pfSense bugtracker: Issues | https://redmine.pfsense.org/ | 2024-01-29T11:58:34Z

pfSense - Feature #15211 (New): tcpdump run with BIOS hardware clock set, but no on environment s...
https://redmine.pfsense.org/issues/15211 | 2024-01-29T11:58:34Z | Sergei Shablovsky
<p>Brilliant pfSense Stuff!</p>
<p><strong>Please fix</strong>:<br />tcpdump could be run with TZ (Time Zone) set in the whole system environment.</p>
<p><strong>Description and how to replicate</strong>:<br />I have a wrong timestamp in “Packet Capture Output” (pcap auto-scroll view, under the “Diagnostics / Packet Capture” main menu): exactly a 2-hour backward shift from system time.</p>
<p>How to fix this?</p>
<p>P.S.<br />pfSense 2.7.2-RELEASE on a bare metal server. System time is correct, timestamps in ALL other logs (syslogd) are correct, NTP is correct, no NTP servers are specified in DHCP per interface, and a reboot does not help… ;)</p>
<p>Wrong timestamp in Packet Capture Output<br /><a class="external" href="https://forum.netgate.com/topic/185772/wrong-timestamp-in-packet-capture-output">https://forum.netgate.com/topic/185772/wrong-timestamp-in-packet-capture-output</a></p>

pfSense - Bug #15063 (Confirmed): vpn_openvpn_server.php: shows last used interface, after changi...
https://redmine.pfsense.org/issues/15063 | 2023-12-04T19:32:00Z | Grischa Zengel
<p>How to reproduce:<br />1. Create openvpn server with interface "WAN" and protocol "UDP on IPv4 only" <br />2. Save config and reopen it<br />3. Change to multihome and save config</p>
<p>Now there is still "WAN" at the OpenVPN overview. It should be "ANY".</p>

pfSense - Bug #14479 (New): unbound doing qname-minimisation when enabled in unbound gui.
https://redmine.pfsense.org/issues/14479 | 2023-06-16T18:46:14Z | JohnPoz _
<p>I have not checked 2.7 or 23.05 yet but this came up in a discussion here</p>
<p><a class="external" href="https://forum.netgate.com/post/1110945">https://forum.netgate.com/post/1110945</a></p>
<p>Seems unbound is now doing qname by default. So if there is no setting in the conf for qname-minimisation, it does it. By default this option in 2.6 is not enabled, but since there is no entry in the .conf file it is being done, with no way to turn it off without placing an entry in the custom box to set it to no.</p>
<p>Logic should be changed to allow enabling/disabling qname from the GUI. What it defaults to doesn't matter really, but with the current logic there is no way to actually turn it off. And the GUI reads that it is off by default, but it really isn't, since unbound defaults to doing it.</p>

pfSense - Feature #14177 (New): tcprtt Measures the TCP handshake RTT using the stats(9) statisti...
https://redmine.pfsense.org/issues/14177 | 2023-03-24T17:54:42Z | Ryan Whitlock
<p>My coworker thought using 8.8.8.8 for the gateway monitor would suffice for a “is the internet up” monitor. Well, google rate limited us and I spent hours looking for the right approach.</p>
<ul>
<li><a class="external" href="https://redmine.pfsense.org/issues/7671">https://redmine.pfsense.org/issues/7671</a></li>
<li><a class="external" href="https://redmine.pfsense.org/issues/4354">https://redmine.pfsense.org/issues/4354</a></li>
<li><a class="external" href="https://www.reddit.com/r/PFSENSE/comments/xjlsdo/psa_88888844_9202022/">https://www.reddit.com/r/PFSENSE/comments/xjlsdo/psa_88888844_9202022/</a></li>
<li><a class="external" href="https://www.reddit.com/r/networking/comments/6ujvxo/has_l3_dns_4222_become_unreliable_for_anyone_else/">https://www.reddit.com/r/networking/comments/6ujvxo/has_l3_dns_4222_become_unreliable_for_anyone_else/</a></li>
<li><a class="external" href="https://forum.netgate.com/topic/110056/dpinger-multiple-targets-aka-gwmond-2-500">https://forum.netgate.com/topic/110056/dpinger-multiple-targets-aka-gwmond-2-500</a></li>
</ul>
<p>Ultimately, it seems using ICMP for monitoring against public DNS, NTP, etc. servers is the wrong approach for some use-cases. Cisco’s IP SLA has the ability to perform a number of health checks from many protocols, so I set out to find something comparable for FreeBSD. Tcprtt looks like it could be a good solution for internet uptime monitoring that does not rely on ICMP.</p>
<ul>
<li><a class="external" href="https://www.freshports.org/net/tcprtt">https://www.freshports.org/net/tcprtt</a></li>
<li><a class="external" href="https://reviews.freebsd.org/D20656">https://reviews.freebsd.org/D20656</a></li>
</ul>
<p>Does this seem like a viable solution?</p>

pfSense - Bug #12547 (Feedback): unscheduled system reboot/crash
https://redmine.pfsense.org/issues/12547 | 2021-11-28T07:19:02Z | Evgeny Korostelev
<p>pfSense Community Edition 2.5.2<br />Try navigating to menu "Diagnostics" -> "Routes".<br />Then the system crashes/reboots, and after boot there is a text system dump (attached to the report).</p>

pfSense - Bug #10833 (New): unbound exits on configuration error when link status flaps on LAN in...
https://redmine.pfsense.org/issues/10833 | 2020-08-13T23:53:30Z | John Hood
<p>I have pfSense installed at home on a small, old, core2duo-based machine. It does pretty typical home-router duty; the most obvious-to-me unusual parts of the configuration are that the internal IPv4 network is 198.206.215.0/24 instead of an RFC1918 network address, and I have an IPv6 tunnel to Hurricane Electric.</p>
<p>This week, the 11-year-old unmanaged GbE switch attached to the LAN port got flaky, and started to fail in some way that caused it to blink all lights on the front and stop passing traffic. Logs show link status flapping on the LAN interface. On power-cycling the switch, it would start working again. But DNS service was gone, though restartable at Status/Services/unbound. I found this in resolver.log:</p>
<pre>
Aug 13 20:28:22 router unbound: [27434:0] fatal error: Could not read config file: /unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf
</pre>
<p>I wrote a little monitoring script that does 'pgrep unbound' and 'ifconfig em1' every 10 seconds. That seems to show link flapping between normal:</p>
<pre>
media: Ethernet autoselect (1000baseT &lt;full-duplex&gt;)
status: active
</pre>
<p>and no link:</p>
<pre>
media: Ethernet autoselect
status: no carrier
</pre>
<p>It also showed two copies of dhcpleases running after the link starts flapping.</p>
<p>Edited/excerpted logs and the monitoring script are attached, the switch starts flapping at Aug 13 20:27:57 in the logs, and I power-cycled the switch about 20:28:45. I restarted unbound at 20:30:36.</p>
<p>I tried reproducing the problem by manually plugging/unplugging the patch cable involved, and was not able to reproduce the problem. Alas, I destroyed the switch by plugging the wrong power supply in, so it's no longer helpful either. So I have no repro. I suspect connecting a FreeBSD box and running a little script that did things with 'ifconfig down' and 'ifconfig up' and 'ifconfig mediaopt &lt;blah&gt;' combined with some randomized short delays would eventually knock unbound over.</p>
<p>I haven't investigated the code at all, but it smells like some kind of race condition in the link-configuration scripts to me.</p>

pfSense - Bug #9737 (New): traffic-graphs.js shows incorrect units inside the chart
https://redmine.pfsense.org/issues/9737 | 2019-09-09T06:35:19Z | Alex Kolesnik (pfsenseorg3@temp.spb.ru)
<p><a class="external" href="https://github.com/pfsense/pfsense/blob/42839d824d51cad3a8a55fccb2dc96368568ce8e/src/usr/local/www/js/traffic-graphs.js#L204">https://github.com/pfsense/pfsense/blob/42839d824d51cad3a8a55fccb2dc96368568ce8e/src/usr/local/www/js/traffic-graphs.js#L204</a></p>
<p>That condition doesn't work (at least) in Chrome - window.size returns a string literal instead of a number.</p>

pfSense - Feature #9226 (New): zfs GUI functionality - alerts
https://redmine.pfsense.org/issues/9226 | 2018-12-27T03:28:32Z | gavin penney
<p><strong>Some</strong> way of seeing the status in the GUI, and most importantly, <strong>alerts</strong> for degraded.<br />It looks like the dashboard already detects and displays zfs filesystem usage. A line that just shows "online" or "degraded" would be awesome. Essentially: zpool status -x</p>
<p>I'm using mailreport + zpool status -v to send myself an email and then my damn mailbox filters to archive the ones with no error. This is horrid, and mailreport can only do daily, not when a failure occurs.<br />geom detects errors but geom remirrors my disks <strong>constantly</strong>, generating hundreds of alerts in the process.</p>
<p>As nice as it would be to have attach/detach/scrub, snapshots and boot environments in the GUI, status/alerts are far more important.</p>
<p>If I had the vaguest clue how to actually do so, I'd happily try making a package to add a page like the one for geom, but I don't even know where to start.</p>
<p>I have email alerts set up, but I can't figure out a way to actually use the thing to send outputs from custom scripts, which is crippling to trying to make a cron job to do monitoring.</p>

pfSense - Bug #8611 (In Progress): unable to receive IPv6 RA's on SG-1000, default route lost
https://redmine.pfsense.org/issues/8611 | 2018-06-30T16:44:03Z | Anthony Roberts
<p>expected behavior:</p>
<ul>
<li>IPv6 default route is stable indefinitely</li>
</ul>
<p>actual behavior:</p>
<ul>
<li>IPv6 default route is lost a few minutes after release/renew</li>
<li>WAN interface still has IPv6 address</li>
<li>LAN interface still has /64</li>
<li>pfsense router has no default route, so it is impossible to route IPv6 traffic</li>
</ul>
<p>configuration:</p>
<ul>
<li>residential comcast connection</li>
<li>SG-1000 running 2.4.3-RELEASE-1 (arm)</li>
<li>WAN interface (cpsw0) configured for DHCPv4, DHCPv6-PD</li>
<li>LAN interface (cpsw1) configured to track WAN for PD</li>
</ul>
<p>investigation:</p>
<ul>
<li>attempted to run tcpdump on WAN interface</li>
<li>tcpdump shows RAs received from ISP<br /><pre>
21:04:22.040097 00:01:5c:7a:d0:46 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 198: fe80::201:5cff:fe7a:d046 > ff02::1: ICMP6, router advertisement, length 144
</pre></li>
<li>RA dest IPv6 multicast address appears to be correct, MAC address appears to be correct for IPv6 multicast</li>
<li>when running tcpdump, IPv6 default route is re-added to pfsense routing table</li>
</ul>
<p>hypothesis:</p>
<ul>
<li>tcpdump places the cpsw0 interface in promiscuous mode, and when in promiscuous mode, RA's are received</li>
<li>when cpsw0 not in promiscuous mode, RA's are not received</li>
<li>works temporarily on release/renew possibly because IPv4 DHCP client places interface in promiscuous mode temporarily when acquiring lease</li>
</ul>
<p>experiment 1:</p>
<ul>
<li>"ifconfig cpsw0 promisc" </li>
<li>result: IPv6 default route is stable over several days</li>
</ul>
<p>experiment 2:</p>
<ul>
<li>"ifconfig cpsw0 -promisc; tcpdump -pni cpsw0" </li>
<li>-p flag prevents tcpdump from placing interface in promiscuous mode</li>
<li>result: ISP RAs are not seen</li>
</ul>
<p>workaround:</p>
<ul>
<li>use shellcmd pkg to run "ifconfig cpsw0 promisc" on startup</li>
</ul>

pfSense - Bug #8419 (New): webgui, when menubar is fixed to the top of the screen, the last items...
https://redmine.pfsense.org/issues/8419 | 2018-04-02T17:36:14Z | Pi Ba
<p>webgui, when menubar is fixed to the top of the screen, the last items of long menus cannot be seen/used.</p>
<p>fix: <a class="external" href="https://github.com/pfsense/pfsense/pull/3930">https://github.com/pfsense/pfsense/pull/3930</a></p>

pfSense - Feature #8168 (New): strongswan dhcp option
https://redmine.pfsense.org/issues/8168 | 2017-12-05T15:17:08Z | Lars Pedersen (thacaleb@gmail.com)
<p>Would be nice to have the dhcp plugin for strongswan in pfsense. This feature could be useful for a simple way to assign IP's using a dhcp server for IPSec mobile clients.</p>
<p>It needs to be configured as a compile option</p>
<p><a class="external" href="https://wiki.strongswan.org/projects/strongswan/wiki/Dhcpplugin">https://wiki.strongswan.org/projects/strongswan/wiki/Dhcpplugin</a></p>
<p>Afterwards a GUI option in strongswan.conf needs to be created to use a DHCP broadcast or a specific IP address.</p>

pfSense - Bug #6026 (New): webinterface, firewall rules, wrapping of columns or visible (horizont...
https://redmine.pfsense.org/issues/6026 | 2016-03-24T16:39:33Z | Pi Ba
<p>With some rulesets the 'action buttons' don't show on the screen, so one first needs to scroll down, then right, then back up again to delete or move rules using the anchors, which isn't convenient when the ruleset is several screens long.</p>
<p>Screenshot attached shows this happening on even the widest possible screen/layout..</p>
<p>The screenshot is made of specific test rules, but I first noticed it in a production system where it also happens that the action buttons are outside the visible area, and the horizontal scroll-bar is at the bottom of the ruleset.</p>

pfSense - Bug #5791 (Confirmed): tftp-proxy functionality is easily broken by unrelated rules
https://redmine.pfsense.org/issues/5791 | 2016-01-21T17:30:55Z | Ted Lum (pfsense.org@tedworld.com)
<p>The anchors on which the tftp-proxy depends are inserted at the end of the filter chain. Any conflicting rule entered in the chain prior to it - currently every rule is prior to it - will effectively disable tftp-proxy on that interface. A conflicting rule is one which matches the traffic which MUST reach tftp-proxy. For example, a final block-all rule which is also used as a block logging mechanism will disable the tftp-proxy, even though it would appear to be unrelated on the surface. Other rules which inadvertently match server responses will do the same thing.</p>
<p>See this post for more background: <a class="external" href="https://forum.pfsense.org/index.php?topic=48891.0">https://forum.pfsense.org/index.php?topic=48891.0</a></p>
<p>I would suggest a change to make the tftp-proxy less brittle in conjunction with user rules. Ultimately it would be great if the tftp-proxy anchor appeared in the list of rules, even if just as a grayed out placeholder, so that other rules could be arranged ahead of or behind it, and so that its presence could be clearly observed.</p>
<p>In its current state it's impossible to know where it sits in the current order without a technical deep-dive, which leads to so many user problems thanks to its non-obvious behavior and interactions; thus it would be a vast improvement to be able to visualize it within the same context as the rules which can easily break it. This might be easier than leaving it invisible and trying to devise program logic to deconflict every possible rule permutation. The user could see the anchor and would be responsible for manually deconflicting their rule chain... plus, I like the idea of not having invisible things lurking on my interfaces.</p>

pfSense - Bug #5306 (New): textarea fields should have linebreaks sanitized automatically on save
https://redmine.pfsense.org/issues/5306 | 2015-10-14T04:13:34Z | Kill Bill
<p>To avoid nonsense like this: <a class="external" href="https://github.com/doktornotor/pfsense-packages/blob/patch-2/config/squid3/34/squid.inc#L85">https://github.com/doktornotor/pfsense-packages/blob/patch-2/config/squid3/34/squid.inc#L85</a></p>

pfSense - Feature #2593 (New): sync NTPD, SNMP config between HA members
https://redmine.pfsense.org/issues/2593 | 2012-08-14T21:33:52Z | Adam Thompson (athompso@athompso.net)
<p>Since it's a part of the base system, it seems reasonable to add Services->NTP and Services->SNMP config syncing to the list of things that are sync'able.</p>