Netgate Discussion Forum

    NEW WAN port has anti-lockout firewall rule, Why?

    sawilson

      Please excuse the newbie question.

      I recently changed one of my LAN ports to a second WAN port to allow me to set up a dual-WAN failover. I got everything working for the failover, but when I was working I noticed that the new WAN port has the system anti-lockout entries in its firewall entries. Why would a WAN port have that entry? I've looked everywhere I can think of for a setting to change it and, of course, pfSense won't let me delete them directly. Any ideas what's up?

      A few more details:

      • My original WAN port doesn't have the entries, just the newly added one has them.
      • I've never, as far as I know, set up any WAN access to the GUI, local network only
      • I've actually tried to access this from an external internet connection and it isn't allowing access (thank goodness).
      • This was previously a LAN port, so I wondered if maybe this is stuck even after I changed it to WAN???
      • Tried deleting and re-adding the interface, still the same.

      Any help or suggestions would be appreciated.

      Best,
      Scott

      rcoleman-netgate (Netgate) @sawilson

        @sawilson Was your new WAN your old LAN?

        Ryan
        Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
        Requesting firmware for your Netgate device? https://go.netgate.com
        Switching: Mikrotik, Netgear, Extreme
        Wireless: Aruba, Ubiquiti

        sawilson

          Yes it was. First try I just changed it and configured the port to WAN and went on. When I discovered this issue I deleted the interface, then re-added it, but it still came back with the anti-lockout entries. It's also a bit confusing why I can't actually access the webGUI from outside, given the fact the entries are there. Confused why, but still glad it doesn't seem to be accessible, but CAN I BE SURE? That's why I want to get this fixed. Regardless, seems like a bug.

          FYI, pfSense is running on a Dell server with 2 internal Ethernet ports and a 4-port Ethernet card. I have 2 live networks and a couple of test/lab networks. Before all of this, 1 port of the internal Ethernet was WAN and all the others were LAN. I switched the 2nd internal port to WAN to set up the failover.

          I've been using pfSense for 4 or 5 years and I'm fairly comfortable with it; the problem is sometimes I go months without touching it much, other than a quick look at how things are doing, so I have to relearn/refresh.

          One idea I had was to add my own entries for anti-lockout and check the box to stop the auto entries, which is doable, but I wonder if it will pick up and delete this problem item. Maybe I'd have to change it back to LAN temporarily????

          I'd rather avoid a full re-install if possible.

          Thanks for your help,
          Scott

          sawilson

            Not sure if this works, but I'll try to upload a screenshot.

            (screenshot attachment: Screenshot 2023-08-15 130200.jpg)

            rcoleman-netgate (Netgate) @sawilson

              @sawilson said in NEW WAN port has anti-lockout firewall rule, Why?:

              Yes it was

              That is why.

              Ryan

              sawilson

                So how do I fix it? Any suggestions?

                rcoleman-netgate (Netgate) @sawilson

                  @sawilson Deleting the interface completely and re-creating it is the most effective way to remove the rule...

                  Ryan

                    rcoleman-netgate (Netgate) @rcoleman-netgate

                    Also there's a System menu setting for it. 😄

                    Ryan

                      SteveITS (Rebel Alliance) @sawilson

                      @sawilson said in NEW WAN port has anti-lockout firewall rule, Why?:

                      add my own entries for anti-lockout and check the box to stop the auto entries, which is doable but I wonder if it will pickup and delete this problem item

                      You can definitely create your own rules. I was going to suggest unchecking the system setting box, and checking it again, to see if it moves. Interesting though, on that screen it specifically mentions LAN, and you do not have an interface named LAN, correct?

                      The 60 K on the rule indicates some traffic has matched the rule.

                      Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                      When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.
                      Upvote 👍 helpful posts!

                        sawilson

                        Ryan,

                        Tried deleting the interface and re-adding it. The entries come back.

                        As far as the system setting, as I previously asked, one idea I had was to add my own entries for anti-lockout and check the system box to stop the auto entries, which is doable, but I wonder if it will pick up and delete this problem item on a WAN port (the description for the entry only speaks of LAN ports). Maybe I'd have to change it back to LAN temporarily????

                        S.

                          sawilson

                          Steve,

                          The system setting is unchecked to create the entries and checked to stop it. LAN, as I understand it, is the type of interface rather than the name. It should obviously ONLY create this auto entry for LAN and never for WAN. This interface was LAN but now is WAN, but these anti-lockout firewall entries seem to be "sticky", there even after deleting and reconfiguring the interface.

                          I'm leaning towards creating my own entries and checking the box to see if that fixes it.

                          S.

                            rcoleman-netgate (Netgate) @sawilson

                            @sawilson said in NEW WAN port has anti-lockout firewall rule, Why?:

                            The entries come back.

                            @rcoleman-netgate said in NEW WAN port has anti-lockout firewall rule, Why?:

                            Also there's a System menu setting for it.

                            Ryan

                              SteveITS (Rebel Alliance) @sawilson

                              @sawilson Sorry if I wrote it backwards. I meant, toggle it the other way, then back again.

                              It doesn't create them for all LANs (interfaces without a gateway), for example our office doesn't have it for our lab network. So it might actually be tied to the name LAN...? (edit: or in your case what was LAN, if it saved the interface the first time around)


                                sawilson

                                Steve and to All,

                                Steve: I see what you're saying. I have 4 "LAN" ports and it only added the rule to one; maybe it just does it during the install to the default LAN port. I guess the idea of the auto entry is to make sure you have access to configure initially and the rest is up to you.

                                I actually had added my own pass entries previously, so I just ticked the box in system and Voila! they went away.

                                Thanks everyone for your help and suggestions,
                                Scott
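
The behaviour the thread converges on (the automatic rule follows the interface's config key, not the "LAN"/"WAN" role shown in the GUI) can be checked offline against a config.xml backup. The script below is an added example, not code from the thread or from pfSense; it assumes pfSense's config.xml layout (`<interfaces><lan>...`, `<system><webgui><noantilockout/>`) and the constructed excerpt is not a real device's configuration.

```python
import xml.etree.ElementTree as ET

# Constructed pfSense-style config.xml excerpt (not a real device's config).
# The interface under the config key <lan> is described as "WAN2" and has an
# upstream gateway: the situation described in the thread.
CONFIG_XML = """<pfsense>
  <system><webgui><protocol>https</protocol><port>443</port></webgui></system>
  <interfaces>
    <wan><descr>WAN</descr><if>em0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><descr>WAN2</descr><if>em1</if><ipaddr>198.51.100.2</ipaddr>
         <subnet>24</subnet><gateway>WAN2GW</gateway></lan>
    <opt1><descr>LAB</descr><if>em2</if><ipaddr>10.10.0.1</ipaddr><subnet>24</subnet></opt1>
  </interfaces>
</pfsense>"""

# Dynamic WAN address modes; a static address with a <gateway> is also upstream.
UPSTREAM_MODES = {"dhcp", "pppoe", "pptp", "l2tp"}

def is_upstream(iface):
    """True if the interface node looks like a WAN (gateway set or dynamic WAN mode)."""
    return iface.find("gateway") is not None or (iface.findtext("ipaddr") or "") in UPSTREAM_MODES

def audit_antilockout(xml_text):
    """Report which interface the automatic anti-lockout rule binds to and whether that is a WAN."""
    root = ET.fromstring(xml_text)
    webgui = root.find("system/webgui")
    disabled = webgui is not None and webgui.find("noantilockout") is not None
    ifaces = root.find("interfaces")
    # Assumption (matches pfSense's filter code as I know it): the rule binds to the
    # config key 'lan', falling back to 'wan', regardless of the GUI description.
    key = "lan" if ifaces.find("lan") is not None else "wan"
    iface = ifaces.find(key)
    upstream = is_upstream(iface)
    return {
        "rule_active": not disabled,
        "bound_key": key,
        "descr": iface.findtext("descr", key.upper()),
        "bound_to_upstream": upstream,
        "finding": (not disabled) and upstream,  # GUI exposed on a WAN-type interface
    }

def disable_auto_rule(xml_text):
    """Return the config with <noantilockout/> set (what ticking the System box does)."""
    root = ET.fromstring(xml_text)
    webgui = root.find("system/webgui")
    if webgui.find("noantilockout") is None:
        ET.SubElement(webgui, "noantilockout")
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(audit_antilockout(CONFIG_XML))
    print(audit_antilockout(disable_auto_rule(CONFIG_XML)))
```

Run it against a decrypted config.xml backup before and after toggling the setting; a `finding` of True with your own webGUI pass rules absent means the box should stay unchecked only on a true LAN.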

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.