pfSense bugtracker: Issueshttps://redmine.pfsense.org/https://redmine.pfsense.org/favicon.ico?16780521162024-03-10T23:09:39ZpfSense bugtracker
Redmine pfSense - Bug #15328 (New): Kea DHCP corrupts existing leases when a new DHCP pool is addedhttps://redmine.pfsense.org/issues/153282024-03-10T23:09:39ZTom Lane
<p>I set up a couple of DHCP pools for VLANs on a new Netgate 4200 (running pfsense+ 23.09.1), which is replacing an EdgeRouter-X that had been serving DHCP to the same clients. That went fine, and I watched several of the existing VLAN clients re-acquire their existing addresses from the new server. Then I added another DHCP pool attached directly to the PORT2LAN interface. That completely confused matters for existing leases: the server actively rejected attempts to renew those leases and gave out addresses of its own choosing. Now I am seeing two different entries in the DHCP Leases status page for the same MAC address, which surely should not happen. Digging in the DHCP log entries, it looks like when the server was restarted because of the pool addition, all the lease reloads failed with complaints like</p>
<p><code>Mar 10 16:09:18 kea-dhcp4 39285 WARN [kea-dhcp4.dhcpsrv.0x401b3c12000] DHCPSRV_LEASE_SANITY_FAIL The lease 10.0.20.41 with subnet-id 2 failed subnet-id checks (the lease should have subnet-id 3).<br /></code><br />10.0.20.41 is still shown (though as "down") in the Leases page, but there's also an entry for that client with its forcibly-assigned new IP address.</p>
<p>This isn't a fatal problem, assuming that the server manages to keep re-issuing these newly-chosen addresses, but it's mildly annoying. I'm not sure if there will be any outright conflicts as the remaining clients try to renew their leases.</p> pfSense Plus - Feature #15280 (New): Boot Environments 2.0https://redmine.pfsense.org/issues/152802024-02-21T19:59:52ZChristian McDonaldcmcdonald@netgate.com
<p>Changes:</p>
<ul>
<li>Configuration History is now a separate page and is no longer part of Backup & Restore.</li>
<li>Configuration History is now aware of Boot Environments. Supports downloading, deleting and restoring across boot environment boundaries.</li>
<li>System updates are now installed in an offline clone of the running system and booted "temporarily" to facilitate automatic fallback to previous working environment.</li>
<li>Boot Verification is performed when booting temporary Boot Environments. System will automatically reboot into prior boot environment upon boot failure.</li>
</ul>
<p><img src="https://redmine.pfsense.org/attachments/download/5936/clipboard-202402211456-bdjnl.png" alt="" /><br /><img src="https://redmine.pfsense.org/attachments/download/5937/clipboard-202402211457-fegcy.png" alt="" /><br /><img src="https://redmine.pfsense.org/attachments/download/5938/clipboard-202402211457-rbjkq.png" alt="" /><br /><img src="https://redmine.pfsense.org/attachments/download/5939/clipboard-202402211457-fcvqv.png" alt="" /><br /><img src="https://redmine.pfsense.org/attachments/download/5940/clipboard-202402211458-ydyne.png" alt="" /></p> pfSense Packages - Feature #15177 (New): Add an option to choose an interface that the Tailscale ...https://redmine.pfsense.org/issues/151772024-01-20T15:30:19ZDanilo Zrenjanin
<p>Currently, it is not possible to specify the interface that the Tailscale service will use to connect to the Login Server. In a situation where there are multiple WANs, and you want to make changes on the primary WAN, doing so will disconnect you from the VPN.</p> pfSense Packages - Bug #15172 (New): Tailscale interface goes down without reasonhttps://redmine.pfsense.org/issues/151722024-01-18T01:47:04ZCarlos Montalvo J.
<p>Tailscale on pfSense 2.7.2-RELEASE (tailscale package v0.1.4 [tailscale-1.54.0])</p>
<p>On a VM (Proxmox v8.x (lastest with OpenVSwitch)) VMXNET interfaces.<br />Service Watchdog should restart the VPN, but it doesn't... (Does not look at the interface status)<br /><img src="https://redmine.pfsense.org/attachments/download/5855/clipboard-202401172043-aqnjt.png" title="Kernel logs" alt="Kernel logs" /><br /><img src="https://redmine.pfsense.org/attachments/download/5857/clipboard-202401172044-hk5yq.png" title="Service watchdog config" alt="Service watchdog config" /></p> pfSense Packages - Bug #15100 (New): Tailscale IPv6 Exit Node uses first LAN interface when WAN i...https://redmine.pfsense.org/issues/151002023-12-17T03:04:21ZKris Phillips
<p>When Tailscale on pfSense Plus is being used as an exit node for IPv6 connectivity and the WAN interface is set to "Only request an IPv6 prefix, do not request an IPv6 address", it will use the first sequential LAN interface's IPv6 address for outbound connectivity instead. We should probably add an option to Tailscale to select which interface for WAN connectivity is used for the NAT address for IPv4 and IPv6 for outbound connectivity, because this resulted in my internal, secure work VLAN address being used when I had routing policies in Tailscale to only allow access to my home VLAN instead (due to the fact that the work VLAN was the first sequential LAN). Not being able to choose the interface that is used for NAT on the exit node could lead to certain situations where access to resources that shouldn't be is possible under certain circumstances.</p> pfSense - Bug #15098 (New): Wireguard crashes on boot if PPPoE is the default gatewayhttps://redmine.pfsense.org/issues/150982023-12-15T20:06:02ZOskar Stroka
<p>This only seems to happen after a fresh boot, and only if any PPPoE connection is the default gateway. <br />Even the service watchdog can't bring wireguard back up. <br />The workaround is to go to "Status" - "Interfaces", disconnect the PPPoE line and enable it again. <br />After that wireguard will start without a problem.<br />I've only noticed this issue after moving to newer / better hardware.</p> pfSense - Bug #15084 (New): Upgrading an EFI system installed to ZFS mirror does not upgrade EFI ...https://redmine.pfsense.org/issues/150842023-12-11T16:56:18ZJim Pingle
<p>When an EFI system installed to a ZFS mirror is upgraded, the EFI loader is only updated on the first disk of the mirror (<code>/dev/gpt/efiboot0</code>).</p>
<p>If the system has EFI filesystems on the additional disks, they are not touched during upgrade.</p>
<p>Can be worked around by manually mounting the additional EFI partitions and copying the files.</p>
<p>For example, to update the loader on the second disk:</p>
<pre><code class="shell syntaxhl"><span class="c"># mount -t msdosfs /dev/gpt/efiboot1 /mnt/</span>
<span class="c"># cp -R /boot/efi/ /mnt</span>
<span class="c"># umount /mnt</span>
</code></pre>
<p>Note that systems may or may not actually have a proper EFI filesystem on the additional disks. See <a class="issue tracker-1 status-1 priority-5 priority-high4" title="Bug: Installing to ZFS mirror does not format or populate EFI partition on additional disks (New)" href="https://redmine.pfsense.org/issues/15083">#15083</a></p>
<p>Marked as Plus 24.03/CE 2.8.0 but if it can be fixed in the pfSense-boot package the fix could be picked back to 23.09.1/2.7.2.</p> pfSense - Bug #15082 (New): Upgrade fails due to unmounted EFI filesystemhttps://redmine.pfsense.org/issues/150822023-12-11T14:10:15ZJim Pingle
<p>This may be related to <a class="issue tracker-1 status-1 priority-4 priority-default" title="Bug: Upgrade fails due to undersized EFI filesystem (New)" href="https://redmine.pfsense.org/issues/15081">#15081</a> but it's not definite.</p>
<p>Some upgrades have failed in pfSense-boot if the EFI partition is not manually mounted first.</p>
<p>There are several reports of this where simply manually mounting the EFI partition before starting the upgrade allows it to complete. See <a class="external" href="https://www.reddit.com/r/PFSENSE/comments/18d887u/netgate_releases_pfsense_plus_software_version/kcjcktm/">https://www.reddit.com/r/PFSENSE/comments/18d887u/netgate_releases_pfsense_plus_software_version/kcjcktm/</a> for example.</p>
<p>Marked as Plus 24.03/CE 2.8.0 but if it can be fixed in the pfSense-boot package the fix could be picked back to 23.09.1/2.7.2.</p> pfSense - Bug #15081 (New): Upgrade fails due to undersized EFI filesystemhttps://redmine.pfsense.org/issues/150812023-12-11T14:01:54ZJim Pingle
<p>Some installations as recent as Plus 22.01 / CE 2.6.0 have EFI partitions that were created and/or populated by the old EFIFAT image method. This means that while the EFI <em>partition</em> is 200M, the EFI <em>filesystem</em> is only around 700KB. As a result, these installations are unable to upgrade to recent versions successfully as the loader cannot be updated.</p>
<p>This can be worked around by reformatting the EFI partition directly and copying the appropriate files back into place, as described in this forum post: <a class="external" href="https://forum.netgate.com/post/1140955">https://forum.netgate.com/post/1140955</a></p>
<pre><code class="shell syntaxhl"><span class="c"># mkdir -p /boot/efi</span>
<span class="c"># mount_msdosfs /dev/msdosfs/EFISYS /boot/efi</span>
<span class="c"># mkdir -p /tmp/efitmp</span>
<span class="c"># cp -Rp /boot/efi/* /tmp/efitmp</span>
<span class="c"># umount /boot/efi</span>
<span class="c"># newfs_msdos -F 32 -c 1 -L EFISYS /dev/msdosfs/EFISYS</span>
<span class="c"># mount_msdosfs /dev/msdosfs/EFISYS /boot/efi</span>
<span class="c"># cp -Rp /tmp/efitmp/* /boot/efi/</span>
</code></pre>
<p>There are some potential complications there. For example, the EFI filesystem may not be labeled that way, it could be <code>/dev/gpt/EFISYS</code> or it may have no label at all.</p>
<p>Marked as Plus 24.03/CE 2.8.0 but if it can be fixed in the pfSense-boot package the fix could be picked back to 23.09.1/2.7.2.</p> pfSense Plus - Feature #15022 (New): Package install/reinstall feature request.https://redmine.pfsense.org/issues/150222023-11-22T01:23:31ZJonathan Lee
<p>Hello fellow Redmine community members. I have noticed time and time again I have the ability to scroll during package installs to see the what package dependencies are installing and to check version numbers but I can't get it to stay still for longer than a split second before it auto scrolls back to the bottom. Can we make this stay where users are when the scroll and remove the auto scroll function?</p>
<p>We currently have no way to see the dependency information after it scrolls past because auto scroll takes us back to the bottom again.</p>
<p>See attached photo, I wanted to check what dependency versions were installed, Everytime you scroll it defaults to bottom again.</p> pfSense - Bug #14983 (New): Upgrade can fail when unexpected EFI partitions are present.https://redmine.pfsense.org/issues/149832023-11-14T15:49:22ZSteve Wheeler
<p>pfSense-upgrade can fail when the pfSense-boot post install script tries to update the bot loader if the first EFI partition is not on the boot drive.</p>
<p>For example if the main boot drive is not installed as UEFI and the installation media is still present. The script tries and fails to update the wrong drive aborting the upgrade:</p>
<pre>
Number of packages to be reinstalled: 1
[1/1] Reinstalling pfSense-boot-23.09...
[1/1] Extracting pfSense-boot-23.09: .......... done
mount_msdosfs: /dev/msdosfs/EFISYS: Read-only file system
pkg-static: POST-INSTALL script failed
failed.
__RC=1 __REBOOT_AFTER=10
</pre> pfSense Packages - Feature #14863 (New): WireGuard suppport for aliaseshttps://redmine.pfsense.org/issues/148632023-10-11T07:53:52ZBob Dig
<p>Allow to use aliases in "Allowed IPs" in the WireGuard Peer config. That would match with the general ability to use aliases for static routes in pfSense, see <a class="external" href="https://forum.netgate.com/topic/183339/feature-request-support-for-aliases">https://forum.netgate.com/topic/183339/feature-request-support-for-aliases</a>.</p> pfSense - Bug #14613 (New): Incorrect wireguard control panel status managementhttps://redmine.pfsense.org/issues/146132023-07-26T14:59:29Zhao zhang
<p><img src="https://redmine.pfsense.org/attachments/download/5201/clipboard-202307262256-rlh8k.png" alt="" /><br />Wireguard can still be clicked on to start while in the boot state and is unresponsive when clicked on, making wireguard uncontrollable.<br />pfsense2.7<br />pfSense-pkg-WireGuard 0.2.0_2</p> pfSense - Todo #10199 (New): Improve Spanish translation interfacehttps://redmine.pfsense.org/issues/101992020-01-22T09:20:34ZAluisco Miguel Ricardo MastrapapfSense - Feature #9293 (New): Provide WebUI message (banner) prior to loginhttps://redmine.pfsense.org/issues/92932019-01-29T06:18:56ZRyan Haraschak
<p>While trying to deploy in govt environments, they have security guidelines (STIGs) we're required to follow. Some, as trivial as they seem, include displaying banners before logging in. I've been able to modify the html\php to meet this requirement, however, as expected, the changes are lost after an update.</p>
<p>Would it be possible to add a text entry field on the general settings page that provides a persistent webui login banner?</p>
<p>Here's an example from the <a href="https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2018-03-01/finding/V-38593" class="external">DoD RHEL STIGs</a>:</p>
<pre>
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
</pre>