Messages - ausnet

#1
Quote from: franco on May 18, 2023, 08:17:46 AM
https://docs.opnsense.org/manual/settingsmenu.html#listen-interfaces

Hi Franco.  I looked at the setting, and the wording of the warning doesn't convey the message you think it does.

The warning says you should know what you're doing if you want to only listen on certain interfaces.  I work with multiple NGFW vendors for my job.  I know what I'm doing, and it's a best practice to not listen for management traffic on WAN, DMZ, or other untrusted interfaces.  If following that best practice is dangerous on OPNsense, the warning needs to say something like "selecting interfaces here may make the GUI inaccessible if the interface is unavailable when the web GUI starts.  Use with caution."

I appreciate you guys developing the product and making it publicly available.  Making warning messages less dependent on tribal knowledge will be helpful to people who are new to the product.  Also, identifying why the settings were ok on the previous version, but not ok on this version might unearth a bug or provide an opportunity to make the product more robust.

In the meantime, I will remove the interface list setting and try to use policy to block management access on external/untrusted interfaces.

Cheers
#2
Tried pkg update -f (https://www.reddit.com/r/OPNsenseFirewall/comments/obybqf/how_to_roll_back_the_firmware_version/) and a reboot - no change.

Tried update from CLI and saw the error "Starting web GUI...failed" - https://forum.opnsense.org/index.php?topic=9128.0 said to try "/usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf" which brought the GUI back up.

After rebooting, the GUI was down again.  Tried the lighttpd command but got this error:
root@FW02:~ # /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf
2023-05-17 16:53:05: (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.69/src/network.c.537) can't bind to socket: [Public IPv6 address from ISP]:443: Can't assign requested address

After a couple of mins, running the command again works without an error and the GUI loads.
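The bind failure above happens when lighttpd starts before the ISP-assigned IPv6 address exists on the WAN interface. One way to make the start more robust is a wrapper that waits until every configured listen address is actually assigned before launching lighttpd. This is an added example, not code from this thread or from OPNsense; it assumes the generated config declares listeners with lighttpd's `$SERVER["socket"] == "[addr]:port"` blocks and that `ifconfig` prints FreeBSD-style `inet`/`inet6` lines.

```shell
#!/bin/sh
# Added example (not from the thread or OPNsense): start lighttpd only after
# all of its configured bind addresses are assigned to an interface.

# Print the bind addresses from a lighttpd config, one per line, with the
# IPv6 brackets and the :port suffix stripped. Assumes $SERVER["socket"] syntax.
bind_addrs() {
    sed -n 's/.*\$SERVER\["socket"\] *== *"\([^"]*\)".*/\1/p' "$1" |
        sed -e 's/^\[\(.*\)\]:[0-9]*$/\1/' -e 's/^\([0-9.]*\):[0-9]*$/\1/' |
        grep -v '^$' | sort -u
}

# Given a config file and a file of assigned addresses (one per line),
# print the configured bind addresses that are not assigned yet.
# Wildcard listeners (0.0.0.0, ::) can always be bound and are skipped.
missing_addrs() {
    conf="$1"; assigned="$2"
    bind_addrs "$conf" | while read -r a; do
        case "$a" in 0.0.0.0|::) continue ;; esac
        grep -qxF "$a" "$assigned" || echo "$a"
    done
}

# Addresses currently assigned, with the IPv6 %scope suffix removed
# (assumes FreeBSD ifconfig output: "<tab>inet <addr> ..." / "<tab>inet6 <addr>%em0 ...").
assigned_addrs() {
    ifconfig | awk '/^[ \t]*inet6? /{sub(/%.*/, "", $2); print $2}'
}

# Poll every 5 s for up to $1 seconds (default 120); start lighttpd once
# nothing is missing, otherwise report what is still unassigned and fail.
wait_and_start() {
    deadline=$(( $(date +%s) + ${1:-120} ))
    conf=/var/etc/lighty-webConfigurator.conf
    tmp=$(mktemp)
    while :; do
        assigned_addrs > "$tmp"
        m=$(missing_addrs "$conf" "$tmp")
        [ -z "$m" ] && break
        if [ "$(date +%s)" -ge "$deadline" ]; then
            echo "giving up; still unassigned: $m" >&2; rm -f "$tmp"; return 1
        fi
        sleep 5
    done
    rm -f "$tmp"
    /usr/local/sbin/lighttpd -f "$conf"
}

# Usage: run this script with --start (e.g. from an rc hook) to wait and launch.
if [ "${1-}" = "--start" ]; then wait_and_start 120; fi
```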
#3
Reboot - no change.
Shutdown and power on - no change.
Restored backup from pre-upgrade - no change.

Copied off all my config backups to a TFTP server.

Should I try a clean install of 23.1.7_3 and restore config?  Or just reinstall 22.7 and stay there for a while?

Tried restoring 23.1.7_3 installation to factory defaults - was able to access GUI.  Restored the backup and GUI is inaccessible again.
#4
Upgraded via GUI from latest 22 version to 23.1.  Firewall rebooted, and while traffic is passing, I cannot access the GUI anymore.

Got into CLI and updated further to 23.1.7_3.  Still same behavior.  Also re-configured LAN IP via CLI to reset Web GUI settings.  Still cannot access GUI.

Wireshark shows no response to TCP SYN on 80 or 443 on LAN interface, although it does respond to ARP and Ping.

What can I do to troubleshoot or diagnose further?