Possible PfSense Bug
-
Greetings!
Been using PfSense for a few years now, and seeing something new that I can't find by google.
While logged in, the firewall will suddenly stop allowing traffic through the firewall, but will show the webGUI. If I was logged in before, it will log me out. In either case I cannot login (copy and paste password / user… so not that, plus I can login before and after). After a couple of minutes, I can login again, but it will throw a CSRF error and have me click the "try again" button. After this, I can login. Also, once I am able to login again, the firewall has started allowing traffic again as well. The system logs aren't showing anything which could even be close to an explanation, and the console doesnt even register the failed logins during this "problem time".I tried upgrading to 2.3.0_1 to see if fixed, still there. Host is running within ESXI 6.0 VM.
Anyone have any ideas?
-Shades
-
Odd. So in the end nothing changed, but it starts working again on its own?
Wondering if the GUI being sluggish/unresponsive/otherwise weird is because you're legitimately losing Internet connectivity, and hitting the update checking bug that hangs the GUI when you have no Internet. So that's just a symptom of the root issue of losing Internet rather than a cause.
Check Status>Monitoring, quality graph there. Any loss at the time the disconnect occurs?
-
" but it will throw a CSRF error "
I have seen this for some time now, not sure when started seeing it, maybe always happened? But for sure seen it back with 2.2.6 maybe before? But only happens when you try and log in quick.. I can generate the error every time… If you hit the page and click login right away it fails with that CSRF... If you hit the page and wait a couple of seconds before login then never a problem.
If you have to type the username and password you would prob never run into this?? its only when you hit login very quickly have page first loads have i seen this.
I have lastpass set to autologin me in. It fills in the username and password and then in a second or so it does the submit and you get in. If in a hurry and click login too soon then error.
As to your other problem, never seen that.. And I also run as vm on esxi 6u2 build 3620759
-
Greetings,
So it's not just a CSRF error, I literally cannot login at all, it throws a "Username or Password incorrect" for a few minutes and then starts working again.
I am using KeePass most of the time, but this is actually the one case where I am manually typing it in. I am actually now not able to login at all after a few minutes, I have to reboot the system and i can get in. I tried resetting web-configurator and php-fpm. A reboot fixes the traffic problem too. NTOP shows about 60 percent connection drop. Filter logs show no increase in blocks. CLI is fully functional. No log entries. -
so your running ntop on the vm as well? What other packages?
ntop and ntopng were packages that were removed from 2.3
https://doc.pfsense.org/index.php/2.3_Removed_Packages -
Sorry, PfTop (option 9).
Weirdly enough, when I reboot the system, it allows me to auto-login based off the session sometimes too, if I hit refresh.I double checked to confirm, only default packages installed, no extras.
-
FYI, I am starting to see these in the log now that I upgraded to 2.3.1p1 when the weirdness happens:
May 31 15:51:54 kernel arp: 00:0c:29:59:6b:bb is using my IP address 10.99.170.70 on em0!
I did a fresh install this time too, to make sure it wasnt the old cruft giving me grief. However, not seeing this problem on any of my dedicated hardware pfsense devices.
-
To provide more info / context… that is my firewalls mac which the firewall is complaining about having an apparent IP conflict with...
-
More information:
I cannot access any port forwards at all, and they do not show up on netstat as even being active.
the external interface is still seeing the traffic come in (checked with TCPDUMP).
Restart of webconfigurator and php-fpm does not remedy the issue.
The host's passwd function does not work to correct the "incorrect password" from shell.
I am unable to ping my external gateway, but I can ping all of my internal "LAN" hosts.
Switching between e1000 and vmxnet3 interfaces makes no difference. -
New update: dmesg is showing it tried to access promiscuous mode, which I had disabled. trying to enable that.
-
To provide more info / context… that is my firewalls mac which the firewall is complaining about having an apparent IP conflict with...
That's at least part of your problem. It's not complaining about a conflict with its own MAC unless you managed to get the same IP on multiple NICs on the same system. Regardless of the reason, that's broken and needs to be fixed before proceeding with anything else.
New update: dmesg is showing it tried to access promiscuous mode, which I had disabled. trying to enable that.
That has nothing to do with promiscuous at the ESX level, guessing you were probably packet capturing, or are looking at pflog0.
-
I am confused exactly what you mean by 'That is not it's own mac' … that was a statement not a question on my side.
TO prove it, here is a screenshot.
-
That has nothing to do with promiscuous at the ESX level, guessing you were probably packet capturing, or are looking at pflog0.
Probably something to do with the status of traffic show on the rules page, I havent done pftop myself directly on this device.
-
I am confused exactly what you mean by 'That is not it's own mac' … that was a statement not a question on my side.
TO prove it, here is a screenshot.Yes, you are confused.
The screenshot shows 00-0c-29-74-3b-e0 on a vmx0 interface. Here is the error you posted-
May 31 15:51:54 kernel arp: 00:0c:29:59:6b:bb is using my IP address 10.99.170.70 on em0!
As was stated, you need to fix this. -
You are correct, weird it would crash like that though.
Fixed now.Much thanks!
-
It wasn't crashing anything, you were communicating with two diff devices and switching back and forth between them, which obviously isn't going to work right.
