
Feature #12982

Updated by Marcos M almost 2 years ago

It seems that when there are too many entries (per user) in the radreply table (using MySQL) of the FreeRADIUS package, pfSense (or maybe it is FreeRADIUS) will start ignoring the rules. It seems the max entries per user (for the Cisco-AVPair rule) is around 70. pfSense will start ignoring any rules (per user) above 70 or so.

Just to clarify the issue a bit more: for example, if I have these entries in the radreply table (100 entries in total) for the user ATMMSOpenVPN,

<pre>
ATMMSOpenVPN Cisco-AVPair += ip:inacl#1=permit any host 10.7.0.30 host 10.100.0.120
ATMMSOpenVPN Cisco-AVPair += ip:inacl#2=permit any host 10.7.0.30 host 10.100.10.57
ATMMSOpenVPN Cisco-AVPair += ip:inacl#3=permit any host 10.7.0.30 host 10.100.55.22
...
ATMMSOpenVPN Cisco-AVPair += ip:inacl#100=permit any host 10.7.0.30 host 10.100.0.53
</pre>

1. In entry #1 it is allowing 10.7.0.30 to access 10.100.0.120
2. In entry #100 it is allowing 10.7.0.30 to access 10.100.0.53

Both 10.100.0.120 and 10.100.0.53 are pingable. But when the user ATMMSOpenVPN logs in to OpenVPN, he will ONLY be able to ping 10.100.0.120, NOT 10.100.0.53, because 10.100.0.53 is rule #100 (which is above 70).

BUT, if I switch these 2 IPs around so that #1 is now 10.100.0.53 and #100 is 10.100.0.120 (in the MySQL database), he will be able to ping 10.100.0.53 BUT NOT 10.100.0.120 anymore. So it almost seems like pfSense is only loading the first 70 or so rules and rendering the rest of the entries (beyond 70 rows) "useless".
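As an added diagnostic (not code from this report, nor from the pfSense or FreeRADIUS projects), the script below estimates how large an Access-Accept carrying one Cisco-AVPair VSA per radreply row would be. It assumes the constraint worth checking is the 4096-byte maximum RADIUS packet length from RFC 2865; the rule strings are constructed to mirror the report's ip:inacl#N entries.

```python
# Added example: estimate the on-the-wire size of an Access-Accept that carries one
# Cisco-AVPair vendor-specific attribute per radreply row, and report how many rows
# fit before the 4096-byte RADIUS packet limit (RFC 2865) is exceeded.
# Assumption: that limit is the ceiling being hit; the sample rows are constructed.

RADIUS_HEADER_LEN = 20              # Code, Identifier, Length, Authenticator (RFC 2865 s3)
RADIUS_MAX_PACKET = 4096            # maximum packet length (RFC 2865 s3)
VSA_OVERHEAD = 2 + 4 + 2            # Type/Length + Vendor-Id + Vendor-Type/Vendor-Length
MAX_VSA_VALUE = 255 - VSA_OVERHEAD  # an attribute's Length field is a single byte


def cisco_avpair_len(value: str) -> int:
    """Bytes one Cisco-AVPair attribute (vendor 9, type 1) occupies on the wire."""
    if len(value.encode()) > MAX_VSA_VALUE:
        raise ValueError(f"value too long for one VSA: {len(value)} > {MAX_VSA_VALUE}")
    return VSA_OVERHEAD + len(value.encode())


def accept_packet_len(values) -> int:
    """Size of an Access-Accept holding only these Cisco-AVPair attributes."""
    return RADIUS_HEADER_LEN + sum(cisco_avpair_len(v) for v in values)


def rules_that_fit(values) -> int:
    """How many attributes, taken in radreply order, fit under the packet limit."""
    total = RADIUS_HEADER_LEN
    for i, v in enumerate(values):
        total += cisco_avpair_len(v)
        if total > RADIUS_MAX_PACKET:
            return i
    return len(values)


def build_rules(n: int, src: str = "10.7.0.30", dst_prefix: str = "10.100.0.") -> list:
    """Constructed radreply values shaped like the report's ip:inacl#N entries."""
    return [f"ip:inacl#{i}=permit any host {src} host {dst_prefix}{i}"
            for i in range(1, n + 1)]


if __name__ == "__main__":
    rules = build_rules(100)
    print(f"100 rules -> {accept_packet_len(rules)} bytes (limit {RADIUS_MAX_PACKET})")
    print(f"rules that fit in one Access-Accept: {rules_that_fit(rules)}")
```

If the count it prints lands near the ceiling you observe, consolidating the ACL entries (for example by subnet) is the way to stay within one packet rather than adding rows.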
