HTTPS forwarding in OPNSense
Posted on Sat 28 January 2023 in Technical
This took a few days to work out and I finally found it buried in an Opnsense forum post, so here it is in a slightly easier to find way.
Objective
To forward HTTP(S) traffic to a virtual machine running Nginx (or any other HTTP proxy or load balancer) through a gateway running OPNsense.
Solution
1. Change the Web GUI port
Even if the Web GUI is inaccessible from the public interface of an Opnsense VM, it's still listening on it on both port 80 and port 443, so change the port.
In System > Settings > Administration > Web GUI, assuming you have set the protocol to HTTPS, change TCP Port to something other than 443:
Press Save and the configuration will reload. You may need to click on the link in the notification bar for it to complete.
2. Create aliases for the HTTP(S) service
This was the bit I didn't get. I was trying to define NAT ports and IPs manually. More about aliases in OPNSense
Assume your internal network is 192.168.1.0/24 and your web server is at 192.168.1.10. The WAN address is the address is the IP address of your gateway.
In Firewall > Aliases > View
-
Click the plus button to add a new alias.
-
Enter the following:
- Enabled: check
- Type: Hosts
- Name: Reverse Proxy (or whatever, this is the identifier)
- Content: 192.168.1.10
- Statistics (as required)
- Description: The reverse proxy host
-
Click Save
-
Click the plus button to add a new alias again.
-
Enter the following:
- Enabled: check
- Type: Port(s)
- Name: Reverse Proxy Ports
- Content: 80, 443 (each port is a separate item)
- Statistics: (as required)
- Description: Reverse proxy ports
-
Click Save and Apply Settings.
3. Create a NAT rule
In Firewall > NAT > Port Forward
-
Click the Plus button to add a new Port Forward rule
-
Enter the following:
- Interface: WAN
- TCP/IP version: IPv4
- Protocol: TCP
- Destination: WAN Address
- Destination port range: from Reverse Proxy Ports to Reverse Proxy Ports (this will be in the dropdown under Aliases)
- Redirect Target IP: Reverse Proxy (from the dropdown)
- Redirect Target Ports: Reverse Proxy Ports (from the dropdown)
- Pool Options: Default
- NAT Reflection: Enable
- Filter rule association: Rule
-
Click Save and Apply settings.
This also creates a rule in Filewall > Rules > WAN for the aliases.
If your web server/load balancer VM is up and you at least have a default configuration available, you should get a page.
H/T to huticip in the Opnsense forums.