<p>pfSense bugtracker: Issues https://redmine.pfsense.org/ 2024-02-17T17:56:44Z Redmine</p>
<p>pfSense Docs - Todo #15267 (Rejected): Feedback on Releases — 2.7.2 New Features and Changes https://redmine.pfsense.org/issues/15267 2024-02-17T17:56:44Z Steve Y</p>
<p><strong>Page:</strong> <a class="external" href="https://docs.netgate.com/pfsense/en/latest/releases/2-7-2.html">https://docs.netgate.com/pfsense/en/latest/releases/2-7-2.html</a></p>
<p><strong>Feedback:</strong><br />I suggest the 2.7.2 release notes reference Kea is still preview/alpha and refer to <a class="external" href="https://docs.netgate.com/pfsense/en/latest/releases/2-7-1.html#kea-dhcp-server-feature-preview-now-available">https://docs.netgate.com/pfsense/en/latest/releases/2-7-1.html#kea-dhcp-server-feature-preview-now-available</a>. From forum interaction I suspect some people see the note is "removed" and assume the missing features are present. Or just read the latest and don't see the note at all.</p>
<p>pfSense Packages - Regression #15159 (Confirmed): XMLRPC Replication Target required even if not ... https://redmine.pfsense.org/issues/15159 2024-01-12T23:40:15Z Steve Y</p>
<p>On page Firewall/pfBlockerNG/Sync if "Sync to configured system backup server" is selected, "XMLRPC Replication Targets" &gt; "Target IP/Hostname" is still a required field.</p>
<p>pfSense Packages - Regression #15158 (Confirmed): XMLRPC Timeout won't save if over 150 https://redmine.pfsense.org/issues/15158 2024-01-12T23:37:02Z Steve Y</p>
<p>Firewall/pfBlockerNG/Sync has option "XMLRPC Timeout":</p>
<pre><code class="html syntaxhl"><span class="nt">&lt;input</span> <span class="na">class=</span><span class="s">"form-control"</span> <span class="na">name=</span><span class="s">"varsynctimeout"</span> <span class="na">id=</span><span class="s">"varsynctimeout"</span> <span class="na">type=</span><span class="s">"number"</span> <span class="na">value=</span><span class="s">"150"</span> <span class="na">min=</span><span class="s">"0"</span> <span class="na">max=</span><span class="s">"5000"</span> <span class="na">step=</span><span class="s">"50"</span> <span class="na">placeholder=</span><span class="s">"Enter timeout in seconds"</span><span class="nt">&gt;</span>
</code></pre>
<p>If one sets the spinner to a number higher than 150 the value is saved at 150. Ergo no value over 150 is allowed.</p>
<p>pfSense Packages - Bug #15120 (Not a Bug): Suricata upgrade/install adds default rulesets https://redmine.pfsense.org/issues/15120 2023-12-27T20:12:39Z Steve Y</p>
<p>We had traditionally disabled stream-events.rules because of false positives. I have noticed a couple times lately it's been enabled. I found that my backup just before (made as I start) an upgrade from 23.05.1 to 23.09.1 does not have it but the one I made just after the upgrade it does, around 20 minutes later. From the forum it seems others have run into this as well. I am not sure when it started. I pulled up a few client routers on 23.05.1 and it is enabled on them so likely predates 23.05.</p>
<p>before:<br /><code>&lt;rulesets&gt;<br />GPLv2_community.rules||app-layer-events.rules||decoder-events.rules||emerging-activex.rules||dhcp-events.rules||dnp3-events.rules||emerging-attack_response.rules||dns-events.rules||emerging-botcc.portgrouped.rules||files.rules||emerging-botcc.rules||http-events.rules||emerging-chat.rules||http2-events.rules||ipsec-events.rules||kerberos-events.rules||modbus-events.rules||emerging-current_events.rules||mqtt-events.rules||nfs-events.rules||ntp-events.rules||emerging-dos.rules||smb-events.rules||smtp-events.rules||ssh-events.rules||emerging-exploit.rules||tls-events.rules||emerging-games.rules||emerging-inappropriate.rules||emerging-malware.rules||emerging-misc.rules||emerging-mobile_malware.rules||emerging-p2p.rules||emerging-scada.rules||emerging-scan.rules||emerging-shellcode.rules||emerging-user_agents.rules||emerging-web_client.rules||emerging-web_server.rules||emerging-worm.rules<br />&lt;/rulesets&gt;</code></p>
<p>after:<br /><code>&lt;rulesets&gt;<br />GPLv2_community.rules||app-layer-events.rules||decoder-events.rules||emerging-activex.rules||dhcp-events.rules||dnp3-events.rules||emerging-attack_response.rules||dns-events.rules||emerging-botcc.portgrouped.rules||files.rules||emerging-botcc.rules||http-events.rules||emerging-chat.rules||http2-events.rules||ipsec-events.rules||kerberos-events.rules||modbus-events.rules||emerging-current_events.rules||mqtt-events.rules||nfs-events.rules||ntp-events.rules||emerging-dos.rules||smb-events.rules||smtp-events.rules||ssh-events.rules||emerging-exploit.rules||tls-events.rules||emerging-games.rules||emerging-inappropriate.rules||emerging-malware.rules||emerging-misc.rules||emerging-mobile_malware.rules||emerging-p2p.rules||emerging-scada.rules||emerging-scan.rules||emerging-shellcode.rules||emerging-user_agents.rules||emerging-web_client.rules||emerging-web_server.rules||emerging-worm.rules||ftp-events.rules||quic-events.rules||rfb-events.rules||stream-events.rules<br />&lt;/rulesets&gt;</code><br />(the last four have been added)</p>
<p>My process for upgrading is simply:</p>
<pre><code>uninstall Suricata (and pfBlocker etc.)<br /> upgrade pfSense<br /> install Suricata</code></pre>
<p>"Send notifications when new rule categories appear" is checked on this particular router but we haven't received any emails about that.</p>
<p>forum thread: <a class="external" href="https://forum.netgate.com/topic/185055/suricata-upgrade-install-adds-default-rulesets">https://forum.netgate.com/topic/185055/suricata-upgrade-install-adds-default-rulesets</a><br />mentioned: <a class="external" href="https://forum.netgate.com/topic/185037/upgrade-to-2-7-2-from-2-7-0-failed-install-no-space-left-on-device/7">https://forum.netgate.com/topic/185037/upgrade-to-2-7-2-from-2-7-0-failed-install-no-space-left-on-device/7</a></p>
<p>pfSense Docs - Todo #15095 (Closed): Feedback on Installing and Upgrading — Upgrade Guide — Upgra... https://redmine.pfsense.org/issues/15095 2023-12-14T17:27:29Z Steve Y</p>
<p><strong>Page:</strong> <a class="external" href="https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide-ha.html">https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide-ha.html</a></p>
<p><strong>Feedback:</strong><br />I believe this is incorrect now?<br />"If the interfaces do not line up on both nodes then the states will not properly sync, for example if WAN is ix0 on one node and igb0 on the other."</p>
<p>it could just link to:<br /><a class="external" href="https://docs.netgate.com/pfsense/en/latest/highavailability/pfsync.html#pfsync-and-physical-interfaces">https://docs.netgate.com/pfsense/en/latest/highavailability/pfsync.html#pfsync-and-physical-interfaces</a><br />?</p>
<p>pfSense Docs - Todo #15014 (Rejected): Feedback on Configuration — Advanced Configuration Options... https://redmine.pfsense.org/issues/15014 2023-11-20T17:50:09Z Steve Y</p>
<p><strong>Page:</strong> <a class="external" href="https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html">https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html</a></p>
<p><strong>Feedback:</strong></p>
<p>re: "By default this is 400,000 entries"</p>
<p>Per Marcos in <a class="external" href="https://redmine.pfsense.org/issues/11566#change-71003">https://redmine.pfsense.org/issues/11566#change-71003</a> "We don't set a defined value by default - it's whatever the OS reports (which has its own defaults)."</p>
<p>pfSense Packages - Bug #14596 (Duplicate): FreeRADIUS falsely shows its default is to save data d... https://redmine.pfsense.org/issues/14596 2023-07-21T03:24:18Z Steve Y</p>
<p>forum thread: <a class="external" href="https://forum.netgate.com/topic/181594/restore-missing-freeradius-config">https://forum.netgate.com/topic/181594/restore-missing-freeradius-config</a></p>
<p>A new install of FreeRADIUS shows the "Save settings after deletion" checked by default. However <code class="xml syntaxhl"><span class="nt">&lt;keep_settings&gt;</span>on<span class="nt">&lt;/keep_settings&gt;</span></code> is not in the config.xml file, thus the package removes all settings upon reinstall, such as after a restore:</p>
<p>Jul 20 21:53:24 php 38236 //etc/rc.packages: Configuration Change: (system): Overwrote previous installation of freeradius3.<br />Jul 20 21:53:23 php 38236 //etc/rc.packages: Configuration Change: (system): Intermediate config write during package install for freeradius3.<br />Jul 20 21:53:23 php 38236 //etc/rc.packages: Beginning package installation for freeradius3 .<br />Jul 20 21:53:23 check_reload_status 329 Syncing firewall<br />Jul 20 21:53:23 php 36496 /etc/rc.packages: Configuration Change: (system): [freeRADIUS] Package uninstalled.<br />Jul 20 21:53:22 php 36496 /etc/rc.packages: [freeRADIUS] Removing all FreeRADIUS settings <b>since 'Keep Settings/Data' is disabled</b>...<br />Jul 20 21:53:22 check_reload_status 329 Syncing firewall<br />Jul 20 21:53:22 php 36496 /etc/rc.packages: Configuration Change: (system): Intermediate config write during package removal for freeradius3.<br />Jul 20 21:53:22 php 36496 /etc/rc.packages: The command '/usr/local/etc/rc.d/radiusd.sh stop' returned exit code '1', the output was 'radiusd not running?'</p>
<p>In fact the entire &lt;freeradiussettings&gt; tag is missing from the config.xml file:</p>
<pre><code class="xml syntaxhl"> <span class="nt">&lt;freeradiussettings&gt;</span>
<span class="nt">&lt;config&gt;</span>
<span class="nt">&lt;varsettingsmaxrequests&gt;</span>1024<span class="nt">&lt;/varsettingsmaxrequests&gt;</span>
<span class="nt">&lt;varsettingsmaxrequesttime&gt;</span>30<span class="nt">&lt;/varsettingsmaxrequesttime&gt;</span>
<span class="nt">&lt;varsettingscleanupdelay&gt;</span>5<span class="nt">&lt;/varsettingscleanupdelay&gt;</span>
<span class="nt">&lt;varsettingsallowcoredumps&gt;</span>no<span class="nt">&lt;/varsettingsallowcoredumps&gt;</span>
<span class="nt">&lt;varsettingsregularexpressions&gt;</span>yes<span class="nt">&lt;/varsettingsregularexpressions&gt;</span>
<span class="nt">&lt;varsettingsextendedexpressions&gt;</span>yes<span class="nt">&lt;/varsettingsextendedexpressions&gt;</span>
<span class="nt">&lt;keep_settings&gt;</span>on<span class="nt">&lt;/keep_settings&gt;</span>
<span class="nt">&lt;varsettingslogdir&gt;</span>syslog<span class="nt">&lt;/varsettingslogdir&gt;</span>
<span class="nt">&lt;varsettingsauth&gt;</span>yes<span class="nt">&lt;/varsettingsauth&gt;</span>
<span class="nt">&lt;varsettingsauthbadpass&gt;</span>no<span class="nt">&lt;/varsettingsauthbadpass&gt;</span>
<span class="nt">&lt;varsettingsauthbadpassmessage&gt;&lt;/varsettingsauthbadpassmessage&gt;</span>
<span class="nt">&lt;varsettingsauthgoodpass&gt;</span>no<span class="nt">&lt;/varsettingsauthgoodpass&gt;</span>
<span class="nt">&lt;varsettingsauthgoodpassmessage&gt;&lt;/varsettingsauthgoodpassmessage&gt;</span>
<span class="nt">&lt;varsettingsstrippednames&gt;</span>no<span class="nt">&lt;/varsettingsstrippednames&gt;</span>
<span class="nt">&lt;varsettingshostnamelookups&gt;</span>no<span class="nt">&lt;/varsettingshostnamelookups&gt;</span>
<span class="nt">&lt;varsettingsmaxattributes&gt;</span>200<span class="nt">&lt;/varsettingsmaxattributes&gt;</span>
<span class="nt">&lt;varsettingsrejectdelay&gt;</span>1<span class="nt">&lt;/varsettingsrejectdelay&gt;</span>
<span class="nt">&lt;varsettingsstartservers&gt;</span>5<span class="nt">&lt;/varsettingsstartservers&gt;</span>
<span class="nt">&lt;varsettingsmaxservers&gt;</span>32<span class="nt">&lt;/varsettingsmaxservers&gt;</span>
<span class="nt">&lt;varsettingsminspareservers&gt;</span>3<span class="nt">&lt;/varsettingsminspareservers&gt;</span>
<span class="nt">&lt;varsettingsmaxspareservers&gt;</span>10<span class="nt">&lt;/varsettingsmaxspareservers&gt;</span>
<span class="nt">&lt;varsettingsmaxqueuesize&gt;</span>65536<span class="nt">&lt;/varsettingsmaxqueuesize&gt;</span>
<span class="nt">&lt;varsettingsmaxrequestsperserver&gt;</span>0<span class="nt">&lt;/varsettingsmaxrequestsperserver&gt;</span>
<span class="nt">&lt;varsettingsmotpenable&gt;&lt;/varsettingsmotpenable&gt;</span>
<span class="nt">&lt;varsettingsmotptimespan&gt;&lt;/varsettingsmotptimespan&gt;</span>
<span class="nt">&lt;varsettingsmotppasswordattempts&gt;&lt;/varsettingsmotppasswordattempts&gt;</span>
<span class="nt">&lt;varsettingsmotpchecksumtype&gt;</span>md5<span class="nt">&lt;/varsettingsmotpchecksumtype&gt;</span>
<span class="nt">&lt;varsettingsmotptokenlength&gt;&lt;/varsettingsmotptokenlength&gt;</span>
<span class="nt">&lt;varsettingsenablemacauth&gt;&lt;/varsettingsenablemacauth&gt;</span>
<span class="nt">&lt;varsettingsenableacctunique&gt;&lt;/varsettingsenableacctunique&gt;</span>
<span class="nt">&lt;/config&gt;</span>
<span class="nt">&lt;/freeradiussettings&gt;</span>
</code></pre>
<p>It seems like the package defaults that show in the GUI are not reflected in the code, at least for the keep_settings setting. Thus anyone who has <em>not actually saved the settings page</em> will have all their FreeRADIUS settings removed upon package upgrade, config restore, pfSense upgrade, etc.</p>
<p>This missing section can be added next to the &lt;freeradiuseapconf&gt; tag and the config file restored again. To recover, also copy &lt;freeradiuseapconf&gt;, &lt;freeradius&gt;, &lt;freeradiusclients&gt;, and &lt;freeradiusinterfaces&gt; from a valid backup and restore it.</p>
<p>pfSense - Bug #14591 (New): Restoring with different interfaces (partially?) applies changes befo... https://redmine.pfsense.org/issues/14591 2023-07-19T17:26:01Z Steve Y</p>
<p>Initial forum topic: <a class="external" href="https://forum.netgate.com/topic/181356/restore-issues-apply-changes-button-missing-save-does-not-reboot/">https://forum.netgate.com/topic/181356/restore-issues-apply-changes-button-missing-save-does-not-reboot/</a></p>
<p>I had observed that when restoring to a router with a lower number of interfaces, there are a handful of unexpected (to me) results:</p>
<ul>
<li>the Apply Changes button does not appear until after one deletes or adds an interface</li>
</ul>
<ul>
<li>if the restore uses a different IP range for LAN, Save partially applies the new IPs and connection to the router is lost ("The console shows the interfaces from the restored config in the menu...but ifconfig shows the old IPs from before the restore.")</li>
</ul>
<ul>
<li>If it is expected that Save should be clicked before Apply, the text at the top of the page should say to do that. :)</li>
</ul>
<p>Entered as Plus since that's what I used though I doubt it's Plus-specific. Mine were on 23.05 and 23.05.1. Replicated on a 4860, 6100, and 2100.</p>
<p>pfSense Docs - Todo #14564 (Closed): Feedback on Releases — 22.05/22.05.1 New Features and Change... https://redmine.pfsense.org/issues/14564 2023-07-10T15:43:59Z Steve Y</p>
<p><strong>Page:</strong> <a class="external" href="https://docs.netgate.com/pfsense/en/latest/releases/22-05.html">https://docs.netgate.com/pfsense/en/latest/releases/22-05.html</a></p>
<p><strong>Feedback:</strong><br />Per <a class="external" href="https://forum.netgate.com/post/1114903">https://forum.netgate.com/post/1114903</a> 22.05.1 was also preinstalled on, and required for, recent hardware models of the 2100.</p>
<p>pfSense - Feature #14546 (New): Package description should identify SSD/HDD requirement https://redmine.pfsense.org/issues/14546 2023-07-05T16:47:30Z Steve Y</p>
<p>Netgate has a list of which packages have an SSD requirement or recommendation at <a class="external" href="https://www.netgate.com/supported-pfsense-plus-packages">https://www.netgate.com/supported-pfsense-plus-packages</a> but many do not know that page exists until long after they have installed NtopNG or another high I/O package, which creates a lifetime write issue on eMMC storage. (and hence, a disgruntled customer)</p>
<p>I suggest adding either a two word text description note ("SSD recommended") or checkbox column to indicate if an SSD is recommended or required for the package. Either can link the above page if desired. (and/or, the page can be linked on the available packages page?)</p>
<p>As a bonus, this may generate more "Max" model sales, in addition to said happier customer.</p>
<p>pfSense Packages - Bug #14220 (Duplicate): pfBlockerNG does not sync to HA secondary https://redmine.pfsense.org/issues/14220 2023-03-31T17:27:42Z Steve Y</p>
<p>After making changes they are not replicated to the secondary. E.g. on /pfblockerng/pfblockerng_ip.php check "kill states" and save. My sync is set "Sync to configured system backup server" and config sync is enabled and working.</p>
<p>my install is pfBlockerNG 3.2.0_3 on pfSense 23.01, on a 4860.</p>
<p>forum: <a class="external" href="https://forum.netgate.com/topic/179060/pfblockerng-sync-not-working">https://forum.netgate.com/topic/179060/pfblockerng-sync-not-working</a></p>
<p>pfSense Docs - Todo #14082 (Closed): Feedback on Network Address Translation — Port Forwards https://redmine.pfsense.org/issues/14082 2023-03-08T09:05:57Z Steve Y</p>
<p><strong>Page:</strong> <a class="external" href="https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html#adding-port-forwards">https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html#adding-port-forwards</a></p>
<p><strong>Feedback:</strong><br />The bullet list starts:</p>
<p>"To add a port forward entry:</p>
<pre><code>Navigate to"</code></pre>
<p>...and has no more text on that line. Presumably should be "Navigate to Firewall &gt; NAT" or "...Firewall &gt; NAT &gt; Port Forward"</p>
<p>pfSense - Regression #14078 (Confirmed): Traffic graph shows half actual throughput when switchi... https://redmine.pfsense.org/issues/14078 2023-03-06T10:08:44Z Steve Y</p>
<p>When switching back to the traffic graph page, the graph restarts as designed but the data shown is now half actual.</p>
<p>Using a new window or a different browser for the download works as expected because the original graph is still showing in the foreground of the original browser window.</p>
<p>To reproduce:</p>
<ul>
<li>open the traffic graph page</li>
<li>open another tab in the <em>same</em> browser to start a download</li>
<li>switch back to the traffic graph tab, speed is half</li>
<li>(Shift+) reload the page in the browser, and it doubles to the expected speed</li>
</ul>
<p>and</p>
<ul>
<li>open the traffic graph page</li>
<li>open <em>another browser or new browser window</em> to start a download, leaving the traffic page open</li>
<li>in the traffic graph window, speed remains as expected</li>
</ul>
<p>It's more obvious if one opens a remote and local traffic graph at the same time, only the one will show the lower speed.</p>
<p>Reproduced on 2.6 and 23.01, with and without traffic shaping, per thread: <a class="external" href="https://forum.netgate.com/topic/178542/traffic-graph-shows-half-actual-throughput-in-some-scenarios">https://forum.netgate.com/topic/178542/traffic-graph-shows-half-actual-throughput-in-some-scenarios</a></p>
<p>pfSense - Feature #14008 (New): Change upgrade/reboot countdown timer to a general "busy" indicator https://redmine.pfsense.org/issues/14008 2023-02-21T21:33:05Z Steve Y</p>
<p>Newcomers to pfSense may assume the 2 minute timer suggests that is how long the upgrade is expected to take. Since upgrades nowadays often take 10-20 minutes, especially on slower storage, they may easily assume something has gone wrong, reboot, and end up with a half-upgraded device.</p>
<p>Suggestion: have the timer start at 15 minutes but still check in the background. If the upgrade finishes "early," great. If not then at least the admin will wait 15 minutes and have a better chance of success. Bonus points: use 15 minutes on eMMC, less on SSD.</p>
<p>ref: <a class="external" href="https://forum.netgate.com/topic/178131/xg7100-upgrade-fails/8">https://forum.netgate.com/topic/178131/xg7100-upgrade-fails/8</a></p>
<p>pfSense - Feature #14001 (Rejected): Always disable DNSSEC if forwarding enabled in Resolver https://redmine.pfsense.org/issues/14001 2023-02-21T09:38:56Z Steve Y</p>
<p>This is both a feature request and a regression. In just a few days I've experienced an issue and seen multiple forum posts where, after upgrading to 23.01, DNS has recurring failures, and disabling the "Enable DNSSEC" option fixes it. It was working without issue in 22.05 and earlier versions.</p>
<p>I suggest always disabling DNSSEC when forwarding is enabled in Resolver.</p>
<p>In my case I happened to notice some domains including linkedin.com were suddenly failing to resolve, a couple hours after upgrading. I did try re-enabling DNSSEC but was unable to immediately duplicate the problem, though I didn't wait any amount of time. With DNSSEC off I haven't had any more issues in several days.</p>
<p>A few of the recent forum threads:<br /><a class="external" href="https://forum.netgate.com/topic/178042/23-01-upgrade-unbound-issue">https://forum.netgate.com/topic/178042/23-01-upgrade-unbound-issue</a><br /><a class="external" href="https://forum.netgate.com/topic/177217/pfblocker-blocking-all-dns/">https://forum.netgate.com/topic/177217/pfblocker-blocking-all-dns/</a><br /><a class="external" href="https://forum.netgate.com/topic/178050/solved-intermittent-dns-problem-23-01/15">https://forum.netgate.com/topic/178050/solved-intermittent-dns-problem-23-01/15</a></p>
<p>There are multiple recommendations to turn it off dating back years including:<br /><a class="external" href="https://forum.netgate.com/topic/120105/enable-dnssec-support-and-opendns/3">https://forum.netgate.com/topic/120105/enable-dnssec-support-and-opendns/3</a><br /><a class="external" href="https://docs.netgate.com/pfsense/en/latest/troubleshooting/dns.html#check-dns-service">https://docs.netgate.com/pfsense/en/latest/troubleshooting/dns.html#check-dns-service</a><br /><a class="external" href="https://support.quad9.net/hc/en-us/articles/4433380601229-Setup-pfSense-and-DNS-over-TLS">https://support.quad9.net/hc/en-us/articles/4433380601229-Setup-pfSense-and-DNS-over-TLS</a> ("enabling DNSSEC at the forwarder level can cause false DNSSEC failures")</p>