pfSense bugtracker: Issues | https://redmine.pfsense.org/ | 2024-01-24T23:57:32Z | pfSense bugtracker | Redmine
pfSense Plus - Feature #15186 (New): Test DNS over TLS | https://redmine.pfsense.org/issues/15186 | 2024-01-24T23:57:32Z | Jeff Kuehl
<p>The ability to readily confirm TLS DNS would be established once saved.</p>
pfSense Packages - Feature #14890 (New): dtlspipe package | https://redmine.pfsense.org/issues/14890 | 2023-10-17T13:24:33Z | yon Liu | info@ipv6china.com
<p>This is a DTLS tool that has been tested and used. It can add DTLS support to almost all UDP. It is especially suitable for applications that are sensitive to network delays.<br />I have asked the author to add support for various systems. If you need help, we can contact the author.</p>
<p><a class="external" href="https://github.com/Snawoot/dtlspipe">https://github.com/Snawoot/dtlspipe</a></p>
pfSense Packages - Feature #14787 (New): Feature request - Freeradius post-auth custom options | https://redmine.pfsense.org/issues/14787 | 2023-09-16T14:34:03Z | Marcelo Cury
<p>I would like to check if it is possible to add a custom options field for post-auth in Freeradius package.<br />This would open so many possibilities; <a class="external" href="https://freeradius.org/radiusd/man/unlang.html">https://freeradius.org/radiusd/man/unlang.html</a></p>
I'm currently using unlang policies with freeradius package in Ubuntu, and with it I'm able to allow users to connect or not, based on their AD group.
<ul>
<li>If the user is a member of the AD <strong>wifi_users</strong> group, ok to connect to wifi enterprise.</li>
<li>If the user is a member of the AD <strong>openvpn</strong> group, ok to connect to openvpn.</li>
<li>If the user is a member of the AD <strong>pfsense_admins</strong> group, they can manage pfsense.</li>
<li>If the user is a member of the AD <strong>pfsense_monitors</strong> group, they can access some options in pfsense GUI.</li>
</ul>
<p>and so on...</p>
<p>Granularity like this would be very welcome to the pfsense's freeradius package.</p>
<p>Policies would be included after Post-Auth-Type Challenge as per below example in a file inside <strong>sites-enabled</strong> folder.</p>
<p>Example:<br /><pre>
...
    # Filter access challenges.
    #
    Post-Auth-Type Challenge {
        # remove_reply_message_if_eap
        # attr_filter.access_challenge.post-auth
    }
    #start pfsense GUI
    if (LDAP-Group == "pfsense_admins" && NAS-Identifier == "webConfigurator-pfsense.home.arpa") {
        update {
            reply:Class := "pfsense_admins"
        }
        noop
    }
    elsif (LDAP-Group == "pfsense_monitors" && NAS-Identifier == "webConfigurator-pfsense.home.arpa") {
        update {
            reply:Class := "pfsense_monitors"
        }
        noop
    }
    else {
        reject
    }
}
...
</pre></p>
<p>I would also like to suggest an option to create new sites in <strong>sites-enabled/</strong> folder, to speed up things using a file for each NAS client, very welcome for larger deployments.</p>
pfSense Packages - Bug #14200 (New): WireGuard reply-to without NAT | https://redmine.pfsense.org/issues/14200 | 2023-03-29T10:02:59Z | Carrnell Tech
<p>I have discovered that the WireGuard package requires the interface to have the gateway set for the reply-to rules to function as expected. However, this also creates undesired auto NAT rules that need to be manually disabled in order to use the reply-to rules effectively.</p>
<p>I have posted all the detail and the road for my discovery on the forums and a great amount of detail along with it:<br /><a class="external" href="https://forum.netgate.com/topic/178908/wan-to-wireguard-to-lan-reply-to-bug">https://forum.netgate.com/topic/178908/wan-to-wireguard-to-lan-reply-to-bug</a></p>
My hope is that one of the following fix ideas could be implemented:
<ul>
<li>Could add verbiage on the interface or package GUI to indicate that these steps are required for true reply-to packets to function.</li>
<li>Add some sort of check box to prevent the auto added NAT rules for WireGuard interfaces, or, a check box that adds reply-to rules without the need for gateway to be filled.</li>
<li>Or, if possible, change the WireGuard package in such a way that it treats the WireGuard interface with reply-to rules with or without the gateway being set in the interface.</li>
</ul>
<p>To give you more of an idea of why I had more trouble with this particular part than anything previous is that I was migrating away from OpenVPN to WireGuard. Where OpenVPN functioned as desired without the gateway being set, I did not think to read the interface documentation mostly because the verbiage only mentions the need for it being set for internet access type scenarios, of which, I overlooked thinking it was unnecessary. On my testing environment, it was not until I started changing what I thought were unnecessary checkboxes and dropdowns that I discovered the gateway was needed, I then started to read the documentation for it, which led me to my final conclusion.</p>
<p>Appreciate your time!<br />Thank you!</p>
pfSense Packages - Bug #14146 (New): Small Typo in 'Advanced Outbound firewall rule settings' war... | https://redmine.pfsense.org/issues/14146 | 2023-03-22T07:36:44Z | Jon Brown
<p>When creating an IPv4 outbound permit rule (Firewall --> pfBlockerNG --> Ip --> IPv4) and you leave the <b>Custom Protocol</b> on any you get the following error:</p>
<pre>
Settings: Protocol setting cannot be set to 'Default' with Advanced Outbound firewall rule settings.
</pre>
<p><img src="https://redmine.pfsense.org/attachments/download/4819/pfblocker-with-any-error-message.jpg" alt="" /></p>
<p>There is a typo where it is saying it cannot be left on 'Default', there is no default protocol. This should read as follows:</p>
<pre>
Settings: Protocol setting cannot be set to 'Any' with Advanced Outbound firewall rule settings.
</pre>
<p>I have swapped <strong>default</strong> for <strong>any</strong></p>
pfSense Plus - Feature #14133 (New): Exporting and Importing - Change Layout | https://redmine.pfsense.org/issues/14133 | 2023-03-20T03:47:01Z | Steven Cedrone
<p>Please change Backup & Restore to allow for choosing only what areas you want to import/export without having to do it one area at a time.</p>
<p>The drop down-style boxes for "Backup Area" and "Restore Area" should allow you to hold CTRL and choose multiple areas at a time. Or change the drop-down boxes to scrolling boxes similar to other areas of pfSense when you select multiple WAN or LAN connections in pfBlocker for example.</p>
<p>This would be quite handy for exporting partial settings for new setups without having to do it area by area.</p>
pfSense Plus - Regression #14080 (New): Installer fails to install to a geom mirror | https://redmine.pfsense.org/issues/14080 | 2023-03-07T18:12:14Z | Steve Wheeler
<p>The 23.01 installer fails to create the expected mount points when trying to reinstall UFS to an existing gmirror.</p>
<p>It also cannot create the expected partitions using 'auto' to a new geom mirror.</p>
pfSense Packages - Feature #13403 (New): Option to suppress graphing for individual thermal zones | https://redmine.pfsense.org/issues/13403 | 2022-08-11T04:35:52Z | odo maitre
<p>As in many systems the thermal_tz1 and thermal_tz0 are invariant (not really present), it would be nice if they could be permanently disabled in the monitor graph - it is better for the graph and more aesthetic.</p>
pfSense Packages - Feature #13402 (New): Monitor graph thermal sensors F option vs just C | https://redmine.pfsense.org/issues/13402 | 2022-08-10T15:34:17Z | JohnPoz _
<p>So the thermal widget allows showing temps in F, but if you look at the monitor graph it is only in C.</p>
<p>Allow for thermal monitor graph to show either C or F temps.</p>
pfSense Plus - Feature #12832 (New): 6100 configurable Blinking Blue LED | https://redmine.pfsense.org/issues/12832 | 2022-02-19T11:56:10Z | shawn butts
<p>The blinking blue light for "normal operation status" feels like an "everything is ok ALARM!!!!"</p>
<p>I'd like to see an option to either make it solid blue for "normal" or disable the LED altogether.</p>
pfSense Plus - Bug #12759 (New): Proprietary packages link to non-existent or non-public github p... | https://redmine.pfsense.org/issues/12759 | 2022-02-05T19:22:11Z | Kris Phillips
<p>When clicking on the version number to view the code for packages like openvpn-import and aws-wizard, these link to a non-existent GitHub page (or one that is private). We should probably add a way to just remove these links on proprietary packages for pfSense Plus.</p>
<p>For example, aws-wizard links to <a class="external" href="https://github.com/pfsense/FreeBSD-ports/commits/devel/net/pfSense-pkg-aws-wizard">https://github.com/pfsense/FreeBSD-ports/commits/devel/net/pfSense-pkg-aws-wizard</a> which is an invalid path.</p>
pfSense Packages - Feature #11931 (New): Add support for validating a domain's ownership via Goog... | https://redmine.pfsense.org/issues/11931 | 2021-05-17T08:09:13Z | Alex Cazacu
<p>Add support for validating a domain's ownership via Google Cloud Cloud DNS.</p>
<p>Support for Google Cloud Cloud DNS is already implemented in <a href="https://github.com/acmesh-official/acme.sh" class="external">acmesh-official/acme.sh</a>. See <a href="https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_gcloud.sh" class="external">dns_gcloud.sh</a>.</p>
The associated script <a href="https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_gcloud.sh" class="external">documentation</a> omits to mention that authenticating and configuring <code>gcloud</code> can be performed in a non-interactive way by:
<ol>
<li>Creating a Google Cloud service account key: <a href="https://cloud.google.com/iam/docs/creating-managing-service-account-keys#creating_service_account_keys" class="external">documentation</a>.</li>
<li>Authenticating <code>gcloud</code> with the created service account key: <a href="https://cloud.google.com/sdk/docs/authorizing#authorizing_with_a_service_account" class="external">documentation</a>.</li>
<li>Configuring <code>gcloud</code>: via <code>gcloud config set</code> - <a href="https://cloud.google.com/sdk/docs/properties#setting_properties" class="external">documentation</a>; via environment variables: <a href="https://cloud.google.com/sdk/docs/properties#setting_properties_via_environment_variables" class="external">documentation</a>.</li>
</ol>
pfSense Packages - Bug #11650 (New): FRR configuration broken on restore of manually edited FRR c... | https://redmine.pfsense.org/issues/11650 | 2021-03-10T06:51:58Z | Andrew Green
<p>SG-3100<br />21.02-RELEASE-p1 (arm)<br />built on Mon Feb 22 09:38:52 EST 2021</p>
<p>FRR package version 1.1.0_8</p>
<p>I could not find any instructions to remove all of a package's configuration so I did this:</p>
<p>- Made a config backup<br />- Edited the config xml and removed the FRR config references but left the package sections in place with empty <config></config> sections inside.<br />- Restored the config<br />- Router rebooted and reinstalled packages<br />- Went to reconfigure FRR and it broke sometimes when saving the settings.<br />- I managed to make the error go away after adding and deleting a prefix list.<br />- Here is the PHP error:<br /><pre>
arm
12.2-STABLE
FreeBSD 12.2-STABLE 0e42b7d7eac(HEAD) pfSense-SG-3100
Crash report details:
PHP Errors:
[09-Mar-2021 21:46:49 America/St_Johns] PHP Fatal error: Uncaught Error: Only variables can be passed by reference in /usr/local/pkg/frr/inc/frr_zebra.inc:295
Stack trace:
#0 /usr/local/pkg/frr/inc/frr_zebra.inc(758): frr_zebra_generate_prefixlists(true, false)
#1 /usr/local/pkg/frr.inc(683): frr_generate_config_zebra()
#2 /usr/local/www/pkg_edit.php(245) : eval()'d code(1): frr_generate_config()
#3 /usr/local/www/pkg_edit.php(245): eval()
#4 {main}
thrown in /usr/local/pkg/frr/inc/frr_zebra.inc on line 295
[09-Mar-2021 21:47:15 America/St_Johns] PHP Fatal error: Uncaught Error: Only variables can be passed by reference in /usr/local/pkg/frr/inc/frr_zebra.inc:295
Stack trace:
#0 /usr/local/pkg/frr/inc/frr_zebra.inc(758): frr_zebra_generate_prefixlists(true, false)
#1 /usr/local/pkg/frr.inc(683): frr_generate_config_zebra()
#2 /usr/local/www/pkg_edit.php(245) : eval()'d code(1): frr_generate_config()
#3 /usr/local/www/pkg_edit.php(245): eval()
#4 {main}
thrown in /usr/local/pkg/frr/inc/frr_zebra.inc on line 295
[09-Mar-2021 21:47:30 America/St_Johns] PHP Fatal error: Uncaught Error: Only variables can be passed by reference in /usr/local/pkg/frr/inc/frr_zebra.inc:295
Stack trace:
#0 /usr/local/pkg/frr/inc/frr_zebra.inc(758): frr_zebra_generate_prefixlists(true, false)
#1 /usr/local/pkg/frr.inc(683): frr_generate_config_zebra()
#2 /usr/local/www/pkg_edit.php(245) : eval()'d code(1): frr_generate_config()
#3 /usr/local/www/pkg_edit.php(245): eval()
#4 {main}
thrown in /usr/local/pkg/frr/inc/frr_zebra.inc on line 295
[09-Mar-2021 21:47:36 America/St_Johns] PHP Fatal error: Uncaught Error: Only variables can be passed by reference in /usr/local/pkg/frr/inc/frr_zebra.inc:295
Stack trace:
#0 /usr/local/pkg/frr/inc/frr_zebra.inc(758): frr_zebra_generate_prefixlists(true, false)
#1 /usr/local/pkg/frr.inc(683): frr_generate_config_zebra()
#2 /usr/local/www/pkg_edit.php(245) : eval()'d code(1): frr_generate_config()
#3 /usr/local/www/pkg_edit.php(245): eval()
#4 {main}
thrown in /usr/local/pkg/frr/inc/frr_zebra.inc on line 295
[09-Mar-2021 21:49:51 America/St_Johns] PHP Fatal error: Uncaught Error: Only variables can be passed by reference in /usr/local/pkg/frr/inc/frr_zebra.inc:262
Stack trace:
#0 /usr/local/pkg/frr/inc/frr_zebra.inc(764): frr_zebra_generate_aspaths()
#1 /usr/local/pkg/frr.inc(683): frr_generate_config_zebra()
#2 /usr/local/www/pkg_edit.php(245) : eval()'d code(1): frr_generate_config()
#3 /usr/local/www/pkg_edit.php(245): eval()
#4 {main}
thrown in /usr/local/pkg/frr/inc/frr_zebra.inc on line 262
[09-Mar-2021 21:49:55 America/St_Johns] PHP Fatal error: Uncaught Error: Only variables can be passed by reference in /usr/local/pkg/frr/inc/frr_zebra.inc:262
Stack trace:
#0 /usr/local/pkg/frr/inc/frr_zebra.inc(764): frr_zebra_generate_aspaths()
#1 /usr/local/pkg/frr.inc(683): frr_generate_config_zebra()
#2 /usr/local/www/pkg_edit.php(245) : eval()'d code(1): frr_generate_config()
#3 /usr/local/www/pkg_edit.php(245): eval()
#4 {main}
thrown in /usr/local/pkg/frr/inc/frr_zebra.inc on line 262
[09-Mar-2021 21:50:03 America/St_Johns] PHP Fatal error: Uncaught Error: Only variables can be passed by reference in /usr/local/pkg/frr/inc/frr_zebra.inc:262
Stack trace:
#0 /usr/local/pkg/frr/inc/frr_zebra.inc(764): frr_zebra_generate_aspaths()
#1 /usr/local/pkg/frr.inc(683): frr_generate_config_zebra()
#2 /usr/local/www/pkg.php(140) : eval()'d code(1): frr_generate_config()
#3 /usr/local/www/pkg.php(140): eval()
#4 {main}
thrown in /usr/local/pkg/frr/inc/frr_zebra.inc on line 262
No FreeBSD crash data found.
</pre></p>
pfSense Packages - Bug #11493 (New): After upgrade zabbix proxy won't start | https://redmine.pfsense.org/issues/11493 | 2021-02-21T05:31:00Z | Pim Janssen
<p>Due to database changes between zabbix-proxy versions, the proxy database needs to be removed after upgrading, or else the proxy service won't start.</p>
<p>Workaround:<br />manually remove the database /var/db/zabbix-proxy/proxy.db</p>
pfSense Packages - Bug #11490 (New): Service Watchdog - Impacts Reboots and Package Updates | https://redmine.pfsense.org/issues/11490 | 2021-02-21T01:11:28Z | A S
<p>All - wasn't quite sure which to attribute this to as it's a package, but is impacting standard operation.</p>
Synopsis:
<ul>
<li>When upgrading a package where the upgrade must stop the service, the Service Watchdog is restarting the service before the upgrade of the package completes. Appears to completely stall some updates where the update process takes some time to run with the service stopped.</li>
<li>Upon reboot, while reviewing syslog - the Service Watchdog is starting services <b>before</b> pfSense [itself] normally starts a given service. Suspect that this could cause services to start in an abnormal order and potentially create dependency issues.</li>
</ul>
<p>Noticed this upon trying to assess a recent issue and watching syslog information where virtually every process upon reboot was started <strong>first</strong> by the Service Watchdog and when the system starting of that same process occurred - the system initiated startup failed.</p>