pfSense bugtracker: Issues
https://redmine.pfsense.org/
2023-05-08T19:10:44Z

pfSense - Todo #14359 (New): Reorganize Advanced Options
https://redmine.pfsense.org/issues/14359
2023-05-08T19:10:44Z Jim Pingle
<p>The placement of several options under the various Advanced options tabs doesn't make much sense in current versions. Some are only at their current locations for historical reasons.</p>
<p>Some things should be moved, such as:</p>
<ul>
<li>Cryptographic and Thermal hardware - Split into two separate sections, no compelling reason to combine them these days.</li>
<li>Schedules - Move from Misc to Firewall & NAT tab since it's about killing states based on rule schedules</li>
<li>Gateway Monitoring - Move from Misc to Firewall & NAT tab since it's mostly about firewall states and rules based on gateway events/status.</li>
<li>Load Balancing - Move from Misc to Firewall & NAT tab since it's a pf gateway behavior option, also rename so it's more clear that it is for Multi-WAN.</li>
<li>Reset All States - Move from Networking to Firewall & NAT tab since it's about resetting firewall states</li>
<li>Advanced Options section of Firewall & NAT tab, move to bottom of the page</li>
</ul>
<p>The Firewall & NAT page is getting rather long, however, so it may also be worth considering if that should be split into multiple tabs. For example the gateway bits could go on a Gateways & Multi-WAN tab.</p>
<p>It's all up for debate, but the current layout seems confusing for new users in various ways.</p>

pfSense - Todo #13414 (New): IPsec: Phase 1 Delay advanced option does not include scale or type ...
https://redmine.pfsense.org/issues/13414
2022-08-13T18:58:06Z Pat Jensen
<p>The description for dead peer detection delay does not include the type of timer, or the scale. This makes it difficult to understand, configure or troubleshoot.</p>
<p>It should match the same design language as the Expiration timers listed above it in the Phase 1 configuration.</p>
<p>Setting is currently labeled:<br />Delay between sending peer acknowledgement messages. In IKEv2, a value of 0 sends no additional messages and only standard messages (such as those to rekey) are used to detect dead peers.</p>
<p>Setting should be labeled similarly:<br />Time, in seconds, between sending peer...</p>

pfSense - Todo #13159 (New): Decrease distance between img-buttons in webGUI to eliminate mistake...
https://redmine.pfsense.org/issues/13159
2022-05-12T21:15:09Z Sergei Shablovsky
<p>Hi, dear pfSense Dev Team!</p>
<p>Please decrease the distance between img-buttons in the “Action” column in most webGUI pages to eliminate mistaken entry, especially when pfSense is remotely accessed from an iPad (or any same-size tablet) or a 15-16-17” notebook, which is mostly what SysAdmins use nowadays.</p>
<p>Because it is so easy to tap on the wrong image-button, the SysAdmin constantly needs to pinch in/pinch out. Very annoying design mistake... Sorry</p>

pfSense Docs - New Content #12805 (New): Add documentation about what triggers a notification
https://redmine.pfsense.org/issues/12805
2022-02-15T17:10:01Z Logan Marchione
<p>I just set up notifications in pfSense and can't find any documentation on the page below to show what sort of actions trigger a notification. <br /><a class="external" href="https://docs.netgate.com/pfsense/en/latest/config/advanced-notifications.html">https://docs.netgate.com/pfsense/en/latest/config/advanced-notifications.html</a></p>
<p>It seems this is a semi-common problem. <br /><a class="external" href="https://www.reddit.com/r/PFSENSE/comments/ar3w9l/pfsense_email_notifications/">https://www.reddit.com/r/PFSENSE/comments/ar3w9l/pfsense_email_notifications/</a> <br /><a class="external" href="https://www.reddit.com/r/PFSENSE/comments/l6lil3/how_to_configure_whatwhen_for_email_notifications/">https://www.reddit.com/r/PFSENSE/comments/l6lil3/how_to_configure_whatwhen_for_email_notifications/</a></p>
<p>Am I missing something, or is this documentation hidden somewhere? Ideally, I'd like a giant list of checkboxes to turn on/off notifications for things, but I'd take just a plaintext list of what will trigger a notification. Right now, I'm searching GitHub to see what triggers <strong>notify_all_remote</strong>.<br /><a class="external" href="https://github.com/pfsense/pfsense/search?q=notify_all_remote">https://github.com/pfsense/pfsense/search?q=notify_all_remote</a></p>

pfSense Docs - New Content #12804 (New): Add documentation for Slack notifications
https://redmine.pfsense.org/issues/12804
2022-02-15T16:59:18Z Logan Marchione
<p>I saw in the issue below that support for notifications via Slack was added to 2.6.0. <br /><a class="external" href="https://redmine.pfsense.org/issues/12291">https://redmine.pfsense.org/issues/12291</a></p>
<p>However, I don't see matching docs on this page. Can these be added? <br /><a class="external" href="https://docs.netgate.com/pfsense/en/latest/config/advanced-notifications.html">https://docs.netgate.com/pfsense/en/latest/config/advanced-notifications.html</a></p>

pfSense Docs - Todo #12457 (New): Add UPS Configuration Recipes for apcupsd and nut UPS Packages ...
https://redmine.pfsense.org/issues/12457
2021-10-14T12:53:43Z Kris Phillips
<p>A customer requested that we add some basic "how to" recipes to the pfSense docs for basic operations in the apcupsd and nut UPS packages for common brands of UPS units.</p>
<p>This would include configuration examples for the various brands (with a note that some differences may exist by model), some basic automatic start up and shutdown configuration, etc.</p>

pfSense Docs - New Content #12402 (New): Add recipe for configuring Telegram to receive notificat...
https://redmine.pfsense.org/issues/12402
2021-09-24T00:46:30Z Viktor Gurov
<p><strong>Page:</strong> <a class="external" href="https://docs.netgate.com/pfsense/en/latest/config/advanced-notifications.html">https://docs.netgate.com/pfsense/en/latest/config/advanced-notifications.html</a></p>
<p><strong>Feedback:</strong></p>
<p>How to configure Telegram notifications:<br />1) Find the bot BotFather<br />2) Add a new bot with the commands: "/newbot", &lt;botname&gt;, &lt;botusername&gt; (must end in 'bot'),<br />save the API Token value<br />see <a class="external" href="https://core.telegram.org/bots#creating-a-new-bot">https://core.telegram.org/bots#creating-a-new-bot</a> and screenshot<br />3) Create a new private chat and add a new bot to it with the "Post messages" privilege<br />4) How to get private chat id:<br />4.1) First way:<br />Just send to the bot your invite link to your private channel<br />and check it with <a class="external" href="https://api.telegram.org/bot&lt;BOT_TOKEN&gt;/getUpdates">https://api.telegram.org/bot&lt;BOT_TOKEN&gt;/getUpdates</a>:<br /><pre>
{"ok":true,"result":[{"update_id":191337144,
"my_chat_member":{"chat":{"id":-1001550670765,"title":"myprivatetest","type":"channel"},"from":
</pre><br />4.2) Second way:<br />- You should convert your channel to public with some @channelName<br />- Send message to this channel through Bot API: <a class="external" href="https://api.telegram.org/bot111:222/sendMessage?chat_id=@channelName&text=123">https://api.telegram.org/bot111:222/sendMessage?chat_id=@channelName&text=123</a><br />- As response you will get info with chat_id of your channel:<br /><pre>
{ "ok" : true, "result" : { "chat" : { "id" : -1001005582487, "title" : "Test Private Channel", "type" : "channel" }, "date" : 1448245538, "message_id" : 7, "text" : "123ds" } }
</pre><br />- Now you can convert Channel back to private (by deleting channel's link) and send message directly to this chat_id "-1001005582487"</p>

pfSense - Todo #12025 (New): Add 1:1 Validation to Notify Someone They are 1:1 NAT'ing an Interfa...
https://redmine.pfsense.org/issues/12025
2021-06-10T17:34:03Z Kris Phillips
<p>Although it is VERY rarely necessary, we should add a banner to the top of the 1:1 NAT page notifying end users that they have just 1:1 NAT'ed the WAN interface address and this is usually not recommended due to connectivity issues for dpinger, IPSec, etc. that may occur. Often we see users 1:1 NAT their WAN address out of lack of experience/understanding. Additionally, this should be useful if there was a way to verify against an HA member as well or CARP VIP as it can sometimes be easy to forget that your secondary unit is using the 1:1 NAT address you just configured on the primary and pushed it to the secondary (which then causes gateway monitoring to fail on that interface).</p>

pfSense - Todo #10199 (New): Improve Spanish translation interface
https://redmine.pfsense.org/issues/10199
2020-01-22T09:20:34Z Aluisco Miguel Ricardo Mastrapa

pfSense - Todo #8270 (New): Fix grammatically erroneous repetition
https://redmine.pfsense.org/issues/8270
2018-01-10T16:06:23Z Maxwell Cody
<p>The pfSense web interface has some grammatically incorrect repetition due to, what I suspect to be, a very lackadaisical use of initialisms. You will notice that on at least four different pages, the phrase "IP Protocol" is used to refer to the delineation between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). The grammatical error here is rather simple to notice by simply deconstructing the initialism. By deconstructing the initialism you will see that the deconstructed phrase reads "Internet Protocol Protocol." This is grammatically incorrect.</p>
<p>I've personally come up with two unique and novel solutions to this issue.</p>
<p>1. Change the phrase to read simply "Protocol." <br />2. Change the phrase to read "IP Version." (Deconstructing the initialism here may be preferable)</p>
Pages affected:
<ul>
<li>status_logs_settings.php</li>
<li>diag_testport.php</li>
<li>diag_traceroute.php</li>
<li>diag_ping.php</li>
</ul>

pfSense - Feature #7934 (New): format support phone# for international use
https://redmine.pfsense.org/issues/7934
2017-10-12T16:10:20Z Adam Thompson athompso@athompso.net
<p>In the new 2.4.0 release, the Netgate Services and Support dashboard gadget shows the phone# to call. (Good idea, btw!)<br />So that international users know where to call, the phone# should include the country code as "+1".<br />ITU-standard formatting is "+1 (512) 900-2546", but I guess "+1-512-900-2546" would also be recognized by pretty much everyone.<br />You have people in Brazil - check to see which format they would normally expect to see.<br />The important part is the "+" followed by "1", not the punctuation.</p>

pfSense Packages - Feature #7608 (New): Captive Portal amount of traffic Account + Free Radius+M...
https://redmine.pfsense.org/issues/7608
2017-05-28T01:47:49Z mohsen abbaspour
<p>Limitation on amount of traffic does not work when using CP and Free Radius and Mysql together.</p>
<pre><code>It seems that captive does not count amount of traffic</code></pre>

pfSense - Todo #6727 (New): Missing file apple-touch-icon-precomposed.png ?
https://redmine.pfsense.org/issues/6727
2016-08-18T14:10:11Z Andy Kniveton
<p>I notice this occasionally in my log files after logging in via the web browser :-</p>
<p>Aug 18 19:50:38 pfsense.localdomain nginx: 2016/08/18 19:50:38 [error] 36942#100114: *10595 open() "/usr/local/www/apple-touch-icon-precomposed.png" failed (2: No such file or directory), client: 172.16.1.20, server: , request: "GET /apple-touch-icon-precomposed.png HTTP/1.1", host: "172.16.1.1"</p>
<p>[2.3.2-RELEASE][<a class="email" href="mailto:admin@pfsense.localdomain">admin@pfsense.localdomain</a>]/root: ls /usr/local/www/apple-touch-icon-precomposed.png<br />ls: /usr/local/www/apple-touch-icon-precomposed.png: No such file or directory</p>
<p>[2.3.2-RELEASE][<a class="email" href="mailto:admin@pfsense.localdomain">admin@pfsense.localdomain</a>]/root: ls /usr/local/www/*.png<br />/usr/local/www/apple-touch-icon.png /usr/local/www/logo.png<br />/usr/local/www/logo-black.png /usr/local/www/pfs-mini.png<br />[2.3.2-RELEASE][<a class="email" href="mailto:admin@pfsense.localdomain">admin@pfsense.localdomain</a>]/root:</p>
<p>Maybe it's just worth doing a symbolic link in the next pfSense build.</p>

pfSense - Todo #6647 (New): Enable Additional Security Headers
https://redmine.pfsense.org/issues/6647
2016-07-26T20:30:24Z Chris Buechler cbuechler@gmail.com
<p>The nginx instance for the web GUI should enable CSP. Just adding the following works:</p>
<pre>
add_header Content-Security-Policy "default-src 'self';";
</pre>
<p>though I suspect that may break some edge case I'm not thinking of. The captive portal nginx instance shouldn't have that set, as people routinely include external resources that would be broken by that.</p>
<p>Adding upgrade-insecure-requests while there wouldn't hurt either.</p>

pfSense - Feature #5835 (New): Improve OpenVPN client gateway detection in edge cases where the r...
https://redmine.pfsense.org/issues/5835
2016-02-01T08:37:46Z Jim Pingle
<p>There are a few edge cases where OpenVPN does not set the "route_vpn_gateway" or "ifconfig_remote" environment variables so the "up" script cannot determine the gateway.</p>
<p>Currently the script falls back to using the local IP address in this case, which works OK for some things like policy routing when the interface is assigned, but it causes the wrong IP address to be monitored.</p>
The problem scenario requires BOTH of the following to be true:
<ul>
<li>tap mode OR tun+topology subnet is used</li>
<li>Server does not push ANY routes</li>
</ul>
<p>In that case, the only possible way for the client to determine the gateway is by subnet calculation, assuming the gateway is the first IP address in the block. Our code currently falls back to using the client adapter address in this case when the other two variables are unset.</p>
<p>Fixing it would require the ability to do subnet math or similar calculation from a shell script, or perhaps pulling the config off the interface using ifconfig or another similar function.</p>
<p>Since it appears to work fine from a user perspective aside from picking the right monitor IP address, it's pretty minor as far as I can tell so far.</p>