CE and Plus wierdness

rbwillis

Hi Folks, I have a wierd situation and could use some assistance.

I've been running a version of CE on a Protectli unit for a couple of years now and never had any issues. However, recently I tried logging in but was unable to, even though I knew the credentials were correct. I then went to another PC on my home net and was able to login with the same credentials. Going back to the first PC I noticed the login screen said that I was trying to login to a pfsense plus unit and it will not accept my creds. I went back to the 2nd PC and its login screen indicates a CE login. I double checked the info screen and confirmed that my unit is indeed running CE. I've never installed Plus (at least to my knowledge :-)

Does anyone have an idea as to what's going on and why two pc's on the same subnet are showing different logins?

Any insight would be appreciated, Thank you! - Randy

Gertjan

@rbwillis said in CE and Plus wierdness:

insight

Can we have an insight also, like a screen shot ?

Not sure what to think about it.
I've seen the stories where the Windows 11 login looked like a Windows 95 login.

This

could be seen on a CE version, as the images, bitmaps etc etc are probably the same.
System flags/parameters determine what will be shown, and if these are 'wrong' then the images could change ?
That wouldn't change the fact that CE is using FreeBSD 14, and pfSense + FreeBSD 15.
And some other difference as a better ZFS support. Newer kea support etc.

Gblenn

@rbwillis The plus thing is wierd, but did you try to reload the web page on PC 1? Sometimes I have seen the login page, I can enter the credentials but the self signed cert is not accepted by the browser. After a reload, things work fine again...

johnpoz

@rbwillis the logical answer to this would be your hitting different installs of pfsense.

What makes more sense pfsense presents itself as CE to machine A and accepts your creds, but presents as plus to machine B and doesn't take your creds..

Or that machine A is talking pfsense 1, and B is talking to some other pfsense 2.

Are you wireless or wired here? Simple answer would be your on your neighbors wifi.. Have seen that more than once actually helping friends.. Your not connected to your linksys wireless, your connected to the guy across the streets linksys wireless. Kind of the reason you change your ssid and use your own psk, not the default ;)

Look at your arp table on machine 1 and machine 2 - is the IP that is your gateway (pfsense) the same mac address?

lets assume pfsense IP is 192.168.0.1 on both of these machines - do an

arp -a

On each machine - what is the mac for 192.168.0.1?

$ arp -a

Interface: 192.168.9.100 --- 0x5
  Internet Address      Physical Address      Type
  192.168.9.10          00-11-32-7b-29-7d     dynamic
  192.168.9.253         00-08-a2-0c-e6-24     dynamic

My pfsense is 192.168.9.253 in that output, now look on your machine B - is the IP for pfsense the same mac (physical address)

Here is from my nas on the same network

 arp -an
? (192.168.9.99) at 70:6e:6d:f3:11:93 [ether] on ovs_eth0
? (192.168.9.253) at 00:08:a2:0c:e6:24 [ether] on ovs_eth0

Notice the same mac 00:08:a2:0c:e6:24, if they are not the same - then your not talking to the same pfsense.

Gertjan

@Gblenn said in CE and Plus wierdness:

but the self signed cert is not accepted by the browser ...

Or the cert dates are invalid - they do expire.
Or, what I saw last week : my browser, Firefox told me that self generated cert that I've put in place wasn't usable. No exception possible. The previous cert used I had the HSTS option set, and as pfSense comes default with this option not checked (so activated) :

I had to dive into the firefox 'known certs database' (something like that) and remove it.

By default, HSTS lock you out for a year or so.
All the big player use it these days. Example here. What it means (afiak) : even if you manged to spoof the cert, if you already visited the site ones, the spoofed one will fail. HSTS means : no way to proxy this site ...

Anyway, I'm back to my "5 box a year" solution which works flawlessly - no more cert issues - like ever.
It's always the same : you deal with it, or you have your wallet deal with the problem.

Gblenn

@Gertjan said in CE and Plus wierdness:

Or the cert dates are invalid - they do expire.

Yes, that's more correct of course!!

rbwillis

@Gertjan - Thanks for your reply, both machine's are running W10. Curious where that lonig pg id hosted?

@Johnpoz - Thanks, both machines are wired via Ubiquiti switch so no and SSID issue. Also confirmed (via direct conect to the console) that CE is loaded on the appliance.
Tried the password reset option which didchange it on PC2 but not PC1
I'll check the arp table and report back.

@Gblenn - Come to think of it I vaguely recall renewing a cert over the holidays, didn't think anything of it. But:
-Why would a new cert change my login creds?
-Why would the new cert show a different version?
and more important...
-Any idea how to roll it back or fix it?

Thanks everyone for the assist!

johnpoz

@rbwillis if you are hitting 2 different machines - then yeah the cert not going to match up with what your client has if it use to talk to pfsense 1 vs now this other one running plus.

It would seem impossible to me that pfsense could present like that if it is in fact the same device.. Could be something cached in a browser maybe.. But if was the same device and browser showing some cached pages from another pfsense you had talked to on the same IP.. The password would be the same if its actually the same pfsense instance.

But as a sanity check I would for sure look at the mac your seeing for what is your pfsense IP your hitting.

You are using IP to talk to pfsense gui - or are you putting in a fqdn? Possible those resolve to 2 different IPs on 2 different client machines.

Personally I find it highly improbable that your actually talking to the same pfsense instance from from your 2 different clients - it just seems impossible how pfsense could present 2 different pages one + and the other CE, and even if it did - the username and password would be the same no matter what web page it presented.

-Why would a new cert change my login creds?
-Why would the new cert show a different version?

They wouldn't

The logical answer to what your seeing is your talking to two different instances of pfsense.

Gblenn

@rbwillis said in CE and Plus wierdness:

• Come to think of it I vaguely recall renewing a cert over the holidays, didn't think anything of it. But:
  -Why would a new cert change my login creds?

It wouldn't but it may look like it's not accepting your login. I gues in such a case one would be looking at a cached page, that needs to be refreshed.

-Why would the new cert show a different version?

Definitely shouldn't, and that part is a mystery, unless it was some mistake on your part, like wrong IP? Sometimes you enter an IP, but when you click, the autoenter feature of the webbrowser has given you something else...

stephenw10

Yeah check the cert checksums on each page (assuming both are https) and make sure they really are different.

You could have something cached on one of the client machines. If it ever connected to a Plus device on the standard LAN address.

rbwillis

@stephenw10
So, here are the arp-a logs from both machines.

Different PC's hitting the same MAC with two different login screens.

johnpoz

@rbwillis your hitting port 8008 on one and just normal 443 on the other.. 8008 is the captive portal login I do believe. I know the captive portal is 800 something might be 2 or 3 depending if http or https, but I think if you fire up more than one that can change, etc.

But clearly that is not the normal web gui port on 8008. So yeah your normal admin login might not work on whatever your hitting there on that odd port.

stephenw10

Yup it adds two new ports for each instance I believe.

johnpoz

@stephenw10 yeah I just enabled a couple and 2 different ports got added, so like 8002,3 and then 8004,5

If you track down per pid on what is listening, you can track it to the command that is running, etc

And then here is my 2nd one running

So 8008 to me would be like the 3rd captive portal running. Or something like that, maybe 4th.. Not sure how exactly chooses those ports or how it cycles through them when you add more instances - or if you check to run a https one as well, etc.

but yeah seems like he is hitting a captive portal gui vs just the normal web gui.

rbwillis

@johnpoz - Is there a simple way to point my requests back to a "normal" web gui or do I need to mod something?
Where does that captive portal login reside? Can I just delete it?

stephenw10

Do you actually have captive portal enabled at all? It's in Services > Captive Portal.

If you are not entering port 8008 directly then you're being redirected to it by the captive portal. On something.

rbwillis

@stephenw10
Captive portal is not set up.

I have HP Wolf security on my machine...could that be redirecting me?
I tried disabling all the services, but still landed on the same page.

stephenw10

Hmm, well it sure looks like that one client is behind some other pfSense Plus device that is running CP.

Try running on the pfSense you can access: sockstat -l4
See if it's actually listening on port 8008.

johnpoz

@stephenw10 well from his mac address he posted its the same machine.

Like to see what is listening on the captive portal port.. When I disable my test captive portals it stops listening on the 8000 ports.. But maybe something didn't get killed and its still listening, and somehow that machine keeps going back to there because of cache, etc.

but something is odd because my test captive portals don't show the pfsense+ logo. they just show pfsense

This other machine maybe at one time connected to a captive portal, or just normal gui where they had changed the port to 8008 vs 443, or some other port.. For example my pfsense uses 8443 because I set that.

The one that is working without the + looks to just be on https (443) but guess it didn't trust the cert is why it shows not secure. And the one that shows + is connecting to port 8008, which yeah would assume is captive portal..

I would look to see what is listening with on 8008, you can track down the command that was used via ps -awx once you know the pid(s) there are prob a few being shown for what is listening on 8008.

stephenw10

Yeah the MAC address being the same is odd...