pfSense bugtracker: Issues | https://redmine.pfsense.org/ | 2021-01-06T09:29:12Z | pfSense bugtracker (Redmine)
pfSense - Feature #11225 (Rejected): Change Host Alias range when it is made from CIDR | https://redmine.pfsense.org/issues/11225 | 2021-01-06T09:29:12Z | Constantine Kormashev
<p>Now if I make an Alias using CIDR like 192.168.1.*2*/30 it makes 4 entries which start from the 1st host in the given range:<br />192.168.1.0<br />192.168.1.1<br />192.168.1.2<br />192.168.1.3</p>
<p>But this is probably different from what is expected, and it would be better to start the entries from the host defined in the range, e.g. the example above would give us:<br />192.168.1.2<br />192.168.1.3</p>
<p>It might not seem important if we use a short network, but if I would like to add 260 hosts from 192.168.0/23 it would be much easier and safer to write 192.168.0.250/23 than to use a range 192.168.0.250-192.168.1.255 for this goal.</p>
pfSense - Feature #11169 (New): Changing interface index order | https://redmine.pfsense.org/issues/11169 | 2020-12-17T05:44:26Z | Constantine Kormashev
The current configuration operates on interface indexes instead of real interfaces, e.g.<br />wan->igb0<br />lan->igb1<br />opt1->igb2<br />opt2->igb3<br />opt3->igb1.10<br />opt4->igb1.20<br />opt5->ovpn1<br />opt6->igb1.30<br />and so on. That makes configuring smoother and more flexible. But in the current implementation, if some interfaces are deleted, the indexes are not rearranged, and this might lead to some issues, especially in config sync. E.g. in the example above, if opt5 is deleted, opt6 will not become opt5. Moreover, if a new interface is assigned, it acquires the lowest free index, in the case above opt5. This situation can easily lead to errors in the HA cluster configuration. E.g. 3 interfaces were added on the primary and the 2nd was deleted because it was added by mistake. E.g. opt1, opt2, opt3 were added, opt2 was deleted, so the final result is opt1, opt3. But when configuring the secondary the final picture is different: it is opt1, opt2, because there was no mistake. That leads to a config sync issue. And this is totally unclear for people who do not know what really happens under the hood. The only way to fix it on the secondary is a setup from scratch or manual config editing. Sometimes even a setup from scratch becomes tricky. See the 1st example: it is not possible to create opt5 without making a fake OpenVPN.<br />It would be good to solve this issue. There are some ways to do that:
<ul>
<li>allow rearranging index manually from indexes list</li>
<li>make indexes totally unique and set indexes manually during assigning interface</li>
<li>sync interface settings from primary to secondary with auto assigning IP/mask from the predefined network</li>
</ul>
<p>Also, to avoid making fake VPN instances during the initial secondary setup, change the index enumeration and use increasing numbers from 0 for physical interfaces and decreasing numbers from uint32 max for software interfaces like VPN, etc., e.g.<br /> opt1->igb2<br /> opt2->igb3<br /> opt4294967295->ovpn1<br /> opt4294967294->ovpn2</p>
pfSense - Feature #10732 (New): Warning banner for secondary HA node | https://redmine.pfsense.org/issues/10732 | 2020-07-06T05:41:14Z | Constantine Kormashev
<p>It would be good if the secondary HA node had a banner with a warning that all management actions have to be performed on the primary node only. The user would see this banner after login, as they see the default password warning now.</p>
There are a couple of ways to detect a secondary node:
<ul>
<li>hidden flag in the config, see <a class="external" href="https://redmine.pfsense.org/issues/10731">https://redmine.pfsense.org/issues/10731</a></li>
<li>CARP interfaces are in BACKUP state</li>
</ul>
pfSense - Feature #10731 (New): XML-sync primary/secondary config flag | https://redmine.pfsense.org/issues/10731 | 2020-07-06T05:38:54Z | Constantine Kormashev
<p>To prevent XML-sync misconfiguration on an HA cluster, it would be good to make a config flag that can be used for distinguishing primary and secondary nodes. It might be a hidden flag in the config, which is set to primary if XML-sync is enabled on the node and afterwards propagated to the other node as secondary, and vice versa. If the node's flag is secondary, then its XML-sync menu is blocked. This flag can also be used for other purposes. E.g. it might be evidence that the init XML-sync was successful and so on.</p>
<p>There is a small issue here: the flag on the secondary is propagated by the primary, which means that if we would like to clear the secondary role without a primary, then we need something like a Red Force Clear button, which can reset the flag.<br />The other way would be clearing the secondary flag on each reboot and keeping it unflagged until the 1st XML-sync session, but this is less obvious.</p>
pfSense - Feature #10645 (New): Choosing active repo after restoring config but before starting p... | https://redmine.pfsense.org/issues/10645 | 2020-06-09T11:17:55Z | Constantine Kormashev
<p>The current behavior is: if a certain repo is set, the config contains an entry for this, like <code><pkg_repo_conf_path>/usr/local/share/pfSense/pkg/repos/pfSense-repo-xxx.conf</pkg_repo_conf_path></code>, and the device has a different firmware version from the config's original, but also has the same repo set. Then, if the config is restored on that device, pkgs will anyway be installed from the default repo for the current firmware version installed on the device. E.g. a config from 2.4.5 has a <em>2.4.4-deprecated repo</em> set, the device has 2.4.4-p3 and uses the same <em>2.4.4-deprecated repo</em>. Then after restoring the config, pkgs will be installed from the default <em>2.4.x-stable repo</em>; it looks like the preferred repo was not set anywhere. This might lead to a problem with the wrong pkg versions.</p>
<p>It would be good if after restoring the config, but before auto-installing pkgs, the user could choose which repo has to be used on the device.</p>
pfSense - Feature #10290 (New): Firewall Aliases Add button on top of list | https://redmine.pfsense.org/issues/10290 | 2020-02-25T07:08:23Z | Constantine Kormashev
<p>It would be good if one more Add button were added on top of the list. If adding new aliases happens often, then Add on top makes that process faster.<br />Probably it would be good to add a "top" Add button to all Firewall aliases sections.</p>
pfSense - Bug #10281 (Not a Bug): I can unassign interface even if it is used in FRR OSPF | https://redmine.pfsense.org/issues/10281 | 2020-02-22T23:50:35Z | Constantine Kormashev
<p>There was an IPsec VTI tunnel with an assigned interface. The interface was used in the FRR OSPF settings as an OSPF interface. If I remove the interface from the assigned ones, it still exists in the FRR OSPF settings. There were no warnings during unassigning; I could only find the issue when I tried to disable the IPsec VTI entry and got the warning: <code>Cannot disable a Phase 1 with a child Phase 2 while the interface is assigned. Remove the interface assignment before disabling this P2</code>. But there was no assigned interface related to this IPsec entry, the interface was deleted, except that the previously assigned interface is still in the FRR OSPF settings.<br />The warning is not easy to figure out if you do not know/remember where else the related interface was used. I guess we need a warning when unassigning an interface if it is used in FRR, or to delete it from the FRR config.</p>
pfSense - Bug #10184 (Resolved): Shaper Add Child Scheduler options Codel wrong description link | https://redmine.pfsense.org/issues/10184 | 2020-01-13T23:28:44Z | Constantine Kormashev
<p>On the Add Child web page of the Shaper interface, in Scheduler options, the Codel Active Queue checkbox leads to a page which does not contain any information about Controlled Delay Active Queue Management.</p>
pfSense - Bug #9867 (Resolved): Packet Capture IPv6 rejects all packets if CARP type is set in Pr... | https://redmine.pfsense.org/issues/9867 | 2019-10-31T07:53:14Z | Constantine Kormashev
<p>Packet Capture IPv6 rejects all packets if <strong>CARP</strong> type is set in <strong>Protocol</strong> field.<br />It might be an upstream issue.</p>
<pre>
tcpdump -i vmx0 ip6 and carp
tcpdump: expression rejects all packets
</pre>
pfSense - Bug #9151 (Not a Bug): Console menu entry (14 SSH) is not updated properly after perfor... | https://redmine.pfsense.org/issues/9151 | 2018-11-26T05:32:26Z | Constantine Kormashev
<p>If SSH is disabled from the menu, the menu entry might still show Disable Secure Shell. And vice versa, if SSH is enabled from the menu, the menu entry might still show Enable Secure Shell.</p>
<pre>
0) Logout (SSH only) 9) pfTop
1) Assign Interfaces 10) Filter Logs
2) Set interface(s) IP address 11) Restart webConfigurator
3) Reset webConfigurator password 12) PHP shell + pfSense tools
4) Reset to factory defaults 13) Update from console
5) Reboot system 14) Enable Secure Shell (sshd)
6) Halt system 15) Restore recent configuration
7) Ping host 16) Restart PHP-FPM
8) Shell
Enter an option: 14
SSHD is currently disabled. Would you like to enable? [y/n]? y
Writing configuration... done.
Enabling SSHD...
Reloading firewall rules. done.
0) Logout (SSH only) 9) pfTop
1) Assign Interfaces 10) Filter Logs
2) Set interface(s) IP address 11) Restart webConfigurator
3) Reset webConfigurator password 12) PHP shell + pfSense tools
4) Reset to factory defaults 13) Update from console
5) Reboot system 14) Enable Secure Shell (sshd)
6) Halt system 15) Restore recent configuration
7) Ping host 16) Restart PHP-FPM
8) Shell
</pre><br />Here it shows Enable Secure Shell instead of Disable Secure Shell. But sometimes it works without the issue.
pfSense - Feature #8908 (Closed): setting default gateway using lower Tier in case gateway group ... | https://redmine.pfsense.org/issues/8908 | 2018-09-18T00:57:22Z | Constantine Kormashev
<p><strong>Current behavior.</strong> I have 3 GWs and create a GW group from 2 of them with different Tiers. E.g. GW3 is marked as <code>(default)</code> and GW1 and GW2 are in the GW group so that GW1 is Tier1 and GW2 is Tier2. If I set the GW group in <code>Default gateway IPv4</code>, then the GW marked <code>(default)</code> will be the same as used before; in my example this is still GW3 even if I set the GW group as default. My opinion is that this behavior is not obvious.</p>
<p><strong>Desirable behavior.</strong> When a GW group is set as default, set the GW marked <code>(default)</code> using a GW from the given GW group, ordered by Tier. In my example it has to be GW1, because the GW group is set as default and GW1 has the lower Tier.</p>
<p><em>Partially related</em> to <a class="external" href="https://redmine.pfsense.org/issues/1411">https://redmine.pfsense.org/issues/1411</a> and <a class="external" href="https://redmine.pfsense.org/issues/8743">https://redmine.pfsense.org/issues/8743</a></p>
pfSense - Bug #8880 (Resolved): [PHP7] warning on system_gateways.php and extra item in gateways ... | https://redmine.pfsense.org/issues/8880 | 2018-09-10T06:24:45Z | Constantine Kormashev
<p>244-RC<br /><pre>
FreeBSD pf5100v.lab 11.2-RELEASE-p2 FreeBSD 11.2-RELEASE-p2 #1 d792717682e(factory-RELENG_2_4_4): Thu Sep 6 00:07:43 EDT 2018 root@buildbot3:/crossbuild/244/obj/amd64/as0Ifpf7/crossbuild/244/pfSense/tmp/FreeBSD-src/sys/pfSense amd64
</pre></p>
<p>I got a php warning after deleting gateway group and switching to gateways<br /><pre>
Warning: Illegal string offset 'inactive' in /etc/inc/gwlb.inc on line 601
Warning: Illegal string offset 'monitor' in /etc/inc/gwlb.inc on line 646
Warning: Illegal string offset 'friendlyiface' in /etc/inc/gwlb.inc on line 653
Warning: Illegal string offset 'interface' in /etc/inc/gwlb.inc on line 659
Warning: Cannot assign an empty string to a string offset in /etc/inc/gwlb.inc on line 659
Warning: Illegal string offset 'attribute' in /etc/inc/gwlb.inc on line 672
</pre><br />Also I can see extra object 0</p>
<p><img src="https://redmine.pfsense.org/attachments/download/2569/err.png" alt="" /></p>
<p>There is a difference between the old and the current config:<br /><pre>
--- /conf/backup/config-1536577702.xml 2018-09-10 14:08:31.633812000 +0300
+++ /conf/config.xml 2018-09-10 14:08:31.646044000 +0300
@@ -1947,8 +1947,8 @@
</domainoverrides>
</unbound>
<revision>
- <time>1536577702</time>
- <description><![CDATA[admin@192.168.129.2 (Local Database): System - Gateways: save default gateway]]></description>
+ <time>1536577711</time>
+ <description><![CDATA[admin@192.168.129.2 (Local Database): Gateway Groups: removed gateway group 0]]></description>
<username>admin@192.168.129.2 (Local Database)</username>
</revision>
<cert>
@@ -2261,15 +2261,9 @@
</ppp>
</ppps>
<gateways>
- <gateway_group>
- <name>GWGR</name>
- <item>LAN_DHCP|1|address</item>
- <item>WAN_DHCP|1|address</item>
- <trigger>down</trigger>
- <descr></descr>
- </gateway_group>
<defaultgw4>WAN_DHCP</defaultgw4>
<defaultgw6>-</defaultgw6>
+ <gateway_item></gateway_item>
</gateways>
<dnsupdates>
<dnsupdate>
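Review bot: the added line "+ <gateway_item></gateway_item>" at the end of the <gateways> block is an empty element that the previous config did not contain, while the only intended change here is the removal of the <gateway_group> GWGR block. An empty gateway_item entry is consistent with the extra object 0 shown in the gateway list and with the string offset warnings from /etc/inc/gwlb.inc quoted above. Suggest that deleting a gateway group leave gateway_item untouched, or not write the element at all when there are no gateway entries to store.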
</pre></p>
pfSense - Bug #8842 (Not a Bug): pfSense-pkg-aws-wizard-php72 sticks during install | https://redmine.pfsense.org/issues/8842 | 2018-08-27T08:12:28Z | Constantine Kormashev
<p>I tried to install pfSense-pkg-aws-wizard-php72 for 244 factory built on Wed May 30 14:47:02 EDT 2018 FreeBSD 11.2-BETA3 and the install just got stuck on <code>[10/109] Deinstalling php56-pear-Crypt_CHAP-1.5.0...</code> I waited for an hour but it changed nothing.<br />Interestingly, I can see the pkg as installed, but nothing in the menu:<br /><pre>
pkg info | grep aws
aws-sdk-php72-3.61.8 PHP interface for Amazon Web Services (AWS)
pfSense-pkg-aws-wizard-php72-0.7_1 PfSense package AWS VPC VPN Connection Wizard
</pre><br />Log and crash are in the attachment</p>
pfSense - Bug #8728 (Resolved): Can not create VIP after deleting existed one | https://redmine.pfsense.org/issues/8728 | 2018-08-01T05:01:02Z | Constantine Kormashev
<p>I deleted a VIP and tried to create a new one on latest and got the error:</p>
<pre>
Warning: Illegal string offset 'vip' in /usr/local/www/firewall_virtual_ip_edit.php on line 39
Warning: Illegal string offset 'vip' in /usr/local/www/firewall_virtual_ip_edit.php on line 42
Fatal error: Uncaught Error: Cannot create references to/from string offsets in /usr/local/www/firewall_virtual_ip_edit.php:42
Stack trace: #0 {main} thrown in /usr/local/www/firewall_virtual_ip_edit.php on line 42
PHP ERROR: Type: 1, File: /usr/local/www/firewall_virtual_ip_edit.php,Line: 42,
Message: Uncaught Error: Cannot create references to/from string offsets in /usr/local/www/firewall_virtual_ip_edit.php:42 Stack trace: #0 {main} thrown
</pre>
pfSense - Bug #8714 (Resolved): error in services_dhcpv6.php after clicking on Save button in cas... | https://redmine.pfsense.org/issues/8714 | 2018-07-29T01:02:26Z | Constantine Kormashev
<p>Error occurs only in case RA was not setup before enabling DHCPv6</p>
<pre>
Warning: Illegal string offset 'lan' in /usr/local/www/services_dhcpv6.php on line 416
Warning: Illegal string offset 'lan' in /usr/local/www/services_dhcpv6.php on line 419
Fatal error: Uncaught Error: Cannot use string offset as an array in /usr/local/www/services_dhcpv6.php:419
Stack trace: #0 {main} thrown in /usr/local/www/services_dhcpv6.php on line 419
PHP ERROR: Type: 1, File: /usr/local/www/services_dhcpv6.php, Line: 419,
Message: Uncaught Error: Cannot use string offset as an array in /usr/local/www/services_dhcpv6.php:419 Stack trace: #0 {main} thrown
</pre>
<p>This is hard to reproduce: if RA was enabled even once on the device and disabled afterwards, the issue does not occur.<br />Related <a class="external" href="https://redmine.pfsense.org/issues/8679">https://redmine.pfsense.org/issues/8679</a></p>