and the uplinks are in WAN, you set up the box with a WAN+LAN, in which case you can only access the web interface on the LAN link.
For these kinds of deployments, it would be nice to have a menu option (on the console) to enable web interface access on the WAN to remotely configure the OPNsense installation.
Similar to the 'allowallonwan' option in the pfSense dev console.

@fichtner
Member

You can set up a WAN-only deployment that will have the web GUI listening on WAN by default. From there, you can add your firewall exception for WAN and start to add the LAN.

@m4rcu5
Author

m4rcu5 commented Apr 18, 2015

That is indeed the other option when deploying in these situations.
Keep in mind, though, that you are then saved by the anti-lockout rule on the WAN until you create a LAN interface; then the rules move there.
I can work with that as well. Feel free to reject the issue or make it low prio.

@fichtner fichtner added the feature Adding new functionality label Apr 21, 2015
@fichtner fichtner added this to the 15.7 milestone Apr 21, 2015
@fichtner fichtner self-assigned this Apr 21, 2015
@fichtner
Member

Well, we could widen the anti-lockout to all ports as an additional setting (which is obviously off by default).

@fichtner
Member

fichtner commented Jun 8, 2015

The current behaviour isn't bad at all, even if inconvenient at first. Closing.

@fichtner fichtner closed this as completed Jun 8, 2015
@MaximumDamage

MaximumDamage commented Sep 23, 2017

Documentation on Deploying in Datacenter (where LAN will not be accessible)

During installation or afterward, you have to assign a WAN-only interface.
In Shell:

-- in menu press 1 to assign interfaces
--- assign WAN
--- on LAN don't enter anything and press enter
-- reboot

After the reboot, your WebGui will come up.
Go to Firewall > NAT > Port Forward and you will see an Anti-Lockout Rule. This rule is automated and will change once you add LAN. Create your own Anti-Lockout Rule; a static source address is recommended:

-- Redirect: No
-- Interface: WAN
-- Protocol: TCP
-- Source: (single host) xxx.xxx.xxx.xxx (your trusted client IP)
-- Source Port: any
-- Destination: WAN address

Add the LAN interface via Interfaces > Assignments or assign interfaces via shell.
You will now see that the default Lockout changed. After setting up your LAN and VPN, you will be able to access it through the LAN address. So you could delete the rule later on.
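
A check for the recommendation in the comment above that the WAN rule use a static source address, as an added example that is not part of the thread or of OPNsense's own code: it flags rules on WAN to the WAN address whose source is not a single host. The XML element names and the three sample rules are assumptions constructed for illustration; compare them with your own configuration backup before relying on the result.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample rules, NOT a real export. The element names are an
# assumed, simplified config.xml-style layout; check them against your backup.
RULE = ("<rule><descr>{}</descr><interface>wan</interface><protocol>tcp</protocol>"
        "<source>{}</source><destination><network>wanip</network></destination></rule>")
SAMPLE = "<opnsense><nat>" + "".join([
    RULE.format("own anti-lockout", "<address>203.0.113.10</address>"),
    RULE.format("temporary open GUI", "<any>1</any>"),
    RULE.format("office range", "<address>198.51.100.0/24</address>"),
]) + "</nat></opnsense>"


def source_problem(rule):
    """Return None when the rule's source is exactly one host, else a reason."""
    src = rule.find("source")
    if src is None or src.find("any") is not None:
        return "source is any"
    addr = (src.findtext("address") or "").strip()
    try:
        net = ipaddress.ip_network(addr, strict=False)
    except ValueError:
        # Aliases or interface networks cannot be judged from the text alone.
        return f"source {addr!r} is not a literal address"
    if net.num_addresses != 1:
        return f"source {addr} covers {net.num_addresses} addresses"
    return None


def audit_wan_rules(xml_text):
    """Return (description, reason) for WAN-address rules not limited to one host."""
    findings = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        if rule.findtext("interface") != "wan":
            continue
        if rule.findtext("destination/network") != "wanip":
            continue
        reason = source_problem(rule)
        if reason:
            findings.append((rule.findtext("descr", default="(no description)"), reason))
    return findings


if __name__ == "__main__":
    for descr, reason in audit_wan_rules(SAMPLE):
        print(f"{descr}: {reason}")
```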
