Some of my first 2.0-B impressions



  • Recently, after a quick in-virtual look at 2.0-B2011.01.13, I've decided that it's ready for my tasks. I've set it up, then tuned it a bit, then upgraded via firmware upgr. to 2.0-B2011.01.31 and started more detailed configuration.

    My HW is an old PC with a Celer-666, 128Mb (112 avail), 20Gb HD and 3 cheap Realtek NICs. My net is simple enough: 2 Class C private LANs and pppoe WAN via dumb modem-bridge.

    And I've found some things that look a bit strange and/or illogical to me:

    1. Min mem reqs and annoying "notification" in a WebUI

    While even v.01.13 (not only v1.2.3) was sweet and silent, v.01.31 starts complaining about "Not enough mem! Unusual results blah-blah-blah" and repeats it after every reboot, even after being acknowledged previously.

    What's fun is that (according to the WebUI status page) max mem usage under max load never rises over 62% ;D

    Is there a way to get rid of this annoying message?

    2. On v1.2.3 I had a PPTP server with client addresses in the same range as (a subset of) the LAN:

    LAN net 192.168.11.254/24, pfSense LAN iface 192.168.11.254 and PPTP server addr 192.168.11.253, with client addresses starting from something like (I don't remember) 192.168.11.242 (i.e. bcast addr the same as in the main LAN).

    So I've been able to connect via pptp and to work exactly like I'm inside my LAN (browse Win shares etc. etc.). Now on v.01.31 I can't create a PPTP server in the same net – everything with 192.168.11.x is denied with an "err: server on the remote net" (or something like that) message, allowing me to choose only an absolutely different net, like 192.168.111.x.

    What's fun is that while the "VPN/PPTP" UI is so smartly restrictive, the "Services/PPPoE Server" allows me to kill pfSense with no doubt – it allows the creation of a PPPoE(in) server on the PPPoE(out) WAN iface :) and then (after an "Apply changes" press) of course goes into kernel panic (well, it fires up a DDB -- but there's no real difference) ;D

    Is there a way to get the same PPTP assignments like before in v.1.2.3?

    upd

    3. BIG security flaw in a User Accounts management

    After install I've created an account for myself and disabled the built-in admin – but I'm still able to log in via ssh with root:pfsense creds! :o

    Welcome, damn, everybody!

    upd

    4. WebUI referer check seems a bit… well, see below

    While the "Alternate Hostnames" field on the "System: Advanced: Admin Access" page contains only one "myhost.dyndns.org" entry, I'm able to log in to the WebUI from the Inet, accessing it by the dyndns hostname, and from my LAN too, both by ip and local hostname. At the same time I can't log in by IP from my PPTP incoming connection, ending with a "possible dns rebinding" warning.

    What's fun is that both LAN and PPTP-in ifaces live here on the same (my own) pfSense machine ;D

    5. to b continued ;)


  • Netgate Administrator

    Less than 128MB of ram hasn't been supported in a long time.
    http://forum.pfsense.org/index.php/topic,1712.0.html

    Steve


  • Rebel Alliance Developer Netgate

    1. Add more RAM  ;D

    2. The client subnet isn't really a subnet, just a block of IPs to supply to clients. Use a /28 or /29 of IPs high up inside your LAN and it'll work.

    3. I had thought the admin account couldn't be disabled in that way. If it bothers you, change the password to something extremely long and random and then disable it. You shouldn't be exposing your SSH service to the world anyhow. If you do, switch it to key-only auth, and it's still a non-issue.

    4. You should always be able to access it by IP, I haven't seen that happen before unless you were using a hostname. Even a port forward with NAT doesn't lock you out, just generates a warning. The referer check can always be disabled, too, but I'd have to see if that can be reproduced at all first.
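
    The "switch it to key-only auth" advice in point 3 above can be checked mechanically. The following is an added example, not code from this thread or from pfSense: a small Python audit of an OpenSSH sshd_config that reports whether password logins and direct root logins are still allowed. The two config texts are constructed for the example; since the effective value of an absent key depends on the OpenSSH release, absent keys are reported rather than assumed.

    ```python
    # Added example, not pfSense's own code: audit an OpenSSH sshd_config for the
    # settings behind "key-only auth" advice. Parsing follows sshd's rules: keys are
    # case-insensitive, the first occurrence of a key wins, lines starting with '#'
    # are comments, and anything under a 'Match' header is conditional.
    import re

    # Values that count as hardened for each setting we care about.
    HARDENED = {
        "permitrootlogin": {"no", "prohibit-password", "without-password"},
        "passwordauthentication": {"no"},
        "challengeresponseauthentication": {"no"},  # keyboard-interactive passwords
        "pubkeyauthentication": {"yes"},
    }


    def parse_sshd_config(text):
        """Return the effective global settings as {lowercase key: lowercase value}."""
        settings = {}
        in_match = False
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            # sshd accepts both "Key value" and "Key=value"
            parts = re.split(r"[\s=]+", line, maxsplit=1)
            key = parts[0].lower()
            value = parts[1].strip().lower() if len(parts) > 1 else ""
            if key == "match":
                in_match = True          # everything below applies conditionally
                continue
            if in_match or key in settings:
                continue                 # skip conditional lines and later duplicates
            settings[key] = value
        return settings


    def audit_sshd(text):
        """Return (key, value, finding) tuples for settings that are not hardened.
        An absent key is reported too: its effective value is whatever this OpenSSH
        release defaults to, and older releases defaulted PermitRootLogin to 'yes'
        (assumption about the reader's version; check the sshd_config man page)."""
        settings = parse_sshd_config(text)
        findings = []
        for key, good in HARDENED.items():
            value = settings.get(key)
            if value is None:
                findings.append((key, None, "not set; sshd default applies"))
            elif value not in good:
                expected = "/".join(sorted(good))
                findings.append((key, value, f"permissive; expected {expected}"))
        return findings


    # Constructed sample: password logins and root login open, plus a Match block
    # that must not be mistaken for the global setting.
    EXPOSED_CONFIG = """\
    # constructed for this example
    Port 22
    PermitRootLogin yes
    PasswordAuthentication yes
    PubkeyAuthentication yes
    Match User backup
        PasswordAuthentication no
    """

    # Constructed sample of the key-only layout the advice asks for.
    KEY_ONLY_CONFIG = """\
    PermitRootLogin no
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    PubkeyAuthentication yes
    """

    if __name__ == "__main__":
        for name, cfg in (("exposed", EXPOSED_CONFIG), ("key-only", KEY_ONLY_CONFIG)):
            print(name, audit_sshd(cfg) or "no findings")
    ```

    Run it against a copy of the real file (`audit_sshd(open("/etc/ssh/sshd_config").read())`); an empty result means every listed setting is explicitly in its hardened state, which is the only state worth trusting when the port is reachable from outside.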



  • stephenw10, pls reread the 1st post. The problem is not with "unsupported" or "unworkable" but with "notifications".

    @jimp:

    1. Add more RAM  ;D

    Why?! :o Can U give me any logical reason for it except "to get rid of these annoying msgs only"?!

    As I've said – It. Works. Fine. And "if it works -- let it work". And preferably without a trash like a MS Win Genuine popups :)

    @jimp:

    1. The client subnet isn't really a subnet, just a block of IPs to supply to clients. Use a /28 or /29 of IPs high up inside your LAN and it'll work.

    Pls explain more clearly where I shall (and can) use these masks on the "VPN: VPN PPTP" page? (now on the current v.02.02)

    What am I doing wrong?

    @jimp:

    1. If it bothers you, change the password to something extremely long and random and then disable it. You shouldn't be exposing your SSH service to the world anyhow. If you do, switch it to key-only auth, and it's still a non-issue.

    AFAIK all ssh-targeted worms are aimed at brute-force attacks and not at software runtime bugs like Win-targeted ones (have I missed something?), so IMHO 1) "change the password to something extremely long and random" and 2) change the listening port and 3) use Denyhosts is enough. Well, it's just talk…

    Here are three quotes -- one from the "System: User Manager / Users" page (edited yesterday and resaved recently just to b sure that this "Disabled" is still there) and two others from an ssh session opened right now:

    | Username | Full name | Disabled | Groups |
    |----------|-----------|----------|--------|
    | admin | System Administrator | * | admins |

    ```
    login as: root
    Using keyboard-interactive authentication.
    Password:
    *** Welcome to pfSense 2.0-BETA5
    ```

    ```
    login as: admin
    Using keyboard-interactive authentication.
    Password:
    *** Welcome to pfSense 2.0-BETA5
    ```

    WTF?

    @jimp:

    > 4) …

    Quick-tested and it seems fixed in v.02.02

  • Rebel Alliance Developer Netgate

    1. It may run now, but it may be swapping some RAM, too. It's just a really low amount of RAM in this day and age to put in a router you expect to do much of anything with. The error was put there as a warning. If you feel you can ignore the warning, continue to ignore it.

    2. Don't type the /28 in the boxes. I was thinking of a different page. Set the # of clients to 16 (or less), and just make sure that the server IP isn't inside that range. In your example, your server address is only 4 higher than the address pool start - so unless you only have three clients, it's inside the pool. Don't do that.

    3. Actually disabling root would have other unintended consequences, so it wouldn't be safe to just kill it. Don't expose your SSH port to the world and none of those are an issue. Just use the admin account and use a sensible password there. Exposing your ssh port to the outside world is your issue, not the strength of your root password.
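
    Point 2 above describes the PPTP client pool as a block of consecutive LAN addresses that the server address must stay out of. As an added example (not code from this thread or from pfSense), the Python below models exactly that and checks a layout for the three collisions that matter: server or LAN interface inside the pool, and the pool running into the LAN broadcast address or past the LAN. It also picks a pool "high up inside your LAN" that avoids reserved addresses. The LAN, addresses and client counts are constructed from the thread's own numbers; the /24 is written as 192.168.11.0/24.

    ```python
    # Added example, not pfSense's own code: model the PPTP client pool as the
    # advice above describes it, a block of N consecutive LAN addresses, and check
    # that the PPTP server address and the LAN interface stay outside that block
    # and that the block never reaches the LAN broadcast address.
    import ipaddress


    def pptp_pool(pool_start, n_clients):
        """The client addresses: n_clients consecutive IPs starting at pool_start."""
        start = ipaddress.IPv4Address(pool_start)
        return [start + i for i in range(n_clients)]


    def check_pptp_pool(lan_cidr, lan_iface, server_ip, pool_start, n_clients):
        """Return a list of problems; an empty list means the layout is consistent."""
        lan = ipaddress.IPv4Network(lan_cidr, strict=False)
        pool = pptp_pool(pool_start, n_clients)
        problems = []
        for label, addr in (("PPTP server address", ipaddress.IPv4Address(server_ip)),
                            ("LAN interface address", ipaddress.IPv4Address(lan_iface))):
            if addr in pool:
                problems.append(f"{label} {addr} is inside the client pool "
                                f"{pool[0]}-{pool[-1]}")
        for addr in pool:
            if addr not in lan:
                problems.append(f"pool address {addr} lies outside the LAN {lan}")
            elif addr in (lan.network_address, lan.broadcast_address):
                problems.append(f"pool address {addr} is the LAN network or broadcast address")
        return problems


    def suggest_pool_start(lan_cidr, n_clients, reserved):
        """Pick the highest block of n_clients usable LAN addresses that avoids every
        address in `reserved` ("high up inside your LAN"); None if nothing fits.
        Integer arithmetic keeps the search from stepping below 0.0.0.0 on tiny LANs."""
        lan = ipaddress.IPv4Network(lan_cidr, strict=False)
        taken = {ipaddress.IPv4Address(r) for r in reserved}
        first_usable = int(lan.network_address) + 1
        end = int(lan.broadcast_address) - 1
        while end - (n_clients - 1) >= first_usable:
            block = [ipaddress.IPv4Address(end - i) for i in range(n_clients)]  # end..start
            hits = [a for a in block if a in taken]
            if not hits:
                return block[-1]                    # lowest address of the block = pool start
            end = int(min(hits)) - 1                # retry just below the lowest collision
        return None


    # Constructed from the thread's own numbers: /24 LAN, interface .254,
    # PPTP server .253, pool starting around .242.
    LAN = "192.168.11.0/24"

    if __name__ == "__main__":
        for n in (10, 16):
            print(n, "clients:", check_pptp_pool(LAN, "192.168.11.254", "192.168.11.253",
                                                 "192.168.11.242", n) or "ok")
        print("suggested start for 10 clients:",
              suggest_pool_start(LAN, 10, ["192.168.11.253", "192.168.11.254"]))
    ```

    With 10 clients from .242 the layout passes; with 16 it reports the server and the interface inside the pool, the broadcast address .255 handed to a client, and two addresses past the end of the LAN, which is the "unless you only have three clients, it's inside the pool" situation in numbers.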



  • @myself:

    some things that look a bit strange and/or illogical

    1. "really low amount" != "really needed" aka "minimal _require_ments" :)

    I've pointed out the numbers for mem load in the start post. And I forgot to mention that 1.2.3 had a Squid too :) And that before the Squid install it worked on 64Mb :) And without swapping (I know a magic word "top") too, like 2-B works now on 112 (not 128!).

    So this "128" looks spun out of thin air, like in the Rebol-3-alpha announcement: "At least 1 MB of disk space and 10 MB of main memory. (We just had to say that.)" ;)

    Of course I'll continue to ignore this warning, but in this case I'll miss something new if it happens :(

    2. > Don't type the /28… the # of clients... address pool... server IP isn't inside...

    Thank You for the tips.

    And let me sum up: this page (and the pppoe-srv one too) is extremely unclear from a user's point of view:

    • Dropdown with "# of clients" -- is it mystically connected with a classless netmask or not?
    • Text "No. PPTP users [] Hint: 10 is TEN pptp clients_" – how can this "10" or even "10+2" b associated with common net/mask terms?

    3. [see my self-quote on top] These "tiny details" (like the existence of an invisible "root", or that the user manager controls the webui only, or anything else) should be clearly mentioned somewhere right on the "User Manager" page. And anyway "disable" should disable (or be named differently), isn't it?

    Also if a passworded ssh is so bad and horrible and a key-only ssh so inevitable – all this should b done right "from the box".

