pfSense bugtracker: Issues (Redmine) | https://redmine.pfsense.org/ | 2019-07-25T10:00:31Z

pfSense Packages - Feature #9648 (New): Multiple node Sync HAProxy configuration to backup CARP m... | https://redmine.pfsense.org/issues/9648 | 2019-07-25T10:00:31Z | Frikkie Botha
<p>We have a cluster of 3x pfSense Firewalls running in 3 AZs on AWS.</p>
<p>FW-A (AZ-A) is configured to sync to FW-B (AZ-B), which then syncs to FW-C (AZ-C).</p>
<p>This works perfectly for all components of pfSense except for HAProxy.</p>
<p>HAProxy only syncs from FW-A (AZ-A) to FW-B (AZ-B).</p>
<p>The only workaround currently to get the changes through to all AZs after making a change on FW-A is to:</p>
<p>1. Disable the HAProxy sync on FW-B<br />2. Click Save & Apply Changes<br />3. Enable the HAProxy sync on FW-B<br />4. Click Save & Apply Changes</p>
<p>This does however only do the sync once from FW-B to FW-C, and the same process needs to be followed again if an update is made to HAProxy on FW-A.</p>

pfSense Packages - Bug #9486 (New): ifindex values used for softflowd are incorrect | https://redmine.pfsense.org/issues/9486 | 2019-04-26T13:16:29Z | Jesse White
<p>With this patch, we now pass ifIndex values to softflowd for inclusion in the flow packets:<br /> <a class="external" href="https://github.com/pfsense/FreeBSD-ports/pull/501/files#diff-451c93a8b870e13a749022e7ecf64cd6R52">https://github.com/pfsense/FreeBSD-ports/pull/501/files#diff-451c93a8b870e13a749022e7ecf64cd6R52</a></p>
<p>However, the values used are arbitrary and do not line up with the values used by other services on the system such as snmpd:<br /><pre>
ps ax | grep soft
91600 - Ss 0:00.64 /usr/local/sbin/softflowd -i 1:igb1 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.igb1.pid -c /var/r
91913 - Is 0:00.00 /usr/local/sbin/softflowd -i 2:igb1.2 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.igb1.2.pid -c /v
92156 - Is 0:00.00 /usr/local/sbin/softflowd -i 3:igb1.3 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.igb1.3.pid -c /v
92774 - Is 0:00.00 /usr/local/sbin/softflowd -i 4:ovpnc2 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.ovpnc2.pid -c /v
93644 - Ss 0:00.69 /usr/local/sbin/softflowd -i 5:igb0 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.igb0.pid -c /var/r
93969 - Is 0:00.00 /usr/local/sbin/softflowd -i 6:lo0 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.lo0.pid -c /var/run
</pre></p>
<pre>
$ snmpwalk -c public -v 2c 10.1.1.1 IF-MIB::ifDescr
IF-MIB::ifDescr.1 = STRING: igb0
IF-MIB::ifDescr.2 = STRING: igb1
IF-MIB::ifDescr.3 = STRING: enc0
IF-MIB::ifDescr.4 = STRING: lo0
IF-MIB::ifDescr.5 = STRING: pflog0
IF-MIB::ifDescr.6 = STRING: pfsync0
IF-MIB::ifDescr.7 = STRING: igb1.2
IF-MIB::ifDescr.8 = STRING: igb1.3
IF-MIB::ifDescr.9 = STRING: ovpnc2
</pre>
<p>For example igb1.2 is set to ifIndex 2, but it should really be 7.</p>
<p>The proper ifIndex can be retrieved using:<br /> <a class="external" href="https://www.freebsd.org/cgi/man.cgi?query=if_nametoindex&apropos=0&sektion=3&manpath=FreeBSD+11.0-RELEASE&arch=default&format=html">https://www.freebsd.org/cgi/man.cgi?query=if_nametoindex&apropos=0&sektion=3&manpath=FreeBSD+11.0-RELEASE&arch=default&format=html</a></p>

pfSense - Feature #9336 (New): Make Dynamic DNS update notification e-mail optional | https://redmine.pfsense.org/issues/9336 | 2019-02-18T10:18:26Z | Sven L
<p>I'd like to keep pfSense email notifications enabled; unfortunately, we have a dynamic IP that changes every day and we use DynDNS. That means I get a notification every day when the IP changes and pfSense updates DynDNS. Please let me disable this notification for IP changes.</p>

pfSense - Feature #8879 (New): DHCP options ADD force options | https://redmine.pfsense.org/issues/8879 | 2018-09-07T09:11:16Z | jonathan MANTOVANI
<p>The DHCP server offers the possibility to add DHCP options.<br />Maybe add the possibility to force the options (with a checkbox).<br />Example in dnsmasq conf: --dhcp-option-force=208,f1:00:74:7e instead of --dhcp-option=208,f1:00:74:7e</p>

pfSense - Feature #8599 (New): IPv6 flow labels | https://redmine.pfsense.org/issues/8599 | 2018-06-25T11:38:02Z | Isaac McDonald
<p>Here's a short list of possible uses for IPv6 flow labels in pfSense:</p>
<ul>
<li>Ability to apply QOS based on IPv6 flow labels</li>
<li>Using the IPv6 Flow Label for Load Balancing in Server Farms [<a class="external" href="https://tools.ietf.org/html/rfc7098">https://tools.ietf.org/html/rfc7098</a>]</li>
<li>Utilize IPv6 flow labels in Equal Cost MultiPath (ECMP) or Link Aggregation (LAG) implementations [<a class="external" href="https://tools.ietf.org/html/rfc6438">https://tools.ietf.org/html/rfc6438</a>]</li>
</ul>
<p>Windows 10 now populates IPv6 flow labels by default: [<a class="external" href="https://blogs.technet.microsoft.com/networking/2017/07/13/core-network-stack-features-in-the-creators-update-for-windows-10/">https://blogs.technet.microsoft.com/networking/2017/07/13/core-network-stack-features-in-the-creators-update-for-windows-10/</a>]</p>
<p><code>Beginning with the Creators Update, outbound TCP and UDP packets over IPv6 have this field set to a hash of the 5-tuple (Src IP, Dst IP, Src Port, Dst Port). Middleboxes can use the FlowLabel field to perform ECMP for in-encapsulated native IPv6 traffic without having to parse the transport headers. This will make IPv6 only datacenters doing load balancing or flow classification more efficient.</code></p>
<p>FreeBSD also includes support for IPv6 flow labels.</p>
<p>Thanks</p>

pfSense - Todo #8270 (New): Fix grammatically erroneous repetition | https://redmine.pfsense.org/issues/8270 | 2018-01-10T16:06:23Z | Maxwell Cody
<p>The pfSense web interface has some grammatically incorrect repetition due to, what I suspect to be, a very lackadaisical use of initialisms. You will notice that on at least four different pages, the phrase "IP Protocol" is used to refer to the delineation between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). The grammatical error here is rather simple to notice by simply deconstructing the initialism. By deconstructing the initialism you will see that the deconstructed phrase reads "Internet Protocol Protocol." This is grammatically incorrect.</p>
<p>I've personally come up with two unique and novel solutions to this issue.</p>
<p>1. Change the phrase to read simply "Protocol." <br />2. Change the phrase to read "IP Version." (Deconstructing the initialism here may be preferable)</p>
Pages affected:
<ul>
<li>status_logs_settings.php</li>
<li>diag_testport.php</li>
<li>diag_traceroute.php</li>
<li>diag_ping.php</li>
</ul>

pfSense Packages - Feature #8161 (New): Add virtual server support to FreeRadius | https://redmine.pfsense.org/issues/8161 | 2017-12-04T18:53:44Z | Victor Hooi
<p>It's great and super convenient that the FreeRadius server is included as a package with pfSense.</p>
<p>I currently use this to provide WPA-Enterprise authentication with my Ubiquiti Unifi access points.</p>
<p>However, it would be fantastic if we could add virtual server support via the online GUI - this is a key feature in FreeRadius, and lets you setup multiple lists of users (e.g. for different WiFi SSIDs).</p>
<p>This person has tried to hack around the lack of support:</p>
<p><a class="external" href="https://forum.pfsense.org/index.php?topic=126862.0">https://forum.pfsense.org/index.php?topic=126862.0</a></p>
<p>but that breaks every time you update via the GUI.</p>

pfSense - Bug #8157 (New): Traffic Graph clutter from time to time | https://redmine.pfsense.org/issues/8157 | 2017-12-03T06:40:58Z | Ingo-Stefan Schilling (ischilling@hotmail.com)
<p>When traffic is more occasional with (great) peaks, the graph clutters. See attached file. This happens since version 2.4 and is here in 2.4.2-RELEASE (amd64).</p>

pfSense Packages - Feature #8148 (New): OpenVPN - Output Windows Client .MSI Installer for GPO de... | https://redmine.pfsense.org/issues/8148 | 2017-11-30T13:16:20Z | Jason Gibbons
<p>First, pfSense is a great product. I appreciate all of the development efforts.</p>
<p>It would be very helpful if the OpenVPN Windows client installer would also generate an .MSI. This would allow GPO deployment which would greatly ease the adoption of OpenVPN in that environment. OpenVPN Access Server has a script to do this. Is it possible to add something like this to pfSense as well?</p>
<p><a class="external" href="https://docs.openvpn.net/configuration/active-directory-deploying-the-access-server-connect-client-via-gpos/">https://docs.openvpn.net/configuration/active-directory-deploying-the-access-server-connect-client-via-gpos/</a></p>
<p>Thanks!</p>

pfSense - Feature #7934 (New): format support phone# for international use | https://redmine.pfsense.org/issues/7934 | 2017-10-12T16:10:20Z | Adam Thompson (athompso@athompso.net)
<p>In the new 2.4.0 release, the Netgate Services and Support dashboard gadget shows the phone# to call. (Good idea, btw!)<br />So that international users know where to call, the phone# should include the country code as "+1".<br />ITU-standard formatting is "+1 (512) 900-2546", but I guess "+1-512-900-2546" would also be recognized by pretty much everyone.<br />You have people in Brazil - check to see which format they would normally expect to see.<br />The important part is the "+" followed by "1", not the punctuation.</p>

pfSense - Bug #7857 (New): Interfaces Widget U/I fails to wrap IPV6 addresses when the string is ... | https://redmine.pfsense.org/issues/7857 | 2017-09-13T03:43:10Z | Bryan Stenson
<p>Strictly a U/I issue, the widget fails to wrap when the browser window is set small enough to make the string too wide for the box.</p>

pfSense - Bug #7648 (New): SPAN ports on an interface renders CARP HA inoperative | https://redmine.pfsense.org/issues/7648 | 2017-06-14T21:05:03Z | David Van Cleef
<p>When a SPAN port is added to an interface, CARP breaks.</p>
<p>The source address of the CARP announcement, which should be from the IETF VRRP MAC range, changes to the MAC of the physical interface.</p>

pfSense Packages - Feature #7608 (New): Captive Portal amount of traffic Account + Free Radius+M... | https://redmine.pfsense.org/issues/7608 | 2017-05-28T01:47:49Z | mohsen abbaspour
<p>Limitation on amount of traffic does not work when CP, Free Radius and MySQL are used together.</p>
<pre><code>It seems that captive does not count amount of traffic</code></pre>

pfSense - Feature #7030 (New): New Feature Load Balance Per Amount Of GB | https://redmine.pfsense.org/issues/7030 | 2016-12-21T12:45:15Z | christian alfideo arminio
<p><a class="external" href="https://forum.pfsense.org/index.php?topic=122752.0">https://forum.pfsense.org/index.php?topic=122752.0</a></p>

pfSense - Feature #5835 (New): Improve OpenVPN client gateway detection in edge cases where the r... | https://redmine.pfsense.org/issues/5835 | 2016-02-01T08:37:46Z | Jim Pingle
<p>There are a few edge cases where OpenVPN does not set the "route_vpn_gateway" or "ifconfig_remote" environment variables so the "up" script cannot determine the gateway.</p>
<p>Currently the script falls back to using the local IP address in this case, which works OK for some things like policy routing when the interface is assigned, but it causes the wrong IP address to be monitored.</p>
The problem scenario requires BOTH of the following to be true:
<ul>
<li>tap mode OR tun+topology subnet is used</li>
<li>Server does not push ANY routes</li>
</ul>
<p>In that case, the only possible way for the client to determine the gateway is by subnet calculation, assuming the gateway is the first IP address in the block. Our code currently falls back to using the client adapter address in this case when the other two variables are unset.</p>
<p>Fixing it would require the ability to do subnet math or similar calculation from a shell script, or perhaps pulling the config off the interface using ifconfig or another similar function.</p>
<p>Since it appears to work fine from a user perspective aside from picking the right monitor IP address, it's pretty minor as far as I can tell so far.</p>