Access to OPNsense Web GUI via WAN after installation


After initializing an OPNsense as a virtual machine, access via WAN is denied. With a newly deployed OPNsense virtual machine on a hypervisor, such as a VMware ESXi host, the Web GUI cannot yet be reached directly from the internet.

In order to be able to access the OPNsense via WAN, as with every new installation, you have to call up and follow the wizard with the option 1) Assign interfaces and 2) Set interface IP address. This to lay the basis for the OPNsense, with the interfaces and the IP configuration for the WAN and LAN interface.

OPNsense VMware ESXi Console

After that, the firewall must be disabled in the vSphere console of the virtual machine.

With option 8) Shell execute the command pfctl -d:

root@OPNsense:~ # pfctl -d
pf disabled

Now the Web GUI can be opened via the WAN IP address in a browser.

In order to enable permanent access to OPNsense via WAN, a new rule must be created under Firewall – Rules – WAN with pass in to this firewall.

OPNsense Firewall Rules WAN
OPNsense – Firewall – Rules – WAN. Click for Zoom.

IMPORTANT! Do not explicitly select a gateway, the gateway must be default. The gateway previously created in the console with Set interface IP address is only required for the WAN interface configuration.

OPNsense Firewall Rules WAN Advanced features

After the default gateway has been selected, the OPNsense must be restarted, with the command reboot, or with option 6 from the OPNsense console menu.

Note! after each restart, the packet-filter (pf) firewall is enabled, the command pfctl -e to enable the pf-firewall is not required. At the beginning, when setting up the OPNsense do not add a second gateway.

  It should not go unmentioned here that the OPNsense is adequately protected against misuse and brute force attacks. It is recommended to only allow the WAN rule for access to the web GUI from known sources. Also a user-defined port number for the web GUI can be defined under System – Settings – Administration for TCP Port in order to override the default setting (80 for HTTP, 443 for HTTPS). For this purpose, 2FA TOTP authentication with Google Authenticator is also possible, this in the post here.

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

Leave a Reply

Your email address will not be published.