Netgate Discussion Forum

    pfSense bricks (WebGui + SSH)

    General pfSense Questions
    7 Posts, 3 Posters, 904 Views
    • maverickws
      last edited by maverickws

      Hi guys,

      A few weeks ago I reported an issue that, with other issues involved (DNS), also had other components to it, namely bricking pfSense. My original post was this: Having issues with pfSense

      So now I am having zero problems with regard to routing, DNS or whatever.
      However, yesterday I was renewing my LE certificates using DNS Manual and I came across a "Call hook error" (detailed in this post); it seems you have to hit renew more than once, and even though the error will always show, you'll get it working... That has passed, but I noticed this issue when accessing via SSH to see the logs.

      So now here's the thing:
      I am not able to ssh using my LDAP user. If I try to do that, the pfSense bricks and I DO HAVE TO go on the console and restart php-fpm and the webConfigurator; that fixes it.
      The issue is not about failing auth, like entering a wrong password. I would like to make this clear.

      SSH with an LDAP user bricks pfSense. Just doing "ssh ldapuser@pfsense.url" is enough. Web authentication works perfectly though. However, if for some reason it can't communicate properly with my LDAP server and the WebGui fails to authenticate against LDAP, it bricks as well. (Tested by blocking the pfSense firewall IP on the LDAP server's firewall.)

      Both ssh and webgui access are only from inside the network; it's all closed to the outside. The LDAP server is external, but it's been providing for Gitlab, email, and many other tools and access to many systems without an issue.

      Any clue why this happens?

      • stephenw10, Netgate Administrator
        last edited by

        I think your definition of 'brick' differs significantly from mine, since I assume you can still ping it, it still hands out DHCP, still routes traffic etc. in that state? It hangs php though, by the sounds of it.

        Can you auth against the LDAP server in Diag > Auth in the webgui?

        What errors do you see in the system log after it fails?

        What errors do you see in the LDAP server log?

        Steve

        • maverickws @stephenw10
          last edited by

          @stephenw10

          Hi Stephen.

          When I can't access something via SSH (using a local user), I can't say it's just PHP. Using an LDAP user via SSH is what triggers it.
          When something is performing residual operation, yet it can't be accessed, to me it is bricked. But let's call this semantics and move on.

          Web auth, as mentioned previously, worked flawlessly using LDAP, as is working now, and on the Diag > Auth the results are as expected.

          I didn't find any errors in the LDAP server log, and, from what I remember (I didn't go thoroughly through the logs on pfSense), no errors jumped out. I was more concerned about renewing the certificate that day.

          I can do it again later, please direct me at which pfsense logs I should look at for errors on this specifically.

          Thank you for your feedback; sorry for taking a while to get back to this.

          • jimp, Rebel Alliance Developer, Netgate
            last edited by

            pfSense doesn't configure SSH to perform LDAP authentication. You are being locked out by sshguard because it's an invalid login attempt. It thinks you are attacking the firewall.

            Check the logs to confirm it.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

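To make jimp's explanation concrete from the defender's side, here is an added example (not code from the thread, from pfSense or from sshguard) that reads sshd lines in the format found in /var/log/auth.log and reproduces the failure-scoring idea sshguard applies: an SSH attempt with an account that only exists in LDAP is reported by sshd as an invalid (unknown) user, every such event adds points for the source IP, and once the total crosses a threshold the source is blocked. The log lines are constructed, and the point value per event and the block threshold are assumptions chosen for illustration; sshguard's real scoring and its thresholds differ and are not taken from this page.

```python
import re

# Assumed scoring for this example only; sshguard's actual values differ.
POINTS_PER_EVENT = 10
BLOCK_THRESHOLD = 30

# Constructed sample of what sshd writes to /var/log/auth.log on pfSense (FreeBSD syslog
# format). "ldapuser" exists only in LDAP, so sshd reports it as an invalid (unknown) user.
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 pfSense sshd[12345]: Invalid user ldapuser from 192.168.1.50 port 51234
Jan 10 12:00:01 pfSense sshd[12345]: Failed password for invalid user ldapuser from 192.168.1.50 port 51234 ssh2
Jan 10 12:00:04 pfSense sshd[12345]: Failed password for invalid user ldapuser from 192.168.1.50 port 51234 ssh2
Jan 10 12:00:30 pfSense sshd[12360]: Accepted publickey for admin from 192.168.1.20 port 51300 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Jan 10 12:01:02 pfSense sshd[12371]: Invalid user ldapuser from 192.168.1.50 port 51240
Jan 10 12:01:02 pfSense sshd[12371]: Failed password for invalid user ldapuser from 192.168.1.50 port 51240 ssh2
Jan 10 12:02:10 pfSense sshd[12380]: Failed password for admin from 192.168.1.20 port 51310 ssh2
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
INVALID_USER_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from " + IPV4)
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed \S+ for (invalid user )?(\S+) from " + IPV4)
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from " + IPV4)


def parse_auth_log(text):
    """Turn raw sshd log lines into events with kind, user, source IP and unknown-user flag."""
    events = []
    for line in text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            events.append({"kind": "accepted", "user": m.group(1), "ip": m.group(2), "unknown_user": False})
            continue
        m = INVALID_USER_RE.search(line)
        if m:
            events.append({"kind": "invalid_user", "user": m.group(1), "ip": m.group(2), "unknown_user": True})
            continue
        m = FAILED_RE.search(line)
        if m:
            events.append({"kind": "failed_auth", "user": m.group(2), "ip": m.group(3),
                           "unknown_user": m.group(1) is not None})
    return events


def score_sources(events, points_per_event=POINTS_PER_EVENT, block_threshold=BLOCK_THRESHOLD):
    """Accumulate sshguard-style points per source IP; successful logins score nothing."""
    report = {}
    for ev in events:
        if ev["kind"] == "accepted":
            continue
        src = report.setdefault(ev["ip"], {"failed": 0, "points": 0, "unknown_users": set()})
        src["failed"] += 1
        src["points"] += points_per_event
        if ev["unknown_user"]:
            src["unknown_users"].add(ev["user"])
    for src in report.values():
        src["would_block"] = src["points"] >= block_threshold
    return report


def diagnose(report, block_threshold=BLOCK_THRESHOLD):
    """One human-readable finding per source IP, sorted for stable output."""
    findings = []
    for ip in sorted(report):
        src = report[ip]
        msg = f"{ip}: {src['failed']} failed sshd event(s), {src['points']} points"
        if src["unknown_users"]:
            names = ", ".join(sorted(src["unknown_users"]))
            msg += f"; tried non-local user(s) {names} (LDAP users are not sshd accounts)"
        msg += (f"; at or above threshold {block_threshold}: sshguard would block this source"
                if src["would_block"] else "; below threshold, not blocked")
        findings.append(msg)
    return findings


if __name__ == "__main__":
    for finding in diagnose(score_sources(parse_auth_log(SAMPLE_AUTH_LOG))):
        print(finding)
```

Run against the constructed sample, the host that tried the LDAP-only account is flagged as a blocked source while the host that had a single failed password for the local admin account stays below the threshold. On a real pfSense box the same check is done by reading /var/log/auth.log for "Invalid user" entries from your own address and, as far as I recall from pfSense's lockout documentation, listing the sshguard pf table with `pfctl -t sshguard -T show` (and flushing it with `pfctl -t sshguard -T flush` once the cause is understood); confirm those commands against the documentation for your version.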
            • maverickws
              last edited by

              Hi @jimp thanks for your reply.

              I haven't done it yet since I have to say I am in no hurry to repeat this, but I will do it with time and confirm this is the case.

              Another question in this regard... considering a scenario where access is done via Kerberos/SSSD and access is controlled via RBAC or HBAC, how can I integrate this with pfSense?

              Let's imagine I have an environment where I want users from some group network-admins to be able to SSH to pfSense, but I don't want to give them the local admin user... what would be the correct approach?

              • jimp, Rebel Alliance Developer, Netgate
                last edited by

                pfSense doesn't support anything like that currently. Only local users can login via ssh/shell.


                • maverickws
                  last edited by

                  Ok @jimp thanks for the feedback. I do hope you can add that to the roadmap, I'm sure it would be useful for many.

                  Best regards.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.