    Anti lockout Setting

    • P
      phayze
      last edited by phayze

      Hi,

      I saw the setting that says “Check this box to disable anti-lockout rule on WAN”.

      I read in the manual that it only applies to LAN, but the GUI mentions WAN.

      Can I check which is correct?

      GertjanG 2 Replies Last reply Reply Quote 0
      • M
        mvikman
        last edited by

        What version are you using?

        I'm on pfSense Plus 23.05.1 and the GUI description says LAN...

        pfSense Plus 24.11-RELEASE (amd64)
        Dell Optiplex 7040 SFF
        Core i5-6500, 8GB RAM, 2x 240GB SSD (ZFS Mirror)
        HPE 561T (X540-AT2), 2-port 10Gb RJ45
        HPE 562SFP+ (X710-DA2), 2-port 10Gb SFP+

        P 1 Reply Last reply Reply Quote 0
        • P
          phayze @mvikman
          last edited by

          @mvikman Hi, using pfsense+ 23.05.1-RELEASE (amd64). My device is from netgate.

          1 Reply Last reply Reply Quote 0
          • GertjanG
            Gertjan @phayze
            last edited by

            @phayze

            'WAN' is shown if there is no <lan> ...</lan> section in the <system><interfaces> section (of the config.xml).
            Initially, when pfSense has been set up, there will be a WAN and a LAN interface.
            So, tell us : no LAN ?

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            P 1 Reply Last reply Reply Quote 0
            • P
              phayze @Gertjan
              last edited by

              @Gertjan Hi, yes. I have just found out the problem. I had renamed the <lan> and it turns out that it will show WAN when it can't find <lan>.

              planedropP 1 Reply Last reply Reply Quote 0
              • planedropP
                planedrop @phayze
                last edited by

                @phayze Makes sense, personally I just remove all the rules from the LAN interface but leave it in place in case there are issues caused by removal/renaming it like this one.

                But I also think they should change it so that this doesn't happen to the WAN interface if the LAN is renamed, could be dangerous.

                1 Reply Last reply Reply Quote 0
                • GertjanG
                  Gertjan @phayze
                  last edited by Gertjan

                  @phayze

                  From the manual :

                  if ($pconfig['interfaces_lan']) {
                  	$lockout_interface = "LAN";
                  } else {
                  	$lockout_interface = "WAN";
                  }
                  

                  So, WAN is shown if there is no 'interfaces_lan' defined == no LAN section.

                  edit :
                  check your config.xml file.
                  In the <system> .... <interfaces> there should be a <lan> section - as there is a <wan> section, and for every other interface an <opt1> <opt2> etc.

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??

                  P 1 Reply Last reply Reply Quote 0
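An added example (not part of any post in this thread, and not pfSense code): a small offline check for a config.xml backup that applies the same LAN-or-WAN decision as the PHP snippet quoted above and flags a config whose `<lan>` section has been renamed away. The function name `audit_lockout`, the sample configs and the `<webgui><noantilockout>` location of the disable checkbox are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample config (not taken from any real firewall).
CONFIG_DEFAULT = """<pfsense>
  <system><webgui><protocol>https</protocol></webgui></system>
  <interfaces>
    <wan><if>igb0</if><descr>WAN</descr></wan>
    <lan><if>igb1</if><descr>LAN</descr></lan>
    <opt1><if>igb2</if><descr>WAN2</descr></opt1>
  </interfaces>
</pfsense>"""

# The same config after hand-renaming <lan> to <wan2>, as described in the thread.
CONFIG_RENAMED = CONFIG_DEFAULT.replace("<lan>", "<wan2>").replace("</lan>", "</wan2>")


def audit_lockout(config_xml):
    """Report which interface name the quoted snippet would pick for this config."""
    root = ET.fromstring(config_xml)
    interfaces = root.find(".//interfaces")
    sections = {}
    if interfaces is not None:
        for node in interfaces:
            # Internal section name -> GUI description (falls back to the tag).
            sections[node.tag] = node.findtext("descr") or node.tag.upper()
    lan = interfaces.find("lan") if interfaces is not None else None
    # PHP's if ($pconfig['interfaces_lan']) is false for a missing or empty section.
    has_lan = lan is not None and (len(lan) > 0 or bool((lan.text or "").strip()))
    target = "LAN" if has_lan else "WAN"
    # Assumption: the "disable anti-lockout" checkbox is stored as <webgui><noantilockout/>.
    rule_disabled = root.find(".//webgui/noantilockout") is not None
    return {
        "sections": sections,
        "lockout_interface": target,
        "rule_disabled": rule_disabled,
        # Worth a manual look: the rule is active and no longer tied to LAN.
        "needs_review": target == "WAN" and not rule_disabled,
    }


if __name__ == "__main__":
    for label, cfg in (("default", CONFIG_DEFAULT), ("renamed", CONFIG_RENAMED)):
        print(label, audit_lockout(cfg))
```
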
                  • P
                    phayze @Gertjan
                    last edited by

                    @Gertjan Hi, do you have the manual link? I found out yesterday that I got that issue because I changed the <lan> name, as I am using more than 1 WAN. I do not want to see wan (lan), which is confusing, therefore I changed the <lan> to another name.

                    GertjanG 1 Reply Last reply Reply Quote 0
                    • GertjanG
                      Gertjan @phayze
                      last edited by

                      @phayze
                      Why would you change the LAN interface if some other (third) shouldn't be called OPT1, but, for example, WAN2 ?
                      Try this : don't touch your 'LAN' ^^

                      manual link?

                      pfSense is 99,9x % open source. You have your copy.

                      The URL of the file is : https://pfsense.brit-hotel-fumel.net/system_advanced_admin.php
                      This file can be found here /usr/local/www/system_advanced_admin.php

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                      P 1 Reply Last reply Reply Quote 0
                      • P
                        phayze @Gertjan
                        last edited by

                        @Gertjan Hi, I just changed the 2nd interface, which is <lan>, to <wan2>. The rest of the interfaces are default <optx>. I didn't know that <lan> is important until yesterday. I have renamed it back to <lan> already.

                        The link is not working for me. I refer to the manual that shows the below. The manual I have is the one that shows you the GUI configuration.

                        if ($pconfig['interfaces_lan']) {
                        	$lockout_interface = "LAN";
                        } else {
                        	$lockout_interface = "WAN";
                        }

                        GertjanG P 2 Replies Last reply Reply Quote 0
                        • GertjanG
                          Gertjan @phayze
                          last edited by

                          @phayze

                          Ah .... you don't want to look in your own pfSense ?

                          Ok, plan B : opensource : the source :: Github => pfSense

                          It's PHP, like Basic in the eighties.
                          It reads like this :
                          If in the configuration there is a section called "interfaces_lan"
                          then use LAN as the lockout_interface.
                          else use WAN as the lockout_interface.

                          No "help me" PM's please. Use the forum, the community will thank you.
                          Edit : and where are the logs ??

                          P 1 Reply Last reply Reply Quote 0
                          • P
                            phayze @Gertjan
                            last edited by

                            @Gertjan Hi, I still haven't reached the level yet to go that deep inside to have a look. Later I go in, mess up, and it ends up not working.

                            GertjanG 1 Reply Last reply Reply Quote 0
                            • jimpJ jimp moved this topic from Problems Installing or Upgrading pfSense Software on
                            • stephenw10S
                              stephenw10 Netgate Administrator
                              last edited by

                              You shouldn't change the internal interface names in the config like that. It can have unexpected results, like this.

                              You can rename the LAN in the GUI to whatever you want but in the config it would still be shown as <lan>.

                              Steve

                              P 1 Reply Last reply Reply Quote 0
                              • GertjanG
                                Gertjan @phayze
                                last edited by Gertjan

                                @phayze said in Anti lockout Setting:

                                mess up

                                The code snippet I showed was to show you why you see this :

                                0edae06f-0eac-4f1f-8376-05e5ca7ddd59-image.png

                                I do not want you to change any of that.

                                It was because you 'renamed' the LAN interface - in the GUI.
                                The short conclusion (might be) : don't do that.
                                So undo what you did, and use another OPTx interface for your second WAN2 purposes.

                                You can rename the LAN in the GUI to whatever you want but in the config it would still be shown as <lan>.

                                That's what I thought.
                                Still, @phayze managed to lose the LAN reference in the config, thus the lockout rule defaults to WAN.

                                No "help me" PM's please. Use the forum, the community will thank you.
                                Edit : and where are the logs ??

                                P 1 Reply Last reply Reply Quote 0
                                • stephenw10S
                                  stephenw10 Netgate Administrator
                                  last edited by

                                  Yes, I imagine OP edited the config directly to make that happen?

                                  If not that's a bug that needs to be reported.

                                  P 1 Reply Last reply Reply Quote 0
                                  • P
                                    phayze @stephenw10
                                    last edited by phayze

                                    @stephenw10 said in Anti lockout Setting:

                                    You shouldn't change the internal interface names in the config like that. It can have unexpected results, like this.

                                    You can rename the LAN in the GUI to whatever you want but in the config it would still be shown as <lan>.

                                    Steve

                                    Hi, the reason why I renamed it is because I saw "wan2 (lan)" in the graph. This confused me when wan has lan in it. I have renamed it back and it is shown properly.

                                    1 Reply Last reply Reply Quote 0
                                    • P
                                      phayze @Gertjan
                                      last edited by phayze

                                      @Gertjan said in Anti lockout Setting:

                                      @phayze said in Anti lockout Setting:

                                      mess up

                                      The code snippet I showed was to show you why you see this :

                                      0edae06f-0eac-4f1f-8376-05e5ca7ddd59-image.png

                                      I do not want you to change any of that.

                                      It was because you 'renamed' the LAN interface - in the GUI.
                                      The short conclusion (might be) : don't do that.
                                      So undo what you did, and use another OPTx interface for your second WAN2 purposes.

                                      You can rename the LAN in the GUI to whatever you want but in the config it would still be shown as <lan>.

                                      That's what I thought.
                                      Still, @phayze managed to lose the LAN reference in the config, thus the lockout rule defaults to WAN.

                                      Hi, this happened because I renamed the <lan> to another name in the config.xml. The interfaces in the config need to have at least one <lan> interface for this config to show "LAN". I shouldn't have edited the config.xml file, which caused this type of issue.

                                      1 Reply Last reply Reply Quote 0
                                      • P
                                        phayze @stephenw10
                                        last edited by phayze

                                        @stephenw10 said in Anti lockout Setting:

                                        Yes, I imagine OP edited the config directly to make that happen?

                                        If not that's a bug that needs to be reported.

                                        Hi, I feel that maybe the anti-lockout rule could have an option to choose which interface to apply on. This allows better control instead of defaulting to WAN when <lan> is missing. And of course, if the config.xml file is not manually edited, this type of issue won't happen. There are many ways to look at it.

                                        1 Reply Last reply Reply Quote 0
                                        • P
                                          Patch @phayze
                                          last edited by

                                          @phayze said in Anti lockout Setting:

                                          Hi, I just changed the 2nd interface, which is <lan>, to <wan2>. The rest of the interfaces are default <optx>. I didn't know that <lan> is important until yesterday. I have renamed it back to <lan> already.

                                          Assuming you have a

                                          • Primary WAN
                                          • Secondary WAN
                                          • Local area network connection

                                          And would like your internal names to be
                                          WAN - Primary WAN
                                          LAN - Your local area network connection
                                          OPT1 - Your secondary WAN, GUI name "WAN2"

                                          I suspect you could do that by

                                          1. Back up your configuration so you can recover if this fails
                                          2. Unplug your secondary WAN
                                          3. Add an explicit GUI firewall rule to your current secondary Wan and Lan interface
                                          4. Reassign / swap the interfaces for Lan & secondary Wan (pfsense -> interfaces -> assignment)
                                          5. Rename the GUI names for LAN and Wan2
                                          6. Correct / move firewall rules etc
                                          7. Save your pfsense backup again
                                          P 1 Reply Last reply Reply Quote 0
                                          • P
                                            phayze @Patch
                                            last edited by phayze

                                            @Patch said in Anti lockout Setting:

                                            @phayze said in Anti lockout Setting:

                                            Hi, I just changed the 2nd interface, which is <lan>, to <wan2>. The rest of the interfaces are default <optx>. I didn't know that <lan> is important until yesterday. I have renamed it back to <lan> already.

                                            Assuming you have a

                                            • Primary WAN
                                            • Secondary WAN
                                            • Local area network connection

                                            And would like your internal names to be
                                            WAN - Primary WAN
                                            LAN - Your local area network connection
                                            OPT1 - Your secondary WAN, GUI name "WAN2"

                                            I suspect you could do that by

                                            1. Back up your configuration so you can recover if this fails
                                            2. Unplug your secondary WAN
                                            3. Add an explicit GUI firewall rule to your current secondary Wan and Lan interface
                                            4. Reassign / swap the interfaces for Lan & secondary Wan (pfsense -> interfaces -> assignment)
                                            5. Rename the GUI names for LAN and Wan2
                                            6. Correct / move firewall rules etc
                                            7. Save your pfsense backup again

                                            Hi, I have done it and the problem is solved. Thank you.

                                            1 Reply Last reply Reply Quote 0
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.