pfSense bugtracker: Issues
https://redmine.pfsense.org/
2024-01-12T23:40:15Z

pfSense Packages - Regression #15159 (Confirmed): XMLRPC Replication Target required even if not ...
https://redmine.pfsense.org/issues/15159
2024-01-12T23:40:15Z
Steve Y
<p>On page Firewall/pfBlockerNG/Sync if "Sync to configured system backup server" is selected, "XMLRPC Replication Targets" > "Target IP/Hostname" is still a required field.</p>

pfSense - Bug #15067 (Feedback): Secondary node attempts to delete the ``admins`` group when sync...
https://redmine.pfsense.org/issues/15067
2023-12-05T20:40:48Z
Craig Coonrad
<p>Version: 23.09-RELEASE</p>
<p>Error message:</p>
<pre>
Dec 5 20:37:30 fw102.local php-fpm[77756]: /xmlrpc.php: The command '/usr/sbin/pw groupdel -g 'admins'' returned exit code '64', the output was 'pw: Bad id 'admins': invalid'
</pre>

pfSense Packages - Regression #15064 (Confirmed): Statis menu entry for APCUPSD leads to settings...
https://redmine.pfsense.org/issues/15064
2023-12-05T10:50:58Z
odo maitre
<p>If you call services/apcupsd in the GUI you get the same result as if you call status/apcupsd. Both times you get the configuration menu (pkg_edit.php?xml=apcupsd.xml). (It should be "apcupsd_status.php" when calling status/apcupsd.)<br />I guess there is something wrong.</p>

pfSense - Todo #14359 (New): Reorganize Advanced Options
https://redmine.pfsense.org/issues/14359
2023-05-08T19:10:44Z
Jim Pingle
<p>The placement of several options under the various Advanced options tabs doesn't make much sense in current versions. Some are only at their current locations for historical reasons.</p>
<p>Some things should be moved, such as:</p>
<ul>
<li>Cryptographic and Thermal hardware - Split into two separate sections, no compelling reason to combine them these days.</li>
<li>Schedules - Move from Misc to Firewall & NAT tab since it's about killing states based on rule schedules</li>
<li>Gateway Monitoring - Move from Misc to Firewall & NAT tab since it's mostly about firewall states and rules based on gateway events/status.</li>
<li>Load Balancing - Move from Misc to Firewall & NAT tab since it's a pf gateway behavior option, also rename so it's more clear that it is for Multi-WAN.</li>
<li>Reset All States - Move from Networking to Firewall & NAT tab since it's about resetting firewall states</li>
<li>Advanced Options section of Firewall & NAT tab, move to bottom of the page</li>
</ul>
<p>The Firewall & NAT page is getting rather long, however, so it may also be worth considering if that should be split into multiple tabs. For example the gateway bits could go on a Gateways & Multi-WAN tab.</p>
<p>It's all up for debate, but the current layout seems confusing for new users in various ways.</p>

pfSense Packages - Bug #14200 (New): WireGuard reply-to without NAT
https://redmine.pfsense.org/issues/14200
2023-03-29T10:02:59Z
Carrnell Tech
<p>I have discovered that the WireGuard package requires the interface to have the gateway set for the reply-to rules to function as expected. However, this also creates undesired auto NAT rules that need to be manually disabled in order to use the reply-to rules effectively.</p>
<p>I have posted all the detail and the road for my discovery on the forums and a great amount of detail along with it:<br /><a class="external" href="https://forum.netgate.com/topic/178908/wan-to-wireguard-to-lan-reply-to-bug">https://forum.netgate.com/topic/178908/wan-to-wireguard-to-lan-reply-to-bug</a></p>
My hope is that one of the following fix ideas could be implemented:
<ul>
<li>Could add verbiage on the interface or package GUI to indicate that these steps are required for true reply-to packets to function.</li>
<li>Add some sort of check box to prevent the auto added NAT rules for WireGuard interfaces, or, a check box that adds reply-to rules without the need for gateway to be filled.</li>
<li>Or, if possible, change the WireGuard package in such a way that it treats the WireGuard interface with reply-to rules with or without the gateway being set in the interface.</li>
</ul>
<p>To give you more of an idea of why I had more trouble with this particular part than anything previous is that I was migrating away from OpenVPN to WireGuard. Where OpenVPN functioned as desired without the gateway being set, I did not think to read the interface documentation mostly because the verbiage only mentions the need for it being set for internet access type scenarios, of which, I overlooked thinking it was unnecessary. On my testing environment, it was not until I started changing what I thought were unnecessary checkboxes and dropdowns that I discovered the gateway was needed, I then started to read the documentation for it, which led me to my final conclusion.</p>
<p>Appreciate your time!<br />Thank you!</p>

pfSense Packages - Bug #14146 (New): Small Typo in 'Advanced Outbound firewall rule settings' war...
https://redmine.pfsense.org/issues/14146
2023-03-22T07:36:44Z
Jon Brown
<p>When creating an IPv4 outbound permit rule (Firewall --> pfBlockerNG --> Ip --> IPv4) and you leave the <b>Custom Protocol</b> on any you get the following error:</p>
<pre>
Settings: Protocol setting cannot be set to 'Default' with Advanced Outbound firewall rule settings.
</pre>
<p><img src="https://redmine.pfsense.org/attachments/download/4819/pfblocker-with-any-error-message.jpg" alt="" /></p>
<p>There is a typo where it is saying it cannot be left on 'Default', there is no default protocol. This should read as follows:</p>
<pre>
Settings: Protocol setting cannot be set to 'Any' with Advanced Outbound firewall rule settings.
</pre>
<p>I have swapped <strong>default</strong> for <strong>any</strong></p>

pfSense Packages - Bug #11493 (New): After upgrade zabbix proxy wont start
https://redmine.pfsense.org/issues/11493
2021-02-21T05:31:00Z
Pim Janssen
<p>Due to database changes between zabbix-proxy versions, the proxy database needs to be removed after upgrading, else the proxy service won't start.</p>
<p>Workaround:<br />manually remove the database /var/db/zabbix-proxy/proxy.db</p>

pfSense Packages - Bug #11000 (New): haproxy deprecated trick suggested
https://redmine.pfsense.org/issues/11000
2020-10-22T17:51:10Z
Manuel Piovan
<p>haproxy-devel<br />under backend<br />the description for "Http check version" says:<br /><pre><code>Defaults to "HTTP/1.0" if left blank. Note that the Host field is mandatory in HTTP/1.1, and as a trick, it is possible to pass it after "\r\n" following the version string like this:
HTTP/1.1\r\nHost:\ www
</code></pre><br />but this leads to a warning</p>
<pre><code>[WARNING] 296/004428 (78254) : parsing [/var/etc/haproxy/haproxy.cfg:67]: 'option httpchk' : hiding headers or body at the end of the version string is deprecated. Please, consider to use 'http-check send' directive instead.
</code></pre>

pfSense - Feature #10731 (New): XML-sync primary/secondary config flag
https://redmine.pfsense.org/issues/10731
2020-07-06T05:38:54Z
Constantine Kormashev
<p>To prevent XML-sync misconfiguring on a HA cluster, it would be good to make a config flag that can be used for distinguishing primary and secondary nodes. It might be a hidden flag in the config, which is set to primary if XML-sync is enabled on the node and after propagated to another node as secondary, and vice versa. If the node's flag is secondary, then its XML-sync menu is blocked. This flag can be also used for other purposes. E.g. it might be evidence of init XML-sync was successful and so on.</p>
<p>There is a small issue here, flag on secondary is propagated by primary, that means if we would like to clear secondary role without a primary, then we need something like a Red Force Clear button, which can reset the flag.<br />The other way would be clearing the secondary flag each reboot and keep it unflagged until the 1st XML-sync session, but this is less obvious.</p>

pfSense - Bug #10701 (New): Firewall Log too wide with Rule Description Column
https://redmine.pfsense.org/issues/10701
2020-06-25T05:41:01Z
Louis B
<p>Hello,</p>
<p>I just noticed that at least with systemlog firewall the layout does not fit inside the page any more. Maybe there are layout issues at other places as well. I did not check.</p>
<p>I noticed it with version </p>
<pre><code>2.5.0-DEVELOPMENT (amd64)
built on Tue Jun 23 01:04:03 EDT 2020
FreeBSD 12.1-STABLE</code></pre>
<p>And I tried with multiple browsers (all the same)</p>
<p>Louis</p>

pfSense Packages - Feature #9648 (New): Multiple node Sync HAProxy configuration to backup CARP m...
https://redmine.pfsense.org/issues/9648
2019-07-25T10:00:31Z
Frikkie Botha
<p>We have a cluster of 3x PFSense Firewalls running in 3 AZs on AWS.</p>
<p>FW-A (AZ-A) is configured to sync to FW-B (AZ-B) which then syncs to FW-C (AZ-C)</p>
<p>This works perfectly for all components of PFSense except for HAProxy.</p>
<p>HAProxy only syncs from FW-A (AZ-A) to FW-B (AZ-B).</p>
<p>The only workaround currently to get the changes thru to all AZs after making a change on FW-A is to</p>
<p>1. Disable the HAProxy sync on FW-B<br />2. Click Save & Apply Changes<br />3. Enable the HAProxy sync on FW-B<br />4. Click Save & Apply Changes</p>
<p>This does however only do the sync once from FW-B to FW-C and the same process needs to be followed again if an update is made to HAProxy on FW-A</p>

pfSense Packages - Bug #9486 (New): ifindex values used for softflowd are incorrect
https://redmine.pfsense.org/issues/9486
2019-04-26T13:16:29Z
Jesse White
<p>With this patch, we now pass ifIndex values to softflowd for inclusion in the flow packets:<br /> <a class="external" href="https://github.com/pfsense/FreeBSD-ports/pull/501/files#diff-451c93a8b870e13a749022e7ecf64cd6R52">https://github.com/pfsense/FreeBSD-ports/pull/501/files#diff-451c93a8b870e13a749022e7ecf64cd6R52</a></p>
<p>However, the values used are arbitrary and do not line up with the values used by other services on the system such as snmpd:<br /><pre>
ps ax | grep soft
91600 - Ss 0:00.64 /usr/local/sbin/softflowd -i 1:igb1 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.igb1.pid -c /var/r
91913 - Is 0:00.00 /usr/local/sbin/softflowd -i 2:igb1.2 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.igb1.2.pid -c /v
92156 - Is 0:00.00 /usr/local/sbin/softflowd -i 3:igb1.3 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.igb1.3.pid -c /v
92774 - Is 0:00.00 /usr/local/sbin/softflowd -i 4:ovpnc2 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.ovpnc2.pid -c /v
93644 - Ss 0:00.69 /usr/local/sbin/softflowd -i 5:igb0 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.igb0.pid -c /var/r
93969 - Is 0:00.00 /usr/local/sbin/softflowd -i 6:lo0 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.lo0.pid -c /var/run
</pre></p>
<pre>
$ snmpwalk -c public -v 2c 10.1.1.1 IF-MIB::ifDescr
IF-MIB::ifDescr.1 = STRING: igb0
IF-MIB::ifDescr.2 = STRING: igb1
IF-MIB::ifDescr.3 = STRING: enc0
IF-MIB::ifDescr.4 = STRING: lo0
IF-MIB::ifDescr.5 = STRING: pflog0
IF-MIB::ifDescr.6 = STRING: pfsync0
IF-MIB::ifDescr.7 = STRING: igb1.2
IF-MIB::ifDescr.8 = STRING: igb1.3
IF-MIB::ifDescr.9 = STRING: ovpnc2
</pre>
<p>For example igb1.2 is set to ifIndex 2, but it should really be 7.</p>
<p>The proper ifIndex can be retrieved using:<br /> <a class="external" href="https://www.freebsd.org/cgi/man.cgi?query=if_nametoindex&apropos=0&sektion=3&manpath=FreeBSD+11.0-RELEASE&arch=default&format=html">https://www.freebsd.org/cgi/man.cgi?query=if_nametoindex&apropos=0&sektion=3&manpath=FreeBSD+11.0-RELEASE&arch=default&format=html</a></p>

pfSense - Bug #8464 (New): Wireless USB card does not connect to WiFi automatically after reboot/...
https://redmine.pfsense.org/issues/8464
2018-04-17T03:35:41Z
Constantine Kormashev
<p>Wireless USB card on Realtek RTL8192SU chipset in BSS mode does not connect to WiFi until wireless interface is set to down and after to up state manually. E.g. after device reboot.<br />There is not any problem with forwarding in case device already connected to WiFi, problem happens only after device reboot/halt.<br />Tried with Dlink DWA131 (Realtek RTL8192SU) on 3100 and 2220.<br />During down/up interface there are messages in console:<br /><pre>
rsu0: rsu_join_bss: still scanning! (attempt 0)
rsu0_wlan0: ieee80211_new_state_locked: pending SCAN -> AUTH transition lost
</pre></p>

pfSense Packages - Bug #8454 (New): Arpwatch package break email notifications from other sources
https://redmine.pfsense.org/issues/8454
2018-04-12T07:18:20Z
Yehuda Katz
<p>Arpwatch replaces /usr/sbin/sendmail with a symlink to a PHP script that specifically mentions Arpwatch in the message subject:<br /><a class="external" href="https://github.com/pfsense/FreeBSD-ports/blob/015971be238550a1f9aa060fe5ed93849c01572e/net-mgmt/pfSense-pkg-arpwatch/files/usr/local/pkg/arpwatch.inc#L217">https://github.com/pfsense/FreeBSD-ports/blob/015971be238550a1f9aa060fe5ed93849c01572e/net-mgmt/pfSense-pkg-arpwatch/files/usr/local/pkg/arpwatch.inc#L217</a></p>
<p>This causes notifications from ACME (run by CRON) to come with subjects like this:</p>
<blockquote>
<p>wall.example.com - Arpwatch Notification : Cron <root@wall> /usr/local/pkg/acme/acme_command.sh "renewall"</p>
</blockquote>

pfSense - Todo #8270 (New): Fix grammatically erroneous repetition
https://redmine.pfsense.org/issues/8270
2018-01-10T16:06:23Z
Maxwell Cody
<p>The pfSense web interface has some grammatically incorrect repetition due to, what I suspect to be, a very lackadaisical use of initialisms. You will notice that on at least four different pages, the phrase "IP Protocol" is used to refer to the delineation between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). The grammatical error here is rather simple to notice by simply deconstructing the initialism. By deconstructing the initialism you will see that the deconstructed phrase reads "Internet Protocol Protocol." This is grammatically incorrect.</p>
<p>I've personally come up with two unique and novel solutions to this issue.</p>
<p>1. Change the phrase to read simply "Protocol." <br />2. Change the phrase to read "IP Version." (Deconstructing the initialism here may be preferable)</p>
Pages affected:
<ul>
<li>status_logs_settings.php</li>
<li>diag_testport.php</li>
<li>diag_traceroute.php</li>
<li>diag_ping.php</li>
</ul>