pfSense » pfSense Packages

Okay, now I've run into it again and discovered the following:

If the firewall has internet connectivity during config restore, it will automatically reinstall all packages.

After the initial reboot due to config restore, I can see that the FreeRadius configuration is present and everything looks fine.

However, after the freeradius package has been reinstalled, the FreeRadius configuration is EMPTY!

I can see that in the Config History.

"Intermediate config write during package install for freeradius3": Removes all of the following xml objects:

<freeradiusinterfaces>
    . . .
<freeradiusclients>
    . . .
<freeradiussettings>
    . . .
<freeradiuseapconf>
    . . .
<freeradius>
    . . .

The next history entry is "Intermediate config write during package removal for cellular":

It adds a new temporary <ca> and <cert> object for FreeRadius.

Aside from the basic config entries in

<installedpackages><package>...
<menu>...
<service>...

it only adds the following FreeRadius configuration back in:

+        <freeradiuseapconf>
+            <config>
+                <ssl_ca_cert>643c0363cface</ssl_ca_cert>
+                <ssl_server_cert>643c0363ea0b1</ssl_server_cert>
+            </config>
+        </freeradiuseapconf>

All packages are up to date on pfSense+-23.01, the FreeRadius configuration is originally from pfSense-CE-2.6.0 and was updated by importing it into a fresh pfSense+-23.01 installation.

So essentially: Package reinstallation of freeradius3 destroys my entire FreeRadius configuration and is consequently inoperable afterwards.

The only solution I've found so far is to ensure that the firewall can't reinstall the packages due to disconnected internet. Then the config restore process does everything right, the FreeRadius configuration is present and works.

Could somebody please look into it?

So after reading through the source code I found something that I thought was strange to even exist:

    /* Remove package settings from config if 'Keep Settings' is disabled */
    if (!config_path_enabled('installedpackages/freeradiussettings/config/0/', 'keep_settings')) {

Checking my configuration file, I found that no

<keep_settings>on</keep_settings>

was present in freeradiussettings -> config.

After adding it manually and restoring that modified configuration file everything was preserved during package reinstall.

The inital bug report is something that might be broken alongside this, but it seems there is a bug somewhere that causes old configurations without keep_settings present to not get it added during upgrade, so that on pfSense+-23.01 the package reinstall wipes the configuration.

Steps taken to reproduce:
1. Install FreeRadius package into a virtual machine of 23.01
2. Configure FreeRadius with an interface and a client
3. Take a backup from Diagnostics > Backup & Restore.
4. Reset the VM to a state before FreeRadius was installed
5. Import the configuration exported in Step 3. VM is connected to the internet
6. PfSense reboots and when I log in to the dashboard again, there's a notification saying packages (only FreeRadius) were installed successfully.

With these steps, I was unable to reproduce the issue. However the exported configuration from the steps above doesn't contain the <freeradiussettings> </freeradiussettings> XML block, thus doesn't contain <keep_settings>on</keep_settings>. It's not exported in the configuration file until you click Save in Services > FreeRadius > Settings. You don't even need to change anything, just go to the page and click the Save button at the bottom, and now FreeRadius settings block is present. And for what it's worth, if changes are made on the Settings page, the XML block is still present after reverting them.

So at least from a default installation of 23.01 (and 22.05), the potential issue is that the XML block isn't present unless that Settings page is touched. This doesn't appear to be a problem in and of itself since I wasn't able to reproduce the exact behavior this bug was opened for, but I don't know if it's unintended or simply inconsequential from a development standpoint.

Is your configuration a product of having upgraded through several previous pfSense versions?

Hi Chris,

thanks for looking into this.

Yes I upgraded from 2.6.0 and the original version was probably something like 2.4.x.

I haven't had time to look into it again, but my current guess is, that something wasn't migrated right between pfSense config versions.

My original bug report was from the same config, but when I first set everything up, I built a new VM with 23.01, i.e. 2.6.0 -> 23.01, so I had a template, then restored the 2.6.0 config in 23.01. During reboot there was no internet connectivity, so the FreeRadius package didn't reinstall, meaning the config sections for FreeRadius were intact.

During my initial test of the HA setup, FreeRadius was verified running correctly with the correct config, I switched between CARP master/slave and found myself with a new certificate for FreeRadius all of a sudden.

The configuration however was still present in pfSense. As described I changed the certificate to something else, then back to the original one, restarted FreeRadius and everything was fine.

So there are two bugs:

1. Initial bug: Configuration in pfSense xml remains unchanged, but the running instance of FreeRadius suddenly has the wrong certificate (and perhaps wrong running configuration) due to HA switchover. For some reason the running config of FreeRadius became a new one, but upon pressing Save in pfSense UI it restarted with the correct config from the pfsense xml.

2. Second bug: Package reinstall of FreeRadius, if the config was migrated and originates from an earlier pfSense version, causes the wipe of the entire FreeRadius configuration and saves an initial (more or less empty) one instead.