Anti lockout Setting

Gertjan

@phayze
Why would you change the LAN interface if some other (third) shouldn't be called OPT1, buyt, for example, WAN2 ?
Try this : don't touch your 'LAN' ^^

manual link?

pfSense is 99,9x % open source. You have your copy.

The URL of the file is : https://pfsense.brit-hotel-fumel.net/system_advanced_admin.php
This file can be found here /usr/local/www/system_advanced_admin.php

phayze

@Gertjan Hi, i just change the 2nd interface which is <lan> to <wan2>. The rest of the interface is default to <optx>. I didnt know that <lan> is important until yesterday. I had rename back to <lan> already.

The link is not working for me. I refer to the manual that show the below. The manual i have is the one that show you the GUI configuration.

if ($pconfig['interfaces_lan']) {
$lockout_interface = "LAN";
} else {
$lockout_interface = "WAN";
}

Gertjan

@phayze

Ah .... you don't want to look in your own pfSense ?

Ok, plan B : opensource : the source :: Github => pfSense

It's PHP, like Basic in the eighties.
It reads like this :
If in the configureation their is a sction called "interfaces_lan"
then use LAN as the lockout_interface.
else use WAN as the lockout_interface.

phayze

@Gertjan Hi, i still haven’t reach the level yet to go that deep inside to have a look. Later go in, mess up, end up cannot work.

stephenw10

You shouldn't change the internal interface names in the config like that. It can have unexpected results, like this.

You can rename the LAN in the GUI to whatever you want but in the config it would still be shown as <lan>.

Steve

Gertjan

@phayze said in Anti lockout Setting:

mess up

The code snipped I've showed was to show you why you see this :

I do not want you to change any of that.

It was because you 'renamed' the LAN interface - in the GUI.
The short conclusion (might be) : don't do that.
So undo what you did, and use another OPTx interface for your second WAN2 purposes.

You can rename the LAN in the GUI to whatever you want but in the config it would still be shown as <lan>.

That's what I thought.
Still, @phayze managed to loose the LAN reference in the config, thus the lockout rule defaults to WAN.

stephenw10

Yes, I imagine OP edited the config directly to make that happen?

If not that's a bug that needs to be reported.

phayze

@stephenw10 said in Anti lockout Setting:

You shouldn't change the internal interface names in the config like that. It can have unexpected results, like this.

You can rename the LAN in the GUI to whatever you want but in the config it would still be shown as <lan>.

Steve

Hi, the reason why i rename because i saw "wan2 (lan)" in the graph. This confused me when wan has lan in it. I have renamed it back and it is shown properly.

phayze

@Gertjan said in Anti lockout Setting:

@phayze said in Anti lockout Setting:

mess up

The code snipped I've showed was to show you why you see this :

I do not want you to change any of that.

It was because you 'renamed' the LAN interface - in the GUI.
The short conclusion (might be) : don't do that.
So undo what you did, and use another OPTx interface for your second WAN2 purposes.

You can rename the LAN in the GUI to whatever you want but in the config it would still be shown as <lan>.

That's what I thought.
Still, @phayze managed to loose the LAN reference in the config, thus the lockout rule defaults to WAN.

Hi, this happened because i rename the <lan> to another name in the config.xml. The interface in the config need to have at least one <lan> interface for this config to show "LAN". I shouldn't have edit the config.xml file which cause this type of issue.

phayze

@stephenw10 said in Anti lockout Setting:

Yes, I imagine OP edited the config directly to make that happen?

If not that's a bug that needs to be reported.

Hi, i feel that maybe the anti-lockout rule can have option to choose which interface to apply on. This allow better control instead of defaulting to WAN when <lan> is missing. And of course, if the config.xml file is not manually edited, this type of issue won't happen. There are many ways to look at it.

Patch

@phayze said in Anti lockout Setting:

Hi, i just change the 2nd interface which is <lan> to <wan2>. The rest of the interface is default to <optx>. I didnt know that <lan> is important until yesterday. I had rename back to <lan> already.

Assuming you have a

• Primary WAN
• Secondary WAN
• Local area network connection

And would like you internal names to be
WAN - Primary WAN
LAN - Your local area network connection
OPT1 - Your secondary WAN, GUI name "WAN2"

I suspect you could do that by

1. Back up your configuration so you can recover is this fails
2. Unplug your secondary WAN
3. Add a explicit GUI firewall rule to your current secondary Wan and Lan interface
4. Reassign / swap the interfaces for Lan & secondary Wan (pfsense -> interfaces -> assignment)
5. Rename the GUI names for LAN and Wan2
6. Correct / move firewall rules etc
7. Save your pfsense backup again

phayze

@Patch said in Anti lockout Setting:

@phayze said in Anti lockout Setting:

Hi, i just change the 2nd interface which is <lan> to <wan2>. The rest of the interface is default to <optx>. I didnt know that <lan> is important until yesterday. I had rename back to <lan> already.

Assuming you have a

• Primary WAN
• Secondary WAN
• Local area network connection

And would like you internal names to be
WAN - Primary WAN
LAN - Your local area network connection
OPT1 - Your secondary WAN, GUI name "WAN2"

I suspect you could do that by

1. Back up your configuration so you can recover is this fails
2. Unplug your secondary WAN
3. Add a explicit GUI firewall rule to your current secondary Wan and Lan interface
4. Reassign / swap the interfaces for Lan & secondary Wan (pfsense -> interfaces -> assignment)
5. Rename the GUI names for LAN and Wan2
6. Correct / move firewall rules etc
7. Save your pfsense backup again

Hi, i had done it and the problem is solved. Thank you.