Netgate Discussion Forum

"Reset to factory defaults" at console doesn't work (solution)

  • S
    SteveITS Galactic Empire
    last edited by SteveITS Jul 6, 2023, 8:56 PM Jul 6, 2023, 8:48 PM

    I was trying to reset a 2100 which had been configured with VLANs to isolate the LAN ports, and static public IP subnets on WAN and LAN, plus private on other interfaces. I used console option "4) Reset to factory defaults."

    What I observed was (all at the console):

    • Setting WAN to DHCP and setting a LAN IP worked, but in the background pfSense did not remove the static IPs from WAN or LAN; it added more
    • The default route was still set to the original static public WAN IP gateway (per netstat -r)
    • Same thing with LAN, setting an IP did not remove the old IPs or VLANs, and DHCP was not serving IPs on LAN1-4
    • Assigning interfaces choosing to configure VLANs, and not configuring any, did not remove the VLANs as it noted ("WARNING: all existing VLANs will be cleared if you proceed!")
    • With an invalid default route, console option 4 appears to hang at:
    Enter an option: 4
    
    You are about to reset the firewall to factory defaults.
    The firewall will reboot after resetting the configuration.
    All additional packages installed will be removed.
    Do you want to proceed [y|n]? y
    

    I waited as long as a couple minutes or thereabouts. I could CTRL+C to abort.

    After I added a route via route change default 10.0.0.1 then I could ping out and DNS worked, and console option 4 shows this extra message after a few seconds:

    Enter an option: 4
    
    You are about to reset the firewall to factory defaults.
    The firewall will reboot after resetting the configuration.
    All additional packages installed will be removed.
    Do you want to proceed [y|n]? y
    
    Netgate pfSense Plus is rebooting now.
    

    My theory is, the menu/script is trying to make DNS lookups or otherwise connect out, and can't. It may have timed out and continued if I waited longer? It didn't show any sort of timeout error. I would have thought option 4 would swap out a default config file and reboot, and not need to connect out to anything.

    So, is this a bug? I doubt it's specific to the 2100 so I posted this here.

    VLAN assignment and ifconfig output for reference:

    Enter an option: 1
    
    
    Valid interfaces are:
    
    mvneta0 00:e0:ed:bc:dd:ec   (up) NETA controller
    mvneta1 00:e0:ed:bc:dd:ed   (up) NETA controller
    
    Do VLANs need to be set up first?
    If VLANs will not be used, or only for optional interfaces, it is typical to
    say no here and use the webConfigurator to configure VLANs later, if required.
    
    Should VLANs be set up now [y|n]? y
    
    WARNING: all existing VLANs will be cleared if you proceed!
    
    Do you want to proceed [y|n]? y
    
    
    
    VLAN Capable interfaces:
    
    mvneta0 00:e0:ed:bc:dd:ec   (up)
    mvneta1 00:e0:ed:bc:dd:ed   (up)
    
    Enter the parent interface name for the new VLAN (or nothing if finished):
    
    
    VLAN interfaces:
    
    mvneta1.4094    VLAN tag 4094, parent interface mvneta1
    mvneta1.4093    VLAN tag 4093, parent interface mvneta1
    mvneta1.4092    VLAN tag 4092, parent interface mvneta1
    mvneta1.4091    VLAN tag 4091, parent interface mvneta1
    mvneta1.4090    VLAN tag 4090, parent interface mvneta1
    
    If the names of the interfaces are not known, auto-detection can
    be used instead. To use auto-detection, please disconnect all
    interfaces before pressing 'a' to begin the process.
    
    Enter the WAN interface name or 'a' for auto-detection
    (mvneta0 mvneta1 mvneta1.4094 mvneta1.4093 mvneta1.4092 mvneta1.4091 mvneta1.4090 or a): mvneta0
    
    Enter the LAN interface name or 'a' for auto-detection
    NOTE: this enables full Firewalling/NAT mode.
    (mvneta1 mvneta1.4094 mvneta1.4093 mvneta1.4092 mvneta1.4091 mvneta1.4090 a or nothing if finished): mvneta1
    
    Enter the Optional 1 interface name or 'a' for auto-detection
    (mvneta1.4094 mvneta1.4093 mvneta1.4092 mvneta1.4091 mvneta1.4090 a or nothing if finished):
    
    The interfaces will be assigned as follows:
    
    WAN  -> mvneta0
    LAN  -> mvneta1
    
    Do you want to proceed [y|n]? y
    
    Writing configuration...done.
    One moment while the settings are reloading... done!
    route: writing to routing socket: Network is unreachable
    Netgate 2100                             Netgate Device ID: xxxxxxxxxx
    Serial: xxxxxx                            Netgate Crypto ID: xxxxxxxxxxx
    
    *** Welcome to Netgate pfSense Plus 23.05-RELEASE (arm64) on router ***
    
     Current Boot Environment:  default
        Next Boot Environment:  default
    
     WAN (wan)       -> mvneta0    -> v4/DHCP4: 10.0.0.77/24
                                      v6/DHCP6: 2601:249:300:x:x:x:x:ddec/64
     LAN (lan)       -> mvneta1    -> v4: 192.168.1.1/24
    (...)
    [23.05-RELEASE][admin@router]/root: netstat -r
    Routing tables
    
    Internet:
    Destination        Gateway            Flags     Netif Expire
    default            64.x.x.x.rdns. UGS     mvneta0
    
    (...)
    [23.05-RELEASE][admin@router]/root: ifconfig
    mvneta0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1500
            description: WAN
            options=800b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE>
            ether 00:e0:ed:bc:dd:ec
            inet6 fe80::2e0:edff:febc:ddec%mvneta0 prefixlen 64 scopeid 0x1
            inet6 2607:x::x prefixlen 125 vhid 155
            inet6 2601:249:300:x::1a52 prefixlen 128
            inet 10.0.0.77 netmask 0xffffff00 broadcast 10.0.0.255
            inet 64.x.x.x netmask 0xfffffff8 broadcast 64.x.x.x vhid 150
            
    
    

    Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
    When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
    Upvote 👍 helpful posts!

    • S
      stephenw10 Netgate Administrator
      last edited by Jul 6, 2023, 10:15 PM

      Hmm, odd. What pfSense version was that?

      I wouldn't expect any connectivity to be required for that. It copies in the default config and reboots into it. Or it should at least!

      I tested that on the 2100 in 21.05.1 and it worked as expected.
      Did you see any errors logged?

      Steve

      • S
        SteveITS Galactic Empire @stephenw10
        last edited by SteveITS Jul 6, 2023, 11:47 PM Jul 6, 2023, 11:43 PM

        @stephenw10 23.05, the forum code tag makes the pane scrollable but it’s there. I didn’t upgrade first, the public IPs are for our data center so it couldn’t connect out. I wanted to get it back to being online. (This was a temp backup router for a week)

        Yes I could have changed IPs on my laptop but figured it wasn’t necessary, then beat my head against the wall a bit before realizing I had gotten into a state where I couldn’t connect over the LAN ports so had to finish.

        You can see in the code output it just stops after the y/n question. No error at that point. One thing I didn’t try was wait a long time. Maybe it eventually times out.

        I have one 4860 to restore tomorrow after a reinstall, will try again though a different situation.

        Is changing WAN to DHCP supposed to remove the static IP? I would have thought so… (the 64.x.x.x and 2607:x::x IPs)

        • S
          stephenw10 Netgate Administrator
          last edited by Jul 7, 2023, 12:28 AM

          Yes I would expect it to remove the IP on the interface. It wouldn't remove VIPs.

          It sounds like that unit might have had other issues and it never completed the reset. That definitely worked in 23.05 on the 2100.

          Steve

          • S
            SteveITS Galactic Empire @stephenw10
            last edited by Jul 7, 2023, 12:32 AM

            @stephenw10 Ah some of those were VIPs and it had CARP for them. Still the default gw/route ought to be tied to the primary WAN. Will see for the next one.

            FYI I didn’t receive an email for either of your posts, not in quarantine either.

            • S
              SteveITS Galactic Empire @SteveITS
              last edited by Jul 7, 2023, 12:36 AM

              @SteveITS never mind just got the email for the second one.

              • S
                SteveITS Galactic Empire @stephenw10
                last edited by Jul 7, 2023, 2:52 AM

                @stephenw10 OK so it appears I was not patient enough. 🤕 😥 Since I was wiping the HA pair anyway (the 4860) I tried console option 4 on it. It did work but it took about 4-5 minutes. I timed it but not exactly just using the PC clock.

                One other notable thing on at least the first boot was this long pause. It might have been around the same 4-5 minutes:

                Starting CRON... done.
                 Starting package bandwidthd...done.
                 Starting package OpenVPN Client Export Utility...done.
                 Starting package System Patches...done.
                 Starting package IPsec Profile Wizard...done.
                 Starting package freeradius3...done.
                			[<-- long delay and blank line here]
                 Starting package suricata...done.
                 Starting package pfBlockerNG...done.
                 Starting /usr/local/etc/rc.d/pfb_dnsbl.sh...done.
                 Starting /usr/local/etc/rc.d/pfb_filter.sh...done.
                Netgate pfSense Plus 23.05-RELEASE amd64 Mon May 22 15:04:36 UTC 2023
                Bootup complete
                

                After the config reset those are still there but without the delay or blank line, in a different order:

                Starting CRON... done.
                 Starting package bandwidthd...done.
                 Starting package freeradius3...done.
                 Starting package IPsec Profile Wizard...done.
                 Starting package OpenVPN Client Export Utility...done.
                 Starting package pfBlockerNG...done.
                 Starting package suricata...done.
                 Starting package System Patches...done.
                 Starting /usr/local/etc/rc.d/pfb_dnsbl.sh...done.
                 Starting /usr/local/etc/rc.d/pfb_filter.sh...done.
                Netgate pfSense Plus 23.05-RELEASE amd64 Mon May 22 15:04:36 UTC 2023
                

                That may just be random, I confess I don't watch the console much. :)

                Interestingly System/Packages shows all previously installed packages are still installed, though unconfigured. Option 4 specifically says "All additional packages installed will be removed." Sounds either like incorrect advice or a bug there?

                • S
                  stephenw10 Netgate Administrator
                  last edited by Jul 7, 2023, 2:26 PM

                  Yeah, the actual packages may remain but I would not expect to see them in the menus, is that right?

                  That does seem like a bug though, the packages should be uninstalled.

                  • S
                    stephenw10 Netgate Administrator
                    last edited by stephenw10 Jul 7, 2023, 2:28 PM Jul 7, 2023, 2:27 PM

                    Ha, like this: https://redmine.pfsense.org/issues/14378

                    Though there I only saw it when using the button. Which is odd since that should run the same scripts.

                    • S
                      SteveITS Galactic Empire @stephenw10
                      last edited by Jul 7, 2023, 2:35 PM

                      @stephenw10 :) I added my note.

                      They were in the menus because I could click and verify they were unconfigured as if they were newly installed (or the config removed, which was the goal).

                      I'm going to work with the 2100 some more when I have time. I think there are a couple of issues w/r/t restores and interfaces but want to understand/replicate.

                      • S
                        stephenw10 Netgate Administrator
                        last edited by Jul 7, 2023, 2:38 PM

                        Do you also see the packages get re-installed in the logs?

                        • S
                          SteveITS Galactic Empire @stephenw10
                          last edited by Jul 7, 2023, 2:43 PM

                          @stephenw10 Last night I was only looking at the console, and then when done testing I reinstalled to get ZFS. I did not notice it installing packages but it doesn't mean it didn't. I can look on the 2100. Where would it show?

                          • S
                            stephenw10 Netgate Administrator
                            last edited by Jul 7, 2023, 2:48 PM

                            You can see it in the boot log I attached on that ticket: https://redmine.pfsense.org/attachments/5025

                            It loads the default config but then reinstalls all the previous packages.

                            Steve

                            • S
                              SteveITS Galactic Empire @stephenw10
                              last edited by Jul 7, 2023, 2:55 PM

                              @stephenw10 I see it, will look.

                              I wonder if it's tied to the "reinstall all packages after an upgrade" code which was new in 22.01.

                              • S
                                SteveITS Galactic Empire @stephenw10
                                last edited by Jul 7, 2023, 5:46 PM

                                I tried the console factory default on the same 2100, with a valid Internet connection. It had no delay.

                                I then installed apcupsd via the GUI, and reset to defaults again. Afterwards the package was not installed. So, not sure what the difference was between yesterday and today.

                                I doubt the hardware (and hence ADI vs Arm) matters. Possibly, is an Internet connection required to remove a package? (callback to my 4m delay above) Or "many" packages or certain packages are handled differently than one package (seems unlikely)?
