Wondering how hard it can be to implement such a logic
-
@jknott said in Wondering how hard it can be to implement such a logic:
Do you not have backup configs you can restore?
Starting one by one: yes, I always have a backup. I already have Cloud backup, but there is no auto recover in case of failure.
The problem is that I have to be physically in the same place as the router to access the network ;-)
-
@steveits said in Wondering how hard it can be to implement such a logic:
@kpucko It seems to me that (if you have Plus) Boot Environments can provide this, in sort of a brute force way...schedule a reboot in 10 minutes, make the change, and if you are disconnected the router will reboot and revert to the prior environment. Netgate has a video on using it. As I recall they actually suggest something similar in it, but have someone on site pull power to recover.
This seems to be easily doable. I mean I have so called "smart plugs", they are connected to the internet via wifi, and I'm able to access them via phone app, because they go directly to the vendor site. So I'm able to initiate shutdown/power loss, but I'm a bit concerned about this, because I will end up with broken filesystem....
-
@stephenw10 said in Wondering how hard it can be to implement such a logic:
It's the auto-rollback part that would be needed.
I imagine, like many things, this is hard to do 'right' but might be relatively easy with some scripting.
I'd have to read back through the threads here because someone has probably already done it.
Steve
Yeah, this is also an option. For instance in Juniper, if you don't "commit confirm" your changes in an expected time frame, the config will go back to the previous one.
Mikrotik do it in a bit different way: when you press "Safe mode" and your Winbox session gets dropped, your changes are lost.
In my opinion the first logic is better.
Cisco have "reboot in X seconds" so you have to do your changes, and if you don't cancel the reboot, the reboot will happen and run the last saved configuration.
They make a difference between running configuration and startup configuration.
-
@kpucko said in Wondering how hard it can be to implement such a logic:
So I'm able to initiate shutdown/power loss, but I'm a bit concerned about this, because I will end up with broken filesystem
Yes that wouldn't be ideal, however:
- if I understand Boot Environments correctly, the file system is reverted so there would be no corruption? (???)
- you could use the "shutdown -r" command, say "shutdown -r +10" (10 minutes)
-
@steveits said in Wondering how hard it can be to implement such a logic:
@kpucko said in Wondering how hard it can be to implement such a logic:
So I'm able to initiate shutdown/power loss, but I'm a bit concerned about this, because I will end up with broken filesystem
Yes that wouldn't be ideal, however:
- if I understand Boot Environments correctly, the file system is reverted so there would be no corruption? (???)
- you could use the "shutdown -r" command, say "shutdown -r +10" (10 minutes)
Yeah, probably you are right.
I haven't tested this before. Anyway, so we are on the same track.
I believe the Netgate guys will take this into account and will introduce an option to get the access to the router back ;-)
-
@stephenw10 said in Wondering how hard it can be to implement such a logic:
this is hard to do 'right'
A possibility may be a system which has the following components:
- Create a zfs snapshot and initiate a delayed restore to the snapshot
- Show a banner in the GUI (& console) with a countdown to the restore time
- The banner should also have a link to the delayed restore page enabling adding another 10 minutes to the timer, switching off the delayed restore, or deleting the snapshot
That would enable the user to change any configuration (& software update) remotely and be assured that if they make a mistake it will go back to their set point.
-
@kpucko said in Wondering how hard it can be to implement such a logic:
Tell me your thoughts.
When I change OpenVPN server settings, I do this on site.
I deactivate the Wifi on my iPhone, and I try to connect to my pfSense OpenVPN server after every OpenVPN change.
When I have to change an OpenVPN setting when I'm not on site, I clone the OpenVPN server settings: I start a second one, using the same settings, just another port number: 1095. And I add the related firewall WAN rule. I test this backup remote OpenVPN first.
Now I can edit the main OpenVPN server. When this fails, I have the backup to get back in and correct.
When the main server is stable and accessible, I can deactivate the spare 1095 firewall rule, or even stop the spare Openserver.
Or: I call the main site, have a local muppet connect to the console, and give him the best time of his life (doing some real firewall maintenance stuff): I'll guide him through the menu "option 15" and have him restore the "1" most recent previous config.
Btw generally, no, it's not a good idea neither to change a wheel on a car while you are driving that car.
Many have tried (we all did, I guess), we all di***. So we stopped doing so ;)
-
@gertjan said in Wondering how hard it can be to implement such a logic:
Btw generally, no, it's not a good idea neither to change a wheel on a car while you are driving that car.
Liked your analogy, been there done that on L2TP over IPsec, never again.
-
@gertjan said in Wondering how hard it can be to implement such a logic:
Btw generally, no, it's not a good idea neither to change a wheel on a car while you are driving that car.
I do not for a minute disagree with the value of testing prior to using a system live.
However, if you are managing pfSense at another site, at some stage you have to see if it will fly. Having a parachute on at the time is occasionally very useful. If all goes to plan it is never needed. It is all about layers of protection.
-
@patch said in Wondering how hard it can be to implement such a logic:
It is all about layers of protection.
Like routers from Cisco and others, pfSense supports a dial up modem connection, so there's always that. In fact, some of the mini PC computers, aimed at pfSense, include a serial port for that purpose. It certainly works on mine.
-
There are workarounds like temporarily allowing some other access so you can revert changes manually. It would still be nice to have a system in place that did that automatically for those times you either forget to open access or make a change that unexpectedly blocks all access.
-
Guys, don't get me wrong, there are hundreds of ways to ensure you have a "backup line"; this doesn't mean we shouldn't have "revert back in case of failure logic".
How I ended up in this situation: I changed the "default domain" of the OpenVPN (entered two domains in the field) and I really hadn't expected that this is not supported. I also thought that, if it isn't supported, OpenVPN would simply return a warning and ignore the value.
There is nothing related to pfSense in that case; it is up to the vendors of OpenVPN to clarify this as a critical or non-critical issue on the configuration and decide how to handle it - to continue, or to fail. Anyway, I'm not here to blame pfSense developers, but the opposite - to give them an idea to think of.
Meanwhile I remembered how the iXsystems guys do it - when you change network settings, you do your changes, then hit apply, because you are ready to test, then a simple timer is activated. If you don't save/confirm your changes in a timely manner, they will be reverted back (the same as Juniper, commit/confirm).
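
The confirm-or-revert timer discussed in this thread (arm, extend by some minutes, confirm, automatic revert at the deadline), sketched for a single config file as an added example that is not part of any post and is not pfSense or Netgate code. The `cc_*` function names, the `CC_STATE` directory and the idea of polling `cc_check` from cron are assumptions.

```shell
#!/bin/sh
# Added example: confirm-or-revert timer for one config file.
# CC_STATE and all cc_* names are hypothetical; keep the state directory
# root-only and outside world-writable locations such as /tmp.
CC_STATE="${CC_STATE:-$HOME/.cc-demo-state}"

# cc_arm FILE SECONDS [NOW]: snapshot FILE and record the revert deadline.
cc_arm() {
    now="${3:-$(date +%s)}"
    mkdir -p "$CC_STATE" || return 1
    chmod 700 "$CC_STATE"
    cp -p "$1" "$CC_STATE/snapshot" || return 1
    printf '%s\n' "$1" > "$CC_STATE/target"
    printf '%s\n' "$((now + $2))" > "$CC_STATE/deadline"
}

# cc_extend SECONDS: push the deadline out (the "another 10 minutes" link).
cc_extend() {
    [ -f "$CC_STATE/deadline" ] || return 1
    old=$(cat "$CC_STATE/deadline")
    printf '%s\n' "$((old + $1))" > "$CC_STATE/deadline"
}

# cc_confirm: keep the new config, disarm the timer, drop the snapshot.
cc_confirm() {
    rm -f "$CC_STATE/deadline" "$CC_STATE/target" "$CC_STATE/snapshot"
}

# cc_remaining [NOW]: seconds left, e.g. for a banner; fails when not armed.
cc_remaining() {
    [ -f "$CC_STATE/deadline" ] || return 1
    now="${1:-$(date +%s)}"
    echo "$(( $(cat "$CC_STATE/deadline") - now ))"
}

# cc_check [NOW]: poll from cron or a loop. Returns 0 only if it reverted.
cc_check() {
    left=$(cc_remaining "$@") || return 1
    [ "$left" -le 0 ] || return 1
    target=$(cat "$CC_STATE/target")
    # Copy beside the target, then rename, so a crash mid-restore cannot
    # leave a half-written config in place.
    cp -p "$CC_STATE/snapshot" "$target.cc-restore" &&
        mv -f "$target.cc-restore" "$target" || return 1
    cc_confirm
    # A real deployment would reload the affected service at this point.
    return 0
}
```

Because the deadline lives on disk and `cc_check` is polled locally, the revert still fires when the remote session that made the change has been cut off.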