pfSense bugtracker: Issues
https://redmine.pfsense.org/
2021-01-06T09:29:12Z

pfSense - Feature #11225 (Rejected): Change Host Alias range when it is made from CIDR
https://redmine.pfsense.org/issues/11225
2021-01-06T09:29:12Z, Constantine Kormashev
<p>Now if I make an Alias using CIDR like 192.168.1.*2*/30 it makes 4 entries which start from the 1st host in the given range:<br />192.168.1.0<br />192.168.1.1<br />192.168.1.2<br />192.168.1.3</p>
<p>But this is probably different from what is expected, and it would be better to start the entries from the host defined in the range, e.g. the example above would give us:<br />192.168.1.2<br />192.168.1.3</p>
<p>It might not seem important if we use a short network, but if I would like to add 260 hosts from 192.168.0/23 it would be much easier and safer to write 192.168.0.250/23 than to use a range 192.168.0.250-192.168.1.255 for this goal.</p>

pfSense - Feature #11169 (New): Changing interface index order
https://redmine.pfsense.org/issues/11169
2020-12-17T05:44:26Z, Constantine Kormashev
The current configuration operates on interface indexes instead of real interfaces, e.g.<br />wan->igb0<br />lan->igb1<br />opt1->igb2<br />opt2->igb3<br />opt3->igb1.10<br />opt4->igb1.20<br />opt5->ovpn1<br />opt6->igb1.30<br />and so on. That makes configuring smoother and more flexible. But in the current implementation, if some interfaces are deleted, the indexes are not rearranged, and this might lead to issues, especially in config sync. E.g. in the example above, if opt5 is deleted, opt6 will not become opt5. Moreover, if a new interface is assigned, it acquires the lowest free index, in the case above opt5. This situation can easily lead to errors in the HA cluster configuration. E.g. 3 interfaces were added on the primary and the 2nd was deleted because it was added by mistake. E.g. opt1, opt2, opt3 were added, opt2 was deleted, so the final result is opt1, opt3. But when configuring the secondary, the final picture is different: it is opt1, opt2, because no mistake was made. That leads to a config sync issue. And this is totally unclear to people who do not know what really happens under the hood. The only way to fix it on the secondary is setup from scratch or manual config editing. Sometimes even setup from scratch becomes tricky. See the 1st example: it is not possible to create opt5 without making a fake OpenVPN.<br />It would be good to solve this issue. There are some ways to do that:
<ul>
<li>allow rearranging index manually from indexes list</li>
<li>make indexes totally unique and set indexes manually during assigning interface</li>
<li>sync interface settings from primary to secondary with auto assigning IP/mask from the predefined network</li>
</ul>
<p>Also, to avoid making fake VPN instances during initial secondary setup, change index enumeration and use increasing numbers from 0 for physical interfaces and decreasing numbers from uint32 max for software interfaces like VPN, etc., e.g.<br /> opt1->igb2<br /> opt2->igb3<br /> opt4294967295->ovpn1<br /> opt4294967294->ovpn2</p>

pfSense Packages - Bug #10994 (New): SquidGuard Blacklists Restore Default button does not work
https://redmine.pfsense.org/issues/10994
2020-10-20T11:09:49Z, Constantine Kormashev
<p>If the SquidGuard/Blacklists Blacklist Update field is empty, then clicking Restore Default restores nothing and generates an error message:<br /><pre>
Restore default blacklist DB.
Restore error: File /var/db/squidGuard.sample or /usr/local/etc/squidGuard/blacklist.files not found.
</pre><br />It does not matter whether SquidGuard/Squid is enabled or not.<br />Tried on 2.4.5-p1 ARM and Intel</p>

pfSense Packages - Bug #10775 (Resolved): pfblockerNG SBL_ADs and hpHosts are not reachable anymore
https://redmine.pfsense.org/issues/10775
2020-07-19T05:48:09Z, Constantine Kormashev
<p>The following entries of the pfblockerNG pkg have not been reachable for a long time; we have some tickets and I can also see some forum and reddit topics about this.<br />This is an upstream issue; those entries have to be changed or removed from the feeds.</p>
<p>SBL_ADs<br /><a class="external" href="https://www.squidblacklist.org/downloads/dg-ads.acl">https://www.squidblacklist.org/downloads/dg-ads.acl</a><br />hpHosts_ATS<br /><a class="external" href="https://hosts-file.net/ad_servers.txt">https://hosts-file.net/ad_servers.txt</a><br />hpHosts_EMD<br /><a class="external" href="https://hosts-file.net/emd.txt">https://hosts-file.net/emd.txt</a><br />hpHosts_EXP<br /><a class="external" href="https://hosts-file.net/exp.txt">https://hosts-file.net/exp.txt</a><br />hpHosts_FSA<br /><a class="external" href="https://hosts-file.net/fsa.txt">https://hosts-file.net/fsa.txt</a><br />hpHosts_GRM<br /><a class="external" href="https://hosts-file.net/grm.txt">https://hosts-file.net/grm.txt</a><br />hpHosts_HFS<br /><a class="external" href="https://hosts-file.net/hfs.txt">https://hosts-file.net/hfs.txt</a><br />hpHosts_HJK<br /><a class="external" href="https://hosts-file.net/hjk.txt">https://hosts-file.net/hjk.txt</a><br />hpHosts_MMT<br /><a class="external" href="https://hosts-file.net/mmt.txt">https://hosts-file.net/mmt.txt</a><br />hpHosts_PHA<br /><a class="external" href="https://hosts-file.net/pha.txt">https://hosts-file.net/pha.txt</a><br />hpHosts_PSH<br /><a class="external" href="https://hosts-file.net/psh.txt">https://hosts-file.net/psh.txt</a><br />hpHosts_PUP<br /><a class="external" href="https://hosts-file.net/pup.txt">https://hosts-file.net/pup.txt</a><br />hpHosts_WRZ<br /><a class="external" href="https://hosts-file.net/wrz.txt">https://hosts-file.net/wrz.txt</a></p>

pfSense - Feature #10732 (New): Warning banner for secondary HA node
https://redmine.pfsense.org/issues/10732
2020-07-06T05:41:14Z, Constantine Kormashev
<p>It would be good if the secondary HA node had a banner with a warning that all management actions have to be performed on the primary node only. And the user can see this banner after login, as they see the default password warning now.</p>
There are a couple of ways to detect a secondary node:
<ul>
<li>hidden flag in the config, see <a class="external" href="https://redmine.pfsense.org/issues/10731">https://redmine.pfsense.org/issues/10731</a></li>
<li>CARP interfaces are in BACKUP state</li>
</ul>

pfSense - Feature #10731 (New): XML-sync primary/secondary config flag
https://redmine.pfsense.org/issues/10731
2020-07-06T05:38:54Z, Constantine Kormashev
<p>To prevent XML-sync misconfiguration on an HA cluster, it would be good to make a config flag that can be used for distinguishing primary and secondary nodes. It might be a hidden flag in the config, which is set to primary if XML-sync is enabled on the node and afterwards propagated to the other node as secondary, and vice versa. If the node's flag is secondary, then its XML-sync menu is blocked. This flag can also be used for other purposes. E.g. it might be evidence that the initial XML-sync was successful, and so on.</p>
<p>There is a small issue here: the flag on the secondary is propagated by the primary, which means that if we would like to clear the secondary role without a primary, then we need something like a Red Force Clear button, which can reset the flag.<br />The other way would be clearing the secondary flag on each reboot and keeping it unflagged until the 1st XML-sync session, but this is less obvious.</p>

pfSense - Feature #10645 (New): Choosing active repo after restoring config but before starting p...
https://redmine.pfsense.org/issues/10645
2020-06-09T11:17:55Z, Constantine Kormashev
<p>The current behavior is: if a certain repo is set, the config contains an entry for this, like <code><pkg_repo_conf_path>/usr/local/share/pfSense/pkg/repos/pfSense-repo-xxx.conf</pkg_repo_conf_path></code>, and the device has a different firmware version from the config's original but also has the same repo set. Then, if the config is restored on that device, pkgs will anyway be installed from the default repo for the firmware version currently installed on the device. E.g. a config from 2.4.5 has a <em>2.4.4-deprecated repo</em> set, the device has 2.4.4-p3 and uses the same <em>2.4.4-deprecated repo</em>. Then after restoring the config, pkgs will be installed from the default <em>2.4.x-stable repo</em>; it looks like the preferred repo was not set anywhere. This might lead to a problem with wrong pkg versions.</p>
<p>It would be good if, after restoring the config but before auto-installing pkgs, the user could choose which repo has to be used on the device.</p>

pfSense - Feature #10290 (New): Firewall Aliases Add button on top of list
https://redmine.pfsense.org/issues/10290
2020-02-25T07:08:23Z, Constantine Kormashev
<p>It would be good if one more Add button were added on top of the list. If adding new aliases happens often, then Add on top makes that process faster.<br />Probably it would be good to add a "top" Add button to all Firewall aliases sections.</p>

pfSense Packages - Feature #9913 (Resolved): Adding note Squid Traffic Management Settings about f...
https://redmine.pfsense.org/issues/9913
2019-11-19T00:10:07Z, Constantine Kormashev
<p>Squid Traffic Management Settings mostly works with generic HTTP, so it may not work without HTTPS Interception if HTTPS is used, and it also might have problems if JS/TS/etc handling is involved. But there is no mention of those limits, so it would be good to add a clarifying note, because HTTPS and JS are widely used nowadays.</p>

pfSense - Feature #8908 (Closed): setting default gateway using lower Tier in case gateway group ...
https://redmine.pfsense.org/issues/8908
2018-09-18T00:57:22Z, Constantine Kormashev
<p><strong>Current behavior.</strong> I have 3 GWs and create a GW group from 2 of them with different Tiers. E.g. GW3 is marked as <code>(default)</code> and GW1 and GW2 are in the GW group so that GW1 is Tier1 and GW2 is Tier2. If I set the GW group in <code>Default gateway IPv4</code>, then the GW marked <code>(default)</code> will be the same as used before; in my example this is still GW3 even if I set the GW group as default. My opinion is that this behavior is not obvious.</p>
<p><strong>Desirable behavior.</strong> In case of setting a GW group as default, set the GW marked <code>(default)</code> using a GW from the given GW group, ordered by Tier. In my example it has to be GW1, because the GW group is set as default and GW1 has the lower Tier.</p>
<p><em>Partially related</em> to <a class="external" href="https://redmine.pfsense.org/issues/1411">https://redmine.pfsense.org/issues/1411</a> and <a class="external" href="https://redmine.pfsense.org/issues/8743">https://redmine.pfsense.org/issues/8743</a></p>

pfSense Packages - Feature #8727 (Resolved): Clone button in cron pkg
https://redmine.pfsense.org/issues/8727
2018-08-01T00:12:53Z, Constantine Kormashev
<p>It would be very useful if a clone feature appeared in the Cron pkg.<br />Sometimes tasks are tricky and there is a possibility of making a mistake when creating a new one; a clone action would be much more reliable.</p>

pfSense - Bug #8502 (Confirmed): main (top) menu items do not drop down in some cases
https://redmine.pfsense.org/issues/8502
2018-05-09T08:26:31Z, Constantine Kormashev
<p>While testing php7, I found that main (top) menu items do not drop down on the final pages of some pkgs, e.g. arpping, mtr. These pkgs do not have a problem themselves; the stat page, processing and result page are fine; this is only a web-gui menu issue.<br />Stephen Beaver confirmed this is not a php7-related issue.</p>

pfSense - Bug #8464 (New): Wireless USB card does not connect to WiFi automatically after reboot/...
https://redmine.pfsense.org/issues/8464
2018-04-17T03:35:41Z, Constantine Kormashev
<p>A wireless USB card on the Realtek RTL8192SU chipset in BSS mode does not connect to WiFi until the wireless interface is manually set to the down state and afterwards to the up state. E.g. after device reboot.<br />There is no problem with forwarding when the device is already connected to WiFi; the problem happens only after device reboot/halt.<br />Tried with Dlink DWA131 (Realtek RTL8192SU) on 3100 and 2220.<br />During interface down/up there are messages in the console:<br /><pre>
rsu0: rsu_join_bss: still scanning! (attempt 0)
rsu0_wlan0: ieee80211_new_state_locked: pending SCAN -> AUTH transition lost
</pre></p>

pfSense - Bug #7235 (New): 4860 has not got significant IPsec performance rising with enabled HW ...
https://redmine.pfsense.org/issues/7235
2017-02-08T01:47:07Z, Constantine Kormashev
<p>During IPsec performance tests on 4860 I did not observe a significant IPsec performance increase when HW acceleration is enabled.<br />Average increases are:<br /><em>10% for AES128CBC<br />7% for AES128GCM</em><br />In comparison with 2440, 2440 gives:<br /><em>56% for AES128CBC<br />54% for AES128GCM</em><br /><strong>4860 tests:</strong><br /><em>128 GCM 34000pps</em><br /><pre>
kldstat
Id Refs Address Size Name
1 3 0xffffffff80200000 225edc0 kernel
2 1 0xffffffff82611000 3646 ichwd.ko
last pid: 62291; load averages: 4.48, 3.20, 1.62 up 0+00:10:24 06:51:23
55 processes: 2 running, 52 sleeping, 1 waiting
CPU 0: 19.3% user, 0.0% nice, 33.1% system, 27.6% interrupt, 20.1% idle
CPU 1: 0.0% user, 0.0% nice, 0.0% system, 99.2% interrupt, 0.8% idle
CPU 2: 17.3% user, 0.0% nice, 52.0% system, 0.0% interrupt, 30.7% idle
CPU 3: 16.1% user, 0.0% nice, 53.1% system, 0.0% interrupt, 30.7% idle
Mem: 55M Active, 40M Inact, 183M Wired, 38M Buf, 7613M Free
Swap: 8192M Total, 8192M Free
PID USERNAME THR PRI NICE SIZE RES STATE C TIME CPU COMMAND
12 root 45 -72 - 0K 720K WAIT 3 6:24 130.13% intr
77387 root 17 20 0 249M 14632K uwait 2 6:54 106.30% charon
11 root 4 155 ki31 0K 64K RUN 3 20:54 82.03% idle
18291 root 2 20 0 30144K 17988K usem 3 4:44 80.76% ntpd
0 root 32 -8 - 0K 512K - 0 1:30 2.59% kernel
</pre><br /><em>128 GCM 36500pps</em><br /><pre>
kldstat
Id Refs Address Size Name
1 6 0xffffffff80200000 225edc0 kernel
2 1 0xffffffff82611000 7577 aesni.ko
3 1 0xffffffff82619000 3646 ichwd.ko
last pid: 98195; load averages: 4.41, 3.26, 1.77 up 0+00:09:07 07:06:31
55 processes: 4 running, 51 sleeping
CPU 0: 12.2% user, 0.0% nice, 32.2% system, 33.7% interrupt, 22.0% idle
CPU 1: 19.6% user, 0.0% nice, 55.7% system, 0.0% interrupt, 24.7% idle
CPU 2: 17.3% user, 0.0% nice, 57.3% system, 0.0% interrupt, 25.5% idle
CPU 3: 0.0% user, 0.0% nice, 100% system, 0.0% interrupt, 0.0% idle
Mem: 52M Active, 37M Inact, 183M Wired, 30M Buf, 7619M Free
Swap: 8192M Total, 8192M Free
PID USERNAME THR PRI NICE SIZE RES STATE C TIME CPU COMMAND
25406 root 17 92 0 249M 14692K CPU1 1 8:44 106.54% charon
0 root 32 -8 - 0K 512K - 0 0:47 100.00% kernel
16732 root 2 20 0 30144K 17988K kqread 2 6:21 80.57% ntpd
11 root 4 155 ki31 0K 64K RUN 3 9:51 77.98% idle
12 root 45 -72 - 0K 720K RUN 3 9:17 28.37% intr
</pre></p>
<p><em>128 CBC 34000pps</em><br /><pre>
kldstat
Id Refs Address Size Name
1 3 0xffffffff80200000 225edc0 kernel
2 1 0xffffffff82611000 3646 ichwd.ko
last pid: 66419; load averages: 4.54, 2.28, 1.03 up 0+00:08:24 07:23:31
55 processes: 3 running, 51 sleeping, 1 waiting
CPU 0: 18.0% user, 0.0% nice, 33.7% system, 27.1% interrupt, 21.2% idle
CPU 1: 0.8% user, 0.0% nice, 0.0% system, 98.8% interrupt, 0.4% idle
CPU 2: 20.8% user, 0.0% nice, 51.0% system, 0.0% interrupt, 28.2% idle
CPU 3: 20.4% user, 0.0% nice, 43.5% system, 18.0% interrupt, 18.0% idle
Mem: 52M Active, 38M Inact, 182M Wired, 26M Buf, 7621M Free
Swap: 8192M Total, 8192M Free
PID USERNAME THR PRI NICE SIZE RES STATE C TIME CPU COMMAND
25895 root 17 92 0 249M 14296K CPU0 0 3:56 101.76% charon
12 root 45 -72 - 0K 720K WAIT 3 1:27 92.04% intr
11 root 4 155 ki31 0K 64K RUN 3 21:23 78.86% idle
18871 root 2 20 0 30144K 17988K usem 1 2:42 75.49% ntpd
0 root 32 -8 - 0K 512K - 0 3:07 39.26% kernel
</pre></p>
<p><em>128 CBC 36500pps</em><br /><pre>
kldstat
Id Refs Address Size Name
1 6 0xffffffff80200000 225edc0 kernel
2 1 0xffffffff82611000 7577 aesni.ko
3 1 0xffffffff82619000 3646 ichwd.ko
last pid: 97408; load averages: 5.05, 3.99, 2.54 up 0+00:14:56 07:12:20
55 processes: 3 running, 51 sleeping, 1 waiting
CPU 0: 14.9% user, 0.0% nice, 26.7% system, 36.1% interrupt, 22.4% idle
CPU 1: 18.4% user, 0.0% nice, 53.3% system, 0.0% interrupt, 28.2% idle
CPU 2: 14.9% user, 0.0% nice, 59.2% system, 0.0% interrupt, 25.9% idle
CPU 3: 0.0% user, 0.0% nice, 100% system, 0.0% interrupt, 0.0% idle
Mem: 53M Active, 38M Inact, 184M Wired, 36M Buf, 7616M Free
Swap: 8192M Total, 8192M Free
PID USERNAME THR PRI NICE SIZE RES STATE C TIME CPU COMMAND
25406 root 17 92 0 249M 14908K CPU1 1 14:30 103.47% charon
0 root 32 -8 - 0K 512K - 0 4:21 100.00% kernel
16732 root 2 20 0 30144K 17988K usem 1 10:30 85.35% ntpd
11 root 4 155 ki31 0K 64K RUN 3 16:21 79.59% idle
12 root 45 -72 - 0K 720K WAIT 3 12:38 27.78% intr
</pre></p>
<pre>
uname -a
FreeBSD pfSense.localdomain 10.3-RELEASE-p9 FreeBSD 10.3-RELEASE-p9 #1 5fc1b19(RELENG_2_3_2): Tue Sep 27 12:25:49 CDT 2016 root@factory23-amd64-builder:/builder/factory-232/tmp/obj/builder/factory-232/tmp/FreeBSD-src/sys/pfSense amd64
</pre>

pfSense - Bug #7234 (Closed): ntpd overload during IPsec session without HW acceleration
https://redmine.pfsense.org/issues/7234
2017-02-08T01:24:16Z, Constantine Kormashev
<p>During a performance test of 2440 I noticed quite strange behavior of ntpd. It overloads a CPU core during an IPsec session if HW acceleration is disabled:<br /><pre>
kldstat
Id Refs Address Size Name
1 1 0xffffffff80200000 225ede0 kernel
</pre><br /><pre>
last pid: 42143; load averages: 3.41, 2.35, 1.15 up 0+00:07:28 09:19:23
54 processes: 2 running, 51 sleeping, 1 waiting
CPU 0: 9.4% user, 0.0% nice, 20.4% system, 65.9% interrupt, 4.3% idle
CPU 1: 18.4% user, 0.0% nice, 53.7% system, 0.0% interrupt, 27.8% idle
Mem: 45M Active, 39M Inact, 140M Wired, 21M Buf, 3676M Free
Swap: 3647M Total, 3647M Free
PID USERNAME THR PRI NICE SIZE RES STATE C TIME CPU COMMAND
16307 root 2 20 0 30144K 17988K usem 1 1:28 *100.00% ntpd*
23986 root 17 21 0 217M 13796K uwait 0 3:15 80.66% charon
11 root 2 155 ki31 0K 32K RUN 1 6:20 12.16% idle
12 root 27 -72 - 0K 432K WAIT 1 2:56 2.49% intr
0 root 20 -8 - 0K 320K - 0 0:22 0.00% kernel
</pre></p>
<p>If HW acceleration is enabled there are no issues with ntpd; it can sometimes load the CPU about 3-5% for several seconds:<br /><pre>
kldstat
Id Refs Address Size Name
1 4 0xffffffff80200000 225ede0 kernel
2 1 0xffffffff82611000 7577 aesni.ko
</pre><br /><pre>
last pid: 99164; load averages: 5.32, 2.80, 1.22 up 3+14:47:13 09:04:56
54 processes: 3 running, 50 sleeping, 1 waiting
CPU 0: 4.3% user, 0.0% nice, 15.7% system, 80.0% interrupt, 0.0% idle
CPU 1: 8.2% user, 0.0% nice, 21.6% system, 70.2% interrupt, 0.0% idle
Mem: 11M Active, 75M Inact, 153M Wired, 382M Buf, 3661M Free
Swap: 3647M Total, 3647M Free
PID USERNAME THR PRI NICE SIZE RES STATE C TIME CPU COMMAND
12 root 27 -72 - 0K 432K WAIT 1 51:30 200.00% intr
11 root 2 155 ki31 0K 32K RUN 1 171.4H 2.83% idle
15438 root 2 20 0 30144K 17988K usem 0 7:20 *0.49% ntpd*
53451 root 17 72 0 217M 14684K RUN 0 0:50 0.20% charon
0 root 20 -8 - 0K 320K - 0 8:28 0.00% kernel
</pre></p>
<p>Checked on 2440<br /><pre>
uname -a
FreeBSD pfSense.localdomain 10.3-RELEASE-p5 FreeBSD 10.3-RELEASE-p5 #0 7307492(RELENG_2_3_2): Tue Jul 19 13:29:35 CDT 2016 root@ce23-amd64-builder:/builder/pfsense-232/tmp/obj/builder/pfsense-232/tmp/FreeBSD-src/sys/pfSense amd64
</pre></p>
<p>Checked on 4860. For this device it does not matter whether HW acceleration is enabled or disabled, the picture is the same. (I have a strong suspicion there is an issue with HW acceleration on 4860)<br /><pre>
uname -a
FreeBSD pfSense.localdomain 10.3-RELEASE-p9 FreeBSD 10.3-RELEASE-p9 #1 5fc1b19(RELENG_2_3_2): Tue Sep 27 12:25:49 CDT 2016 root@factory23-amd64-builder:/builder/factory-232/tmp/obj/builder/factory-232/tmp/FreeBSD-src/sys/pfSense amd64
</pre></p>