URGENT - Locked out - please suggest a way in



  • Damn! I just locked myself out. I can VPN but I can't reach 192.168.1.1. Do you guys have any suggestions?  :-[

    Do I have to have local access to router?  :'(

    I can have a VPN access to 192.168.200.10 and I can browse other hosts but not 192.168.1.1 either through SSH or HTTPs. What am I doing wrong?  ???

    Previously I had ports mapped to 443 and 22 from out side to a single host. I disabled those and I am locked out despite the OpenVPN connection that I have established.

    I have SSH connected to a host inside the network 192.168.1.0/24 as well, but even that can't create a tunnel to 192.168.1.1. Is this really messed up?

    Doing nmap 192.168.1.1/32 from host 192.168.1.60 only gives me port 53 TCP. This is not good. Am I locked out?

    I think that when I removed all other rules in Outbound NAT except for allowing to reach 192.168.1.60 this happened. I didn't touch anything on Lan firewall

    If I have to do a serial connection to this (which requires me finding a laptop with serial port…arggggg), what command should I give to the box when I am in Shell? Is there any way I can turn on the Anti-Lock from there or a specific iptables commands I should give? Please be detailed.  :o

    Thanks a lot,



  • pfSense isn't linux, so you don't use iptables commands.  Get a USB->Serial converter and you'll be able to move forward.  To kill off all the current firewall rules do:

    
    pfctl -F all
    
    

  • Rebel Alliance Developer Netgate

    There are logs of suggestions to get back in here:
    http://doc.pfsense.org/index.php/I_locked_myself_out_of_the_WebGUI,_help!

    If you can get to the console, you can do as submicron suggested. Alternately, you can turn off the firewall with "pfctl -d" and enable it with "pfctl -e".



  • I have used "pfctl -d" and got in. However, can someone detail which ports, rules, nats, etc…should be open so that the OpenVPN users get access to the router just like the LAN users and so that the LAN users get access to all the network and outside?

    I find it a bit annoying that pfsense is different from commercial routers off the shelf that keep the regular traffic open and assume that the LAN network is safe.

    Thanks



  • Why did you disable the "anti-lockout-rule" then? (Which does exactly that: assume that the LAN network is safe)


  • Rebel Alliance Developer Netgate

    @torontob:

    I find it a bit annoying that pfsense is different from commercial routers off the shelf that keep the regular traffic open and assume that the LAN network is safe.

    As GruensFroeschli stated, this is the default out-of-the-box behavior and only something done in later configuration would have altered this behavior.



  • I did not disable that. It is still un-checked - The wording is a bit confusing for it's description but from what I gather if it's un-checked it's enabled.

    I changed the ports to reach the router to some random port and I did use to reach it with httpS (SSL). So, maybe there is a bug and the anti-lock doesn't work with a port change done as I was locked out both through the VPN and the LAN.

    However, I did tamper with firewall rules that day. But as you are saying those should not have effected given the anti-lockout was NOT check-marked.

    Thanks,


Log in to reply