NEW WAN port has anti-lockout firewall rule, Why?
-
Yes it was. First try I just changed it and configured the port to WAN and went on. When I discovered this issue I deleted the interface, then re-added it but it still came back with the anti-lockout entries. It's also a bit confusing why I can't actually access the Webgui from outside, given the fact the entries are there, Confused why but still glad it's doesn't seem to be accessible, but CAN I BE SURE? That's why I want to get this fixed. Regardless, Seems like a bug.
FYI, pfsense is running on a dell server with 2 internal ethernet ports and a 4 port ethernet card. I have 2 live networks and a couple of test/lab networks. Before all of this 1 port of the internal ethernet was WAN and all the others were LAN. I switched the 2nd internal port to WAN to set up the fallover.
I've been using pfsense for 4 or 5 years and I'm fairly comfortable with it, the problem is sometimes I go months without touching it much other that a quick look a how things are doing, so I have to relearn/refresh.
One idea I had was to add my own entries for anti-lockout and check the box to stop the auto entries, which is doable but I wonder if it will pickup and delete this problem item. Maybe I'd have to change it back to LAN temporarily????
I'd rather avoid a full re-install if possible.
Thanks for you help,
Scott -
Not sure if this works, but I'll try to upload a screenshot.
image url) -
-
So how do I fix it? Any suggestions?
-
@sawilson Delete the interface completely and re-create it is the most effective way to remove the rule...
-
Also there's a System menu setting for it.
-
@sawilson said in NEW WAN port has anti-lockout firewall rule, Why?:
add my own entries for anti-lockout and check the box to stop the auto entries, which is doable but I wonder if it will pickup and delete this problem item
You can definitely create your own rules. I was going to suggest unchecking the system setting box, and checking it again, to see if it moves. Interesting though, on that screen it specifically mentions LAN, and you do not have an interface named LAN correct?
The 60 K on the rule indicates some traffic has matched the rule.
-
Ryan,
Tried deleting the interface and re-adding it. The entries come back.
As far as the system setting, as I previously asked, One idea I had was to add my own entries for anti-lockout and check the system box to stop the auto entries, which is doable but I wonder if it will pickup and delete this problem item on a WAN port (the description for the entry only speaks of LAN ports). Maybe I'd have to change it back to LAN temporarily????
S.
-
Steve,
The system setting is unchecked to create the entries and checked to stop it. LAN, as I understand it is the type of interface rather than the name. It should obviously ONLY create this auto entry for LAN and never for WAN. This interface was LAN but now is WAN but these anti-lockout firewall entries seem to be "sticky", there even after deleting and reconfiguring the interface.
I'm leaning towards creating my own entries and checking the box to see if that fixes it.
S.
-
@sawilson said in NEW WAN port has anti-lockout firewall rule, Why?:
The entries come back.
@rcoleman-netgate said in NEW WAN port has anti-lockout firewall rule, Why?:
Also there's a System menu setting for it.
-
@sawilson Sorry if I wrote it backwards. I meant, toggle it the other way, then back again.
It doesn't create them for all LANs (interfaces without a gateway), for example our office doesn't have it for our lab network. So it might actually be tied to the name LAN...? (edit: or in your case what was LAN, if it saved the interface the first time around)
-
Steve and to All,
Steve: I see what you're saying, I have 4 "LAN" ports and it only added the rule to one, maybe it just does it during the install to the default LAN port. I guess the idea is of the auto entry is to make sure you have access to configure initially and the rest is up to you.
I actually had added my own pass entries previously, so I just ticked the box in system and Voila! they went away.
Thanks everyone for your help and suggestions,
Scott