pfSense bugtracker: Issues https://redmine.pfsense.org/ 2012-04-02T14:23:11Z
pfSense - Bug #2335 (New): IGMPProxy and CARP Results in System Instability Upon Reboot https://redmine.pfsense.org/issues/2335 2012-04-02T14:23:11Z J P theprez@theprezonline.com
<p>This scenario was replicated on 3 PCs with various network cards on 2.01.</p>
<p>Enabling a CARP interface on a box with IGMPProxy running and receiving multicast traffic results in the box becoming unstable upon reboot. Once rebooted, the interfaces will come up briefly and eventually cease to pass traffic/assign IPs via DHCP. If rebooted a subsequent time, the same scenario repeats itself.</p>
<p>Repeated by:</p>
<p>Using 3 different machines, 2 i386 and 1 ia64 with various branded NICs.</p>
<p>Public IP passed to WAN<br />192.168.0.0/24 on LAN<br />UDP traffic permitted on WAN via Rule: UDP * * 224.0.0.0/4 * * NONE<br />On LAN - Default allow rule was edited, advanced options selected to allow IP with options - enable Multicast</p>
<p>CARP:</p>
<p>Firewall -> Virtual IP<br />Type = CARP<br />Interface = WAN<br />IP Address = Public /32<br />Virtual IP Password = whatever<br />VHID 1<br />Save</p>
<p>SSH into the pfSense router to ping the upstream router using:<br />ping -c1 -S &lt;CARP IP&gt; &lt;UPSTREAM IP&gt;</p>
<p>So that the upstream 2Wire router detects the new virtual MAC address.</p>
<p>Reboot computer</p>
<p>About 5 minutes into working it will freeze and cease to pass traffic.</p>
pfSense - Bug #2308 (New): HFSC WebUI doesn't check for "Bandwidth" setting https://redmine.pfsense.org/issues/2308 2012-03-23T13:11:08Z Oliver Loch
<p>Hi,</p>
<p>I configured pfSense to do some QoS. To get everything "firsthand" I used the HFSC module.</p>
<p>When configuring a HFSC queue you can add values for the "Service Curve" as shown in the attached screenshot.</p>
<p>If you add the realtime settings m1,d,m2 or just m2, and don't put anything inside the "Bandwidth"-field above, you can save and reload those settings.</p>
<p>After the reload you get error messages that say something like this:</p>
<p>php: : New alert found: There were error(s) loading the rules: pfctl: the sum of the child bandwidth higher than parent "root_em1" pfctl: linkshare sc exceeds parent's sc /tmp/rules.debug:47: errors in queue definition pfctl: the sum of the child bandwidth higher than parent "root_bridge1" pfctl: linkshare sc exceeds parent's sc /tmp/rules.debug:59: errors in queue definition pfctl: the sum of the child bandwidth higher than parent "root_bridge1" pfctl: linkshare sc exceeds parent's sc /tmp/rules.debug:60: errors in queue definition pfctl: Syntax error in config file: pf rules not loaded The line in question reads [ the sum of the child bandwidth higher than parent "root_em1" pfctl]:</p>
<p>This comes from the fact that the empty "Bandwidth"-field results in a pf rule like this:</p>
<pre><code>queue wweb on em1 qlimit 500 hfsc ( realtime (10%, 10000, 5%) )</code></pre>
<p>which doesn't hold the "bandwidth"-statement and results in an error like:</p>
<p>[2.0.1-RELEASE][<a class="email" href="mailto:root@pfSense.localdomain">root@pfSense.localdomain</a>]/tmp(4): pfctl -nf rules.debug<br />pfctl: the sum of the child bandwidth higher than parent "root_em1" <br />pfctl: linkshare sc exceeds parent's sc<br />rules.debug:47: errors in queue definition<br />pfctl: the sum of the child bandwidth higher than parent "root_bridge1" <br />pfctl: linkshare sc exceeds parent's sc<br />rules.debug:59: errors in queue definition<br />pfctl: the sum of the child bandwidth higher than parent "root_bridge1" <br />pfctl: linkshare sc exceeds parent's sc<br />rules.debug:60: errors in queue definition<br />[2.0.1-RELEASE][<a class="email" href="mailto:root@pfSense.localdomain">root@pfSense.localdomain</a>]/tmp(5):</p>
<p>That's because the system assumes "100%" bandwidth if the option is omitted.</p>
<p>The errors on line 59 and line 60 are from those lines:</p>
<p>59: queue lweb on bridge1 qlimit 500 hfsc ( realtime (10%, 10000, 6%) )<br />60: queue lmail on bridge1 qlimit 500 hfsc ( realtime 5% )</p>
<p>Same shit, different pile ...</p>
<p>It would be nice to ask the user what to do, or to just set "m2" as the "Bandwidth" of the queue as one can use "m2" alone for realtime settings without a peak.</p>
pfSense - Bug #2234 (Confirmed): Status: Traffic Graph - only shows interface's subnet https://redmine.pfsense.org/issues/2234 2012-02-24T13:39:22Z Anonymous
<p>The Traffic Graph in Status menu does not show the aliased IP subnet addresses in the right panel list. <br />It shows only the WAN/LAN interfaces IP subnets.</p>
pfSense - Bug #2138 (New): RRD Wireless graph broken in BSS mode https://redmine.pfsense.org/issues/2138 2012-01-23T17:19:08Z Christian Borchert ccb056@gmail.com
<p><a class="external" href="http://forum.pfsense.org/index.php/topic,45194.0.html">http://forum.pfsense.org/index.php/topic,45194.0.html</a></p>
<p>I am using pfSense 2.0.1 amd64 with an Atheros card (D-Link DWA-556) in Infrastructure (BSS) mode.<br />The "Wireless" RRD graphs show no data and the numerical results are all "nan" <br />However, the Traffic, Packets, Quality, Queues, and QueueDrops graphs for OPT1 (wifi card) all show valid data.</p>
<p><img src="http://db.tt/rqTVwplz" alt="" /><br /><img src="http://db.tt/EqDJ7zve" alt="" /></p>
pfSense - Bug #2042 (Confirmed): NAT reflection doesn't apply to self-initiated traffic https://redmine.pfsense.org/issues/2042 2011-12-09T06:38:37Z Anonymous
<p>Squid can't access hosts inside a DMZ with DMZ hosts accessible only via 1:1 NAT.</p>
<p>My config:<br />- 4 interfaces: WAN (bge1), LAN (bge0), DMZ (em0), GUEST (em1)<br />- DMZ subnet is private ips, using 1:1 NAT and IP Alias with reflection redirects to map incoming traffic from the other interfaces and from the internet onto my public webservers</p>
rules from the rules.debug:
<ol>
<li>Reflection redirects and NAT for 1:1 mappings<br />rdr on { bge0 em0 em1 } from any to aaa.bbb.ccc.ddd -> 192.168.ccc.ddd bitmask<br />no nat on em0 from em0 to 192.168.ccc.ddd<br />nat on em0 from 192.168.ccc.ddd/27 to 192.168.ccc.ddd -> em0 port 1024:65535</li>
</ol>
<p>I suppose adding the loopback interface (lo0?) to the "rdr on" rule would fix this issue.</p>
<p>A slightly longer version of this text can be found on the forum here: <a class="external" href="http://forum.pfsense.org/index.php/topic,43613.0.html">http://forum.pfsense.org/index.php/topic,43613.0.html</a></p>
<p>Best regards,<br />-Jan</p>
pfSense - Bug #1890 (New): No gettext support in console scripts https://redmine.pfsense.org/issues/1890 2011-09-20T07:05:24Z Necmettin Begiter necmettin.begiter@gmail.com
<p>We have been working on translating pfSense to Turkish and when we wanted to translate console scripts, we noticed that those scripts do not have gettext in them. Especially .sh scripts. For a more complete translation, we need gettext() applied to them, too.</p>
pfSense - Bug #1849 (New): Traffic shaper - By Queue view needs to show/use friendly interface names https://redmine.pfsense.org/issues/1849 2011-09-07T03:37:19Z Ermal Luçi eri@pfsense.org
<p>Traffic shaper - By Queue view needs to use friendly interface names to allow easy configuration and presentation.<br />Also need to be shown the root queues as well in this view which are a byproduct of fixing a previous ticket that hides the root/interface queues.</p>
pfSense - Bug #1848 (Confirmed): Limiters after policy routing has taken place do not behave corr... https://redmine.pfsense.org/issues/1848 2011-09-07T02:57:53Z Ermal Luçi eri@pfsense.org
<p>If there are 2 WANs and the primary one fails and there are limiters configured in floating rules (after policy routing has taken place) there will be issues induced because of the way limiters (dummynet) work.<br />Basically the policy routing decision will be forgotten by the path the packet takes through dummynet.</p>
<p>The obvious fix is to remember the policy routing decision even through this path and that will solve the problem.</p>
pfSense - Bug #1819 (New): DNS Resolver Not Registering DHCP Server Specified Domain Name https://redmine.pfsense.org/issues/1819 2011-08-29T15:37:36Z NOYB NOYB JunkYardMail1@Frontier.com
<p>DHCP Server specified Domain Name not being registered in DNS Forwarder.</p>
<p>Hosts are resolvable by System General specified domain name instead.</p>
<p>Is this the expected mode of operation? Seems like they should be registered with the domain name they are being assigned.</p>
<p>2.0-RC3 (i386) <br />built on Sun Aug 28 15:02:45 EDT 2011</p>
pfSense - Bug #1813 (Confirmed): Static routes on WAN interfaces overridden by route-to for firew... https://redmine.pfsense.org/issues/1813 2011-08-22T17:50:28Z Chris Buechler cbuechler@gmail.com
<p>The 'pass out' rules such as:</p>
<p>pass out route-to ( em1 9.2.2.1 ) from 9.2.3.17 to !9.2.2.0/21 keep state allow-opts label "let out anything from firewall host itself"</p>
<p>break connectivity from the firewall itself to any networks reachable via a static route on a WAN for traffic initiated from the firewall itself.</p>
<p>For example if you add a static route in the above scenario pointing 1.0.0.0/24 to 9.2.3.20, traffic initiated from the firewall to that destination will go to 9.2.2.1, not 9.2.3.20.</p>
pfSense - Bug #1738 (New): Restore fails when username in backup is not matching https://redmine.pfsense.org/issues/1738 2011-08-03T01:00:10Z Louis-David Perron ldperron@ldasolutions.ca
<p>It's not likely that it will happen to anyone, but the consequences are quite time consuming.</p>
<p>When on the default configuration of today's snapshot, if I import a backup that is using something other than "admin" for the web user, then it's almost impossible to properly restore the backup.</p>
<p>After the config upload, my browser gets redirected to interfaces_assign.php, but it mentions:<br />No page assigned to this user! Click here to logout.</p>
<p>If I click logout and then I log in as the new user, I get to the install package screen, even if the interfaces are still in the same state as before the restore.</p>
pfSense - Bug #1675 (New): Captive portal logout problems with pop-up blockers. https://redmine.pfsense.org/issues/1675 2011-07-12T17:13:32Z Ermal Luçi eri@pfsense.org
<p>Need to change the Captive portal pop-up page to use techniques to bypass pop-up blockers.</p>
pfSense - Bug #1667 (New): L2TP server does not respond properly from a CARP VIP https://redmine.pfsense.org/issues/1667 2011-07-11T09:37:05Z Jim Pingle
<p>If you set up an L2TP server and try to connect to a CARP VIP on the same interface, it does not work. The server responds from the interface IP rather than the CARP VIP.</p>
<p>The PPTP server does not suffer the same limitation (though it is TCP, not UDP.)</p>
<p>Can be worked around by adding a port forward on the CARP VIP to the WAN IP for udp/1701.</p>
pfSense Packages - Bug #1620 (New): Can't use transparent proxy when using bridge. https://redmine.pfsense.org/issues/1620 2011-06-25T03:14:59Z Marcello Silva Coutinho
<p>Can't forward any package to localhost while using bridge and setting IP address only on new bridge interface.</p>
<p>Same setup without bridge works fine.</p>
<p>I've tested with rdr rule and with squid transparent proxy rule.<br />Also with bridge system tunable settings on and off.</p>
<p>Please consider testing instead of rejecting. I've spent a lot of hours trying to set it up.</p>
pfSense - Bug #1186 (Confirmed): When in pure routing mode the rrd graphs are blank https://redmine.pfsense.org/issues/1186 2011-01-12T03:32:32Z Ermal Luçi eri@pfsense.org
<p>When the filtering is disabled the graphs have no data to graph since we switched to pf counters.<br />Probably should have both options and check if filtering is enabled or not.</p>