Netgate Discussion Forum

    Cannot locate the source of this error: "no IP address found for anyto"

Category: OpenVPN
    9 Posts 3 Posters 3.0k Views
elpardua:

Hi, I've been running pfSense for the last week and I'm more than amazed by all the features it has. In one particular VM (on VMware 5.5), I'm running an OpenVPN instance that logs in against a RADIUS server and retrieves some rules using Cisco-AVPair rules.

I can connect correctly, but I'm getting this error in the OpenVPN log:

      openvpn: /openvpn.auth-user.php: The command '/sbin/pfctl -a 'openvpn/tunuser' -f /tmp/ovpn_43548'tunuser'.rules' returned exit code '1', the output was 'no IP address found for anyto /tmp/ovpn_43548tunuser.rules:1: could not parse host specification pfctl: Syntax error in config file: pf rules not loaded'

No further information is provided, so I can assume there is some problem with the firewall ruleset, right?

In our FreeRADIUS server, this is the portion of the config for the user TEST:

TEST    Auth-Type := Local, User-Password == "73s7p4ssw0rd.!"
        Cisco-AVPair="ip:inacl#1=permit tcp any host 172.20.175.13",
        Cisco-AVPair+="ip:inacl#1=permit icmp any any",
        Cisco-AVPair+="ip:inacl#1=deny ip any any"

I haven't found much information about AVPair compatibility in OpenVPN, but I've understood that somehow OpenVPN translates the Cisco ACL format to the pfSense firewall rule syntax. Is this right? I've tried to access those files in the tmp dir, but they disappear instantly.

Thanks in advance, I found a lot of other useful info in the forums.

      Pablo

omnipotens:

A shot in the dark: try removing the ! from the password you are passing. I seem to remember years ago running into something close to this, but either way it looks like it's parsing something in your string it doesn't like.

        "Syntax error in config file"

cmb:

          The password wouldn't be the issue. What are the contents of /tmp/ovpn_43548'tunuser'.rules file? It's ending up with a syntax error there.

elpardua:

Thanks for the reply, guys. The password definitely isn't the issue; I've tried with other users with no special characters and the issue is the same.

cmb, I thought just the same, but I cannot locate the file in /tmp. I don't know if it's created and deleted right after connection, or if it's not created at all. I've tried to use the watch command to see if the file is created when I connect, but I'm afraid it's not available in FreeBSD.

            Thanks again both of you!

cmb:

Oh yeah, forgot it deletes that file afterwards. In /etc/inc/openvpn.attributes.php find the line:

        @unlink("{$g['tmp_path']}/ovpn_{$pid}{$common_name}.rules");

and comment it out (put // in front); then it'll leave the file there so you can check it.

elpardua:

Cool, tomorrow I'll check that and let you know.

                Thanks!

elpardua:

Great. Now I can access the tmp file; the contents are the following:

                  "pass in quick on openvpn from anyto any"

So I supposed the rules were parsed by the same PHP, and then added a space before the "to" in the destination if block of the PHP:

/* Destination */
if (trim($rule[$index]) == "host") {
        $index++;
        /* leading space before "to" added; without it the source "any" and "to" run together */
        $tmprule .= " to {$rule[$index]} ";
        $index++;
        if ($isblock == true)
                $isblock = false;
} else if (trim($rule[$index]) == "any") {
        $index++;
        $tmprule .= " to any";                 /* same fix: " to", not "to" */
} else {
        /* network + Cisco wildcard mask -> address/CIDR */
        $tmprule .= " to {$rule[$index]}";     /* same fix: " to", not "to" */
        $index++;
        $netmask = cisco_to_cidr($rule[$index]);
        $tmprule .= "/{$netmask} ";
        $index++;
        if ($isblock == true)
                $isblock = false;
}

Now the content of the file seems to be OK:

                  "pass in quick on openvpn from any to any"

But the rule inside the file doesn't match at all the ones my FreeRADIUS sends in the AVPair (the ones in my first post). With a Cisco ASA 5520 this same ruleset works OK; maybe some kinds of rules aren't supported?

This should be considered a bug; if so, where should I report it?

cmb:
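The translation this thread is poking at, as an added example that is not pfSense's code and not taken from openvpn.attributes.php: a stand-alone Python re-implementation of the Cisco-AVPair inacl to pf rule conversion, fed the three AVPairs from the FreeRADIUS users entry in the first post (copied here as constructed sample input). Only the "<action> in quick on openvpn from X to Y" shape is taken from the rule found in /tmp; the proto/port rendering, the treatment of the Cisco wildcard mask as an inverse netmask, and the names acl_to_pf, avpairs_to_pf and check_tokens are this example's own assumptions. check_tokens is the kind of pre-pfctl sanity check that would have flagged the glued "anyto" before pf rejected the ruleset.

```python
"""Translate Cisco IOS extended-ACL entries carried in RADIUS Cisco-AVPair
"ip:inacl#N=..." attributes into pf rule lines.

Illustrative stand-alone re-implementation; NOT pfSense's
openvpn.attributes.php. Protocol/port rendering is this example's choice.
"""
import ipaddress
import re

# Constructed sample input: the three AVPairs from the FreeRADIUS users entry
# quoted in the first post of the thread.
SAMPLE_AVPAIRS = [
    "ip:inacl#1=permit tcp any host 172.20.175.13",
    "ip:inacl#1=permit icmp any any",
    "ip:inacl#1=deny ip any any",
]

_INACL_RE = re.compile(r"^ip:inacl#\d+=(.+)$")


def wildcard_to_prefixlen(wildcard: str) -> int:
    """Cisco wildcard mask (inverse netmask) -> CIDR prefix length.
    0.0.0.255 -> 24, 0.0.0.0 -> 32. Non-contiguous masks are rejected."""
    bits = int(ipaddress.IPv4Address(wildcard))
    if bits & (bits + 1):
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return 32 - bits.bit_length()


def _parse_endpoint(tokens, i):
    """Consume one address spec (any | host A | NET WILDCARD) at tokens[i].
    Returns (pf_address_text, index_of_next_token)."""
    if i >= len(tokens):
        raise ValueError("missing address specification")
    tok = tokens[i]
    if tok == "any":
        return "any", i + 1
    if tok == "host":
        if i + 1 >= len(tokens):
            raise ValueError("'host' without an address")
        return str(ipaddress.IPv4Address(tokens[i + 1])), i + 2
    if i + 1 >= len(tokens):
        raise ValueError(f"network {tok} without a wildcard mask")
    net = ipaddress.IPv4Address(tok)
    return f"{net}/{wildcard_to_prefixlen(tokens[i + 1])}", i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq PORT' or 'range LO HI' after an endpoint."""
    if i < len(tokens) and tokens[i] == "eq":
        return f" port {int(tokens[i + 1])}", i + 2
    if i < len(tokens) and tokens[i] == "range":
        return f" port {int(tokens[i + 1])}:{int(tokens[i + 2])}", i + 3
    return "", i


def acl_to_pf(acl: str, iface: str = "openvpn") -> str:
    """Translate one ACL entry, e.g. 'permit tcp any host 172.20.175.13'."""
    tokens = acl.split()
    if len(tokens) < 4:
        raise ValueError(f"ACL entry too short: {acl!r}")
    action = {"permit": "pass", "deny": "block"}[tokens[0]]
    proto = tokens[1]
    src, i = _parse_endpoint(tokens, 2)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_endpoint(tokens, i)
    dport, i = _parse_port(tokens, i)
    if i != len(tokens):
        raise ValueError(f"unparsed trailing tokens: {tokens[i:]}")
    if (sport or dport) and proto not in ("tcp", "udp"):
        raise ValueError(f"port match is meaningless for proto {proto}")
    # Build the rule as a token list and join with single spaces, so keywords
    # can never be glued together (the "anyto" failure seen in the thread).
    parts = [action, "in", "quick", "on", iface]
    if proto != "ip":  # 'ip' means any protocol; pf then needs no 'proto'
        parts += ["proto", proto]
    parts += ["from", src + sport, "to", dst + dport]
    return " ".join(parts)


def avpairs_to_pf(avpairs):
    """Translate every ip:inacl#N= attribute; other AVPairs are ignored."""
    rules = []
    for av in avpairs:
        m = _INACL_RE.match(av.strip())
        if m:
            rules.append(acl_to_pf(m.group(1)))
    return rules


def check_tokens(rule: str) -> bool:
    """Pre-pfctl sanity check: 'from' and 'to' must each be a separate token,
    in that order, with an address after each. 'from anyto any' fails."""
    toks = rule.split()
    if toks.count("from") != 1 or toks.count("to") != 1:
        return False
    f, t = toks.index("from"), toks.index("to")
    return f + 1 < t < len(toks) - 1


if __name__ == "__main__":
    for rule in avpairs_to_pf(SAMPLE_AVPAIRS):
        print(rule, "OK" if check_tokens(rule) else "MALFORMED")
```

Because each clause is appended as its own list element and joined with a single space, the rule text cannot lose a separator the way a string built by "$tmprule .= 'to ...'" can; a generated rule can still be fed to `pfctl -nf` for a dry-run parse before it is loaded, which is what the check in check_tokens approximates offline.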

                    Thanks, fixed missing space.
                    https://redmine.pfsense.org/issues/5451

                    If your config matches what's listed there, there shouldn't be an any to any rule. Don't have time to get further into that at this instant, if you find something there, please report back here or on that ticket.

elpardua:

Thanks Chris, I'll do some more testing and let you know if I find something else.

                      A last question. Should the AVPair imported rules be seen in the firewall configuration panel or somewhere else?

                      Thanks
                      Pablo
