HELP: Did lock me out from opnsense

[bringha]

Hi there,

I am in big trouble as i have locked me out from opnsense completely:

I accidentially disabled the lan port in GUI and I do not get the console up an running (no login). What options do I have now to get access to the system and patch the setting for the LAN again? Where is this config stored?

Looking forward to your reply!

With despreate greetings

Br

[franco]

Config is under /conf/config.xml and the backups under /conf/backup/ -- moving the latest good backup over /conf/config.xml and rebooting should fix it.

Worst case you can use an image (cdrom/vga/serial) and boot into live mode (exit installer if it auto-started or chose the live cd at the prompt), mount from there and fix.

PS: SSH+root console has a config restore feature, item "13".

[bringha]

Hi Franco

Thanks for your reply!!!!!

I made an USB absed image and tried to boot! Unfortumately it hangs at the same place as when booting from disk. The last message  I see is

Ums0: <vendor 0x557 product 0x2419 class 0/0 rev 1.10 ...> on usbus0
Ums0: 3 buttons and 2 corrdinates ID = 0

Is this an APCI problem?

BR C

[franco]

Hm, what kind of image did you use and do you have a monitor attached or serial cable?

[bringha]

Hello together,

after a long night I managed to get my opnsense firewall back to access.Here what the problem was and what I did:

• I accidentially disabled the LAN Port
• I should have done a restore of the old configuration as Franco suggested
• Access via ssh was not possible as this is running over the LAN Port also in my config
• Access via console was not possible as there was no login prompt
• Reboot and access via HW console did not work as Output stopped after the HW checks, no login prompt
• Access via the serial Installer image booted from USB was not possible as any output to screen after the message 'try to run /sbin/init' was not displayed on the screen, no login prompt

I finally managed to boot a vanilla FreeBSD installer and could open a shell, mount the OPNsense disk and reinstalled the old config. Everything is fine now again.

It is a while ago that I accessed the Opnsense via console (normally I use ssh remotely) but something must have changed obviously in the loader step 3 (?).

When I activated the maximum detailed boot log outputs, I could see that the last output was the aforementioned 'now try to run /sbin/init' (or so) which is if I remember correctly when entering stage 3 of the boot process in Freebsd. No clue why the Output over serial console then stops ...

If I may express a wish then it would look like:

• Prevent any deactivation of LAN in the GUI (at least with a sec warning that this would lead to a lock out of the FW). Similar model has been already implemented in the firewall rules
• Double check the loader.conf: The serial image has in loader.conf set boot_serial="YES" (which it should), but has commented out boot_multicons. I have a Supermicro Board with IPMI Serial console redirection (which is to be activated in BIOS and then enables a virtual console window in the IPMI GUI (Board is great and very energy efficient ). I assume that this cause a conflict. I could not yet check it what happens when I activate boot_multicons (the current family SLA demands now for some stable days  ). For comparison I will also check once again comparing the loader.conf setting with the Vanilla FreeBSD Installer Image ... 

Anyhow, will send an update when having done the analysis. @Franco: Once again a big thank you for the fast responses ...

Br br

[abel408]

Hey bringha... Sorry to bring up an old thread, but did you ever get your login prompt back? My opnsense is stuck after mounting the opnsense disk and then just displays my USB devices. Only thing I can do is scroll lock and page up and down the boot output. I also believe I locked my self out some how by enabling ids. I also have a supermicro board. I wonder if I can access the console from ipmi...

[abel408]

Thanks Franco for your help. I was able to revive my system by using a FreeBSD live cd and mounting my gmirror. The I edited the /conf/config.xml file to NOT include the lan interface on IDS. After that and a reboot, OPNSense started up and I was able to ssh and log into the web interface once again.

I also fixed my console by going to System -> Settings -> Administration and changing the primary console from Serial to VGA. Not sure why it was set to Serial. I'm guessing an OPNSense update changed it as I wasn't having any console issues when it was first installed.