Firewall going back into factory default after reboot



  • Hello All,

    I am using 2.0 Beta (i386) 4 21 sep build ,i have set the firewall (on local disk installation) with rules also with package Snort,Havp and Squid all was operating excellent for 2 months.
    Today i rebooted the Firewall and its lost all configuration i found it in initial state asking for Wan Lan interfaces ,any idea why this could happen and if its possible to avoid it?.
    BTW i did already backup yesterday just in case lucky me :).

    Thanks



  • I've seen this happen when a configured interface isn't detected on startup (for example, remove a configured USB interface before startup).



  • i've had this with all my attempts (4x) on an alix 2d3 embedded nanobsd.
    it simply forgets my vlans (5 vlans) and goes straight to wan detection etc.



  • The only way I found to be safe will be removing the additional interface from the configuration file before rebooting.  Lately, magically, my system creates a clone of the WAN interface.  This interface is not configured and can't be removed any other way than the above, causing the system at reboot to appear to be set back to factory default.  By the way, if you try to reconfigure it from the console, it does not work either.



  • @firewold:

    The only way I found to be safe will be removing the additional interface from the configuration file before rebooting.  Lately, magically, my system creates a clone of the WAN interface.  This interface is not configured and can't be removed any other way than the above, causing the system at reboot to appear to be set back to factory default.  By the way, if you try to reconfigure it from the console, it does not work either.

    Hi
    exactly the only way is to reinstall the system from scratch and reload back-up , btw i do have 3rd interface in the system that not configured at all  ,i intend to use it as dmz later.
    so would it be wise to check before each reboot if additional interface added into config file and remove it?
    thx



  • @tbaror:

    @firewold:

    The only way I found to be safe will be removing the additional interface from the configuration file before rebooting.  Lately, magically, my system creates a clone of the WAN interface.  This interface is not configured and can't be removed any other way than the above, causing the system at reboot to appear to be set back to factory default.  By the way, if you try to reconfigure it from the console, it does not work either.

    Hi
    exactly the only way is to reinstall the system from scratch and reload back-up , btw i do have 3rd interface in the system that not configured at all  ,i intend to use it as dmz later.
    so would it be wise to check before each reboot if additional interface added into config file and remove it?
    thx

    That is the way I do it.  It is a pain to start from scratch all the time.


  • Rebel Alliance Developer Netgate

    If someone comes up with a good way to reproduce any of these issues it would help. I've never seen it happen, so it's hard to speculate as to what might be happening.

    As to getting going again, just get back into the interface one way or another and try to restore a backup from Diagnostics > Backup/Restore, on the Config History tab.



  • @jimp:

    If someone comes up with a good way to reproduce any of these issues it would help. I've never seen it happen, so it's hard to speculate as to what might be happening.

    As to getting going again, just get back into the interface one way or another and try to restore a backup from Diagnostics > Backup/Restore, on the Config History tab.

    Hi
    I would like to post diagnostic but once its getting in such situation there is no way (for me) to make interface up again i find myself reinstalling system all over again, so the only way i see is to post complete pc image, or if you can indicate another way to retrieve the current config for posting.

    Thanks


  • Rebel Alliance Developer Netgate

    Press ctrl-c, or type "exit" at the interface prompts
    break to a shell and:

     cp /conf/config.xml /conf/config.broken
    

    And then try a factory reset from the menu

    If you can mount a usb stick and copy it there, that would help too

    mount -t msdos /dev/da0 /mnt
    cp /conf/config.xml /mnt/config.broken
    umount /mnt
    

    Or at least look in the config, specifically at the interfaces portion, and see if you can tell us what it looks like (maybe pictures of the screen?)



  • @jimp:

    Press ctrl-c, or type "exit" at the interface prompts
    break to a shell and:

     cp /conf/config.xml /conf/config.broken
    

    And then try a factory reset from the menu

    If you can mount a usb stick and copy it there, that would help too

    mount -t msdos /dev/da0 /mnt
    cp /conf/config.xml /mnt/config.broken
    umount /mnt
    

    Or at least look in the config, specifically at the interfaces portion, and see if you can tell us what it looks like (maybe pictures of the screen?)

    Ok Jimp i will do it (mount usb) and post it by next Monday.
    Thanks



  • i've watched mine boot up after the upgrade on the console and it runs through without errors etc, just doesn't see any configured interfaces and starts the wan detection.
    i then boot into the working slice and i have to reinstall snort etc to get it back to normal.



  • @jimp:

    If someone comes up with a good way to reproduce any of these issues it would help.

    I think there are a few issues here. One is that on some reboots pfSense wants to reconfigure the interfaces. I have seen this a number of times when the set of detected interfaces is different from the set of confgured interfaces. I believe this can be reliably and most conveniently reproduced by removing a configured USB interface before startup. I have a USB ethernet interface which occasionally doesn't get detected on startup after a panic. To the best of my recollection I have been able to recover every time by leaving the console at the prompt for the WAN (?) interface and removing and inserting the USB interface until its green (power?) LED comes on then typing ctrl-ATL-DEL on the keyboard to get a reboot. I have also seen a reconfigure on startup when a configured PCI interface is not detected at all but this is probably a little more awkward to reproduce than removing a USB interface.

    A second issue is the appearance of "phantom" or clone interfaces. I posted a reproducer for "clone" interfaces in http://forum.pfsense.org/index.php/topic,27643.0.html



  • What type of connection is WAN?  If it is PPTP or PPPoE, was it configured from the setup wizard?  You could check your config.xml for an interface entry with some other name besides wan, lan, or opt# that may be there.



  • Using pfSense-2.0-BETA4-20100923-1042
    Hardware Compaq DL360 G1 PIII/866 512 MO.

    Wan : dhcp 192.168.1.100/24
    Lan static (set from console) 192.168.7.254/24

    After a reboot ip address on Lan is lost. Openvpn configured with 192.168.11.0/24. No new hardware on the machine. No usb device.



  • ccnet:
    If that isn't about the interface assignment prompt coming up at boot, you should make a separate topic for that.



  • In my case it happens when installing the OpenVPN export package.  An additional not configured IF that is actually used by the WAN in my system.
    If this interface is not removed from the configuration the system will reboot in what appears to be factory default.  At this point you can only re-install pfsense.



  • Hello all,

    Here is my current Firewall config file, currently FW is stacked with network detection.
    Please advice

    Thanks

    config.txt


  • Rebel Alliance Developer Netgate

    @tbaror:

    Hello all,

    Here is my current Firewall config file, currently FW is stacked with network detection.
    Please advice

    Thanks

    If you remove this line:

    From just above "", does it work?

    Not sure how/why that got inside that tag.



  • If you remove this line:

    From just above "", does it work?

    Not sure how/why that got inside that tag.

    I think you right, since i did file comparable with last backup i did and  "ppppoe1" is highlighted straight away.
    I will remove this line and check it , also don't have any clue how it been added to config file.
    Thanks



  • @jimp:

    @tbaror:

    Hello all,

    Here is my current Firewall config file, currently FW is stacked with network detection.
    Please advice

    Thanks

    If you remove this line:

    From just above "", does it work?

    Not sure how/why that got inside that tag.

    Jimp,
    Same problem here.
    After i saw your post, i went to check my config also.

    i had <em0>just above

    removed the line, reinstalled, and uploaded the config.
    pfsense came back up. (NOTE: my packages did not reinstall)

    PF info:
    2.0-BETA4  (i386)
    built on Wed Sep 22 21:47:59 EDT 2010
    FreeBSD 8.1-RELEASE-p1</em0>



  • Ok,
    After i started adding my packages again the rouge interface reappeared.

    packages installed:
    openvpn export (note: this failed to install but was still in the installed pages list)
    HAVP
    Snort
    Squid
    Squid Guard.

    Note sure it is related, but it seemed odd



  • Ok,
    After i started adding my packages again the rouge interface reappeared.

    packages installed:
    openvpn export (note: this failed to install but was still in the installed pages list)
    HAVP
    Snort
    Squid
    Squid Guard.

    Note sure it is related, but it seemed odd

    Hi Vito

    I think we have something in common in booth of our FW  except Squid Guard we have the same package structure
    for me its happen twice  in  1st time SQUID was not install but the last addition where OpenVpn.
    could it be that OpenVpn is adding something to Interface ?when its happen in the 2nd time i just got into OpenVpn>client section (but not the very last action in the fw)since i didn't configure it yet started to do client configuration but then cancel it,  then exit configuration.



  • I have not done a fresh clean install to test more.
    But i have not had the problem on the past few snaps.



  • I have been having an issue with network mismatch on the beta and snort with a rogue wan interface that  gets duplicated. I have pasted the info from my original thread

    I have been experiencing a problem that I dont know how to correct (if it is fixable) and was hoping someone could help.

    I am running on the current beta version and this has happened since the 9/17 build (first time with pfsense). This may also be a problem with the snort package directly. If so, please move the topic.

    As the title says, I am getting a duplicate WAN interface. I have two netgear gigabit cards. RE0 is wan and RE1 is the lan. Everything works fine until I configure snort in the global settings when its already set up to monitor the WAN interface. After I apply the settings, I will notice that in the interface menu in pfsense I will have three interfaces instead of 2. I will have the wan interface listed wich is what i originally configured RE0 to be and then a Lan interface that I configued re1 to be. Then at the bottom of the list another RE0 appears. it does have the option to change what physical card to select in the pull down either RE0(wan) or re1 (lan). The big problem here is, I cant delete the RE0 entry and if I reboot, I get a never ending network interface mismatch error and it wants me to reset up the interfaces like it does when you first install the firewall.  Unfortunately it never completes that state and keeps asking me to set it up over and over.
    When trying to delete the entry via the interface menu i get
    Fatal error: Cannot unset string offsets in /usr/local/www/interfaces_assign.php on line 25
    I have even tried disabling the wan interface and deleting it and still same error.

    After a long process of package isololation it seems like it only happens after Snort is installed and configured. I do have snort configured to monitor the Wan interface.

    Prior to installing the snort package i do have the following packages installed and setup

    Country Block 1.7 (have had 1.5 and 1.6 as well)
    Cron 0.1.5
    darkstat 3.0.712
    diag_new_states 0.2

    So I dont know how to keep that duplicate interface from showing up.

    Is there a file that I can edit to manually remove it? I know if I export settings, then restore to factory defaults then import the settings again it will give me the mis match error. So I have edited the xml to remove the bad re0 entry and can resetup but the problem will reapear if I mess with snort. Well so I am experiencing.

    Anyone got any suggestions on how to remove that bogus interface? Any Help would be greatly appreciated.

    I included screnshots . They are edited to keep ips and full mac addresses private. 



  • One somewhat workaround that I found will allow me to run snort and all but the issue will come back if I change settings and re-save them

    What I have done so far is setup pfsense the way I want it including packages. Get Snort installed and configured the way I want it. Yes it will duplicate the interface. Then I backup all the settings in pfsense. (the exported xml.)

    Then I edit the xml and remove the duplicated interface. It is listed in the interface section but with no settings. So I delete it, then save. I then go to pfsense and select restore to defaults.

    This will erase everything back to as if you just installed it. Then I reset lan interface IP so I can access the web config at the console.

    Then once I am in the webgui I import the backup xml that I exported earlier. Then it will reinstall all packages and settings ect then reboot. When pfsense comes back, I will have all packages running including snort with all settings and no duplicated wan interface.

    This is a pain in the butt to do all the time. However its the only work around I know of at them moment. Unless someone knows the exact file that I can edit to remove the duplicated interface so I dont get caught in that endless mismatch error.


  • Rebel Alliance Developer Netgate

    I found a case where it might be possible that the interface could be duplicated in certain conditions under snort.

    If anyone was seeing this problem and had snort installed, if you could reinstall snort any time after 10:20am EDT today and then try to see if you can replicate the issue.


  • Rebel Alliance Developer Netgate

    And I found one more case that definitely could have caused this to happen in snort.

    There was a block of code that did this in snort:

    $ifcfg = &$config['interfaces'][$int];
    

    If $int was set to the physical interface (e.g. em0) instead of the friendly name (e.g. wan) it would cause that entry to be created, and the config would be corrupted if it were saved in that broken state.


  • Rebel Alliance Developer Netgate

    Efonne spotted another place where this can happen. I committed one more fix and bumped the version of the snort package. Try it again, see if you can still replicate it.

    There will be an update in the next snapshot or so that will also help prevent this from happening in the underlying pfSense code in case it's used improperly in other places.



  • Thanks Jimp!

    I owe ya a cold beer. :-)



  • As i posted in the other topic, your fix for snort has resolved my issues.

    I removed snort, reinstalled it, edited the config file, then deleted the cache and rebooted.

    Then I attempted saving settings in multiple areas and no duplicate interface.

    Thanks for the quick fix on this issue.


Log in to reply