pfSense bugtracker: Issues https://redmine.pfsense.org/ 2024-01-30T16:38:39Z

pfSense - Feature #15217 (New): Log command being run in Diagnostics > Command Prompt https://redmine.pfsense.org/issues/15217 2024-01-30T16:38:39Z Chris Linstruth
<p>I do not see that the commands being run in Diagnostics > Command Prompt are being logged to the system log.</p>
<p>This would be helpful as would the exit value, user logged in, etc.</p>

pfSense - Regression #15170 (Closed): webConfigurator IPv6 resolver syntax change https://redmine.pfsense.org/issues/15170 2024-01-17T14:29:50Z Chris Linstruth
<p>It looks like a webconfigurator line like this:</p>
<pre>
resolver 127.0.0.1 ::1 8.8.8.8 valid=300s;
</pre>
<p>Needs to be this instead:</p>
<pre>
resolver 127.0.0.1 [::1] 8.8.8.8 valid=300s;
</pre>
<p>Or nginx errors out:</p>
<pre>
Jan 17 14:13:11 fw-223 php-cgi[20403]: rc.restart_webgui: The command '/usr/local/sbin/nginx -c /var/etc/nginx-webConfigurator.conf' returned exit code '1', the output was 'nginx: [emerg] invalid port in resolver "::1" in /var/etc/nginx-webConfigurator.conf:44'
</pre>

pfSense - Bug #15130 (New): Kea will not start with identical MAC address filters on multiple int... https://redmine.pfsense.org/issues/15130 2024-01-02T17:49:06Z Chris Linstruth
<p>Steps to duplicate:</p>
<p>Enter identical MAC address filters on two interfaces. kea will no longer start:</p>
<p>Jan 2 17:45:31 kea-dhcp4 94541 ERROR [kea-dhcp4.dhcp4.0x37f82be12000] DHCP4_INIT_FAIL failed to initialize Kea server: configuration error using file '/usr/local/etc/kea/kea-dhcp4.conf': Can't add class: Client Class: mac_001122 has already been defined (/usr/local/etc/kea/kea-dhcp4.conf:62:13)</p>
<p>Tested on:</p>
<p>24.03-DEVELOPMENT (amd64)<br />built on Wed Dec 27 6:00:00 UTC 2023<br />FreeBSD 15.0-CURRENT</p>

pfSense - Bug #14991 (Resolved): Kea does not allow FQDNs for NTP servers but input validation do... https://redmine.pfsense.org/issues/14991 2023-11-15T22:00:16Z Chris Linstruth
<p>It looks like kea does not allow FQDNs for NTP servers.</p>
<p>ntp-servers 42 ipv4-address true false</p>
<p>Apparently ISC DHCPD did. If a user has an FQDN there kea will not start.</p>

pfSense - Regression #14974 (Resolved): Incorrect permissions on ``ipsec.auth-user.php`` https://redmine.pfsense.org/issues/14974 2023-11-12T19:00:59Z Chris Linstruth
<p>Strongswan cannot execute /etc/inc/ipsec.auth-user.php, breaking Xauth.</p>
<p>Was 0755 in 23.05.1 now 0644 in 23.09</p>

pfSense - Feature #14953 (Resolved): Add Kea information to ``status.php`` https://redmine.pfsense.org/issues/14953 2023-11-08T17:53:42Z Chris Linstruth
<p>status.php only gathers information, such as the configuration file, for ISC dhcpd. Kea should be incorporated.</p>
<p>See Also: <a class="issue tracker-2 status-3 priority-4 priority-default closed" title="Feature: Introduce Kea DHCP as an alternative DHCP server for IPv4 and IPv6 (Resolved)" href="https://redmine.pfsense.org/issues/6960">#6960</a></p>

pfSense - Regression #14719 (Resolved): IPv4+IPv6 outbound NAT rule expands to invalid rule set https://redmine.pfsense.org/issues/14719 2023-08-27T12:35:56Z Chris Linstruth
<p>A misconfigured outbound NAT rule that used to load now stops pf from loading the rule set.</p>
<p>First seen on:<br />23.09-DEVELOPMENT (amd64)<br />built on Sat Aug 26 17:37:15 UTC 2023<br />FreeBSD 14.0-ALPHA2</p>
<p>Same configuration was not throwing an error on 23.05.1</p>
<p>There were error(s) loading the rules: /tmp/rules.debug:115: rule expands to no valid combination - The line in question reads [115]: nat on $WAN inet6 from 172.25.232.104/32 port 5060 to any -> 2001:470:e01a:7fff::12ef/128 port 1024:65535<br />@ 2023-08-27 12:11:37</p>
<p>The outbound NAT rule in question is:</p>
<p>Interface: WAN<br />Address Family: IPv4+IPv6<br />Protocol: Any<br />Source: Network or Alias: 172.25.232.104/32 Port 5060<br />Destination: Any<br />Translation: WAN Address</p>
<p>Changing the rule to IPv4 only allows the rule set to load.</p>
<p>The WebGUI does not prohibit changing it back to IPv4+IPv6 and it breaks again.</p>
<p>Doing the same thing on 2.8.0 (Aug 5) does not create the inet6 rule and the ruleset loads.</p>
<p>Similar to <a class="issue tracker-1 status-5 priority-4 priority-default closed" title="Bug: &quot;rule expands to no valid combination&quot; error from port forward automatic rule mixing IPv4 and IPv... (Closed)" href="https://redmine.pfsense.org/issues/11548">#11548</a></p>

pfSense Packages - Feature #14588 (Resolved): Add FRR diagnostic status output plugin https://redmine.pfsense.org/issues/14588 2023-07-19T02:26:58Z Chris Linstruth
<p>Since FRR is a package and the status output does not generate information for packages, it would be really helpful for remote troubleshooting if the frr package added something like /frr_status.php that does the same thing as status.php but for frr details. frr.conf, bgp and ospf neighbors, zebra routes, etc. All the same stuff that's visible on the FRR status pages.</p>
<p>Thanks.</p>

pfSense Packages - Bug #14556 (New): Tailscale dropping routes from FIB https://redmine.pfsense.org/issues/14556 2023-07-07T14:28:17Z Chris Linstruth
<p>Installation has several tailscale nodes. The problematic node is a 6100. Some of the other nodes are 2100s.</p>
<p>At some point in the past, it started malfunctioning on one of the nodes whenever specific types of changes are made.</p>
<ul>
<li>Add or remove a node with routed subnets, all routes drop. Can successfully add/remove nodes without routes. This is on the tailscale machine config.</li>
<li>Simply marking a route as active or inactive (tailscale edit route settings) will also trigger it.</li>
</ul>
<p>It occurs occasionally without any changes being made.<br />Bounce the tailscale process on that 6100 node and they return.<br />The routes just drop from the kernel FIB.<br />Only on the one node.</p>
<p>There is essentially nothing logged (DEBUG logging level) regarding the actions of the tailscale routing protocol. Nor is there anything of troubleshooting value on the tailscale cloud site.</p>
<p>All IPv4 tailscale routes drop including host routes. It is probably noteworthy that the IPv6 /48 is still in the table and tailscaled is still running.</p>
<p>Another possibly interesting note is the routes advertised by the 6100 that drops the routes remain advertised into the tailnet and present on the other nodes.</p>
<p>The nodes are still showing as “idle” so tailscale is still “up.”</p>
<p>Attempted to duplicate this by adding a tailnet to 4 pfSense nodes with routes and two devices without routes. It could not be made to misbehave.</p>

pfSense Docs - Todo #14492 (Resolved): Feedback on Packages — AWS VPC Wizard — AWS VPC Wizard FAQ https://redmine.pfsense.org/issues/14492 2023-06-20T23:01:27Z Chris Linstruth
<p><strong>Page:</strong> <a class="external" href="https://docs.netgate.com/pfsense/en/latest/packages/aws-vpc-wizard/faq.html">https://docs.netgate.com/pfsense/en/latest/packages/aws-vpc-wizard/faq.html</a></p>
<p><strong>Feedback:</strong></p>
<p>pfSense doesn't use racoon any more.</p>

pfSense - Regression #14283 (Resolved): Nothing is logged through ``syslog`` if the configuration... https://redmine.pfsense.org/issues/14283 2023-04-17T10:56:25Z Chris Linstruth
<p>/var/etc/syslog.d empty. Nothing is being logged to /var/log files.</p>
<p>Possibly related to <a class="issue tracker-2 status-5 priority-4 priority-default closed parent" title="Feature: Upgrade PHP from 7.4 to 8.1 (Closed)" href="https://redmine.pfsense.org/issues/13446">#13446</a> src/etc/inc/syslog.inc#L216</p>

pfSense - Todo #14250 (Resolved): Update firewall host and domain fields in the Setup Wizard to m... https://redmine.pfsense.org/issues/14250 2023-04-08T21:30:56Z Chris Linstruth
<p>The setup wizard should give the same warning about using the .local domain as the System > General configuration text does.</p>
<pre>
Do not end the domain name with '.local' as the final part (Top Level Domain, TLD), The 'local' TLD is widely used by mDNS (e.g. Avahi, Bonjour, Rendezvous, Airprint, Airplay) and some Windows systems and networked devices. These will not network correctly if the router uses 'local' as its TLD. Alternative TLDs such as 'local.lan' or 'mylocal' are safe.
</pre>
<p>Also probably a good time to s/TLD),/TLD)./</p>

pfSense Packages - Feature #14126 (New): Quality monitoring graph scale adjustment https://redmine.pfsense.org/issues/14126 2023-03-19T11:25:29Z Chris Linstruth
<p>If possible, it would be nice if the scale of the packet loss side of the monitoring graph was not the same as the latency side.</p>
<p>Please see this extreme example where the 100% packet loss is pretty much indistinguishable from 0% because of the horrific latency adjusting "100" down to about nothing.</p>
<p>Thank you.</p>
<p><img src="https://redmine.pfsense.org/attachments/download/4810/Screen%20Shot%202023-03-19%20at%2012.18.09%20PM.png" alt="" /></p>

pfSense - Feature #13894 (Resolved): Explicitly enable/disable DHCP Dynamic DNS updates in each s... https://redmine.pfsense.org/issues/13894 2023-01-23T14:54:16Z Chris Linstruth
<p>If DDNS is enabled in a DHCP scope, a DHCP configuration stanza like this is created for the domain specified:</p>
<pre>
zone example.com. {
primary 10.1.1.1;
key "dhcp_update_key";
}
</pre>
<p>This appears to cause ALL scopes serving leases in that domain to subsequently cause DDNS updates even though they are configured on only one scope. This is likely due to the fact that ddns-updates defaults to on:</p>
<pre>
ddns-updates flag;
The ddns-updates parameter controls whether or not the server will attempt to do a DNS update
when a lease is confirmed. Set this to off if the server should not attempt to do updates
within a certain scope. The ddns-updates parameter is on by default. To disable DNS updates
in all scopes, it is preferable to use the ddns-update-style statement, setting the style to none.
</pre>
<p>I propose explicitly setting <code>ddns-updates off|on</code> for every scope based on the status of <code>$dhcpifconf['ddnsupdate']</code> for that scope.</p>

pfSense - Bug #13802 (New): Incorrect language in Plus registration https://redmine.pfsense.org/issues/13802 2022-12-26T06:56:16Z Chris Linstruth
<p>The email sent by Shopify says this:</p>
<pre>
Hello!
Thank you for migrating your pfSense CE software to pfSense Plus Home. Your order number is: SO22-60264
This email was generated in response to your subscription purchase request on the Netgate store.
Please paste the following activation key into your pfSense firewall on the *System/Registration* page to continue the migration process.
</pre>
<p>The actual CE menu item is <strong>System > Register</strong></p>