Introduction
Eventually, we all make the mistake of locking ourselves out of our firewalls. Let’s look at how to fix locking yourself out of OPNsense.
With OPNsense, this is mainly due to an error in interface configuration and firewall rules: typically, we are too “strict” and block traffic from private networks on the very interface we use for management.
How to fix locking yourself out of OPNsense
Cause 1: Firewall rules are blocking you
These can be user-created rules or the rules OPNsense adds when you choose to block private address ranges on an interface.
There is an easy solution, but it requires console access. If OPNsense runs in a virtual machine, that is relatively easy, especially in the lab or when you are the hypervisor administrator. If OPNsense is running on an appliance, you’ll probably need physical access to that device. Bring a keyboard and a monitor with whatever cable is required (VGA/DVI/HDMI/DisplayPort/USB-C), or connect a serial console cable to the device. This can only be done remotely if the console port is reachable over Ethernet, for example through a console server.
Log in with an account with sufficient rights and drop into the shell by selecting option 8.
Type:
pfctl -d
Hit “Enter”. This disables the packet filter and turns the OPNsense device into a plain router. That means you have access again via HTTPS or SSH on the interfaces you selected for administration, despite the mistake you made in the firewall rules for those interfaces. Keep in mind that with pf disabled nothing is filtered and NAT is not applied either, so keep this window short.
Connect via the Web GUI and fix that mistake. When done, turn the firewall back on. To do so, type:
pfctl -e
Hit “Enter”. The firewall is now enabled again.
Test whether you still have Web GUI or SSH access. If so, mission accomplished.
Cause 2: You no longer have HTTPS/SSH listening on the interface you have access to
By default, the WebGUI and SSH listen on all non-WAN interfaces. You might have restricted this to one or more interfaces but accidentally left out the one(s) you need.
No fear: in /conf/conf.xml you can edit the administrative webgui and ssh settings. In the example below, I have customized those settings (via the WebGUI) to listen on the specified ports.
WebGUI
SSH
Add the missing interface(s), or let the WebGUI and SSH listen on all of them again by reverting the settings to the default and not specifying any interfaces, as in the example below.
WebGUI
SSH
To edit these files, you can use vi, which is available by default. If you prefer nano or similar, you can install it via the FreeBSD package manager:
pkg install nano
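To check exactly which interfaces the WebGUI and SSH are bound to in /conf/conf.xml and to put a reachable interface back (or revert to the default), here is an added helper that is not part of the article; it is written in Python because OPNsense ships python3 for its own scripts. It assumes the listen-interface settings live at system/webgui/interfaces and system/ssh/interfaces as comma-separated interface names, as in the constructed sample, so verify that against your own file before running fix_file on the live config.

```python
import shutil
import xml.etree.ElementTree as ET

# Constructed sample of the part of /conf/conf.xml that matters here.  The element
# paths (system/webgui/interfaces, system/ssh/interfaces) are assumed; check your file.
SAMPLE_CONF = """<opnsense><system>
  <webgui><protocol>https</protocol><port>8443</port><interfaces>opt1</interfaces></webgui>
  <ssh><enabled>enabled</enabled><port>2222</port><interfaces>opt1</interfaces></ssh>
</system></opnsense>"""

def listen_interfaces(xml_text):
    """Interfaces each service is bound to; an empty list means the default (all non-WAN)."""
    root = ET.fromstring(xml_text)
    result = {}
    for svc in ("webgui", "ssh"):
        node = root.find(f"./system/{svc}/interfaces")
        raw = node.text if node is not None and node.text else ""
        result[svc] = [i for i in raw.split(",") if i]
    return result

def restore_access(xml_text, missing=None):
    """Add the interface(s) you can still reach to both services, or, with missing=None,
    drop the <interfaces> element so both listen on all non-WAN interfaces again."""
    root = ET.fromstring(xml_text)
    for svc in ("webgui", "ssh"):
        parent = root.find(f"./system/{svc}")
        if parent is None:
            continue  # service section absent from this config: nothing to fix
        node = parent.find("interfaces")
        if missing is None:
            if node is not None:
                parent.remove(node)
            continue
        if node is None:
            node = ET.SubElement(parent, "interfaces")
        current = [i for i in (node.text or "").split(",") if i]
        node.text = ",".join(current + [i for i in missing if i not in current])
    return ET.tostring(root, encoding="unicode")

def fix_file(path, missing=None):
    shutil.copy2(path, path + ".bak")  # keep a backup of the live config first
    with open(path) as fh:
        fixed = restore_access(fh.read(), missing)
    with open(path, "w") as fh:
        fh.write('<?xml version="1.0"?>\n' + fixed)
    return listen_interfaces(fixed)

if __name__ == "__main__":
    print("before:", listen_interfaces(SAMPLE_CONF))
    print("lan added:", listen_interfaces(restore_access(SAMPLE_CONF, ["lan"])))
```

Run it with no arguments to see the sample walk-through, or call fix_file("/conf/conf.xml", ["lan"]) from the shell's python3 to add the interface you still reach.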
Voila, those are the most common ways to get out of a pickle when you have locked yourself out of OPNsense.