pfSense bugtracker: Issues
https://redmine.pfsense.org/
2024-03-08T21:41:23Z
pfSense - Feature #15324 (New): Allow specifying cloudflare host id for dyndns
https://redmine.pfsense.org/issues/15324
2024-03-08T21:41:23Z Flole Systems
<p>This can save an HTTP request when updating the entry, and may be used to update multiple entries with the same name but different IPs for round-robin based load-balancing.</p>

pfSense - Feature #13948 (New): Allow %any for local_addrs IPsec endpoint setting
https://redmine.pfsense.org/issues/13948
2023-02-11T20:46:50Z Flole Systems
<p>Charon allows setting %any as local_addrs, allowing connections to all IPs. We should offer a setting to set this option.</p>
<p>I've manually edited the config for testing and the setting is behaving as intended.</p>

pfSense - Bug #13916 (Rejected): Interface config doesn't allow colliding IP addresses even if a ...
https://redmine.pfsense.org/issues/13916
2023-01-29T18:21:04Z Flole Systems
<p>When using WireGuard, a config where the same IP address is used for multiple interfaces is perfectly valid. pfSense doesn't allow such a configuration at the moment. Commenting out the check in /usr/local/www/interfaces.php makes it work perfectly fine. I propose adding a check there to see if the interface used is a WireGuard interface.</p>

pfSense Packages - Bug #13745 (New): pfBlockerNG doesn't resolve aliases in suppression alias list
https://redmine.pfsense.org/issues/13745
2022-12-11T13:47:52Z Flole Systems
<p>When adding another alias to the pfBlockerNGSuppresion alias it is not resolved. I would expect that at least all other IP-only aliases are resolved.</p>
<p>I guess what's needed here is to add the following logic to <a class="external" href="https://github.com/pfsense/FreeBSD-ports/blob/f1001288678186b2636f681ba9209bc623def16e/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc#L616">https://github.com/pfsense/FreeBSD-ports/blob/f1001288678186b2636f681ba9209bc623def16e/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc#L616</a></p>
<ul>
<li>Iterate through the entries and check each one to verify if it's a valid IPv4 or IPv6 address</li>
<li>If there is an entry that isn't a valid IPv4 or IPv6 address, replace it</li>
<li>It should attempt to resolve the alias and replace it while passing a list of already resolved aliases</li>
<li>If an entry/alias can not be resolved it will be replaced with an empty string (so invalid/unusable entries are filtered)</li>
<li>If an entry/alias can be resolved it will be replaced with a list of IP addresses, added to the list of resolved aliases, and the same function is called again on the just created list</li>
<li>Aliases that have been previously resolved will be replaced with an empty string</li>
<li>This way it is ensured that every alias is only resolved once and even aliases within aliases are resolved</li>
</ul>

pfSense - Bug #13655 (Resolved): DNS Forwarder (``dnsmasq``) is using an invalid combination of o...
https://redmine.pfsense.org/issues/13655
2022-11-12T10:11:15Z Flole Systems
<p>dnsmasq is always getting the --all-servers option added in <a class="external" href="https://github.com/pfsense/pfsense/blob/29e534800a56f21bd00061fbef7b2357a5962384/src/etc/inc/services.inc#L2636">https://github.com/pfsense/pfsense/blob/29e534800a56f21bd00061fbef7b2357a5962384/src/etc/inc/services.inc#L2636</a>. That causes a weird case when --strict-order is enabled, so --all-servers should be put into an `else` in <a class="external" href="https://github.com/pfsense/pfsense/blob/29e534800a56f21bd00061fbef7b2357a5962384/src/etc/inc/services.inc#L2617">https://github.com/pfsense/pfsense/blob/29e534800a56f21bd00061fbef7b2357a5962384/src/etc/inc/services.inc#L2617</a> or be turned into a separate option.</p>
<p>Currently we tell dnsmasq to query all servers simultaneously but also in strict order, so we give it two contradicting config options. It is weird that dnsmasq allows this, but we shouldn't do it. Effectively the code seems to give --all-servers precedence over --strict-order, so it queries all servers at the same time even though I enabled strict order mode in pfSense, breaking that feature.</p>
<p>The relevant code piece in dnsmasq is in <a class="external" href="https://github.com/imp/dnsmasq/blob/770bce967cfc9967273d0acfb3ea018fb7b17522/src/forward.c#L333">https://github.com/imp/dnsmasq/blob/770bce967cfc9967273d0acfb3ea018fb7b17522/src/forward.c#L333</a></p>

pfSense Packages - Bug #13612 (Resolved): Snort building lists is broken
https://redmine.pfsense.org/issues/13612
2022-10-30T20:29:07Z Flole Systems
<p>Somehow in <a class="external" href="https://github.com/pfsense/FreeBSD-ports/blob/5fc6406094c5c78b0d93cfb37ce29267735df16b/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort.inc#L266">https://github.com/pfsense/FreeBSD-ports/blob/5fc6406094c5c78b0d93cfb37ce29267735df16b/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort.inc#L266</a> there is a wrong check causing an empty list to be returned most of the time. I believe that check should be inverted, so in case a non-empty list is found that list is returned.</p>

pfSense - Bug #13523 (New): Cloudflare DynDNS Updates are slow and cause multiple notification E-...
https://redmine.pfsense.org/issues/13523
2022-09-28T07:33:02Z Flole Systems
<p>I have about 30 DynDNS domains configured. When those are updated I get 30 E-Mails for those updates with about 10 seconds between them. I suggest using threads to update the entries faster and collecting the notifications to send them out in a single E-Mail once all are done. Unfortunately I don't know why those updates are so slow; they shouldn't take 10 seconds in my opinion.</p>

pfSense - Bug #13502 (Needs Patch): dhclient sends RENEW-Request through wrong interface
https://redmine.pfsense.org/issues/13502
2022-09-18T18:44:42Z Flole Systems
<p>There are 2 interfaces, WAN and WAN2. Both get an IP from the same DHCP server (1.2.3.4) but each on a different subnet (WAN: 192.168.1.1/24 and WAN2: 192.168.2.1/24). Now when WAN2 renews its IP it sends a request from 192.168.2.1 to 1.2.3.4, but that request is for some reason sent out through WAN instead of WAN2 (but using WAN2's source MAC address), so it won't get an answer. It seems to be a bug in dhclient, as using ping with the source address works fine; even sending out a packet through nc like this works and it exits the firewall (verified with tcpdump).</p>
<pre><code class="shell">echo "Test" | nc -u -s 192.168.2.1 1.2.3.4 67</code></pre>

pfSense - Todo #13501 (Resolved): Clean up obsolete code in ``pfSense-dhclient-script``
https://redmine.pfsense.org/issues/13501
2022-09-18T17:45:45Z Flole Systems
<p>In pfsense/src/usr/local/sbin/pfSense-dhclient-script there's this old code that can probably be removed now:</p>
<pre>
# NOTE: use of the below has been disabled because rc.newwanip handles this correctly and this
# unnecessarily killed states in multiple circumstances. Leaving here for now, should be safe
# to remove later. -cmb 20141105
....
</pre>
<p>Appears to be from 2014, so most likely safe to remove now.</p>

pfSense - Bug #13493 (Resolved): Several advanced DHCP6 client options do not inform the user whe...
https://redmine.pfsense.org/issues/13493
2022-09-13T16:26:01Z Flole Systems
<p>When entering "F" for example as id-assoc pd ID in the interfaces tab and saving, it magically disappears without any error. Either an error should be shown or only numeric values should be accepted for that textbox.</p>

pfSense - Todo #13492 (Resolved): Start ``rtsold`` immediately after ``dhcp6c`` sends a request
https://redmine.pfsense.org/issues/13492
2022-09-13T16:24:18Z Flole Systems
<p>I suggest removing the 2 second sleep before rtsold is started after a request in the "don't wait for RA" code path. Some ISPs only send the router advertisement when they send their dhcp request; in that case it might be too late when rtsold is started.</p>
<p>It was added in 718cbc2d3921627e9767e59d539386c843dffcc4 but it's unclear why it was added. I've been running it without the sleep and it's working perfectly fine, and that is allowing me to get router information where I previously couldn't.</p>

pfSense - Bug #13483 (New): dhcp6c shouldn't be killed and restarted on interface reconfigurations
https://redmine.pfsense.org/issues/13483
2022-09-10T18:39:48Z Flole Systems
<p>When changing the configuration of an interface, currently dhcp6c is killed and restarted. That comes with all kinds of problems, for example addresses are dropped and need to be re-acquired. Instead dhcp6ctl should be used with the start/stop commands for that interface so others are unaffected.</p>

pfSense - Bug #13480 (New): GIFs are not automatically started when parent interface doesn't have...
https://redmine.pfsense.org/issues/13480
2022-09-10T04:48:33Z Flole Systems
<p>If there are GIFs which use IPv6 and at boot the IPv6-DHCP fails those are shown as Down/"Pending" on the Dashboard. Now if the IPv6 address is acquired they stay in that state. Going through the interfaces, clicking save and apply for each GIF causes them to go up/online. I would expect them to go online right away once the IPv6 address is acquired.</p>
<p>I haven't checked if this applies to IPv4 GIFs or IPv* GREs as well, but that could be possible.</p>

pfSense - Bug #13479 (Resolved): Input validation is checking RAM disk sizes when they are inactive
https://redmine.pfsense.org/issues/13479
2022-09-10T04:39:38Z Flole Systems
<p>When you disable/don't enable the RAM disk feature and then set insane limits it complains:</p>
<pre>
Combined size of /tmp and /var RAM disks would exceed available kernel memory.
</pre>
<p>It should not do that as it's not enabled, so whatever settings are entered there shouldn't matter.</p>
<p>In my case I always had the limits set to 4096 for both and the feature disabled. Now I tried to change something on the page and it started to complain. Also maybe someone wants to disable the RAM disk and temporarily run the device with less RAM without changing the limits, so they can easily be set back to normal when more RAM is installed again.</p>

pfSense Packages - Feature #13474 (New): Don't set ListenPort in wireguard
https://redmine.pfsense.org/issues/13474
2022-09-06T19:08:51Z Flole Systems
<p>Currently it is not possible to leave the ListenPort setting unset for WireGuard. I suggest using the special value 0 as the port and mentioning that setting it to 0 disables this.</p>
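<p>Added example for the alias-resolution logic proposed in #13745 above. This is not the reporter's code and not pfBlockerNG's own code; the alias table <code>SAMPLE_ALIASES</code> is constructed for the example (real pfSense aliases live in config.xml), and the function names are assumptions. It implements the listed steps: valid IPv4/IPv6 entries are kept, entries naming another alias are expanded with a set of already resolved aliases passed down so each alias is expanded at most once (which also terminates self-references and mutual references), and anything that is neither is dropped, the "replace with an empty string" step.</p>

```python
"""Resolve nested pfSense-style aliases into a flat list of IP/CIDR entries.

Added example for pfSense issue #13745, not pfBlockerNG's own code.
The alias table below is constructed for this example.
"""
import ipaddress

# Constructed sample alias table: alias name -> entries (IPs, CIDRs, or
# other alias names). "Office_Hosts" references itself and "Cloud_Ranges"
# references it back, so the resolver must not loop.
SAMPLE_ALIASES = {
    "pfBlockerNGSuppress": [
        "10.0.0.1", "Office_Hosts", "Cloud_Ranges", "NoSuchAlias", "not an ip",
    ],
    "Office_Hosts": [
        "192.168.10.5", "192.168.10.6/32", "Office_Hosts", "Cloud_Ranges",
    ],
    "Cloud_Ranges": ["203.0.113.0/24", "2001:db8::/48", "Office_Hosts"],
}


def is_ip_entry(entry):
    """True if entry is a valid IPv4/IPv6 address or network (CIDR)."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False


def resolve_alias(name, aliases, resolved=None):
    """Return the flat, de-duplicated list of IP entries behind alias `name`.

    `resolved` carries the names already expanded (step: "passing a list of
    already resolved aliases"); a name seen before resolves to nothing, so
    every alias is expanded at most once and cycles terminate.
    Entries that are neither an IP entry nor a known alias are dropped.
    """
    if resolved is None:
        resolved = set()
    if name in resolved or name not in aliases:
        return []                      # previously resolved or unknown -> ""
    resolved.add(name)
    out = []
    for raw in aliases[name]:
        entry = raw.strip()
        if is_ip_entry(entry):
            if entry not in out:       # keep order, drop duplicates
                out.append(entry)
        elif entry in aliases:         # nested alias: recurse with shared state
            for ip in resolve_alias(entry, aliases, resolved):
                if ip not in out:
                    out.append(ip)
        # anything else (junk text, unknown alias) is silently filtered
    return out


def render_suppression_list(name, aliases):
    """One entry per line, the shape a suppression file would carry."""
    return "\n".join(resolve_alias(name, aliases)) + "\n"


if __name__ == "__main__":
    print(render_suppression_list("pfBlockerNGSuppress", SAMPLE_ALIASES))
```

<p>The shared <code>resolved</code> set is what makes this safe on untrusted or mis-edited alias tables: a cycle cannot recurse without bound, and an alias referenced from several places contributes its addresses only once.</p>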
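<p>Added example for the dnsmasq option conflict described in #13655 above. It is not the reporter's code and not pfSense's services.inc; it only models how the forwarder's argument list is assembled. <code>buggy=True</code> reproduces the reported behaviour (<code>--all-servers</code> appended unconditionally, so it is combined with <code>--strict-order</code>); the default emits exactly one of the two, the <code>else</code> the report asks for. The binary path, the function names and the <code>--server=</code> list are assumptions for the example.</p>

```python
"""Build a dnsmasq argument list with mutually exclusive forwarding modes.

Added example for pfSense issue #13655, not pfSense's own code.
--strict-order (try upstreams in listed order) and --all-servers (query all
upstreams at once) are real dnsmasq options; passing both is the bug.
"""

DNSMASQ_BIN = "/usr/local/sbin/dnsmasq"   # assumed path for the example


def build_dnsmasq_args(strict_order, dns_servers, buggy=False):
    """Return the argv list for dnsmasq given the 'strict order' checkbox.

    buggy=True mirrors the reported behaviour: --all-servers is always added,
    so it sits next to --strict-order and silently wins. The fixed branch
    emits --all-servers only when strict order is NOT requested.
    """
    args = [DNSMASQ_BIN]
    for server in dns_servers:
        args.append(f"--server={server}")
    if strict_order:
        args.append("--strict-order")
    if buggy or not strict_order:
        args.append("--all-servers")
    return args


def has_conflicting_forwarding_options(args):
    """True if the argv asks for both ordered and parallel querying."""
    return "--strict-order" in args and "--all-servers" in args


if __name__ == "__main__":
    upstreams = ["9.9.9.9", "149.112.112.112"]   # constructed sample resolvers
    for label, argv in (
        ("reported", build_dnsmasq_args(True, upstreams, buggy=True)),
        ("fixed", build_dnsmasq_args(True, upstreams)),
    ):
        print(label, "conflict" if has_conflicting_forwarding_options(argv) else "ok")
        print(" ", " ".join(argv))
```

<p>Why this matters beyond a cosmetic flag clash: an operator who enables strict order usually does so to pin resolution to a trusted first resolver and only fall back on failure, and with <code>--all-servers</code> winning, every query also reaches the fallback resolvers in parallel. A simple check like <code>has_conflicting_forwarding_options</code> over the generated command line catches the regression before dnsmasq ever starts.</p>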