<p><strong>pfSense bugtracker: Issues</strong><br /><a class="external" href="https://redmine.pfsense.org/">https://redmine.pfsense.org/</a><br />Updated 2024-03-28T15:30:27Z</p>
<p><strong>pfSense Plus - Feature #15368 (New): Bulk import DHCP host reservations</strong><br /><a class="external" href="https://redmine.pfsense.org/issues/15368">https://redmine.pfsense.org/issues/15368</a><br />2024-03-28T15:30:27Z, Chris W</p>
<p>It'd be a huge time saver to import from a CSV or XML file into Kea, or even just pasting into a text field like Firewall > Alias > Bulk Import currently does.</p>
<p><strong>pfSense - Feature #15367 (New): pfSense throughput would probably seriously benefit from jumbo fr...</strong><br /><a class="external" href="https://redmine.pfsense.org/issues/15367">https://redmine.pfsense.org/issues/15367</a><br />2024-03-28T14:41:25Z, Louis B</p>
<p>pfSense throughput would probably seriously benefit from jumbo frames. Please support that!</p>
<p>I described this in more detail in my thread <em>Is pfSense handling jumbo frames correct!?</em></p>
<p>I assume pfSense could greatly benefit from bigger packages, especially in case of link speeds above 1G, since even the slightest package delay is strongly limiting the throughput. Assuming that the package delay is <em>independent</em> of package size, the overall delay of using jumbo frames for file transfer would probably be something like a factor of 5.<br />So I did start changing my NAS systems and some network settings to test that. And of course pfSense should support it as well. And there is the problem. In the actual GUI, I can reduce the MTU size (default 1500), but I cannot raise the size, not above the size of the physical interface.</p>
<p>And there is the problem: there is no way to change the MTU size of interfaces used by VLANs or LAGGs.</p>
<p><strong>pfSense - Bug #15366 (New): Ethernet rules are not blocking the ARP inside the bridge</strong><br /><a class="external" href="https://redmine.pfsense.org/issues/15366">https://redmine.pfsense.org/issues/15366</a><br />2024-03-28T09:25:13Z, Lev Prokofev</p>
<p>Configuration:</p>
<p>1) IX2 and DMZ interfaces are bridged (192.168.168.0/24)<br />2) Filtering enabled on members of the bridge:<br /><code>net.link.bridge.pfil_member=1</code><br /><code>net.link.bridge.pfil_bridge=0</code><br />3) The Ethernet rules are set to not pass ARP from any to any on the members of the bridge.<br /><img src="https://redmine.pfsense.org/attachments/download/5988/clipboard-202403281317-ukct1.png" alt="" /><br />Result:</p>
<p>PC1 (192.168.168.12) requested the ARP for PC2 (192.168.168.10) and received the reply, but didn't receive an ARP reply from the gateway, so the rules cut traffic from the interface of pfSense but not inside the bridge broadcast.</p>
<p><img src="https://redmine.pfsense.org/attachments/download/5989/clipboard-202403281323-c06p2.png" alt="" /></p>
<p>Tested on:</p>
<pre>
23.09.1-RELEASE (amd64)
built on Wed Dec 20 21:27:00 MSK 2023
FreeBSD 14.0-CURRENT
</pre>
<p><strong>pfSense - Bug #15362 (New): Config upgrade error with empty gateway interval tags.</strong><br /><a class="external" href="https://redmine.pfsense.org/issues/15362">https://redmine.pfsense.org/issues/15362</a><br />2024-03-26T19:12:31Z, Steve Wheeler</p>
<p>Upgrading an old config that has set but empty gateway interval tags throws a PHP error.<br />For example a config containing:</p>
<pre>
<gateway_item>
<interface>wan</interface>
<gateway>1.2.3.4</gateway>
<name>wan_gateway</name>
<weight/>
<interval/>
<descr><![CDATA[gw1]]></descr>
<defaultgw/>
</gateway_item>
</pre>
<p>Will hit:</p>
<pre>
Fatal error: Uncaught TypeError: Unsupported operand types: string * int in /etc/inc/upgrade_config.inc:4169
Stack trace:
#0 /etc/inc/config.lib.inc(519): upgrade_130_to_131()
#1 /etc/rc.bootup(140): convert_config()
#2 {main}
thrown in /etc/inc/upgrade_config.inc on line 4169
PHP ERROR: Type: 1, File: /etc/inc/upgrade_config.inc, Line: 4169, Message: Uncaught TypeError: Unsupported operand types: string * int in /etc/inc/upgrade_config.inc:4169
Stack trace:
#0 /etc/inc/config.lib.inc(519): upgrade_130_to_131()
#1 /etc/rc.bootup(140): convert_config()
#2 {main}
</pre>
<p><strong>pfSense Plus - Bug #15361 (New): Error in virtual IP aliases when using IPv6 "network" / "broadca...</strong><br /><a class="external" href="https://redmine.pfsense.org/issues/15361">https://redmine.pfsense.org/issues/15361</a><br />2024-03-25T09:20:00Z, Mathis Cavalli</p>
<p>There is no network address in IPv6, nor broadcasts like in IPv4.<br />When adding / editing an IP alias and putting there an address like fd00::/64, it shows the following error: "The network address cannot be used for this VIP".<br />It happened on my pfSense+ box but it seems CE 2.7.2 is also affected.</p>
<p><strong>pfSense Plus - Bug #15303 (New): dpinger service does not always switch from Pending to Online</strong><br /><a class="external" href="https://redmine.pfsense.org/issues/15303">https://redmine.pfsense.org/issues/15303</a><br />2024-03-02T17:07:07Z, Kris Phillips</p>
<p>There are several situations where dpinger will not detect a gateway that is available when it should, forcing a restart of the dpinger service to "trigger" it to recheck.</p>
<p>Known situations, but there may be more:</p>
<p>1. Adding a new VTI tunnel as an interface<br />2. A release/renew of an IPv6 gateway (IPv4 gateway will show up, but IPv6 will not until a dpinger restart)<br />3. Adding an OpenVPN client/server as an interface</p>
<p>Related documentation redmine: <a class="external" href="https://redmine.pfsense.org/issues/15230">https://redmine.pfsense.org/issues/15230</a></p>
<p><strong>pfSense - Bug #15291 (New): Error on Traffic Shaper 0% Bandwidth</strong><br /><a class="external" href="https://redmine.pfsense.org/issues/15291">https://redmine.pfsense.org/issues/15291</a><br />2024-02-26T09:35:21Z, Pavan K</p>
<p>Link to post on pfSense Forum: <br /><a class="external" href="https://forum.netgate.com/topic/186137/error-on-traffic-shaper-0-bandwidth?_=1708915183963">https://forum.netgate.com/topic/186137/error-on-traffic-shaper-0-bandwidth?_=1708915183963</a></p>
<p>Backstory:<br />Recently we migrated from pfSense 2.4.x to 2.7.2, which was a direct update. Everything worked fine except the traffic shaping feature.</p>
<p>Following is the error:<br />There were error(s) loading the rules: pfctl: the sum of the child<br />bandwidth (1200000000) higher than parent "root_igc4" (1000000000) -<br />The line in question reads [0]: @ 2024-01-31 16:45:05</p>
<p>Following is our configuration:<br />Name → FAIRQ_7<br />Priority→ 7<br />Scheduler Option → Random Early detection in and out<br />Bandwidth → None</p>
<p>Add new Queue(Default)<br />Enable<br />Name → qFAIRQ_2(Default)<br />Priority→ 2<br />Scheduler Option → Default<br />Bandwidth → None</p>
<p>Add new Queue(ACK)<br />Enable<br />Name → qACK_6<br />Priority→ 6<br />Scheduler Option → Random Early detection in and out<br />Bandwidth → None</p>
<p>According to the configuration, the bandwidth on Queue(ACK) should be 0%, which was migrated from 2.4.x, but on 2.7.2 it's not letting us save 0% bandwidth for some reason.</p>
<p>And due to this, new rules which are created are not taking effect; only after we disable and enable the Traffic Shaper completely does the rule take effect.</p>
<p><strong>pfSense - Bug #15116 (New): Kea not working with UEFI HTTPBoot URL configured</strong><br /><a class="external" href="https://redmine.pfsense.org/issues/15116">https://redmine.pfsense.org/issues/15116</a><br />2023-12-26T19:06:26Z, Jason Montleon</p>
<p>I have configured and successfully use http boot to occasionally boot libvirt vms by checking off `Enable Network Booting` and entering a URL in the `UEFI HTTPBoot URL` field.</p>
<p>Seeing the banner message that ISC DHCP is deprecated I navigated to `System / Advanced / Networking` and switched to Kea DHCP. But when I do this I am no longer able to successfully use UEFI HTTPBoot.</p>
<p>Switching back and forth between ISC DHCP and Kea DHCP is all I need to do to fix and break the functionality again.</p>
<p>Looking at kea-dhcp4.conf there is nothing that stands out to me as obviously wrong, but clients never access the http server I have configured.</p>
<p><strong>pfSense Plus - Bug #14894 (New): Password protected console login prompt does not render properly...</strong><br /><a class="external" href="https://redmine.pfsense.org/issues/14894">https://redmine.pfsense.org/issues/14894</a><br />2023-10-18T19:47:24Z, Jim Pingle</p>
<p>After resolving other console issues with the 4100/6100/8200 in <a class="issue tracker-1 status-3 priority-4 priority-default closed" title="Bug: Serial console output fails to render properly in certain cases on 4100, 6100, and 8200. (Resolved)" href="https://redmine.pfsense.org/issues/13455">#13455</a> a problem remains with the login prompt.</p>
<p>It is not printing a newline before the FreeBSD version string nor is it printing a newline before the password prompt:</p>
<pre>
[...])FreeBSD/amd64 (pfsense.home.arpa) (ttyu0)
login: rootPassword:
Netgate 4100 [...]
</pre>
<p>It should look like this:</p>
<pre>
FreeBSD/amd64 (pfsense.home.arpa) (ttyu0)
login: root
Password:
Netgate 4100 [...]
</pre>
<p>Changing the console type doesn't have any effect, nor does changing various aspects of the TTY (e.g. setting it to <code>xterm</code> or <code>cons25w</code> instead of <code>vt100</code>, or using <code>std</code> instead of <code>3wire</code>).</p>
<p><strong>pfSense - Bug #14371 (New): Firewall does not respond to UDP traceroute requests over IPsec</strong><br /><a class="external" href="https://redmine.pfsense.org/issues/14371">https://redmine.pfsense.org/issues/14371</a><br />2023-05-10T22:08:35Z, Marcos M</p>
<p>Tested on <code>23.01</code>.</p>
<p>pfSense itself does not respond to UDP traceroutes when it receives the request over IPsec (both policy/routed tunnels tested, as well as with pf disabled).</p>
<p>In the following example, traceroute is run from a LAN client behind siteA to the LAN interface address of siteB.</p>
<pre>
### siteA client
[22.01-DEVELOPMENT][root@sitea-lanhost.lab.arpa]/root: traceroute -n -I 192.168.1.1
traceroute to 192.168.1.1 (192.168.1.1), 64 hops max, 48 byte packets
1 172.19.1.1 0.337 ms 0.106 ms 0.174 ms
2 192.168.1.1 0.684 ms 0.607 ms 0.531 ms
[22.01-DEVELOPMENT][root@sitea-lanhost.lab.arpa]/root: traceroute -n 192.168.1.1
traceroute to 192.168.1.1 (192.168.1.1), 64 hops max, 40 byte packets
1 172.19.1.1 0.283 ms 0.185 ms 0.189 ms
2 * * *
3 * *^C
### siteB firewall
[23.01-RELEASE][root@siteb-fw1.lab.arpa]/root: ifconfig vmx1
vmx1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: LAN
options=4e000bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
ether 00:50:56:b2:00:fe
inet6 fe80::250:56ff:feb2:fe%vmx1 prefixlen 64 scopeid 0x2
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
media: Ethernet autoselect
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
[23.01-RELEASE][root@siteb-fw1.lab.arpa]/root: tcpdump -ni enc0 'host 172.19.1.4'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 262144 bytes
19:01:30.681093 (authentic,confidential): SPI 0xca57b541: IP 172.19.1.4 > 192.168.1.1: ICMP echo request, id 32776, seq 4, length 28
19:01:30.681173 (authentic,confidential): SPI 0xcaa92d26: IP 192.168.1.1 > 172.19.1.4: ICMP echo reply, id 32776, seq 4, length 28
19:01:30.681567 (authentic,confidential): SPI 0xca57b541: IP 172.19.1.4 > 192.168.1.1: ICMP echo request, id 32776, seq 5, length 28
19:01:30.681586 (authentic,confidential): SPI 0xcaa92d26: IP 192.168.1.1 > 172.19.1.4: ICMP echo reply, id 32776, seq 5, length 28
19:01:30.682120 (authentic,confidential): SPI 0xca57b541: IP 172.19.1.4 > 192.168.1.1: ICMP echo request, id 32776, seq 6, length 28
19:01:30.682142 (authentic,confidential): SPI 0xcaa92d26: IP 192.168.1.1 > 172.19.1.4: ICMP echo reply, id 32776, seq 6, length 28
19:01:34.226850 (authentic,confidential): SPI 0xca57b541: IP 172.19.1.4.32816 > 192.168.1.1.33438: UDP, length 12
19:01:39.310089 (authentic,confidential): SPI 0xca57b541: IP 172.19.1.4.32816 > 192.168.1.1.33439: UDP, length 12
19:01:44.388844 (authentic,confidential): SPI 0xca57b541: IP 172.19.1.4.32816 > 192.168.1.1.33440: UDP, length 12
^C
9 packets captured
242 packets received by filter
0 packets dropped by kernel
</pre>
<p>Traceroutes to other clients on the siteB LAN work fine.</p>
<p><strong>pfSense Plus - Feature #14297 (New): Add Option for Vendor Class ID in DHCP Client</strong><br /><a class="external" href="https://redmine.pfsense.org/issues/14297">https://redmine.pfsense.org/issues/14297</a><br />2023-04-21T15:07:26Z, Kris Phillips</p>
<p>Some ISPs require a Vendor Class ID be sent (option 60) when requesting DHCP. This can currently be accomplished in pfSense with vendor-class-identifier manually added to a dhcp config file, but adding this as a field would be helpful.</p>
<p><strong>pfSense Packages - Regression #14189 (New): pfBlocker-NG: HA-Sync is not working</strong><br /><a class="external" href="https://redmine.pfsense.org/issues/14189">https://redmine.pfsense.org/issues/14189</a><br />2023-03-27T17:31:50Z, name name</p>
<p>I'm not the only one with this problem.</p>
<p>See <a class="external" href="https://forum.netgate.com/topic/179060/pfblockerng-sync-not-working">https://forum.netgate.com/topic/179060/pfblockerng-sync-not-working</a> .</p>
<p>This is causing serious issues, as I made changes to the pfBlockerNG configuration after upgrading to pfSense+ 23.01 and now the firewall rules are synchronized, but not the tables generated by pfBlockerNG, leading to firewall errors on the backup pfSense installation.</p>
<p>Please create a System -> Patches patch to fix this as soon as possible.</p>
<p><strong>pfSense Packages - Feature #14032 (New): Neighbor Discovery Proxy (NDproxy)</strong><br /><a class="external" href="https://redmine.pfsense.org/issues/14032">https://redmine.pfsense.org/issues/14032</a><br />2023-02-25T06:51:05Z, Yuki Hiramatsu</p>
<p>ISPs around the world are making effective use of IPv6.<br />DHCPv6-PD and others are already supported, but pfSense has no documentation on ndproxy.</p>
<p>The ndproxy package exists in FreeBSD.<br />We strongly prefer that the ndproxy package be integrated into the pfSense Plus package rather than having to manually install it in pfSense Plus!</p>
<p><strong>pfSense Packages - Bug #13654 (New): Wireguard does not fail back failover WAN setup.</strong><br /><a class="external" href="https://redmine.pfsense.org/issues/13654">https://redmine.pfsense.org/issues/13654</a><br />2022-11-12T06:05:53Z, Frode Martin</p>
<p>I have this main WAN connection that is quite unstable, so I set up a 4G router on the OPT port of a Netgate 1100. This port is configured as tier 2, and is only used if the main WAN connection is down. This works great for ordinary traffic, but not for WireGuard. WireGuard fails over to the OPT port OK when the WAN connection goes down, but not back when the WAN connection is up again. I have to disable and then enable the OPT port to manually change the interface for WireGuard.</p>
<p>WireGuard version is 0.1.6_2.</p>
<p><strong>pfSense - Bug #13624 (New): Only one alias in local network of OpenVPN Server works in 2.6.0</strong><br /><a class="external" href="https://redmine.pfsense.org/issues/13624">https://redmine.pfsense.org/issues/13624</a><br />2022-11-02T11:55:36Z, Florian Bat</p>
<p>Issue <a class="issue tracker-2 status-3 priority-4 priority-default closed" title="Feature: Support aliases in OpenVPN local/remote/tunnel network fields (Resolved)" href="https://redmine.pfsense.org/issues/2668">#2668</a> implemented the possibility to have host/network aliases in the OpenVPN local/remote/tunnel network fields.</p>
<p>When using host aliases in the local network field, it seems only the hosts of the very first alias are pushed to the client as local network. All other aliases seem to be ignored.</p>
<p><strong>Example:</strong><br />Let's say I have 3 host alias lists (named alias1, alias2 and alias3) with 2 hosts defined in each alias.</p>
<p>Using this as "local network" in the OpenVPN Server definition only pushes the ips of the <strong>alias1</strong> list.</p>
<pre><code class="html syntaxhl">alias1, alias2, alias3
</code></pre>
<p>This only pushes the hosts of <strong>alias2</strong>:</p>
<pre><code class="html syntaxhl">alias2, alias3, alias1
</code></pre>
<p>And this would push the two hosts of <strong>alias1</strong> plus the <strong>192.168.1.0/24</strong> and <strong>192.168.2.0/24</strong> networks as local networks.</p>
<pre><code class="html syntaxhl">alias1, alias2, 192.168.1.0/24, alias3, 192.168.2.0/24
</code></pre>
<p>I am using<br />2.6.0-RELEASE (amd64)<br />built on Mon Jan 31 19:57:53 UTC 2022<br />FreeBSD 12.3-STABLE</p>