<p><strong>pfSense bugtracker: Issues</strong><br /><a class="external" href="https://redmine.pfsense.org/">https://redmine.pfsense.org/</a> (feed generated 2024-03-11T16:52:27Z)</p>
<p><strong>pfSense - Feature #15331 (New): Client (service) for CloudFlare WARP/WARP+</strong><br /><a class="external" href="https://redmine.pfsense.org/issues/15331">https://redmine.pfsense.org/issues/15331</a> (2024-03-11T16:52:27Z, Sergei Shablovsky)</p>
<p><strong>For a couple of years now, CloudFlare has in fact been the fastest and most reliable proxy and SDN for most users.</strong><br />(Sometimes backbone and core border routing problems that hit Akamai have only a small effect on CF.)<br />Most of the “childhood problems” of a new and fast-growing company HAVE GONE AWAY.</p>
<p>And <strong>THE NUMBER OF POINTS OF PRESENCE (data centers, colocated servers) IS CONSTANTLY GROWING!</strong></p>
<p><strong>All this makes the WARP/WARP+ CloudFlare service more and more wanted, not only by most ordinary and advanced users, but also by small and medium private businesses and government organizations.</strong></p>
<p>And as a result, since 2022 more and more coders have tried to implement CloudFlare WARP/WARP+ client code for various OSs, especially those on which routers/firewalls are based.</p>
<p>Please take a look at<br />the thread on pfSense CE<br /><a class="external" href="https://forum.netgate.com/topic/177267/connecting-to-cloudflare-surely-its-possible">https://forum.netgate.com/topic/177267/connecting-to-cloudflare-surely-its-possible</a></p>
<p>and the thread on CloudFlare</p>
<p><a class="external" href="https://community.cloudflare.com/t/warp-client-for-freebsd-based-firewalls-eg-pfsense-opnsense/426717/1">https://community.cloudflare.com/t/warp-client-for-freebsd-based-firewalls-eg-pfsense-opnsense/426717/1</a></p>
<p>So, the bottom line of all of this:<br />making a CloudFlare WARP/WARP+ client as a separate package for pfSense is not so much time and effort.</p>
<p>If the DevTeam makes it right now, testing and feedback from users over the summer (when there is not so much business workload and the negative impact would be minimal) for the next upcoming release (2.7.3-REL) would be “adding more value to pfSense” and growing the distance from the competitor OPNsense.</p>
<p><strong>pfSense - Feature #15221 (New): Make System Tunables table sortable</strong><br /><a class="external" href="https://redmine.pfsense.org/issues/15221">https://redmine.pfsense.org/issues/15221</a> (2024-01-31T19:43:54Z, Ronald Antony)</p>
<p>On the System > Advanced page's System Tunables tab, it's really hard to <br />a) find/check values, since they are in no particular order<br />b) compare the settings of two machines, because, again, the values are in no particular order.</p>
<p>Being able to sort them by the Tunable Name is particularly important as it seems the Description of these fields has been changed over the years, so two systems originally set up at different times with different versions of pfSense have different descriptions for the same field, making it even harder to find/compare the values.</p>
<p><strong>pfSense - Bug #15015 (New): Static routes not working</strong><br /><a class="external" href="https://redmine.pfsense.org/issues/15015">https://redmine.pfsense.org/issues/15015</a> (2023-11-20T17:53:07Z, Silviu Bajenaru)</p>
<p>Hello,</p>
<p>This morning I updated to pfSense 2.7.1 from 2.7.0. Now, I just tried to add a dynamic gateway and a static route. Unfortunately, the static route is not being added to the routing table. I restored the VM backup from this morning, before I updated, added the same gateway and static route, and it was added to the routing table, and everything works fine.<br />I've set the priority to Urgent since this is quite bad for a router...?</p>
<p>More info about my setup: I've got three sites, let's call them A, B and C. There is an IPSec tunnel between A and B, and one between B and C. Both tunnels are set with Mode VTI. I've assigned the ipsec interfaces and set the gateways and routes:</p>
<p>Site A has a gateway set on the IPSec interface and a route for site C that uses that gateway.<br />Site B has two gateways (one for each IPSec tunnel) and the following routes:</p>
<ul>
<li>route to site A via the IPSec interface - gateway - going to site A</li>
<li>route to site B via the IPSec interface - gateway - going to site B</li>
</ul>
<p>Site C has a gateway set on the IPSec interface and a route for site A that uses that gateway.<br />Site A was updated this morning to pfSense 2.7.1, while Site C is running 2.7.0.<br />Site A DOES NOT have the static routes added to the routing table.<br />Site C does have the static routes added to the routing table.</p>
<p>Once I reverted Site A to 2.7.0, I did the same config again and the routes were added to the routing table.</p>
<p>Thank you.</p>
<p><strong>pfSense - Feature #14923 (New): Feature request - Backup encryption using a public key</strong><br /><a class="external" href="https://redmine.pfsense.org/issues/14923">https://redmine.pfsense.org/issues/14923</a> (2023-10-26T20:52:53Z, Wolfgang Thegreat)</p>
<p>This feature request is following a community post at <a class="external" href="https://forum.netgate.com/topic/183662/backup-encryption-using-a-public-key">https://forum.netgate.com/topic/183662/backup-encryption-using-a-public-key</a></p>
<p>Hello,</p>
<p>Currently the manual backup encryption uses a password the user needs to submit to the device, which is not so friendly and somewhat less secure, since browsers are multi-purpose and have plugins/addons that are at times discovered to be malicious.</p>
<p>So, I thought - why not do this encryption using a public key?<br />It can use the current user mechanism, as a user object can store a public key value, currently for SSH access authentication, but it can also be used to encrypt and sign the backup. One can even create a special user just for the goal of backup.</p>
<p>I guess this method can also be applied to the scheduled backups to the pfSense cloud, the "Auto Config Backup" feature.</p>
<p>This way the risk of password leak/exposure, or even folks' fear that pfSense will "steal" this password, will be gone.<br />Also, it should be easier for users to verify the authenticity and integrity of the output file and to decrypt it offline when needed, to read the plain text configuration XML file.</p>
<p>Thank you!</p>
<p><strong>pfSense - Bug #14906 (New): DHCPv4 server self-assigning address to own DHCP client-enabled inter...</strong><br /><a class="external" href="https://redmine.pfsense.org/issues/14906">https://redmine.pfsense.org/issues/14906</a> (2023-10-22T15:24:26Z, Luca Piccirillo)</p>
<p>Assume three NICs: igc0, igc1, igc2<br />Assume a single bridge: bridge0 (OPT2, OPT3)<br />And a VLAN: igc0.1036</p>
<p>Interfaces assignment as follows:<br />WAN -> igc0.1036 -> IPv4 (DHCP): 1.2.3.4/30<br />LAN -> bridge0 -> IPv4 (static): 192.168.1.1/24<br />OPT1 -> igc0 -> IPv4 (static): 192.168.100.2/24<br />OPT2 -> igc1<br />OPT3 -> igc2</p>
<p>DHCP & RA enabled for LAN only.</p>
<p>The problem: switching OPT1 IPv4 settings from static to DHCP makes pfSense assign itself an address from the LAN pool, also creating a wrong on-link route for its LAN subnet over the igc0 port, which is the underlying IF of WAN.</p>
<p>Of course this is easily noticeable when no other DHCP server is active on that igc0 port broadcast domain.</p>
<p><strong>pfSense - Bug #14891 (New): High CPU usage when interface get down and up due to process check_rel...</strong><br /><a class="external" href="https://redmine.pfsense.org/issues/14891">https://redmine.pfsense.org/issues/14891</a> (2023-10-18T10:40:27Z, Thijs K)</p>
<p>Today I noticed that the CPU usage was high on my pfSense appliance (N5105, I226).<br />After looking in top I see that check_reload_status is fully taxing one core.<br />This process seems to be triggered when the WAN interface comes down and up.<br />The process keeps running and taxing the CPU until it is manually stopped.</p>
<p><strong>pfSense - Feature #14802 (New): Re-enable multiqueue support for virtio NIC</strong><br /><a class="external" href="https://redmine.pfsense.org/issues/14802">https://redmine.pfsense.org/issues/14802</a> (2023-09-20T21:08:51Z, Christopher de Haas)</p>
<p>In current versions of pfSense (2.7.0, 23.05.1) multiqueue support for virtio NICs has vanished. Apparently this was done to support ALTQ. This is a serious new limitation for high throughput virtualized routers. Please re-add support for multiqueue on virtio. If this is a driver limitation, please at least allow us to choose between ALTQ or multiqueue enabled drivers for virtio, like it is for other NICs in pfSense.</p>
<p>Not sure whether this is a bug or a request for a feature to be re-added.</p>
<p><strong>pfSense - Bug #14741 (New): PHP error in DNS Forwarder host overrides when the language is set to...</strong><br /><a class="external" href="https://redmine.pfsense.org/issues/14741">https://redmine.pfsense.org/issues/14741</a> (2023-09-02T10:26:29Z, Nicolas PISTER)</p>
<p>A PHP error occurs when a user tries to add or modify a Host Override in the DNS Forwarder module</p>
<pre>
amd64
14.0-CURRENT
FreeBSD 14.0-CURRENT #1 RELENG_2_7_0-n255866-686c8d3c1f0: Wed Jun 28 04:21:19 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_0-main/obj/amd64/LwYAddCr/var/jenkins/workspace/pfSense-CE-snapshots-2_7_0-main/sources/FreeBSD-src-REL
Crash report details:
PHP Errors:
[02-Sep-2023 11:55:24 Europe/Paris] PHP Fatal error: Uncaught ValueError: Unknown format specifier "p" in /usr/local/www/classes/Form/Input.class.php:127
Stack trace:
#0 /usr/local/www/classes/Form/Input.class.php(127): sprintf('Nom de domaine ...', '<br />')
#1 /usr/local/www/services_dnsmasq_edit.php(85): Form_Input->setHelp('Domain of the h...', '<br />')
#2 {main}
thrown in /usr/local/www/classes/Form/Input.class.php on line 127
[02-Sep-2023 11:58:37 Europe/Paris] PHP Fatal error: Uncaught ValueError: Unknown format specifier "p" in /usr/local/www/classes/Form/Input.class.php:127
Stack trace:
#0 /usr/local/www/classes/Form/Input.class.php(127): sprintf('Nom de domaine ...', '<br />')
#1 /usr/local/www/services_dnsmasq_edit.php(85): Form_Input->setHelp('Domain of the h...', '<br />')
#2 {main}
thrown in /usr/local/www/classes/Form/Input.class.php on line 127
[02-Sep-2023 11:58:46 Europe/Paris] PHP Fatal error: Uncaught ValueError: Unknown format specifier "p" in /usr/local/www/classes/Form/Input.class.php:127
Stack trace:
#0 /usr/local/www/classes/Form/Input.class.php(127): sprintf('Nom de domaine ...', '<br />')
#1 /usr/local/www/services_dnsmasq_edit.php(85): Form_Input->setHelp('Domain of the h...', '<br />')
#2 {main}
thrown in /usr/local/www/classes/Form/Input.class.php on line 127
</pre>
<p>I think it comes from a French translation file, because when I use the original language, everything works.</p>
<p><strong>pfSense - Bug #14734 (New): Alias FQDN resolving issue results in incomplete tables</strong><br /><a class="external" href="https://redmine.pfsense.org/issues/14734">https://redmine.pfsense.org/issues/14734</a> (2023-08-31T13:59:20Z, Robert Gijsen)</p>
<p>In CE 2.7.0, there are still issues when FQDNs are used in aliases. Consider an alias with 3 entries, 2 static IPs and one FQDN, pointing to one of those IPs as well. When the FQDN changes to the other IP, the IP it had initially is gone from the table.</p>
<p>Steps to reproduce:</p>
<p>Create an alias:</p>
<ul>
<li>add 1.1.1.1</li>
<li>add 8.8.8.8</li>
<li>add a (public) DNS entry you created, pointing to 1.1.1.1, i.e. pfsensetest.domain.com</li>
<li>monitor the table entry for the alias; all will be ok</li>
<li>now change the DNS entry for pfsensetest.domain.com from 1.1.1.1 to 8.8.8.8 and wait for it to be replicated and for pfSense to pick it up</li>
<li>in my setups, 1.1.1.1 got deleted from the table. So while 8.8.8.8 is in there 'twice' now, and 1.1.1.1 only once statically, it's not there anymore</li>
<li>killing filterdns and reloading filters repopulates the tables correctly, it seems.</li>
</ul>
<p>It looks like when the FQDN is resolved, it overrules the static entry if one with the same value exists, and when the FQDN changes, the static entry is not put back into the table. I tailed resolver.log while reproducing the issue, but it made no mention at all of resolving the FQDN to another IP. So I don't know what log to add, or which log to enable verbose logging for.</p>
<p>I consider this high priority, as it has high potential of actually functionally breaking an environment.</p>
<p><strong>pfSense - Bug #14684 (Confirmed): Allowed IP Address does not control incoming speed in captive p...</strong><br /><a class="external" href="https://redmine.pfsense.org/issues/14684">https://redmine.pfsense.org/issues/14684</a> (2023-08-13T16:29:38Z, Noman Haroon)</p>
<p>Hi pfSense Engineers, I would like to report a bug. There is a problem in the captive portal in the latest release 2.7: the captive portal cannot control speed for Allowed IP Addresses. <--- This is the problem which needs to be fixed.</p>
<p>The captive portal has MAC-based speed limitation, but it should also work with Allowed IP Addresses.<br />Therefore, as a pfSense user, I am requesting that you kindly address this issue.<br />I will be highly obliged.</p>
<p><strong>pfSense - Bug #14648 (Confirmed): Values obtained from ``sysctl`` are sometimes unexpectedly empt...</strong><br /><a class="external" href="https://redmine.pfsense.org/issues/14648">https://redmine.pfsense.org/issues/14648</a> (2023-08-03T11:18:33Z, Steve Wheeler)</p>
<p>In 23.05.1:</p>
<pre>
PHP Errors:
[16-Jul-2023 19:44:14 Etc/UTC] PHP Fatal error: Uncaught TypeError: Unsupported operand types: string / int in /etc/inc/util.inc:2479
Stack trace:
#0 /etc/inc/pfsense-utils.inc(2013): get_memory()
#1 /etc/inc/filter.inc(510): pfsense_default_state_size()
#2 /etc/rc.filter_configure_sync(32): filter_configure_sync()
#3 {main}
thrown in /etc/inc/util.inc on line 2479
[27-Jul-2023 21:20:37 Etc/UTC] PHP Fatal error: Uncaught TypeError: Unsupported operand types: string / int in /etc/inc/util.inc:2479
Stack trace:
#0 /etc/inc/pfsense-utils.inc(2013): get_memory()
#1 /usr/local/www/includes/functions.inc.php(104): pfsense_default_state_size()
#2 /usr/local/www/includes/functions.inc.php(35): get_pfstate()
#3 /usr/local/www/getstats.php(40): get_stats(Array)
#4 {main}
thrown in /etc/inc/util.inc on line 2479
</pre>
<p>The system hitting this reports those sysctls correctly:</p>
<pre>
[23.05.1-RELEASE][suika@pfSense.pfsense.lan]/home/suika: sysctl hw.physmem
hw.physmem: 8288366592
[23.05.1-RELEASE][suika@pfSense.pfsense.lan]/home/suika: sysctl hw.realmem
hw.realmem: 8589934592
</pre>
<p><strong>pfSense - Bug #14434 (New): PPPoE WAN interface with VIPs causes continuous interface restarting</strong><br /><a class="external" href="https://redmine.pfsense.org/issues/14434">https://redmine.pfsense.org/issues/14434</a> (2023-05-30T13:55:03Z, Bert Smith)</p>
<p>I have a /28 routable legacy IP block from the ISP, and they assign the first usable address of the /28 block as a /32 to the PPPoE interface, so I have:</p>
<p>Routable block: x.x.x.64/28<br />PPPOE address: x.x.x.65/32<br />LAN address CARP VIP: x.x.x.65/28</p>
<p>This configuration worked fine in 22.05, but is broken in 23.01 and remains broken in 23.05.</p>
<p>The PPPOE connection establishes and calls /etc/rc.newwanip, which then calls find_interface_ip() and get_interface_ip() to determine the address assigned to pppoe0. These functions return NULL, which causes rc.newwanip to restart the pppoe0 interface. This then causes an endless loop. The logs show the correct interface name, but no IP:</p>
<pre>
rc.newwanip: on (IP address: ) (interface: WAND[opt5]) (real interface: pppoe0).
</pre>
<p>Looking through the find_interface_ip() function, I can see it looks for $interface_ip_arr_cache - this array exists, but is empty, causing the function to fail and return NULL.</p>
<p>I can see that if $interface_ip_arr_cache does not exist, it should open /var/db/${interface}_ip</p>
<pre>
if (!isset($interface_ip_arr_cache[$interface]) or $flush) {
if (file_exists("/var/db/${interface}_ip")) {
</pre>
<p>The file /var/db/pppoe0_ip is present and contains the correct address.</p>
<p>I'm hoping someone more familiar with the codebase and the changes between 22.05/23.01 could give some insight into this; otherwise I'll be trying to track it down further.</p>
<p><strong>pfSense - Bug #14178 (New): Captive Portal Pass-through MAC Auto Entry registering MAC address fo...</strong><br /><a class="external" href="https://redmine.pfsense.org/issues/14178">https://redmine.pfsense.org/issues/14178</a> (2023-03-24T20:21:09Z, Dean Arnold)</p>
<p>The Captive Portal "Pass-through MAC Auto Entry" feature is adding an Allowed Client MAC address registration for unauthenticated users, when the Captive Portal is configured for "Pass-through credits per MAC address". The net result is the user is not sent to the portal authentication page when their Pass Through Credits and timeouts expire.</p>
<p>High level Captive Portal Setup:</p>
<ul>
<li>Hard Timeout: 1</li>
<li>Pass-through credits per MAC address: 1</li>
<li>Waiting period to restore pass-through credits. (Hours): 1</li>
<li>Pass-through MAC Auto Entry: Checked/Enabled</li>
<li>Authentication: Use authentication backend -> RADIUS</li>
</ul>
<p>Expected Behavior:</p>
<ul>
<li>When a client first attaches to the guest network they should see no login/portal prompt. They can use the network/internet until their pass-through credits expire. No MAC address is registered, as the user has not yet authenticated with the backend.</li>
<li>When pass-through credits expire, they are sent to the portal login page, and authenticate with the backend (RADIUS).</li>
<li>On Successful authentication, the client's MAC address is registered as an allowed/Pass.</li>
<li>The client can continue to use the network/internet and will not be prompted again.</li>
</ul>
<p>Actual Behavior:</p>
<ul>
<li>When a client first attaches to the guest network they do not see the portal login prompt. They can use the network/internet.</li>
<li>An allowed/Pass MAC address registration is created for the user, even though in the Captive Portal Authentication log they are noted as being unauthenticated.</li>
<li>They see the login/portal prompt.</li>
</ul>
<p>The description & documentation of the "Pass-through MAC Auto Entry" feature states "When enabled, a MAC passthrough entry is automatically added after the user has successfully authenticated". The emphasis being "after the user has successfully authenticated".</p>
<p>Summary: The "Pass-through MAC Auto Entry" should not create an Allowed MAC address registration for unauthenticated users. Being temporarily allowed to use the portal with "Pass-through credits per MAC address" is not the same as being authenticated against a backend.</p>
<p>See screenshots showing Unauthenticated client log message, and the Auto added MAC address Pass record.</p>
<p>Note the portal works as expected, shows login/prompt pages and authenticates against RADIUS etc, when "Pass-through MAC Auto Entry" is not used.</p>
<p>This issue occurs on 22.05 & 23.01. I suspect it also affects 2.6 & 2.7.</p>
<p><strong>pfSense - Bug #14118 (New): freeRadius "Amount of Time" setting is not accurately tracked for Sto...</strong><br /><a class="external" href="https://redmine.pfsense.org/issues/14118">https://redmine.pfsense.org/issues/14118</a> (2023-03-16T10:23:39Z, Dale Harron)</p>
<p>Re: tested on 23.01 plus mid-Feb release: Correct time accounting error in captiveportal.inc Stop/Start routines for freeRadius.</p>
<p>The Stop/Start freeRadius routine at lines 690 thru 693 forces the interval to 60 seconds. freeRadius is expecting a duration interval since the last accounting update and as a result, 60 seconds is subtracted from the “allowed time” setting in the freeRadius GUI in pfSense, which is one of the reasons Stop/Start freeRadius works for tracking “Amount of Time” and Stop/Start doesn’t. The Stop/Start routine at lines 693 thru 696 sends an increment from the start of the session to the current time, resulting in the accumulation of time at an exponential rate and premature logout of that freeRadius user. Unfortunately, once-a-minute accounting intervals do not work well with freeRadius and accounting data is dropped with the current code, masking this issue. The duration must be longer (I found that less than 600 seconds was iffy and anything below 120 seconds definitely doesn’t keep accurate accounting for interim, stop/start or stop/start freeradius), and that is particularly true as the system gets loaded down with more users. In order to support more users, I have found we simply have to extend the duration of the “accounting interval”. freeRadius already has a user-settable accounting interval for interim accounting (lines 718 thru 738), but it only uses that interval for the interim setting. For simplicity, I propose using it for both Stop/Start routines as well.<br />As the “reauthenticate every minute” setting in the Captive Portal GUI will be redundant if the duration is longer than the accounting interval, it makes sense to also incorporate the freeRadius “accounting interval” for that as well.<br />It should be noted that the freeRadius GUI states that the default value for the accounting interval is 600 seconds, but it is not; it is much shorter, more like a minute. This should be corrected while implementing this fix.<br />I have also reduced the “pause” duration at line 710 in stopstartfreeradius to support scaling to a larger number of connected users. The value of 250000 microseconds, or 1/4 of a second, is arbitrary but worked well during testing.<br />I took the code wrapping the interim interval and “copy/paste” wrapped the Stop/Start and Reauthenticate routines to demonstrate and test this proposed fix. It has worked well during my lab testing. No effort has been made to make this code efficient; it is included here for proof of principle and/or for testing. The fact that the interim value applies to all freeRadius accounting, not just interim, should be updated in the freeRadius GUI under Settings, freeRadius.<br />Line 684 in captiveportal.inc with modifications encapsulated inside “/*---” commented sections follows:</p>
<pre><code>/* do periodic reauthentication? For Radius servers, send accounting updates? */
if (!$timedout) {
    //Radius servers : send accounting
    if (isset($cpcfg['radacct_enable']) && $cpentry['authmethod'] === 'radius') {
        if (substr($cpcfg['reauthenticateacct'], 0, 9) === "stopstart") {
            /* stop and restart accounting */
            if ($cpcfg['reauthenticateacct'] === "stopstartfreeradius") {
/*--- Use the actual interval since the last accounting interval update
                $rastart_time = 0;
                $rastop_time = 60;
*/
                $rastart_time = 0;
                $rastop_time = $cpentry[10];
            } else {
/*--- Use the actual interval since the last accounting interval update to avoid cumulating time exponentially.
                $rastart_time = $cpentry[0];
                $rastop_time = time();
*/
                $rastart_time = 0;
                $rastop_time = $cpentry[10];
            }
/*-----------------------------------------------------------------------------------------------------------*/
/*--- Override to use interim update from freeRadius GUI setting for stop/start frequency as well */
            $session_time = $pruning_time - $cpentry[0];
            if (!empty($cpentry[10]) && $cpentry[10] > 60) {
                $interval = $cpentry[10];
            } else {
                $interval = 0;
            }
            $past_interval_min = ($session_time > $interval);
            if ($interval != 0) {
                $within_interval = ($session_time % $interval >= 0 && $session_time % $interval <= 59);
            }
            if ($interval === 0 || ($interval > 0 && $past_interval_min && $within_interval)) {
/*-----------------------------------------------------------------------------------------------------------*/
                captiveportal_send_server_accounting('stop',
                    $cpentry[1], // ruleno
                    $cpentry[4], // username
                    $cpentry[2], // clientip
                    $cpentry[3], // clientmac
                    $cpentry[5], // sessionid
                    $rastart_time, // start time
                    $rastop_time, // Stop Time
                    10); // NAS Request
                /* XXX rewrite to C wrapper pfSense_pf_anchor_zerocnt() */
                captiveportal_anchor_zerocnt($cpentry[2], 'auth');
                if ($cpcfg['reauthenticateacct'] == "stopstartfreeradius") {
                    /* Need to pause here or the FreeRADIUS server gets confused about packet ordering. */
/*--- 1 sec limits max # simultaneous users sleep(1); */
                    usleep(250000);
                }
                captiveportal_send_server_accounting('start',
                    $cpentry[1], // ruleno
                    $cpentry[4], // username
                    $cpentry[2], // clientip
                    $cpentry[3], // clientmac
                    $cpentry[5]); // sessionid
/*-----------------------------------------------------------------------------------------------------------*/
            }
/*-----------------------------------------------------------------------------------------------------------*/
        } else if ($cpcfg['reauthenticateacct'] == "interimupdate") {
            $session_time = $pruning_time - $cpentry[0];
            if (!empty($cpentry[10]) && $cpentry[10] > 60) {
                $interval = $cpentry[10];
            } else {
                $interval = 0;
            }
            $past_interval_min = ($session_time > $interval);
            if ($interval != 0) {
                $within_interval = ($session_time % $interval >= 0 && $session_time % $interval <= 59);
            }
            if ($interval === 0 || ($interval > 0 && $past_interval_min && $within_interval)) {
                captiveportal_send_server_accounting('update',
                    $cpentry[1], // ruleno
                    $cpentry[4], // username
                    $cpentry[2], // clientip
                    $cpentry[3], // clientmac
                    $cpentry[5], // sessionid
                    $cpentry[0]); // start time
            }
        }
    }

    /* check this user again */
    if (isset($cpcfg['reauthenticate']) && $cpentry['context'] !== 'voucher') {
/*-----------------------------------------------------------------------------------------------------------*/
/*--- Override to use interim update from freeRadius GUI setting as reauthenticate frequency as well */
        $session_time = $pruning_time - $cpentry[0];
        if (!empty($cpentry[10]) && $cpentry[10] > 60) {
            $interval = $cpentry[10];
        } else {
            $interval = 0;
        }
        $past_interval_min = ($session_time > $interval);
        if ($interval != 0) {
            $within_interval = ($session_time % $interval >= 0 && $session_time % $interval <= 59);
        }
        if ($interval === 0 || ($interval > 0 && $past_interval_min && $within_interval)) {
/*-----------------------------------------------------------------------------------------------------------*/
            $auth_result = captiveportal_authenticate_user(
                $cpentry[4], // username
                base64_decode($cpentry[6]), // password
                $cpentry[3], // clientmac
                $cpentry[2], // clientip
                $cpentry[1], // ruleno
                $cpentry['context']); // context
            if ($auth_result['result'] === false) {
                captiveportal_disconnect($cpentry, 17);
                captiveportal_logportalauth($cpentry[4], $cpentry[3], $cpentry[2], "DISCONNECT - REAUTHENTICATION FAILED", $auth_list['reply_message']);
                $unsetindexes[] = $cpentry[5];
            } else if ($auth_result['result'] === true) {
                if ($cpentry['authmethod'] !== $auth_result['auth_method']) {
                    // if the user got authenticated against another server type: we update the database
                    if (!empty($cpentry[5])) {
                        captiveportal_update_entry($cpentry['sessionid'], $auth_result['auth_method'], 'authmethod');
                        captiveportal_logportalauth($cpentry[4], $cpentry[3], $cpentry[2], "CHANGED AUTHENTICATION SERVER", $auth_list['reply_message']);
                    }
                    // User was logged on a RADIUS server, but is now logged in by another server type : we send an accounting Stop
                    if (isset($config['captiveportal'][$cpzone]['radacct_enable']) && $cpentry['authmethod'] == 'radius') {
                        if ($cpcfg['reauthenticateacct'] = "stopstartfreeradius") {
                            $rastart_time = 0;
                            $rastop_time = 60;
                        } else {
                            $rastart_time = $cpentry[0];
                            $rastop_time = time();
                        }
                        captiveportal_send_server_accounting('stop',
                            $cpentry[1], // ruleno
                            $cpentry[4], // username
                            $cpentry[2], // clientip
                            $cpentry[3], // clientmac
                            $cpentry[5], // sessionid
                            $rastart_time, // start time
                            $rastop_time, // Stop Time
                            3); // Lost Service
                    // User was logged on a non-RADIUS Server but is now logged in by a RADIUS server : we send an accounting Start
                    } else if (isset($config['captiveportal'][$cpzone]['radacct_enable']) && $auth_result['auth_method'] === 'radius') {
                        captiveportal_send_server_accounting('start',
                            $cpentry[1], // ruleno
                            $cpentry[4], // username
                            $cpentry[2], // clientip
                            $cpentry[3], // clientmac
                            $cpentry[5], // sessionid
                            $cpentry[0]); // start_time
                    }
                }
                captiveportal_reapply_attributes($cpentry, $auth_result['attributes']);
            }
/*-----------------------------------------------------------------------------------------------------------*/
        }
/*-----------------------------------------------------------------------------------------------------------*/
    }
}
</code></pre>
<p>Redmines <a class="issue tracker-2 status-1 priority-4 priority-default" title="Feature: Add ability to properly configure RADIUS captive portal user quotas of 4096MB or more (New)" href="https://redmine.pfsense.org/issues/13843">#13843</a> & <a class="issue tracker-2 status-1 priority-4 priority-default" title="Feature: Make RADIUS Start/Stop accounting immediately log off a user that exceeds quota when reauthentica... (New)" href="https://redmine.pfsense.org/issues/13844">#13844</a> must be fully implemented before this modification can be utilized on accounts with a data quota as overflowed value logouts >4GB will occur if a data quota is set (eg: 100GB = 1.7GB overflow equivalent). In order to complete this testing, I overrode the 32 bit overflow 4 GB data quota limit as follows (line 663 in captiveportal.inc). <a class="issue tracker-2 status-1 priority-4 priority-default" title="Feature: Make RADIUS Start/Stop accounting immediately log off a user that exceeds quota when reauthentica... (New)" href="https://redmine.pfsense.org/issues/13844">#13844</a> requires checking reauthenticate option in the captive portal GUI to force a logout for now. I include the code here to permit these fixes to progress in parallel or for those that need an immediate fix for 23.01.</p>
<p>Line 662 in captiveportal.inc:</p>
<pre><code>/* traffic quota, value retrieved from the radius attribute if the option is enabled */
if (isset($cpcfg['radiustraffic_quota'])) {
    $utrafficquota = (is_numeric($cpentry[11])) ? $cpentry[11] : $trafficquota;
/*-----------------------------------------------------------------------------------------------------------*/
/* new code */
    $intoverflow = true; //to stop 32 bit overflow premature logout
/* new code */
/*-----------------------------------------------------------------------------------------------------------*/
} else {
    $utrafficquota = $trafficquota;
}

if (!$timedout && $utrafficquota > 0) {
    $volume = getVolume($cpentry[2]);
    if (($volume['input_bytes'] + $volume['output_bytes']) > $utrafficquota) {
/* edited code original $timedout = true; */
/*-----------------------------------------------------------------------------------------------------------*/
        if ($intoverflow != true) {
            $timedout = true;
        } else {
            $timedout = false; //to stop 32 bit overflow premature logout
        }
/*-----------------------------------------------------------------------------------------------------------*/
/* edited code */
    }
}
</code></pre>
<p><strong>pfSense - Bug #9295 (New): IPv6 PD does not work with PPPOE (Server & Client)</strong><br /><a class="external" href="https://redmine.pfsense.org/issues/9295">https://redmine.pfsense.org/issues/9295</a> (2019-01-29T11:51:01Z, Dirk Steingäßer)</p>
<p>Hi,</p>
<p>As I have encountered, DHCPv6 with Prefix Delegation does not work together with the PPPoE server, and vice versa: it is not possible to get a prefix on an interface where the IPv4 uplink is PPPoE.</p>