pfSense bugtracker: Issues
https://redmine.pfsense.org/
2024-03-18T20:37:19Z

pfSense - Bug #15349 (New): 1:1 NAT rule for subnet always uses full subnet range
https://redmine.pfsense.org/issues/15349
2024-03-18T20:37:19Z
Yehuda Katz
<p>Creating a 1:1 NAT rule for something like <code>10.0.0.5/28 -> 10.1.0.7/28</code> will actually create the proper rules for the entire <code>/24</code> subnet.</p>
<p>Output from <code>pfctl -s nat</code>:</p>
<pre>
[2.7.2-RELEASE][admin@pfSense.home.arpa]/root: pfctl -s nat | grep 10.0
binat on vtnet0 inet from 10.1.0.0/28 to any -> 10.0.0.0/28
</pre>
<p>This is probably the correct behavior, but may not be what people expect and does not appear to be documented.<br />It would probably make sense for the web interface to reject this kind of rule and require the subnet be specified properly by the first IP in the range.</p>

pfSense - Feature #15348 (New): Block out PSK when viewing Phase 1 IPsec configuration
https://redmine.pfsense.org/issues/15348
2024-03-18T14:31:12Z
Mike Moore
<p>When filling out a PSK in the phase 1 proposal section, the PSK really should be entered obfuscated, with an option in the WebUI to show the password.<br />Entering a password in clear text so that anyone shoulder surfing can see it is a security issue.</p>

pfSense - Bug #15347 (New): OpenVPN Multiple WAN Asymmetric Routing
https://redmine.pfsense.org/issues/15347
2024-03-16T22:12:32Z
Timo M
<p>Using OpenVPN in a multi-WAN / failover environment (an OpenVPN interface has been created and is used by the OpenVPN server). WAN1 is Tier 1 and WAN2 is Tier 2. To be able to access the OpenVPN server through both WAN1 and WAN2, I used the port forward method to bind the OpenVPN server to localhost and forward traffic from both WAN1 and WAN2 to it, as described in the documentation:</p>
<p><a class="external" href="https://docs.netgate.com/pfsense/en/latest/multiwan/openvpn.html#bind-to-localhost-and-setup-port-forwards">https://docs.netgate.com/pfsense/en/latest/multiwan/openvpn.html#bind-to-localhost-and-setup-port-forwards</a></p>
<p>FreeRADIUS is used as the authentication backend for OpenVPN (to be able to use 2FA). When connecting through WAN2 (which is on Tier 2) traffic appears to exit back out WAN1 after the RADIUS authentication completes leading to asymmetric routing. I see the following in the logs from FreeRADIUS:</p>
<p><code>(0) Login OK: [user_id] (from client pfsenseclient port 1194 cli *WAN1_IP* :1194)</code></p>
<p>I can confirm that the connection to the OpenVPN server was indeed made through WAN2 by looking at firewall states / traffic. Is this a bug, or is this configuration (OpenVPN server with FreeRADIUS authentication) not supported (e.g. the <code>reply-to</code> functionality does not work properly)? Thanks in advance.</p>

pfSense - Bug #15346 (Confirmed): Port Forward Add Unassociated Filter Rule Not Working
https://redmine.pfsense.org/issues/15346
2024-03-16T21:51:40Z
Timo M
<p>Upon creating a port forward entry on pfSense Plus 23.09.1 and choosing the "Add unassociated filter rule" option under Filter Rule Association, no firewall rule was actually created. The next time I checked the port forward Filter Rule Association setting on the rule that was created, it had been automatically set to "None". The documentation seems to indicate that a rule should still be created even when the unassociated option is chosen.</p>
<p><a class="external" href="https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html#port-forward-settings">https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html#port-forward-settings</a></p>

pfSense Docs - Correction #15345 (New): Advanced options -- fix typo
https://redmine.pfsense.org/issues/15345
2024-03-16T19:46:36Z
Craig Coonrad
<p>URL: <a class="external" href="https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#advanced-options">https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#advanced-options</a></p>
<blockquote>
<p>Tip: While this option control the global default</p>
</blockquote>
<p>to</p>
<blockquote>
<p>Tip: While this option controls the global default</p>
</blockquote>

pfSense Docs - Correction #15344 (New): Interface Bound States -- fix typo
https://redmine.pfsense.org/issues/15344
2024-03-16T19:40:53Z
Craig Coonrad
<p>URL: <a class="external" href="https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#interface-bound-states">https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#interface-bound-states</a></p>
<blockquote>
<p>If a packet attempts to takes an path</p>
</blockquote>
<p>Think that should be:</p>
<blockquote>
<p>If a packet attempts to takes a path</p>
</blockquote>

pfSense - Bug #15343 (New): DHCP host names for Windows 10/11 hosts have "." at the end
https://redmine.pfsense.org/issues/15343
2024-03-15T16:50:34Z
Daryl Morse
<p>Since changing to Kea DHCP, DHCP host names for Windows 10 and Windows 11 hosts are being created with a "." at the end.</p>
<p>This does not happen for other types of hosts.</p>
<p>This does not affect DHCPv6.</p>

pfSense Docs - Todo #15342 (Feedback): Document differences due to password security changes
https://redmine.pfsense.org/issues/15342
2024-03-15T16:21:48Z
Jim Pingle
<p>In <a class="issue tracker-4 status-4 priority-5 priority-high4" title="Todo: Prevent usage of the default password in User Manager accounts (Feedback)" href="https://redmine.pfsense.org/issues/15266">#15266</a> significant changes were made in how passwords are handled. These changes need to be documented.</p>
<p>There is a summary of changes in <a class="issue tracker-4 status-4 priority-5 priority-high4" title="Todo: Prevent usage of the default password in User Manager accounts (Feedback)" href="https://redmine.pfsense.org/issues/15266#note-10">#15266#note-10</a></p>

pfSense - Bug #15341 (New): PHP errors in ``xmlrpc.php`` during configuration synchronization con...
https://redmine.pfsense.org/issues/15341
2024-03-15T15:35:41Z
Christopher Cope
<pre>
[15-Mar-2024 09:50:55 America/Chicago] PHP Fatal error: Uncaught TypeError: Cannot access offset of type string on string in /usr/local/www/xmlrpc.php:718
Stack trace:
#0 /usr/local/www/xmlrpc.php(638): pfsense_xmlrpc_server->filter_configure(false, false)
#1 /usr/local/share/pear/XML/RPC2/Server/CallHandler/Instance.php(141): pfsense_xmlrpc_server->restore_config_section(Array, 900)
#2 /usr/local/share/pear/XML/RPC2/Backend/Php/Server.php(135): XML_RPC2_Server_Callhandler_Instance->__call('pfsense.restore...', Array)
#3 /usr/local/share/pear/XML/RPC2/Backend/Php/Server.php(99): XML_RPC2_Backend_Php_Server->getResponse()
#4 /usr/local/www/xmlrpc.php(987): XML_RPC2_Backend_Php_Server->handleCall()
</pre>
<p>The error is being hit on:</p>
<pre>
23.09.1-RELEASE (amd64)
built on Wed Dec 20 13:27:00 EST 2023
FreeBSD 14.0-CURRENT
</pre>
<p>This seems to be a similar issue to <a class="external" href="https://redmine.pfsense.org/issues/14034">https://redmine.pfsense.org/issues/14034</a>, but this one has to do with OpenVPN tags. I'll get a merge request together this week.</p>

pfSense Packages - Feature #15340 (New): provide the ability to deactivate actions in Gui
https://redmine.pfsense.org/issues/15340
2024-03-15T14:52:21Z
Mike Moore
<p>When using the webUI to push changes, there are times when I need to deactivate a portion of the config. For example, I create an ACL that has header restrictions (visit /login.php), but for testing purposes I need to permit access to a URL; I would need to delete the configuration under 'Actions' in the GUI Frontend configuration and add it back later when testing is done. So I would take a screenshot of the config to add it later.</p>
<p>If possible, similar to firewall rules, provide the ability to 'deactivate' ACL Actions. Otherwise, the workaround is to delete the action and re-add it later.<br />Of course the other workaround would be to add the configuration through 'Advanced Passthru', but that defeats the purpose of using the GUI to build the rules.</p>

pfSense Plus - Regression #15337 (New): pfSense-boot pkg fails install in UFS
https://redmine.pfsense.org/issues/15337
2024-03-13T22:05:02Z
Steve Wheeler
<p>Upgrading UFS installs to the current 24.03 snapshot fails when running the POST-INSTALL script in the pfSense upgrade pkg:</p>
<pre>
Installed packages to be UPGRADED:
pfSense-boot: 24.03.b.20240312.0600 -> 24.03.b.20240313.0600 [pfSense-core]
Number of packages to be upgraded: 1
[1/1] Upgrading pfSense-boot from 24.03.b.20240312.0600 to 24.03.b.20240313.0600...
[1/1] Extracting pfSense-boot-24.03.b.20240313.0600: .......... done
/bin/sh: Syntax error: end of file unexpected (expecting "fi")
pkg-static: POST-INSTALL script failed
failed.
Failed
</pre>
<p>This appears to be caused by the script truncating the UFS ID:</p>
<pre>
+ mount -p
+ awk '$2 ~ /^\/$/ { match($1, "[[:alpha:]/]+[[:digit:]]+"); print substr($1, RSTART, RLENGTH); }'
+ bootdevs=/dev/ufsid/6023315
+ mount -p
+ awk '$2 ~/\/boot\/efi/'
+ [ -n '' ]
+ gpart show -p /dev/ufsid/6023315
+ awk '$4 ~ /efi/ {print $3}'
gpart: No such geom: /dev/ufsid/6023315.
</pre>

pfSense Packages - Bug #15334 (Confirmed): Interface Description not updated properly when add/cr...
https://redmine.pfsense.org/issues/15334
2024-03-12T15:37:02Z
Sergei Shablovsky
<p><strong>Brilliant pfSense DevTeam!</strong></p>
<p><strong>WHERE</strong><br />in the <strong>Services / Suricata</strong> package<br />on <strong>Interfaces</strong></p>
<p><strong>ISSUE</strong><br />Interface <strong>Description</strong> is not updated properly in <strong>General Settings / Description</strong> when adding/creating a new interface in Suricata (by pressing the “+” button at the right):</p>
<p>When the page is first loaded, the Description field is pre-filled with the Interface name (taken from the Description field of the Interfaces / General Configuration page).</p>
<p><strong>AFTER ANOTHER INTERFACE from the drop-down list is SELECTED, the DESCRIPTION is PRE-FILLED WITH THE BSD INTERFACE NAME (LAN, WAN, OPT1, OPT2,…)</strong> and not the Interface name (taken from the Description field of the Interfaces / General Configuration page).</p>
<p>P.S.<br />It would also be good, after the first page load, to AUTOMATICALLY take focus and select all text in the Description field, to eliminate User interaction and improve the overall User UI experience.</p>

pfSense Packages - Bug #15333 (Confirmed): Interface Description not updated properly when add/cr...
https://redmine.pfsense.org/issues/15333
2024-03-12T15:30:46Z
Sergei Shablovsky
<p><strong>Brilliant pfSense DevTeam!</strong></p>
<p><strong>WHERE</strong><br />in the <strong>Services / Suricata</strong> package<br />on <strong>Interfaces</strong></p>
<p><strong>ISSUE</strong><br />Interface <strong>Description</strong> is not updated properly in <strong>General Settings / Description</strong> when adding/creating a new interface in Suricata (by pressing the “+” button at the right):</p>
<p>When the page is first loaded, the Description field is pre-filled with the Interface name (taken from the Description field of the Interfaces / General Configuration page).</p>
<p><strong>AFTER ANOTHER INTERFACE</strong> from the drop-down list is <strong>SELECTED</strong>, the <strong>DESCRIPTION is PRE-FILLED WITH THE BSD INTERFACE NAME (LAN, WAN, OPT1, OPT2,…)</strong> and not the Interface name (taken from the Description field of the Interfaces / General Configuration page).</p>
<p>P.S.<br />It would also be good, after the first page load, to AUTOMATICALLY take focus and select all text in the Description field.</p>

pfSense Plus - Bug #15332 (New): Kea doesn't start without any logs when upload config with addit...
https://redmine.pfsense.org/issues/15332
2024-03-12T13:17:13Z
aleksei prokofiev
<p>If the config has an additional DHCP pool with extra parameters configured, such as default-lease-time or max-lease-time, then KEA won't start, without any logs. To fix that, delete those extra options from the config, or just resave the affected pool without any changes; that rewrites the config without the extra options.<br />For example:</p>
<pre>
&lt;pool&gt;
  &lt;range&gt;
    &lt;from&gt;192.168.6.2&lt;/from&gt;
    &lt;to&gt;192.168.6.48&lt;/to&gt;
  &lt;/range&gt;
  &lt;descr&gt;&lt;![CDATA[NTP Server]]&gt;&lt;/descr&gt;
  &lt;defaultleasetime&gt;600&lt;/defaultleasetime&gt;
  &lt;maxleasetime&gt;3600&lt;/maxleasetime&gt;
</pre>
<p>After resaving, it will be deleted:</p>
<pre>
&lt;pool&gt;
  &lt;range&gt;
    &lt;from&gt;192.168.6.2&lt;/from&gt;
    &lt;to&gt;192.168.6.48&lt;/to&gt;
  &lt;/range&gt;
  &lt;descr&gt;&lt;![CDATA[NTP Server]]&gt;&lt;/descr&gt;
  &lt;defaultleasetime&gt;&lt;/defaultleasetime&gt;
  &lt;maxleasetime&gt;&lt;/maxleasetime&gt;
</pre>

pfSense - Feature #15331 (New): Client (service) for CloudFlare WARP/WAR+
https://redmine.pfsense.org/issues/15331
2024-03-11T16:52:27Z
Sergei Shablovsky
<p><strong>For a couple of years now, CloudFlare has in fact been the fastest and a reliable proxy and SDN for most users.</strong><br />(Sometimes backbone and core border routing problems that hit Akamai have only a small effect on CF.)<br />Most of the “childhood problems” of a new and fast-growing company HAVE GONE AWAY.</p>
<p>And the <strong>NUMBER OF POINTS OF PRESENCE (data centers, colocated servers) IS CONSTANTLY GROWING!</strong></p>
<p><strong>All this makes the CloudFlare WARP/WARP+ service more and more wanted not only by most ordinary users and advanced users, but by small and medium private businesses and government organizations.</strong></p>
<p>And as a result, since 2022 more and more coders have tried to implement CloudFlare WARP/WARP+ client code for various OSs, especially those on which routers/firewalls are based.</p>
<p>Please take a look at the<br />thread on pfSense CE<br /><a class="external" href="https://forum.netgate.com/topic/177267/connecting-to-cloudflare-surely-its-possible">https://forum.netgate.com/topic/177267/connecting-to-cloudflare-surely-its-possible</a></p>
<p>thread on CloudFlare</p>
<p><a class="external" href="https://community.cloudflare.com/t/warp-client-for-freebsd-based-firewalls-eg-pfsense-opnsense/426717/1">https://community.cloudflare.com/t/warp-client-for-freebsd-based-firewalls-eg-pfsense-opnsense/426717/1</a></p>
<p>So, the bottom line of all of this:<br />making a CloudFlare WARP/WARP+ client as a separate package for pfSense is not so much time and effort.</p>
<p>If the DevTeam makes it right now, with testing and feedback from users over the summer (when there is not so much business workload and the negative impact would be minimal) for the next upcoming release (2.7.3-REL), this “adds more value to pfSense” and grows the distance from the competing OPNsense.</p>