pfSense bugtracker: Issues
https://redmine.pfsense.org/ | 2024-01-13T23:54:32Z

pfSense - Bug #15162 (Confirmed): Wrong string in “MAC address”
https://redmine.pfsense.org/issues/15162 | 2024-01-13T23:54:32Z | Sergei Shablovsky
<p>Hi, brilliant pfSense stuff!</p>
<p>Wrong string in the “<strong>MAC address</strong>” text entry field in “<strong>Services / Wake-on-LAN / Edit</strong>” when pressing “<strong>+</strong>” in the “<strong>Actions</strong>” column of the “<strong>Diagnostics / ARP Table</strong>” page in the WebGUI.</p>

pfSense - Bug #14936 (New): radvd service shows as stopped in services list when it should be dis...
https://redmine.pfsense.org/issues/14936 | 2023-11-01T15:03:21Z | Jim Pingle
<p>The <code>is_radvd_enabled()</code> function in <code>pfsense-utils.inc</code> appears to incorrectly interpret the state of the radvd service in some cases.</p>
<p>For example, I have a system with WAN DHCP6 and LAN Track6 to WAN, but on LAN I have DHCPv6 disabled and RA disabled. When configured this way, the radvd service is shown in the services list, but is listed as stopped. The <code>radvd.conf</code> file only contains the header, which is expected since there are no interfaces with RA enabled.</p>

pfSense - Feature #14886 (New): Visual improvement to the Gateway widget: display the icon in a c...
https://redmine.pfsense.org/issues/14886 | 2023-10-16T19:25:35Z | Patrik Stahlman
<p>A small tweak to the Gateway widget to display the icon in a color reflecting the status.</p>
<p>Rationale: <br />In my four column setup the status text is not always visible so I can't quickly determine the gateway status without shifting/scrolling the widget to the right. With this change I can see the status in the icon color.</p>
<p>Change:</p>
<ol>
<li>Move the code that determines the background color before the output of the icon. No change to the code, just a move.</li>
<li>Add the background color to the icon formatting.</li>
</ol>

pfSense - Feature #13220 (New): Voucher per-roll bandwidth restrictions and traffic quotas
https://redmine.pfsense.org/issues/13220 | 2022-05-26T08:08:08Z | Raymond Chauke
<p>I hope pfSense can enable per-voucher-roll bandwidth restriction, where during voucher roll creation I can set a KB, MB or GB speed per voucher roll.</p>
<p>Likewise, during voucher roll creation I should be able to set a KB, MB or GB traffic quota: clients can be disconnected after exceeding 1 GB or 500 MB of traffic, inclusive of both downloads and uploads, per voucher roll.</p>

pfSense - Bug #13110 (New): changing CARP VIP address does not update outbound NAT interface IP
https://redmine.pfsense.org/issues/13110 | 2022-04-30T13:19:52Z | luckman212 (luke.hamburg@gmail.com)
<p>In my testing, on a 2 node HA cluster running 22.05.a.20220426.1313, if you change the Virtual IP, it is properly synced to the backup node, but the manual outbound NAT rule is not updated, so things break slightly. I am not sure if this is by design, but since you are selecting the IP by interface name, it seems like it would intuitively work the way other aliases work and "follow" changes to the chosen named VIP.</p>

pfSense - Feature #12863 (New): dynamically tune sha512crypt rounds
https://redmine.pfsense.org/issues/12863 | 2022-02-24T00:16:27Z | Royce Williams (royce@tycho.org)
<p>As touched on in <a class="issue tracker-1 status-5 priority-4 priority-default closed" title="Bug: Suboptimal Password Hashing (Closed)" href="https://redmine.pfsense.org/issues/12800">#12800</a> and <a class="issue tracker-2 status-3 priority-4 priority-default closed" title="Feature: GUI option to select the user password hashing algorithm (Resolved)" href="https://redmine.pfsense.org/issues/12855">#12855</a>, sha512crypt's default number of rounds (5000) can be cracked relatively quickly by modern standards. But "fixing" this with a static, arbitrary number of rounds could adversely impact login speed and user experience, depending on platform.</p>
<p>I propose a middle-ground solution: tune the number of rounds based on platform capability to a target runtime. Multiple UX studies have cited 500ms (half a second) as an upper bound for user login delay tolerance.</p>
<p><a href="https://gist.github.com/roycewilliams/09ddd10504d560c02b28049759cd666f" class="external">This reference code</a> detects the number of rounds near 500ms performance, using a simple approach: performing a test hash, and then applying its performance ratio to the rounds count. It then hashes the password with that number of rounds. It abstracts both the sha512crypt hashing and the dynamic rounds tuning into their own functions. It also improves salt entropy in passing, to match bcrypt and scrypt's 128 bits and to match the sha512crypt</p>
<p>The code is overly commented, to explain the reasoning behind various design choices, such as those informed by attack techniques well known in the password-cracking community.</p>
<p>Sample results for a few platforms at 500ms runtimes (I am actively soliciting additional data points):</p>
<pre>
* AMD Geode LX800 500 MHz (alix2): rounds=11851
* AMD GX-412TC SOC (apu2): rounds=157921
* Intel(R) Celeron(R) CPU N3150 @ 1.60GHz: rounds=209662
* Pentium(R) Dual-Core CPU E5: rounds=568985
* 11th Gen Intel(R) Core(TM) i7-11700K @ 3.60GHz: rounds=1741092
</pre>
<p>Note especially these higher values. A modern CPU can run 1.7 million rounds of sha512crypt in half a second. By contrast, a medium-sized pentest cracking rig (equivalent of 6 GTX 1080s) can do a little over 2 billion rounds in half a second against a single hash (scaling downward across multiple salted hashes).</p>
<p>So while not even a strong hash can protect a single very weak password for long, strengthening these hashes can do a much better job of protecting midrange and stronger ones.</p>

pfSense - Feature #10732 (New): Warning banner for secondary HA node
https://redmine.pfsense.org/issues/10732 | 2020-07-06T05:41:14Z | Constantine Kormashev
<p>It would be good if the secondary HA node had a banner with a warning that all management actions have to be performed on the primary node only. Users would see this banner after login, as they see the default password warning now.</p>
<p>There are a couple of ways to detect a secondary node:</p>
<ul>
<li>hidden flag in the config, see <a class="external" href="https://redmine.pfsense.org/issues/10731">https://redmine.pfsense.org/issues/10731</a></li>
<li>CARP interfaces are in BACKUP state</li>
</ul>

pfSense - Feature #10731 (New): XML-sync primary/secondary config flag
https://redmine.pfsense.org/issues/10731 | 2020-07-06T05:38:54Z | Constantine Kormashev
<p>To prevent XML-sync misconfiguration on a HA cluster, it would be good to have a config flag that can be used for distinguishing primary and secondary nodes. It might be a hidden flag in the config, which is set to primary if XML-sync is enabled on the node and afterwards propagated to the other node as secondary, and vice versa. If the node's flag is secondary, then its XML-sync menu is blocked. This flag can also be used for other purposes, e.g. it might be evidence that the initial XML-sync was successful, and so on.</p>
<p>There is a small issue here: the flag on the secondary is propagated by the primary, which means that if we would like to clear the secondary role without a primary, then we need something like a red Force Clear button, which can reset the flag.<br />The other way would be clearing the secondary flag on each reboot and keeping it unflagged until the first XML-sync session, but this is less obvious.</p>

pfSense - Feature #10446 (New): VIP address is not shown in firewall rules
https://redmine.pfsense.org/issues/10446 | 2020-04-09T09:37:53Z | Silmor Senedlen
<p>Good day<br />I noticed that the VIP address (Type: IP Alias) is not shown in the Source/Destination drop-down menu in Firewall rules.<br />At the same time it is displayed in the Source/Destination drop-down menu of NAT >> Port Forward rules.</p>
<p>Example in attached screenshots.</p>
<p>2.4.5-RELEASE (amd64)</p>

pfSense - Feature #10258 (New): allow to sign CA
https://redmine.pfsense.org/issues/10258 | 2020-02-13T05:27:42Z | Viktor Gurov
<p>To create a cross-signed intermediate CA, this feature can be added to the System / Certificate Manager / CAs / Edit -> Method list.<br />In this way you can import a CA and then sign it with another CA in the system.</p>

pfSense - Bug #9837 (New): ipv6 is not completely disabled on the interfaces
https://redmine.pfsense.org/issues/9837 | 2019-10-20T14:04:36Z | Viktor Gurov
<p>When the IPv6 Configuration Type is None on the Interfaces configuration page, IPv6 link-local addresses are still in use.<br />You can see OSPFv3 hello packets, can use IPv6 from these interfaces,<br />or, if rules like "IPv4+IPv6" are used, can connect to services.</p>
<p>To completely disable IPv6 on interfaces, the option <strong>ifdisabled</strong> must be used, i.e. "ifconfig vtnet0 inet6 ifdisabled".<br />From ifconfig(8):</p>
<pre>
ifdisabled
Set a flag to disable all of IPv6 network communications on the
specified interface. Note that if there are already configured
IPv6 addresses on that interface, all of them are marked as
"tentative" and DAD will be performed when this flag is cleared.
</pre>
<p>pfSense 2.5.0.a.20191018.2017</p>

pfSense - Bug #9755 (New): package description wrong link https://www.freshports.org/security/ope...
https://redmine.pfsense.org/issues/9755 | 2019-09-13T05:20:05Z | Viktor Gurov
<p>Package Dependencies:<br /> openvpn-client-export-2.4.7 - wrong link</p>
<p><a class="external" href="https://www.freshports.org/security/openvpn-client-export">https://www.freshports.org/security/openvpn-client-export</a>:<br />FreshPorts -- Document not found<br />Sorry, but I don't know anything about that.</p>
<p>/security/openvpn-client-export</p>
<p>Perhaps a list of categories or the search page might be helpful.</p>

pfSense - Feature #8775 (New): Use SRV record for LDAP Authentication
https://redmine.pfsense.org/issues/8775 | 2018-08-09T18:26:27Z | fw admin
<p>Maybe it is me, but, using an SRV record to resolve to either SSL or TLS LDAP server doesn't work. IMO, this would provide elegant failover for authentication.</p>
<p>Keep up the great work.</p>

pfSense - Bug #8464 (New): Wireless USB card does not connect to WiFi automatically after reboot/...
https://redmine.pfsense.org/issues/8464 | 2018-04-17T03:35:41Z | Constantine Kormashev
<p>A wireless USB card on the Realtek RTL8192SU chipset in BSS mode does not connect to WiFi until the wireless interface is manually set to down and then up, e.g. after a device reboot.<br />There is no problem with forwarding if the device is already connected to WiFi; the problem happens only after a device reboot/halt.<br />Tried with a D-Link DWA131 (Realtek RTL8192SU) on 3100 and 2220.<br />During the interface down/up there are messages in the console:</p>
<pre>
rsu0: rsu_join_bss: still scanning! (attempt 0)
rsu0_wlan0: ieee80211_new_state_locked: pending SCAN -> AUTH transition lost
</pre>

pfSense - Feature #7934 (New): format support phone# for international use
https://redmine.pfsense.org/issues/7934 | 2017-10-12T16:10:20Z | Adam Thompson (athompso@athompso.net)
<p>In the new 2.4.0 release, the Netgate Services and Support dashboard gadget shows the phone# to call. (Good idea, btw!)<br />So that international users know where to call, the phone# should include the country code as "+1".<br />ITU-standard formatting is "+1 (512) 900-2546", but I guess "+1-512-900-2546" would also be recognized by pretty much everyone.<br />You have people in Brazil - check to see which format they would normally expect to see.<br />The important part is the "+" followed by "1", not the punctuation.</p>