pfSense bugtracker: Issueshttps://redmine.pfsense.org/https://redmine.pfsense.org/favicon.ico?16780521162021-01-06T09:29:12ZpfSense bugtracker
Redmine pfSense - Feature #11225 (Rejected): Change Host Alias range when it is made from CIDRhttps://redmine.pfsense.org/issues/112252021-01-06T09:29:12ZConstantine Kormashev
<p>Now if I make an Alias using CIDR like 192.168.1.*2*/30 it makes 4 entries which starts from 1st host in the given range:<br />192.168.1.0<br />192.168.1.1<br />192.168.1.2<br />192.168.1.3</p>
<p>But probably this is different from expected and the better would be to start entries from host defined in range e.g. example above will give us:<br />192.168.1.2<br />192.168.1.3</p>
<p>It might seem not important if we use a short network but if I would like to add 260 hosts from 192.168.0/23 it would be much easy and safer to write 192.168.0.250/23 than using a range 192.168.0.250-192.168.1.255 for this goal.</p> pfSense - Feature #11169 (New): Changing interface index orderhttps://redmine.pfsense.org/issues/111692020-12-17T05:44:26ZConstantine Kormashev
Current configuration operates interface indexes instead of real interfaces, e.g.<br />wan->igb0<br />lan->igb1<br />opt1->igb2<br />opt2->igb3<br />opt3->igb1.10<br />opt4->igb1.20<br />opt5->ovpn1<br />opt6->igb1.30<br />and so on. That makes configuring more smooth and flexible. But in the current implementation if some interfaces were deleted indexes are not rearranged and this might lead to some issues especially in config sync. E.g. in the example above if opt5 is deleted opt6 will not become opt5. Moreover, if a new interface assigned it acquires the lowest free index in the case above opt5. This situation can easily lead to errors in the HA cluster configuration. E.g. 3 interfaces add on primary and 2nd was deleted due to it was added by mistake. E.g. opt1, opt2, opt3 were added, opt2 was deleted, so final it is opt1, opt3. But during configuring secondary final picture is different it is opt1, opt2 because of no mistake. That leads to a config sync issue. And this is totally unclear for people who do not know what really happens under the hood. The only way to fix it on secondary is setup from scratch or manual config editing. Sometimes even setup from scratch becomes tricky. See 1st example, it is not possible to create opt5 without making a fake OpenVPN.<br />It would be good to solve this issue. There are some ways for that:
<ul>
<li>allow rearranging index manually from indexes list</li>
<li>make indexes totally unique and set indexes manually during assigning interface</li>
<li>sync interface settings from primary to secondary with auto assigning IP/mask from the predefined network</li>
</ul>
<p>Also for escaping making fake VPN instances during initial secondary setup, change index enumeration and use increased numbers from 0 for physical interface and decreased from uint32 max for software interfaces like VPN, etc, e.g.<br /> opt1->igb2<br /> opt2->igb3<br /> opt4294967295->ovpn1<br /> opt4294967294->ovpn2</p> pfSense Packages - Bug #10994 (New): SquidGuard Blacklists Restore Default button does not workhttps://redmine.pfsense.org/issues/109942020-10-20T11:09:49ZConstantine Kormashev
<p>If SquidGuard/Blacklists Blacklist Update field is empty then clicking Restore Default restores nothing and generates an error message:<br /><pre>
Restore default blacklist DB.
Restore error: File /var/db/squidGuard.sample or /usr/local/etc/squidGuard/blacklist.files not found.
</pre><br />It does not matter enabled SquidGuard/Squid or not.<br />Tried on 2.4.5-p1 ARM and Intel</p> pfSense Packages - Bug #10775 (Resolved): pfblockerNG SBL_ADs and hpHosts are not reachable anymorehttps://redmine.pfsense.org/issues/107752020-07-19T05:48:09ZConstantine Kormashev
<p>Following entries of pfblockerNG pkg are not reachable for a long time, we have some tickets and also I can see some forum and reddit topics about this.<br />This is upstream issue, those entries have to be changed or removed from feeds.</p>
<p>SBL_ADs<br /><a class="external" href="https://www.squidblacklist.org/downloads/dg-ads.acl">https://www.squidblacklist.org/downloads/dg-ads.acl</a><br />hpHosts_ATS<br /><a class="external" href="https://hosts-file.net/ad_servers.txt">https://hosts-file.net/ad_servers.txt</a><br />hpHosts_EMD<br /><a class="external" href="https://hosts-file.net/emd.txt">https://hosts-file.net/emd.txt</a><br />hpHosts_EXP<br /><a class="external" href="https://hosts-file.net/exp.txt">https://hosts-file.net/exp.txt</a><br />hpHosts_FSA<br /><a class="external" href="https://hosts-file.net/fsa.txt">https://hosts-file.net/fsa.txt</a><br />hpHosts_GRM<br /><a class="external" href="https://hosts-file.net/grm.txt">https://hosts-file.net/grm.txt</a><br />hpHosts_HFS<br /><a class="external" href="https://hosts-file.net/hfs.txt">https://hosts-file.net/hfs.txt</a><br />hpHosts_HJK<br /><a class="external" href="https://hosts-file.net/hjk.txt">https://hosts-file.net/hjk.txt</a><br />hpHosts_MMT<br /><a class="external" href="https://hosts-file.net/mmt.txt">https://hosts-file.net/mmt.txt</a><br />hpHosts_PHA<br /><a class="external" href="https://hosts-file.net/pha.txt">https://hosts-file.net/pha.txt</a><br />hpHosts_PSH<br /><a class="external" href="https://hosts-file.net/psh.txt">https://hosts-file.net/psh.txt</a><br />hpHosts_PUP<br /><a class="external" href="https://hosts-file.net/pup.txt">https://hosts-file.net/pup.txt</a><br />hpHosts_WRZ<br /><a class="external" href="https://hosts-file.net/wrz.txt">https://hosts-file.net/wrz.txt</a></p> pfSense - Feature #10732 (New): Warning banner for secondary HA nodehttps://redmine.pfsense.org/issues/107322020-07-06T05:41:14ZConstantine Kormashev
<p>It would be good if the secondary HA node has a banner with a warning all management actions have to be performed on the primary node only. And user can see this banner after login, as they see default password waring now.</p>
There are a couple of ways to detect a secondary node:
<ul>
<li>hidden flag in the config, see <a class="external" href="https://redmine.pfsense.org/issues/10731">https://redmine.pfsense.org/issues/10731</a></li>
<li>CARP interfaces are in BACKUP state</li>
</ul> pfSense - Feature #10731 (New): XML-sync primary/secondary config flaghttps://redmine.pfsense.org/issues/107312020-07-06T05:38:54ZConstantine Kormashev
<p>To prevent XML-sync misconfiguring on a HA cluster, it would be good to make a config flag that can be used for distinguishing primary and secondary nodes. It might be a hidden flag in the config, which is set to primary if XML-sync is enabled on the node and after propagated to another node as secondary, and vice versa. If the node's flag is secondary, then its XML-sync menu is blocked. This flag can be also used for other purposes. E.g. it might be evidence of init XML-sync was successful and so on.</p>
<p>There is a small issue here, flag on secondary is propagated by primary, that means if we would like to clear secondary role without a primary, then we need something like a Red Force Clear button, which can reset the flag.<br />The other way would be clearing the secondary flag each reboot and keep it unflagged until the 1st XML-sync session, but this is less obvious.</p> pfSense - Feature #10645 (New): Choosing active repo after restoring config but before starting p...https://redmine.pfsense.org/issues/106452020-06-09T11:17:55ZConstantine Kormashev
<p>The current behavior is if a certain repo is set, config contains an entry for this, like <code><pkg_repo_conf_path>/usr/local/share/pfSense/pkg/repos/pfSense-repo-xxx.conf</pkg_repo_conf_path></code> and device has different firmware version from config original, but also has the same repo set. Then, if the config is restored on that device pkgs anyway will be installed from default repo for current firmware version installed on the device. E.g. config from 2.4.5 has a <em>2.4.4-deprecated repo</em> set, the device has 2.4.4-p3, and uses the same <em>2.4.4-deprecated repo</em>. Then after restoring config pkgs will be installed from default <em>2.4.x-stable repo</em>, it looks like the preferred repo was not set anywhere. This might lead to a problem with the wrong pkgs versions.</p>
<p>It would be good if after restoring config, but before auto-installing pkgs, the user can choose that repo has to be used on the device.</p> pfSense Packages - Bug #10503 (New): Flapping any GW in multi-WAN influences restating all IPsec ...https://redmine.pfsense.org/issues/105032020-04-28T08:24:55ZConstantine Kormashev
<p>There are 2 nodes with a multi-WAN setup: 2 WANs, 2 Gateways. The are 2 IPsec VTI tunnel every working through its own Gateway.<br />There is a FRR BGP setup with sessions via IPsec VTI tunnels. But both sessions sends and receives updates using loopback interfaces and static routes via IPsec VTI.</p>
<pre>
+->loopback1-->IPsec VTI1-->WANGW1--v v--WANGW3<--IPsec VTI3<--loopback3<-+
Node1 | +->the internet<-+ | Node2
+->loopback2-->IPsec VTY2-->WANGW2--^ ^--WANGW4<--IPsec VTI4<--loopback4<-+
</pre>
<p>FRR recursively finds Next-Hop for BGP routes via static routes via IPsec. So Node1 can reach routes that are behind Node2 via Node2 loopbacks (loopback3 and loopback4) and vice versa, Node2 can reach Node1 routes via loopback1 and loopback2.<br />If one of Gateway flapping, even if it is not default Gateway, it seems leading to remove static routes for all IPsec tunnel, due event /rc.newipsecdns and ipsec_reload_package_hook() which executes<br /><pre>
`function frr_ipsec_reload() {
require_once('interfaces.inc');
$vti_ifs = array_keys(interface_ipsec_vti_list_all());
foreach ($vti_ifs as $vif) {
mwexec('/usr/local/bin/frrctl cycleinterface ' . escapeshellarg($vif));
}
}`
</pre><br />The interesting thing here is that, existing BGP routes and BGP table entries are not removed from FRR routing table and BGP table, probably because BGP large session timeout. But at the same time these BGP routes are removed from system routing table. And the more interesting, is that, even if static routes via IPsec returned to system routing table and FRR routing table, these BGP routes are not exported back to system routing table by FRR.<br />On system it looks like:</p>
<p>Static routes through IPsec in FRR table<br /><pre>
K>* 25.0.0.1/32 [0/0] via 66.0.0.1, 1d01h00m
K>* 26.0.0.1/32 [0/0] via 66.0.1.1, 1d01h00m
</pre></p>
<p>BGP routes in FRR table<br /><pre>
B> 10.16.0.0/16 [20/0] via 25.0.0.1 (recursive), 2d05h00m
* via 66.0.0.1, 2d05h00m
</pre></p>
<p>FRR BGP entries<br /><pre>
* 10.16.0.0/16 25.0.0.1 0 50 65501 i
*> 26.0.0.1 0 150 100 65501 i
</pre></p>
<p>System route table has static routes through IPsec<br /><pre>
25.0.0.1/32 66.0.0.1 UGS 3750 1400 ipsec3000
26.0.0.1/32 66.0.1.1 UGS 3752 1400 ipsec1000
</pre></p>
<p>But there are not BGP routes even if they, as we can see, exist in FRR routing table and BGP table. Pay attention on routes uptime. BGP session uptime is the same as BGP routes uptime.</p> pfSense Docs - Correction #10371 (Resolved): Update flow control tuning doc for chelsio https://redmine.pfsense.org/issues/103712020-03-24T02:39:08ZConstantine Kormashev
<p>It would be good to add into Flow Contol section of <a class="external" href="https://docs.netgate.com/pfsense/en/latest/hardware/tuning-and-troubleshooting-network-cards.html">https://docs.netgate.com/pfsense/en/latest/hardware/tuning-and-troubleshooting-network-cards.html</a> info about chelsio NICs, due one is often used with pfsense:<br /><code>cxl.0.pause_settings=0</code> disabling flow control<br /><code>cxl.0.pause_settings=3</code> return to default settings</p> pfSense - Feature #10290 (New): Firewall Aliases Add button on top of listhttps://redmine.pfsense.org/issues/102902020-02-25T07:08:23ZConstantine Kormashev
<p>It would be good if we one more Add button would add on top of list. If adding new aliases happens often, then Add on top makes that process faster.<br />Probably it would be good adding "top" Add button to all Firewall aliases sections.</p> pfSense - Bug #10281 (Not a Bug): I can unassign interface even if it is used in FRR OSPFhttps://redmine.pfsense.org/issues/102812020-02-22T23:50:35ZConstantine Kormashev
<p>There was IPsec VTI tunnel with assigned interface. The interface was used in FRR OSPF settings as OSPF interface. If I remove interface from assigned it still exists in FRR OSPF settings. No warnings during unassigning, I could only find the issue when tried to disable IPsec VTI entry, I got warning: <code>Cannot disable a Phase 1 with a child Phase 2 while the interface is assigned. Remove the interface assignment before disabling this P2</code>. But there was not assigned interface related to this IPsec entry, interface was deleted, excepting previously assigned interface is still in FRR OSPF settings.<br />The warning is not easy to figure out if you do not know/remember where else related interface was used. I guess we need warning for unassigning interface if one is used in FRR, or delete it from FRR config.</p> pfSense - Bug #10184 (Resolved): Shaper Add Child Scheduler options Codel wrong description linkhttps://redmine.pfsense.org/issues/101842020-01-13T23:28:44ZConstantine Kormashev
<p>In Add Child web-page of Shaper interface Scheduler options checkbox Codel Active Queue leads to page which does not contain any information about Controlled Delay Active Queue Management.</p> pfSense Packages - Feature #9913 (Resolved): Adding note Squid Traffic Managment Settings about f...https://redmine.pfsense.org/issues/99132019-11-19T00:10:07ZConstantine Kormashev
<p>Squid Traffic Managment Settings mostly works with generic HTTP, so that, it may not work without HTTPS Interception if HTTPS is used and also might have problems if JS/TS/etc handling is involved here. But there is not any mention about those limits, so it would be good to add some clarifying note, because HTTPS and JS is widely used nowadays.</p> pfSense - Bug #9867 (Resolved): Packet Capture IPv6 rejects all packets if CARP type is set in Pr...https://redmine.pfsense.org/issues/98672019-10-31T07:53:14ZConstantine Kormashev
<p>Packet Capture IPv6 rejects all packets if <strong>CARP</strong> type is set in <strong>Protocol</strong> field.<br />It might be an upstream issue.</p>
<pre>
tcpdump -i vmx0 ip6 and carp
tcpdump: expression rejects all packets
</pre> pfSense - Bug #9151 (Not a Bug): Console menu entry (14 SSH) is not updated properly after perfor...https://redmine.pfsense.org/issues/91512018-11-26T05:32:26ZConstantine Kormashev
<p>If SSH is disabled from menu, the menu might entry still show Disable Secure Shell. And vice versa if SSH is enabled from menu, the menu might entry still show Enable Secure Shell.</p>
<pre>
0) Logout (SSH only) 9) pfTop
1) Assign Interfaces 10) Filter Logs
2) Set interface(s) IP address 11) Restart webConfigurator
3) Reset webConfigurator password 12) PHP shell + pfSense tools
4) Reset to factory defaults 13) Update from console
5) Reboot system 14) Enable Secure Shell (sshd)
6) Halt system 15) Restore recent configuration
7) Ping host 16) Restart PHP-FPM
8) Shell
Enter an option: 14
SSHD is currently disabled. Would you like to enable? [y/n]? y
Writing configuration... done.
Enabling SSHD...
Reloading firewall rules. done.
0) Logout (SSH only) 9) pfTop
1) Assign Interfaces 10) Filter Logs
2) Set interface(s) IP address 11) Restart webConfigurator
3) Reset webConfigurator password 12) PHP shell + pfSense tools
4) Reset to factory defaults 13) Update from console
5) Reboot system 14) Enable Secure Shell (sshd)
6) Halt system 15) Restore recent configuration
7) Ping host 16) Restart PHP-FPM
8) Shell
</pre><br />Here it shows Enable Secure Shell instead Disable Secure Shell. But sometimes it works without the issue