Login for pfsense not working

parry

@johnpoz Well I regret to say that after reinstalling pfsense 2.7.2 a number of times and trying to login with the default admin and pfsense uid/pw I see that the console says I logged in but the page stays on the login page. I have tried to reset the webconfigurator, and the system to the default admin/pfsense, but all I get is that the console says I have logged in but the web browser stays on the login page and wipes the user/pw from the input
Help requested. (and no, I don't have the installer still in the USB slot)

Gertjan

@parry said in Login for pfsense not working:

I have logged in but the web browser stays on the login page and wipes the user/pw from the input

Ask your pfSense what is going on ?
You have the console access, so :
Option 8, and then

tail -f /var/log/nginx.log

or

tail -f /var/log/system.log

to see the system log while logging in.

stephenw10

You tried connecting from multiple browsers or different clients?

That's not an incorrect login.

Gertjan

@stephenw10 said in Login for pfsense not working:

That's not an incorrect login.

@parry
There is a log for this also !

[25.03-BETA][root@pfSense.bhf.tld]/root: tail -f /var/log/auth.log
....
Message from syslogd ...
<32>1 2025-02-26T15:10:47.251179+01:00 pfSense.bhf.tld php-fpm 55042 - - /index.php: webConfigurator authentication error for user 'admin' from: 2a01:dead:beef:a6e2::c7
<32>1 2025-02-26T15:10:47.251179+01:00 pfSense.bhf.tld php-fpm 55042 - - /index.php: webConfigurator authentication error for user 'admin' from: 2a01:dead:beef:a6e2::c7
<37>1 2025-02-26T15:10:47.255392+01:00 pfSense.bhf.tld sshguard 47919 - - Attack from "2a01:dead:beef:a6e2::c7" on service unknown service with danger 10.

and be aware : when you insist, this will happen :

<37>1 2025-02-26T15:14:03.423164+01:00 pfSense.bhf.tld sshguard 47919 - - Attack from "2a01:dead:beef:a6e2::c7" on service unknown service with danger 10.
<38>1 2025-02-26T15:14:03.423211+01:00 pfSense.bhf.tld sshguard 47919 - - Blocking "2a01:dead:beef:a6e2::c7/128" for 110 secs (2 attacks in 196 secs, after 1 abuses over 196 secs.)

so I just managed to lock myself out for 110 seconds ....

I guess I have to add "2a01:dead:beef:a6e2::c7/128" to the pfSense "Hey, its me, you can trust this IP" list.

parry

@Gertjan Thanks for responding. My challenge is that I have to set up a new pfsense instance without disturbing the rest of the network so I am doing this on a separate machine. That means that the WAN does not get an ip address. I can't use a switch at the ONT to split into 2 separate paths because the ISP sees that they have granted 2 new IPs or at least sees 2 mac addresses connected to its network and shuts the connection down. I just provided a fixed IP.
Perhaps that's a problem. The ngnix log file shows the id string of the device I logged into and nothing else.

I see is multiple repetitions of "You need to read the LICENSE file in /usr/share/doc/legal/intel_iwi.LICENSE. Then it says "if you agree with the license, set legal.intel.iwi.license_ack+1 in /boot/loader.conf - which baffles me. Errors I see include (a) module_register_init: MOD_LOAD (iwi_monitor_fw, 0xffffffff80e...,0) error 1 and (b) pfSense kernel: netgate0: <unknown hardware>.

I also get Root mount waiting on CAM, but that just seems like it is not a problem based on what I have seen online.

I dug up a Windows 7 system and logged in to this 2.7.2 system, noting that a flyout told me to allow cookies, That worked, I tried Safari on my present macos and that worked, (I usually do everything through firefox on this system) so I allowed cookies on my Firefox 135.0.1 version browser on my Mac and still got the error with the console showing a login but not being able to get past the browser login.Ubuntu 22 worked without setting anything. I guess I have to poke around some more with my browser to understand what the problem is. So my apologies for dragging you into this. BUt ....., I have a pfsense 2.5 version running with no access problems- and the reason Im going through all of this is that I need to upgrade it. To be honest, I have spent days trying to install and run Wireguard on this second system which is causing so many issues including suddenly having this login problem (and perhaps this is more a Firefox browser issue), but 2.7.2 is proving to be a challenge for me. Thank you again and for noting the deadbeef lockout. But I saw that I was being locked out and rebooted.

stephenw10

None of those errors/warnings are related. And none should be a problem.

Yes, this is a browser issue. Do you have any plugins loaded in Firefox? Is it running in 'strict' privacy mode?

johnpoz

I run FF 135.01 and have no issues logging into my 2.7.2 vm..

stephenw10

Same. And I have a bunch of plugins but none applying to pfSense webgui access.

johnpoz

If you want to get rid of the iwi license warning

https://forum.netgate.com/post/1158758

But as mentioned by Steve that wouldn't be a problem - its just log spam to be honest, and the above link keeps it from showing up.

Gertjan

@parry

Normally, I don't enter "admin" neither my password, the browser (Firefox 135.0.1) handles all that ^^
But, when I was entering a random password, after 2 retires, I was locked out.

I totally forgot that I whitelisted my LAN IPs (LAN and OpenVPN access) ..... but only IPv4.
Or, IPv4 is rarely used on my LANs these days. Its all IPv6 now.
So I got myself also locked out, like you.
There is no 'you are locked out' message on the screen, because the browser just can't connect to the pfSense LAN IP anymore ... no more replies .... it was hitting a wall, no like talking into a black hole.

I 'corrected' the issue :

2a01:dead:beef:a600::/56 are all 256 of my ISP IPv6 prefixes. This will do for the moment, although with that setting I totally disabled all login protection ....

edit : btw : not really a pfSense thing. Every network device with some security in mind does the same thing. Not the stuff you buy at Wallmart, of course.
Try entering 10 times the wrong ID code of your iPhone after power on. You'll see what happens .... (read about this before trying or you will have huge regrets !!)

parry

@Gertjan and others:
It was very helpful to understand that pfsense has a lockout which I had not seen before. What complicated issues further was that every now and again the connection between my browser and the pfsense firewall would go down momentarily. I traced that to an Ethernet NIC - after testing it with other machines. I would just watch the ping between 2 workstations connected directly by ethernet with no intervening switches or routers and every 2-20 minutes, the ping would not be returned for maybe 20 seconds. I am sure that this did not help. Exactly what effect it would have, I'm not sure - maybe receiving a spurious version of my pw etc. But I admit that I don't really know. So perhaps this was a combination of being locked out, problems with the NIC and general incompetence on my part ;)

As far as I can tell, there are no remaining login problems. So thanks to all who responded.