Site Authentication Failures



  • Has anyone any experience with sorting out authentication issues with some sites.

    I have two WAN's, they are configured as load sharing i.e. both are tier1, I do not monitor the gateways they are both considered to be always up, I do not have any fail over groups built at all.

    I am experiencing issues with some websites where sometimes you can authenticate, sometimes you can't, sometimes authentication fails once logged in whilst navigating around. I am pretty sure that this is related to the site security seeing a change in my public facing IP address because pFSense is routing the traffic through a different WAN to the one used when I logged in.

    To try and stop this I put the sites IP address into the LAN ruleset and use the advanced settings to tell pFSense which one of the two WAN's to use for that particular address.

    It hasn't worked and still I am encountering login issues with some sites.

    I ave done a bit of searching around here but there doesn't seem to be much related to this topic.


  • Rebel Alliance

    Put the Rule/s for the "problematic" site/s before the Rule that have the "LoadBalance" GW Group configured.

    Rules applies from Top to Bottom.

    If still having problems, please attach a screenshot of your LAN Rules config.



  • That is how they are currently, image attached.

    ![LAN Rules.png](/public/imported_attachments/1/LAN Rules.png)
    ![LAN Rules.png_thumb](/public/imported_attachments/1/LAN Rules.png_thumb)



  • That's the right way to do it, but commonly when you see that, there is more than one IP involved, and at times it may be an IP that changes frequently and repeatedly (primarily for large scale sites). You're likely missing an IP that it's using.

    Note your "block illegal netbios" should use "any" as a destination, doubt you just want to block it to your WAN IP subnet, but rather the entire Internet.



  • Thanks I'll mod the Netbios entry.

    Is there any way to identify the IP's they are using - maybe it's some sort of internal redirect / load balancing their end?

    When I resolve via DNS I can only ever get the one IP. (I use OpenDNS not ISP)

    I suppose I could try using IP subnets instead of single hosts and take it from there.

    Thanks



  • @BenKenobe:

    I am experiencing issues with some websites where sometimes you can authenticate, sometimes you can't, sometimes authentication fails once logged in whilst navigating around. I am pretty sure that this is related to the site security seeing a change in my public facing IP address because pFSense is routing the traffic through a different WAN to the one used when I logged in.

    Check the discussion and proposed solution (configurable src.track timeout) in http://forum.pfsense.org/index.php?topic=43989.0



  • That discussion seems to be exactly the issue I am seeing.

    Further investigation seems to point to sites using cookie based authentication to maintain authentication across pages i.e. php types.

    Despite using sticky states and forcing an IP address to use one or other of the WAN's the error in authentication still exists so it seems to me that there are three possibilities.

    1 : There is an IP change taking place but this seems not to be the case when using a packet analyser (Network Instruments Observer) the foreign IP address is consistent as are the IP packet headers source information.

    2 : pFSense is not honouring the 'targetted' routing in a load balanced pair.

    3 : There is some 'authentication' process that isn't IP sensitive but is somehow affected by pFSense.

    In any case the root cause is clear, pFSense, because when loadbalancing is removed - i.e one of the WAN's is disabled the issue disappears and the sites work perfectly, so the issue IS somehow caused by the load balancing / states / routing within pFSense. I'm sure that the pFSense dev's will deny this of course and use the typical programmer response of 'blame the user'.

    Is there any way to packet capture within pFSense based on the PPPoE session or state? Simply doing it based on a fixed IP will miss IP changes, I want to check the packet routing within pFSense itself.

    To be more specific in my search and where to start looking within the pFSense connection chain I'd need to know a lot more about how the sites authentications work, for obvious reasons the sites owners aren't going to discuss that with me, maybe someone here knows how these types of authentication work.



  • It's highly unlikely there is an IP change mid-session, even with very low TTL DNS records, browsers don't update their internal DNS cache mid-session. What does happen on some sites is www.example.com goes to one IP, but your session also requires connectivity to www2.example.com which has a different IP. From your description, I suspect that's the case.



  • Is there an easy way to verify, I am struggling to find a way to capture a session effectively on the wan, there is so much background chatter going on that it is hard to track, the logs end up huge and finding out if a packet belongs to the session being tested is proving somewhat of a challenge.

    I did set up a capture filter that says between source (i.e browser) and anywhere but this revealed no change in target IP but it doesn't seem possible to sniff both WAN's concurrently into the same 'capture' in pFSense, I could do this on a Windows box by adding 'probes' to the interface (standard feature for Observer), is there a similar mechanism for pFSense?.


Log in to reply