pfSense bugtracker: Issues | https://redmine.pfsense.org/ | https://redmine.pfsense.org/favicon.ico?1678052116 | 2024-02-21T03:23:33Z | pfSense bugtracker | Redmine
pfSense - Feature #15276 (New): Support JSON content for URL type firewall aliases | https://redmine.pfsense.org/issues/15276 | 2024-02-21T03:23:33Z | Sergei Shablovsky
<p>Brilliant pfSense DevTeam!</p>
<p>WHERE<br />In Firewall / Aliases, URLs tab (selector)</p>
<p>CASE<br />JSON needs to be allowed in the “URL (IPs)” type of firewall aliases, the same as XML and TXT are allowed.</p>
<p>ARGUMENT<br />Nowadays most SaaS and services present their data in JSON and XML more frequently than as a PLAIN TXT file answer at a certain URL.<br />(For example, external monitoring services.)</p>
<p>And it is logically wrong if a pfSense user is able to enter an XML and PLAIN TXT source in URL (IPs), but not JSON. (And only URL Table (IPs) allows JSON.)</p>
<p>I understand that from the beginning of pfSense’s life there have existed only 2 types of URL sources:<br />- small lists<br />- big lists<br />and to eliminate the time and resources spent keeping IPs, the parameter/ability to refresh big lists was made in the WebGUI.</p>
<p>But FROM THE USERS' PERSPECTIVE all 3 (JSON, XML and PLAIN TXT) sources are the same - a certain amount of data, and it is frustrating when it is possible to add XML and PLAIN TXT in URL (IPs), but JSON only in another type, only in URL Table (IPs).</p>
<p>Thank You!</p>
pfSense - Feature #15209 (New): Option to specify custom user home directory paths | https://redmine.pfsense.org/issues/15209 | 2024-01-28T17:21:29Z | Ronald Antony | rcfa+pfsense.org@cubiculum.com
<p>There are plenty of reasons not to have a home directory in /home/username</p>
<p>There should be the option of specifying an alternative home directory</p>
<p>I can fix that from the shell, but that means changes will not be saved as part of the configuration, and things will break with backup/restore, which is VERY BAD.</p>
<p>This is particularly of concern with users with the <code>User - System: Copy files to home directory (chrooted scp)</code> privileges, as they are likely set up to access specific locations to make/retrieve backups, or facilitate the ACME challenge.</p>
pfSense Plus - Feature #15186 (New): Test DNS over TLS | https://redmine.pfsense.org/issues/15186 | 2024-01-24T23:57:32Z | Jeff Kuehl
<p>The ability to readily confirm TLS DNS would be established once saved.</p>
pfSense - Feature #15068 (New): Show if an alias is currently in use | https://redmine.pfsense.org/issues/15068 | 2023-12-05T22:36:42Z | Marcelo Cury
<p>I would like to check if it is possible to include in a future release the ability to see if an alias is being used in a Firewall rule when checking the aliases page.<br />Perhaps also show the Track ID? I think this would be a very nice feature to have.</p>
<p>As I see it, it would help a lot to track things, avoid exclusions of aliases that are in use and help to clean up.</p>
<p>Thanks.</p>
pfSense - Feature #14907 (New): DNS Resolution on Diagnostics > States Summary | https://redmine.pfsense.org/issues/14907 | 2023-10-22T17:24:02Z | Wolfgang Thegreat
<p>Hello,</p>
<p>In version 2.7.0, the page of Diagnostics > States Summary shows numeric IPs, which are sometimes hard to understand / remember their meaning, so I ask to have a checkbox at this page to add their matching name next to the numeric IP value - either, as first option, their local pfSense alias name and if none exists, then do a reverse DNS lookup to find their DNS name.</p>
<p>Thank you.</p>
pfSense Packages - Feature #14890 (New): dtlspipe package | https://redmine.pfsense.org/issues/14890 | 2023-10-17T13:24:33Z | yon Liu | info@ipv6china.com
<p>This is a DTLS tool that has been tested and used. It can add DTLS support to almost all UDP. It is especially suitable for applications that are sensitive to network delays.<br />I have asked the author to add support for various systems. If you need help, we can contact the author.</p>
<p><a class="external" href="https://github.com/Snawoot/dtlspipe">https://github.com/Snawoot/dtlspipe</a></p>
pfSense - Feature #14886 (New): Visual improvement to the Gateway widget: display the icon in a c... | https://redmine.pfsense.org/issues/14886 | 2023-10-16T19:25:35Z | Patrik Stahlman
<p>A small tweak to the Gateway widget to display the icon in a color reflecting the status.</p>
<p>Rationale: <br />In my four column setup the status text is not always visible so I can't quickly determine the gateway status without shifting/scrolling the widget to the right. With this change I can see the status in the icon color.</p>
<p>Change:<br />1. move the code that determines the background color before the output of the icon. No change to the code, just a move.<br />2. add the background color to the icon formatting</p>
pfSense - Feature #14860 (New): Column consistency between DHCP Static mapping and ARP | https://redmine.pfsense.org/issues/14860 | 2023-10-10T20:05:01Z | John Weithman
<p>Just a suggestion that the column IP and MAC be swapped in the table for Diagnostics / ARP. This would be consistent in showing MAC, IP, Hostname (at least these 3 columns) in the same.</p>
<p>I was copy/pasting from both tables to do some comparison and noticed the difference and thought it would be better.</p>
pfSense Packages - Feature #14787 (New): Feature request - Freeradius post-auth custom options | https://redmine.pfsense.org/issues/14787 | 2023-09-16T14:34:03Z | Marcelo Cury
<p>I would like to check if it is possible to add a custom options field for post-auth in Freeradius package.<br />This would open so many possibilities; <a class="external" href="https://freeradius.org/radiusd/man/unlang.html">https://freeradius.org/radiusd/man/unlang.html</a></p>
I'm currently using unlang policies with freeradius package in Ubuntu, and with it I'm able to allow users to connect or not, based on their AD group.
<ul>
<li>If the user is member of the AD <strong>wifi_users</strong> group, ok to connect to wifi enterprise.</li>
<li>If the user is member of the AD <strong>openvpn</strong> group, ok to connect to openvpn.</li>
<li>If the user is member of the AD <strong>pfsense_admins</strong> group, they can manage pfsense.</li>
<li>If the user is member of the AD <strong>pfsense_monitors</strong> group, they can access some options in pfsense GUI.</li>
</ul>
<p>and so on...</p>
<p>Granularity like this would be very welcome to the pfsense's freeradius package.</p>
<p>Policies would be included after Post-Auth-Type Challenge as per below example in a file inside <strong>sites-enabled</strong> folder.</p>
<p>Example:<br /><pre>
...
    # Filter access challenges.
    #
    Post-Auth-Type Challenge {
        # remove_reply_message_if_eap
        # attr_filter.access_challenge.post-auth
    }
    #start pfsense GUI
    if (LDAP-Group == "pfsense_admins" && NAS-Identifier == "webConfigurator-pfsense.home.arpa") {
        update {
            reply:Class := "pfsense_admins"
        }
        noop
    }
    elsif (LDAP-Group == "pfsense_monitors" && NAS-Identifier == "webConfigurator-pfsense.home.arpa") {
        update {
            reply:Class := "pfsense_monitors"
        }
        noop
    }
    else {
        reject
    }
}
...
</pre></p>
<p>I would also like to suggest an option to create new sites in <strong>sites-enabled/</strong> folder, to speed up things using a file for each NAS client, very welcome for larger deployments.</p>
pfSense - Bug #14587 (New): Firewall Log Sort By Time | https://redmine.pfsense.org/issues/14587 | 2023-07-18T15:14:08Z | Brian Shell
<p>When viewing the System Logs > Firewall, and trying to sort by Time with newest first, it appears the sort is working alphabetically instead of chronologically. For example, this is the order I see when attempting to sort. Don't be concerned about the gaps of time between as this is simply due to to events being logged during those times and that is expected based on the logging I have enabled. Jun 30, Jun 28, Jun 27, Jun 26, Jun 25, Jun 24, Jun 23, Jun 22, Jun 21, Jul 6, Jul 4, Jul 18, Jul 13, Jul 10. Hopefully this will be something reproducible so a developer can see it because it is hard to explain in words. Attaching part of a screenshot so you can see the sorting. You won't see the issue from my screenshot I would have to scroll down and send many pages of screens.</p>
pfSense - Todo #14359 (New): Reorganize Advanced Options | https://redmine.pfsense.org/issues/14359 | 2023-05-08T19:10:44Z | Jim Pingle
<p>The placement of several options under the various Advanced options tabs doesn't make much sense in current versions. Some are only at their current locations for historical reasons.</p>
<p>Some things should be moved, such as:</p>
<ul>
<li>Cryptographic and Thermal hardware - Split into two separate sections, no compelling reason to combine them these days.</li>
<li>Schedules - Move from Misc to Firewall & NAT tab since it's about killing states based on rule schedules</li>
<li>Gateway Monitoring - Move from Misc to Firewall & NAT tab since it's mostly about firewall states and rules based on gateway events/status.</li>
<li>Load Balancing - Move from Misc to Firewall & NAT tab since it's a pf gateway behavior option, also rename so it's more clear that it is for Multi-WAN.</li>
<li>Reset All States - Move from Networking to Firewall & NAT tab since it's about resetting firewall states</li>
<li>Advanced Options section of Firewall & NAT tab, move to bottom of the page</li>
</ul>
<p>The Firewall & NAT page is getting rather long, however, so it may also be worth considering if that should be split into multiple tabs. For example the gateway bits could go on a Gateways & Multi-WAN tab.</p>
<p>It's all up for debate, but the current layout seems confusing for new users in various ways.</p>
pfSense Packages - Bug #14200 (New): WireGuard reply-to without NAT | https://redmine.pfsense.org/issues/14200 | 2023-03-29T10:02:59Z | Carrnell Tech
<p>I have discovered that the WireGuard package requires the interface to have the gateway set for the reply-to rules to function as expected. However, this also creates undesired auto NAT rules that need to be manually disabled in order to use the reply-to rules effectively.</p>
<p>I have posted all the detail and the road for my discovery on the forums and a great amount of detail along with it:<br /><a class="external" href="https://forum.netgate.com/topic/178908/wan-to-wireguard-to-lan-reply-to-bug">https://forum.netgate.com/topic/178908/wan-to-wireguard-to-lan-reply-to-bug</a></p>
My hope is that one of the following fix ideas could be implemented:
<ul>
<li>Could add verbiage on the interface or package GUI to indicate that these steps are required for true reply-to packets to function.</li>
<li>Add some sort of check box to prevent the auto added NAT rules for WireGuard interfaces, or, a check box that adds reply-to rules without the need for gateway to be filled.</li>
<li>Or, if possible, change the WireGuard package in such a way that it treats the WireGuard interface with reply-to rules with or without the gateway being set in the interface.</li>
</ul>
<p>To give you more of an idea of why I had more trouble with this particular part than anything previous is that I was migrating away from OpenVPN to WireGuard. Where OpenVPN functioned as desired without the gateway being set, I did not think to read the interface documentation mostly because the verbiage only mentions the need for it being set for internet access type scenarios, of which, I overlooked thinking it was unnecessary. On my testing environment, it was not until I started changing what I thought were unnecessary checkboxes and dropdowns that I discovered the gateway was needed, I then started to read the documentation for it, which led me to my final conclusion.</p>
<p>Appreciate your time!<br />Thank you!</p>
pfSense Packages - Bug #14146 (New): Small Typo in 'Advanced Outbound firewall rule settings' war... | https://redmine.pfsense.org/issues/14146 | 2023-03-22T07:36:44Z | Jon Brown
<p>When creating an IPv4 outbound permit rule (Firewall --> pfBlockerNG --> IP --> IPv4) and you leave the <b>Custom Protocol</b> on any you get the following error:</p>
<pre>
Settings: Protocol setting cannot be set to 'Default' with Advanced Outbound firewall rule settings.
</pre>
<p><img src="https://redmine.pfsense.org/attachments/download/4819/pfblocker-with-any-error-message.jpg" alt="" /></p>
<p>There is a typo where it is saying it cannot be left on 'Default', there is no default protocol. This should read as follows:</p>
<pre>
Settings: Protocol setting cannot be set to 'Any' with Advanced Outbound firewall rule settings.
</pre>
<p>I have swapped <strong>default</strong> for <strong>any</strong></p>
pfSense Plus - Feature #14133 (New): Exporting and Importing - Change Layout | https://redmine.pfsense.org/issues/14133 | 2023-03-20T03:47:01Z | Steven Cedrone
<p>Please change Backup & Restore to allow for choosing only what areas you want to import/export without having to do it one area at a time.</p>
<p>The drop down-style boxes for "Backup Area" and "Restore Area" should allow you to hold CTRL and choose multiple areas at a time. Or change the drop-down boxes to scrolling boxes similar to other areas of pfSense when you select Multiple WAN or LAN connections in pfBlocker for example.</p>
<p>This would be quite handy for exporting partial settings for new setups without having to do it area by area.</p>
pfSense Plus - Regression #14080 (New): Installer fails to install to a geom mirror | https://redmine.pfsense.org/issues/14080 | 2023-03-07T18:12:14Z | Steve Wheeler
<p>The 23.01 installer fails to create the expected mount points when trying to reinstall UFS to an existing gmirror.</p>
<p>It also cannot create the expected partitions using 'auto' to a new geom mirror.</p>