pfSense bugtracker: Issues (https://redmine.pfsense.org/, feed updated 2024-03-18T14:31:12Z)

pfSense - Feature #15348 (New): Block out PSK when viewing Phase 1 IPsec configuration (https://redmine.pfsense.org/issues/15348, 2024-03-18T14:31:12Z, Mike Moore)
<p>When filling out a PSK in the phase 1 proposal section, the PSK really should be entered obfuscated, with an option in the WebUI to show the password.<br />Entering a password in clear text so anyone shoulder surfing can see it is a security issue.</p>

pfSense - Bug #15347 (New): OpenVPN Multiple WAN Asymmetric Routing (https://redmine.pfsense.org/issues/15347, 2024-03-16T22:12:32Z, Timo M)
<p>Using OpenVPN in a multi-WAN / failover environment (an OpenVPN interface has been created and is used by the OpenVPN server). WAN1 is Tier 1 and WAN2 is Tier 2. To be able to access the OpenVPN server through both WAN1 and WAN2, I used the port forward method to bind the OpenVPN server to localhost and forward traffic from both WAN1 and WAN2 to it, as described in the documentation:</p>
<p><a class="external" href="https://docs.netgate.com/pfsense/en/latest/multiwan/openvpn.html#bind-to-localhost-and-setup-port-forwards">https://docs.netgate.com/pfsense/en/latest/multiwan/openvpn.html#bind-to-localhost-and-setup-port-forwards</a></p>
<p>FreeRADIUS is used as the authentication backend for OpenVPN (to be able to use 2FA). When connecting through WAN2 (which is on Tier 2) traffic appears to exit back out WAN1 after the RADIUS authentication completes leading to asymmetric routing. I see the following in the logs from FreeRADIUS:</p>
<p><code>(0) Login OK: [user_id] (from client pfsenseclient port 1194 cli *WAN1_IP* :1194)</code></p>
<p>I can confirm that the connection to the OpenVPN server was indeed made through WAN2 by looking at firewall states / traffic. Is this a bug, or is this configuration (OpenVPN server with FreeRADIUS authentication) not supported (e.g. the <code>reply-to</code> functionality does not work properly)? Thanks in advance.</p>

pfSense - Bug #15343 (New): DHCP host names for Windows 10/11 hosts have "." at the end (https://redmine.pfsense.org/issues/15343, 2024-03-15T16:50:34Z, Daryl Morse)
<p>Since changing to Kea DHCP, DHCP host names for Windows 10 and Windows 11 hosts are being created with a "." at the end.</p>
<p>This does not happen for other types of hosts.</p>
<p>This does not affect DHCPv6.</p>

pfSense - Bug #15341 (New): PHP errors in ``xmlrpc.php`` during configuration synchronization con... (https://redmine.pfsense.org/issues/15341, 2024-03-15T15:35:41Z, Christopher Cope)
<pre>
[15-Mar-2024 09:50:55 America/Chicago] PHP Fatal error: Uncaught TypeError: Cannot access offset of type string on string in /usr/local/www/xmlrpc.php:718
Stack trace:
#0 /usr/local/www/xmlrpc.php(638): pfsense_xmlrpc_server->filter_configure(false, false)
#1 /usr/local/share/pear/XML/RPC2/Server/CallHandler/Instance.php(141): pfsense_xmlrpc_server->restore_config_section(Array, 900)
#2 /usr/local/share/pear/XML/RPC2/Backend/Php/Server.php(135): XML_RPC2_Server_Callhandler_Instance->__call('pfsense.restore...', Array)
#3 /usr/local/share/pear/XML/RPC2/Backend/Php/Server.php(99): XML_RPC2_Backend_Php_Server->getResponse()
#4 /usr/local/www/xmlrpc.php(987): XML_RPC2_Backend_Php_Server->handleCall()
</pre>
<p>The error is being hit on:</p>
<pre>
23.09.1-RELEASE (amd64)
built on Wed Dec 20 13:27:00 EST 2023
FreeBSD 14.0-CURRENT
</pre>
<p>This seems to be a similar issue to <a class="external" href="https://redmine.pfsense.org/issues/14034">https://redmine.pfsense.org/issues/14034</a>, but this one has to do with OpenVPN tags. I'll get a merge request together this week.</p>

pfSense - Feature #15331 (New): Client (service) for CloudFlare WARP/WARP+ (https://redmine.pfsense.org/issues/15331, 2024-03-11T16:52:27Z, Sergei Shablovsky)
<p><strong>For a couple of years now, CloudFlare has in fact been the fastest and most reliable proxy and SDN for most users.</strong><br />(The backbone and core border routing problems that sometimes hit Akamai have little effect on CF.)<br />Most of the “growing pains” of a new and fast-growing company HAVE GONE AWAY.</p>
<p>And the <strong>NUMBER OF POINTS OF PRESENCE (data centers, colocated servers) IS CONSTANTLY GROWING!</strong></p>
<p><strong>All this makes the CloudFlare WARP/WARP+ service more and more wanted not only by ordinary and advanced users, but also by small and medium private businesses and government organizations.</strong></p>
<p>And as a result, since 2022 more and more coders have tried to implement CloudFlare WARP/WARP+ client code for various OSs, especially those on which routers/firewalls are based.</p>
<p>Please take a look at the<br />thread on pfSense CE:<br /><a class="external" href="https://forum.netgate.com/topic/177267/connecting-to-cloudflare-surely-its-possible">https://forum.netgate.com/topic/177267/connecting-to-cloudflare-surely-its-possible</a></p>
<p>and the thread on CloudFlare:</p>
<p><a class="external" href="https://community.cloudflare.com/t/warp-client-for-freebsd-based-firewalls-eg-pfsense-opnsense/426717/1">https://community.cloudflare.com/t/warp-client-for-freebsd-based-firewalls-eg-pfsense-opnsense/426717/1</a></p>
<p>So, the bottom line of all this:<br />making a CloudFlare WARP/WARP+ client as a separate package for pfSense is not so much time and effort.</p>
<p>If the DevTeam makes it right now, with testing and feedback from users over the summer (when there is not so much business workload and the negative impact would be minimal) for the next upcoming release (2.7.3-REL), this “adds more value to pfSense” and grows the distance from the competitor OPNsense.</p>

pfSense - Bug #15328 (New): Kea DHCP corrupts existing leases when a new DHCP pool is added (https://redmine.pfsense.org/issues/15328, 2024-03-10T23:09:39Z, Tom Lane)
<p>I set up a couple of DHCP pools for VLANs on a new Netgate 4200 (running pfsense+ 23.09.1), which is replacing an EdgeRouter-X that had been serving DHCP to the same clients. That went fine, and I watched several of the existing VLAN clients re-acquire their existing addresses from the new server. Then I added another DHCP pool attached directly to the PORT2LAN interface. That completely confused matters for existing leases: the server actively rejected attempts to renew those leases and gave out addresses of its own choosing. Now I am seeing two different entries in the DHCP Leases status page for the same MAC address, which surely should not happen. Digging in the DHCP log entries, it looks like when the server was restarted because of the pool addition, all the lease reloads failed with complaints like</p>
<p><code>Mar 10 16:09:18 kea-dhcp4 39285 WARN [kea-dhcp4.dhcpsrv.0x401b3c12000] DHCPSRV_LEASE_SANITY_FAIL The lease 10.0.20.41 with subnet-id 2 failed subnet-id checks (the lease should have subnet-id 3).<br /></code><br />10.0.20.41 is still shown (though as "down") in the Leases page, but there's also an entry for that client with its forcibly-assigned new IP address.</p>
<p>This isn't a fatal problem, assuming that the server manages to keep re-issuing these newly-chosen addresses, but it's mildly annoying. I'm not sure if there will be any outright conflicts as the remaining clients try to renew their leases.</p>

pfSense - Feature #15326 (New): Use alias to define 1:1 NAT mapping (https://redmine.pfsense.org/issues/15326, 2024-03-10T01:52:20Z, Tom Lane)
<p>I made some single-entry host aliases, which I find I can use in most firewall rules, but not in creating 1:1 NAT mappings (as either external or internal address). It'd be nice if that could work.</p>
<p>Previous discussion: <a class="external" href="https://forum.netgate.com/topic/186618/using-firewall-aliases-outside-of-firewall-rules?_=1710034514306">https://forum.netgate.com/topic/186618/using-firewall-aliases-outside-of-firewall-rules?_=1710034514306</a></p>

pfSense - Feature #15324 (New): Allow specifying cloudflare host id for dyndns (https://redmine.pfsense.org/issues/15324, 2024-03-08T21:41:23Z, Flole Systems)
<p>This can save an HTTP request when updating the entry, and may be used to update multiple entries with the same name but different IPs for round-robin based load balancing.</p>

pfSense - Feature #15323 (New): Display server description when WOL is sent using mac url or powe... (https://redmine.pfsense.org/issues/15323, 2024-03-08T21:31:57Z, Phil Wardt)
<p>When we use the "send WOL to all devices" link, the description of the servers is properly printed.<br />However, when we send WOL to a single server by clicking on the MAC URL or the power-on button, the description is not printed.</p>
<p>Fix this and properly display the description when sending WOL to a single server using either link.</p>

pfSense - Feature #15321 (New): KEA DHCP custom options (https://redmine.pfsense.org/issues/15321, 2024-03-08T20:45:14Z, Alhusein Zawi)
<p>Adding custom options to KEA DHCP.</p>

pfSense - Feature #15314 (New): Filtering in sockets (https://redmine.pfsense.org/issues/15314, 2024-03-05T23:20:40Z, Sergei Shablovsky)
<p>Brilliant pfSense DevTeam!</p>
<p>Filtering in sockets would be <strong>VERY USEFUL when determining the state and functionality of FreeBSD system services AND additional packages</strong> when resolving issues in pfSense functionality.</p>
<p>A WebGUI view similar to the <strong>“Advanced Log Filter”</strong> in <strong>Status</strong> / <strong>System Logs</strong>.</p>

pfSense - Feature #15308 (New): DHCPv6 deny option for static client mappings (https://redmine.pfsense.org/issues/15308, 2024-03-04T15:49:26Z, Saku Seppälä)
<p>DHCPv4 has a MAC deny list; could similar functionality be developed for DHCPv6 using static client mappings and the DHCP Unique Identifier (DUID)?</p>
<p>Kea DHCPv6 manual has even a chapter "Host Reservations as Basic Access Control" <br /><a class="external" href="https://downloads.isc.org/isc/kea/2.5.6/doc/html/arm/dhcp6-srv.html#host-reservations-as-basic-access-control">https://downloads.isc.org/isc/kea/2.5.6/doc/html/arm/dhcp6-srv.html#host-reservations-as-basic-access-control</a></p>
<p>My motivation for this is that my ISP provides a static IPv4 address, but not IPv6. I would like to restrict certain clients to IPv4 only, so they would be able to access certain web resources that have been made available only through the static IPv4 address NAT. I'm sure that there are also other valid reasons to disable IPv6 for certain clients.</p>

pfSense - Feature #15293 (New): Set LEVEL OF IMPORTANCE for Pushover notifications (https://redmine.pfsense.org/issues/15293, 2024-02-27T14:50:59Z, Sergei Shablovsky)
<p>Brilliant pfSense Dev Team!</p>
<p>The Pushover service (like all notification services nowadays) HAS SEVERAL NOTIFICATION PRIORITY LEVELS: from low to critical.</p>
<p>So, FROM THE PFSENSE USER'S VIEW it would be logically right to receive notifications with different levels, for example:</p>
<p>Suricata / Snort rules SUCCESSFULLY UPDATED - that's normal, but an error in the rules update - may be High/Critical (as the user sets it in settings).</p>
<p>An error uploading pfSense's configs by ACB to Netgate's servers - High/Critical, but a successfully completed upload - does not need much attention, so Low priority.</p>
<p>So, making a Pushover integration where ALL NOTIFICATIONS ARE DROPPED INTO ONE STREAM WITH ONE LEVEL (as now) is REALLY UNUSABLE, because after 1-2-3 days your Pushover app would be filled with a ton of messages. And this makes the integration unusable and pointless.</p>
<p>Also, from a developer's point of view I understand that because a lot of extra pfSense packages are made by the community or independent maintainers, it would be nearly impossible to change the package logic.<br />And also doing this huge work and then finding that the Pushover service has died/been acquired by someone else and the work needs to be done again - also not good.</p>
<p>So the better way to work with Pushover (and any other integration service in the coming years) would be:</p>
<p><strong>make a cronjob that parses the system logs and certain package logs, and if it finds the word “error” (for example), sends to the notification service (Pushover in our case) a notification WITH THE APPROPRIATE LEVEL (HIGH/CRITICAL).</strong></p>
<p>In this case:<br />- THE LEVEL OF THE EVENT = THE LEVEL OF THE NOTIFICATION;<br />- pfSense does not depend hard on a certain notification service, and future changes or adding other notification services are possible and easy;</p>
<p>Sounds reasonable, yes?</p>

pfSense - Bug #15291 (New): Error on Traffic Shaper 0% Bandwidth (https://redmine.pfsense.org/issues/15291, 2024-02-26T09:35:21Z, Pavan K)
<p>Link to post on pfSense Forum: <br /><a class="external" href="https://forum.netgate.com/topic/186137/error-on-traffic-shaper-0-bandwidth?_=1708915183963">https://forum.netgate.com/topic/186137/error-on-traffic-shaper-0-bandwidth?_=1708915183963</a></p>
<p>Backstory:<br />We recently migrated from pfSense 2.4.x to 2.7.2, which was a direct update. Everything worked fine except the traffic shaping feature.</p>
<p>Following is the error:<br />There were error(s) loading the rules: pfctl: the sum of the child<br />bandwidth (1200000000) higher than parent "root_igc4" (1000000000) -<br />The line in question reads [0]: @ 2024-01-31 16:45:05</p>
<p>Following is our configuration:<br />Name → FAIRQ_7<br />Priority→ 7<br />Scheduler Option → Random Early detection in and out<br />Bandwidth → None</p>
<p>Add new Queue(Default)<br />Enable<br />Name → qFAIRQ_2(Default)<br />Priority→ 2<br />Scheduler Option → Default<br />Bandwidth → None</p>
<p>Add new Queue(ACK)<br />Enable<br />Name → qACK_6<br />Priority→ 6<br />Scheduler Option → Random Early detection in and out<br />Bandwidth → None</p>
<p>According to the configuration, the Bandwidth on Queue(ACK) should be 0%, which was migrated from 2.4.x, but on 2.7.2 it's not letting us save 0% bandwidth for some reason.</p>
<p>And due to this, new rules which are created are not taking effect; it's only after we disable and enable the Traffic Shaper completely that the rule becomes effective.</p>

pfSense - Bug #15287 (New): hw.ix.unsupported_sfp=1 parameter for ix driver not working (https://redmine.pfsense.org/issues/15287, 2024-02-23T09:29:33Z, Eric Chaubert)
<p>When using the ix driver with an Intel 82599ES chipset, the driver seems not to support hw.ix.unsupported_sfp=1 anymore, even if it is configured in the loader.conf files.</p>
<p>On top of that, when enumerating the PCI numbers, if the driver fails on one interface it uses the same interface id for the next one. This creates a physical-to-logical binding of the PCI slots that changes between boot sequences depending on whether there is an initialisation error on one PCI device, which is not the expected behaviour.</p>
<p>Reading through the various message boards it looks like a regression as it was reported to work on previous releases.</p>
<p>Drivers, configs, logs and trace information attached to this bug report as files.</p>
<p>Firmware version: dev.ix.0.fw_version: eTrack 0x800004e1 PHY FW V65535</p>