SG-1100 always that flaky or I got a dud?
-
@yannb said in SG-1100 always that flaky or I got a dud?:
Is there anything in the IVPN setup I linked above that could brick the router?
I've configured a lot of VPN types already and haven't broken the stuff so far ...so my answer is if the config is good then it works
@yannb "I'm comfortable with shell etc. (front-end web engineer…)"
you didn't say that at the beginning, just that you are a noob...let's go and then press the console...
BTW:
but you know that NGFW is not a web...
philosophy needs to be learned, so feel free to read the curriculum as well -
If it's not booting for some reason you need to connect to the console to see why.
Even if you choose to default the config or to reinstall you need to connect to the console.
The only thing you can do without the console is to have it pull in a config file from a USB stick if you have a backup of a working config.
The fact the OpenVPN client service did not restart and that it seems to be failing to boot but not boot-looping makes me think it may be configured with a client setup that needs a password but one was not added. In that situation when the client starts at boot it will be waiting for a password at the console.
This instruction on their site is incorrect:
Only your account ID is used for authentication. The password field can be left empty or set to anything if your client software requires a non-blank password.
That's clearly copy/pasted from generic instructions. You need to enter a password there even if the server end ignores it.
You should never need to reboot to get an OpenVPN connection up. You might need to clear the state table to get your client routed over the new connection.
They have you remove the outbound NAT rule on the WAN for the LAN subnet which is a bad design IMO. They don't talk about changing or setting the default gateway or adding policy routing. I would choose to leave the default as WAN and policy route clients that need it over the VPN.
Much of that is discussed in our hangout on this here:
https://www.youtube.com/watch?v=lp3mtR4j3Lw
Steve
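Added example, not part of the original post or of any pfSense or IVPN material: a shell check for the condition described above, where an OpenVPN client config points at credentials with no password and the client stops at a console prompt when started at boot. The function name, file names and account ID placeholder are constructed for illustration; the caller passes in the config path.

```shell
#!/bin/sh
# Added example: flags an OpenVPN client config that will stop at a console
# password prompt when started unattended (for example at boot).

# check_auth_prompt CONFIG -> prints a verdict; returns 0 = starts unattended,
# 1 = would prompt on the console, 2 = credentials file missing or unreadable.
check_auth_prompt() {
    conf=$1
    # Take the last auth-user-pass directive; commented-out lines do not match.
    line=$(grep -E '^[[:space:]]*auth-user-pass([[:space:]]|$)' "$conf" | tail -n 1)
    if [ -z "$line" ]; then
        echo "ok: no auth-user-pass directive"; return 0
    fi
    # Optional second field is the credentials file (username, then password).
    up=$(printf '%s\n' "$line" | awk '{print $2}')
    if [ -z "$up" ]; then
        echo "prompt: auth-user-pass without a credentials file"; return 1
    fi
    if [ ! -r "$up" ]; then
        echo "error: cannot read credentials file $up"; return 2
    fi
    # A missing second line makes OpenVPN ask for the password interactively;
    # this check treats an empty second line the same way.
    pass=$(sed -n '2p' "$up")
    if [ -z "$pass" ]; then
        echo "prompt: password line missing in $up"; return 1
    fi
    echo "ok: username and password present in $up"; return 0
}

# Constructed sample: account ID only, password left blank.
demo=$(mktemp -d)
printf 'ACCOUNT-ID-PLACEHOLDER\n' > "$demo/client1.up"
printf 'client\ndev tun\nauth-user-pass %s\n' "$demo/client1.up" > "$demo/client1.conf"
check_auth_prompt "$demo/client1.conf" || true
# Same config after putting any placeholder password on line 2.
printf 'ACCOUNT-ID-PLACEHOLDER\nplaceholder\n' > "$demo/client1.up"
check_auth_prompt "$demo/client1.conf"
rm -rf "$demo"
```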
-
@stephenw10 THANKS!!
I'm following the Connecting to the Console Port instructions. I'm on OS X Catalina, using
sudo screen /dev/cu.usbserial 115200
in iTerm but I don't see anything about what the default password is in the docs.
Also… on the next page, it says I need to open a ticket to reinstall pfsense. There's no way I can just reset it to factory settings?
Thanks!
-
You need to open a ticket to get the Image...it's free and fast.
-Rico
-
@yannb The password for the console access is your account password from the OSX account. That threw me too, the first few times I tried.
And, if you get in thru the console successfully, yes, you can factory reset in there.
-
@akuma1x oh… I'm too used to logging in to stuff over the net
The process is on my Mac I guess. That makes sense. Thanks!!!
-
@stephenw10 You're a mad genius!!
After getting the console via USB thing sorted out and restarting my SG-1100, I could see it get stuck on:
t upnee iroode...e.Cfiuring opbac ia.dn.n nuiniacs.ofurinVLA ntrfcsd. igrinQ ierfaces.doofcintrfac.ne CfinA etio.teae..de. Cr ial.d.n..nuh Passwrd:
Entered my IVPN password and it kept on starting up and I can log back in the GUI.
Side note: the console output is supposed to be in English? Is that how it's supposed to look?
Also, can I just unplug the USB thing straight up or do I have to quit the screen process first somehow?
Thankfully I could understand the Passwrd part
I guess I'll go watch that YouTube video you hooked me up with… Thanks again!!
I didn't have to reinstall anything…
-
No it's not supposed to look like that.
When you see that in OSX it's almost always because there is more than one thing trying to access the com port at the same time. It's easy to create two terminal connections to it when you first try this. You can kill the processes or just reboot the Mac and re-connect and it will probably be fine.
However you can just about see that it's asking for a password after configuring the interfaces which is exactly where I would expect it to stop when it tries to bring up the OpenVPN client with no password set. Since there is no valid password required you should just be able to enter anything there and it will continue to boot. Then you can set something bogus in the client setup via the gui. Edit: Which I see you did.
Steve
-
Hi,
There’s nothing wrong with that first highlight, everyone starts like...noob.
the second highlight, well I haven't seen anyone who has learned to use pfSense in 3 days...
That's funny. I'm a couple of months into pfSense and I'm still breaking it, probably weekly. Still a rookie but have become a pro at console, usb-restore :)
-
@pi said in SG-1100 always that flaky or I got a dud?:
That’s funny. I’m a couple of months into pfSense and I’m still breaking it, probably weekly.
Unfortunately, I can't do that anymore because there are a lot of production environments in which we use pfSense.
All success can be gained through a lot of experience
Go for it...