<h1>pfSense bugtracker: Issues</h1>
<p>Feed source: <a href="https://redmine.pfsense.org/">https://redmine.pfsense.org/</a> (updated 2024-01-03T11:03:01Z)</p>
<h2>pfSense - Bug #15134 (Incomplete): Post upgrade to 2.7.2 - Change in alias name stops all traffic</h2>
<p><a href="https://redmine.pfsense.org/issues/15134">https://redmine.pfsense.org/issues/15134</a> | 2024-01-03T11:03:01Z | Rajko Bogdanovic (rajko@itroom-a.com)</p>
<p>After installing the last 2.7.2 release, when we edited an alias name, that rule stopped working, and all traffic was blocked from that point until a full reboot was done.<br />Once rebooted, the old NAT/access rules are working again using the new alias.</p>
<h2>pfSense - Bug #14734 (New): Alias FQDN resolving issue results in incomplete tables</h2>
<p><a href="https://redmine.pfsense.org/issues/14734">https://redmine.pfsense.org/issues/14734</a> | 2023-08-31T13:59:20Z | Robert Gijsen</p>
<p>In CE 2.7.0, there are still issues when FQDNs are used in aliases. Consider an alias with 3 entries, 2 static IPs and one FQDN pointing to one of those IPs as well. When the FQDN changes to the other IP, the IP it had initially is gone from the table.</p>
<p>Steps to reproduce:</p>
<p>Create an alias:</p>
<ul>
<li>add 1.1.1.1</li>
<li>add 8.8.8.8</li>
<li>add a (public) DNS entry you created, pointing to 1.1.1.1, i.e. pfsensetest.domain.com</li>
<li>monitor the table-entry for the alias, all will be ok</li>
<li>now change the DNS entry for pfsensetest.domain.com from 1.1.1.1 to 8.8.8.8 and wait for it to be replicated and pfSense to pick it up</li>
<li>in my setups, 1.1.1.1 got deleted from the table. So while 8.8.8.8 is in there 'twice' now, and 1.1.1.1 only once statically, it's not there anymore</li>
<li>killing filterdns and reloading filters repopulates the tables correctly it seems.</li>
</ul>
<p>It looks like when the FQDN is resolved, it overrules the static entry if one with the same value exists, and when the FQDN changes, the static entry is not put back into the table. I tailed resolver.log while reproducing the issue, but it made no mention at all of resolving the FQDN to another IP. So I don't know what log to add, or which log to enable verbose logging for.</p>
<p>I consider this high priority, as it has high potential of actually functionally breaking an environment.</p>
<h2>pfSense - Bug #14313 (Assigned): Unable to create nested URL table aliases</h2>
<p><a href="https://redmine.pfsense.org/issues/14313">https://redmine.pfsense.org/issues/14313</a> | 2023-04-26T05:22:32Z | Azamat Khakimyanov</p>
<p>In the docs there is a phrase:<br /><em>"URL table aliases can nest other URL table aliases, and URL aliases can nest other URL aliases."</em></p>
<p>I tested it on 23.01 and on 23.05-DEV and I can't create a nested alias with 2 URL table aliases inside:</p>
<p>1. If I tried to create 'Type: Host(s)' alias, I got <br /><em>"The following input errors were detected:<br />The alias(es): urltest1 urltest2 cannot be nested because they are not of the same type."</em></p>
<p>2. If I tried to create 'Type: Network(s)' alias, there was no error but I didn't see this new alias in Diagnostics/Tables</p>
<p>3. If I tried to create 'Type: URL (IPs)' alias, I got <br /><em>"The following input errors were detected:<br />A valid URL or alias must be provided. Could not fetch usable data from 'urltest1'.<br />A valid URL or alias must be provided. Could not fetch usable data from 'urltest2'."</em></p>
<p>4. If I tried to create 'Type: URL Table (IPs)' alias and add one of these URL Table aliases I already created, I got<br /><em>"The following input errors were detected:<br />A valid URL must be provided."</em></p>
<p>5. If I tried to import aliases, I got no errors but I didn't see this new alias in Diagnostics/Tables</p>
<h2>pfSense - Bug #13772 (Confirmed): Changing the alias resolve interval to the default value does n...</h2>
<p><a href="https://redmine.pfsense.org/issues/13772">https://redmine.pfsense.org/issues/13772</a> | 2022-12-18T11:52:17Z | Marcos M</p>
<p>Under <code>System / Advanced / Firewall & NAT</code>, if the <code>Aliases Hostnames Resolve Interval</code> option is changed from a custom value to a blank (default) value, <code>filterdns</code> processes are not restarted. Changes to custom values do correctly restart the processes.</p>
<h2>pfSense - Bug #13706 (Confirmed): Static routes are not updated when updating a nested alias.</h2>
<p><a href="https://redmine.pfsense.org/issues/13706">https://redmine.pfsense.org/issues/13706</a> | 2022-11-28T19:16:13Z | Marcos M</p>
<p>Tested on <code>22.05</code> and <code>23.01.a.20221123.0600</code>.</p>
<p>Setup:</p>
<ul>
<li>Create the network alias <code>a2</code> with a subnet defined.</li>
<li>Create the network alias <code>a1</code> with <code>a2</code> as an entry and an additional subnet.</li>
<li>Add a static route using the alias <code>a1</code>.</li>
</ul>
<p>Issue:</p>
<ul>
<li>Updating <code>a2</code> correctly updates the alias table seen under Diagnostics / Tables, but it does not affect the route table.</li>
<li>Re-saving <code>a1</code> adds a new route with the updated settings, but the old route is not removed.</li>
<li>Removing <code>a2</code> from <code>a1</code> does not delete the routes.</li>
</ul>
<h2>pfSense - Bug #13500 (New): Remote groups with special characters ($) / LDAP not supported.</h2>
<p><a href="https://redmine.pfsense.org/issues/13500">https://redmine.pfsense.org/issues/13500</a> | 2022-09-18T14:52:59Z | David Duchscher</p>
<p>A bunch of our groups in our campus Active Directory / LDAP are by policy prefixed with a dollar sign ($), and pfSense does not allow creation of these groups.</p>
<p>I worked around the issue by creating and configuring the group without it and then adding it manually to the config.xml file.</p>
<h2>pfSense - Bug #13093 (Feedback): LDAP authentication fails with extended query and RFC2307 group ...</h2>
<p><a href="https://redmine.pfsense.org/issues/13093">https://redmine.pfsense.org/issues/13093</a> | 2022-04-24T11:05:29Z | Chris Linstruth</p>
<p>LDAP authentication fails with extended query and RFC2307 group lookups enabled</p>
<a name="With-Extended-Query-On-and-RFC2307-Groups-off-Works"></a>
<h3>With Extended Query On and RFC2307 Groups off (Works):<a href="#With-Extended-Query-On-and-RFC2307-Groups-off-Works" class="wiki-anchor">¶</a></h3>
<p>First (Why is it searching that base?):</p>
<pre><code>Base
 uid=testuser,ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com
Search Filter
 (uid=testuser)
Number of Results
 0</code></pre>
<p>Then:</p>
<pre><code>Base
 ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com
Search Filter
 (&(uid=testuser)(&(objectClass=inetOrgPerson)(memberOf=cn=vpn,ou=users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com)))
Number of Results
 1</code></pre>
<p>Then:</p>
<pre><code>Bind to:</code></pre>
<pre><code>User testuser authenticated successfully. This user is a member of groups:</code></pre>
<a name="With-Extended-Query-off-and-RFC2307-Groups-on-Use-DN-for-username-search-on-Works"></a>
<h3>With Extended Query off and RFC2307 Groups on, Use DN for username search on (Works):<a href="#With-Extended-Query-off-and-RFC2307-Groups-on-Use-DN-for-username-search-on-Works" class="wiki-anchor">¶</a></h3>
<p>First:</p>
<pre><code>bind to
 Distinguished Name
 uid=testuser,ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com
 Successful</code></pre>
<p>Then:</p>
<pre><code>Base
 ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com
Search Filter
 (uid=testuser)
Number of Results
 1</code></pre>
<p>Then (Yes, it was logged twice):</p>
<pre><code>Base
 ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com
Search Filter
 (uid=testuser)
Number of Results
 1</code></pre>
<p>Then:</p>
<pre><code>Base
 ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com
Search Filter
 (&(objectClass=groupOfNames)(member=uid=testuser,ou=users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com))
Number of Results
 3</code></pre>
<pre><code>User testuser authenticated successfully. This user is a member of groups:
 Nextcloud
 VPN</code></pre>
<a name="With-Extended-Query-on-and-RFC2307-Groups-on-Use-DN-for-username-search-on-Fails"></a>
<h3>With Extended Query on and RFC2307 Groups on, Use DN for username search on (Fails):<a href="#With-Extended-Query-on-and-RFC2307-Groups-on-Use-DN-for-username-search-on-Fails" class="wiki-anchor">¶</a></h3>
<pre><code>Base
 ou=Users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com
Search Filter
 (&(member=uid=testuser,ou=users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com)(&(objectClass=inetOrgPerson)(memberOf=cn=vpn,ou=users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com)))
Number of Results
 0</code></pre>
<pre><code>The following input errors were detected:
 Authentication failed.</code></pre>
<p>This looks like it is putting the extended query where it does not belong. It also looks like it is searching for the user as if it was a group with the member=uid=testuser,ou=users,o=9c65b5a4c5d919372fee0eee,dc=jumpcloud,dc=com query but it's also setting an objectClass=inetOrgPerson which is never going to succeed.</p>
<p>To me it should perform the user search with the extended query to get the DN then use that DN to search groupOfNames for the member=</p>
<p>Seems like it should test the bind to authenticate the user before the group search just to save unnecessary lookups if the authentication is just going to fail.</p>
<p>One should be able to use an extended query to limit the users to a specific group <strong>and</strong> do a query to get the list of groups the user is a member of. That does not look to be possible currently.</p>
<h2>pfSense - Bug #12726 (New): LDAP select container button auto populate</h2>
<p><a href="https://redmine.pfsense.org/issues/12726">https://redmine.pfsense.org/issues/12726</a> | 2022-01-25T13:48:31Z | Federico Galli</p>
<p>Hi! I would like to suggest an improvement to the Authentication server page. I see that the Authentication containers field is underlined, to mean that it is mandatory. If you first fill all the necessary fields, then you can click the select container button to choose which containers to use, right? But there has to be something in that field first, in order for the window to appear. If you type just any single letter, then that window with the containers to tick appears. Maybe some logic could be changed, so that if everything else is correctly completed, there is no need for anything to be in the Authentication containers field before clicking the save button.</p>
<h2>pfSense - Bug #12715 (New): Long system startup time when LDAP is configured and unavailable duri...</h2>
<p><a href="https://redmine.pfsense.org/issues/12715">https://redmine.pfsense.org/issues/12715</a> | 2022-01-21T15:36:42Z | Christian McDonald (cmcdonald@netgate.com)</p>
<ol>
<li>Currently if LDAP is unavailable at system startup, several LDAP queries have to timeout before the system will proceed with startup. There is no recycling of connections, so <em>n</em> LDAP queries requires <em>n</em> separate connections, and thus <em>n</em> separate timeouts. This results in a hang at startup that is several minutes long in some cases, probably dependent on the number of LDAP calls that are required (e.g. <em>n</em> * LDAP_timeout).</li>
<li>If LDAP is unavailable during system startup, the system will appear to hang at "Synchronizing user settings..." </li>
<li>This is unavoidable if LDAP connectivity relies on a VPN (e.g. IPsec, WireGuard, etc.), FRR for dynamic routes, etc...these services are started later in the startup process.</li>
<li>We should implement some sort of global state that will prevent subsequent LDAP queries if one times out during system startup, as subsequent attempts are likely to fail as well.</li>
</ol>
<p>Related to <a class="external" href="https://redmine.pfsense.org/issues/11644">https://redmine.pfsense.org/issues/11644</a></p>
<h2>pfSense - Bug #12519 (New): Fail authentication using special character in password via the LDAP ...</h2>
<p><a href="https://redmine.pfsense.org/issues/12519">https://redmine.pfsense.org/issues/12519</a> | 2021-11-12T07:10:33Z | Luca De Andreis</p>
<p>Hi all,</p>
<p>using OpenVPN authentication by LDAP connector to an AD 2016 server, I realized that using a character in the password like this "€" the authentication always fails; deleting that character, everything works as expected.</p>
<p>Thanks<br />Luca</p>
<h2>pfSense - Bug #12283 (New): LDAP/RADIUS authentication servers configuration does not allow sourc...</h2>
<p><a href="https://redmine.pfsense.org/issues/12283">https://redmine.pfsense.org/issues/12283</a> | 2021-08-20T01:15:40Z | Viktor Gurov</p>
<p>This is a limitation of the Auth_RADIUS package and <code>ldap_connect()</code></p>
<p>But this is required in some cases: when multiple routes are available to the authentication servers,<br />or the next hop router is on the APIPA network (for example, at the other end of the AWS tunnel).</p>
<h2>pfSense - Bug #12095 (New): Memory leak in pcscd</h2>
<p><a href="https://redmine.pfsense.org/issues/12095">https://redmine.pfsense.org/issues/12095</a> | 2021-06-30T15:27:43Z | Steve Wheeler</p>
<p>The PCSC daemon looks to have a memory leak even when it's not in use. Or even when there are no IPSec tunnels defined which might be tied to it.</p>
<pre>
last pid: 99559; load averages: 0.25, 0.18, 0.11 up 12+01:45:56 18:38:11
69 processes: 1 running, 68 sleeping
CPU: 0.2% user, 0.0% nice, 1.2% system, 0.0% interrupt, 98.6% idle
Mem: 31M Active, 1047M Inact, 502M Wired, 116M Buf, 347M Free
Swap: 1908M Total, 1908M Free
PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND
7760 root 3 20 0 990M 976M select 1 24:23 0.14% pcscd
9887 root 1 52 0 105M 39M accept 0 1:20 0.00% php-fpm
87665 root 1 52 0 102M 36M accept 0 0:43 0.00% php-fpm
4918 root 1 52 0 102M 36M accept 1 0:40 0.00% php-fpm
77558 root 1 52 0 102M 36M accept 1 0:38 0.00% php-fpm
</pre>
<p>Stopping and then starting the service resets the memory use to ~4MB. If you have IPsec tunnels defined, when doing that the IPsec service will also need to be stopped and then started.</p>
<p>There looks to be a limit at ~1GB so it could be only lower memory systems that are affected.</p>
<p>Tested: CE 2.5.1, Plus 21.05 and 21.09.</p>
<h2>pfSense - Bug #10765 (New): Ampersands in ldap_extended_query are escaped twice</h2>
<p><a href="https://redmine.pfsense.org/issues/10765">https://redmine.pfsense.org/issues/10765</a> | 2020-07-15T11:04:32Z | Louis Sautier</p>
<p>Hello,<br />I recently ran into an issue with an LDAP server whose Query field contained an ampersand.</p>
<p>The field is set to</p>
<pre>
memberOf=CN=Some Group,OU=One & Two,DC=blah,DC=local
</pre>
<p>That results in</p>
<pre><code class="xml"><ldap_extended_query><![CDATA[memberOf=CN=Some Group,OU=One &amp; Two,DC=blah,DC=local]]></ldap_extended_query>
</code></pre>
<p>in config.xml.</p>
<p>Re-writing the XML config with Python shows that <code>&</code> is escaped twice (once because of CDATA, once because of the HTML entities):</p>
<pre><code class="python">#!/usr/bin/env python3
import xml.etree.ElementTree as ET

# The element exactly as it is stored in config.xml (CDATA wrapping an entity-escaped value).
xml = "<ldap_extended_query><![CDATA[memberOf=CN=Some Group,OU=One &amp; Two,DC=blah,DC=local]]></ldap_extended_query>"
tree = ET.fromstring(xml)
# Serialising the parsed text escapes the surviving '&' a second time.
print(ET.tostring(tree, encoding="unicode"))
</code></pre>
<p>Running the script results in</p>
<pre><code class="xml"><ldap_extended_query>memberOf=CN=Some Group,OU=One &amp;amp; Two,DC=blah,DC=local</ldap_extended_query>
</code></pre>
<p>Both syntaxes should be equivalent. However, when the configuration is reloaded, the query (as shown in the web UI) becomes</p>
<pre>
memberOf=CN=Some Group,OU=One &amp; Two,DC=blah,DC=local
</pre>
<p>and is now invalid.</p>
<h2>pfSense - Bug #10352 (New): RADIUS authentication fails with MSCHAPv1 or MSCHAPv2 when passwords ...</h2>
<p><a href="https://redmine.pfsense.org/issues/10352">https://redmine.pfsense.org/issues/10352</a> | 2020-03-17T09:27:26Z | Jim Pingle</p>
<p>RADIUS authentication fails with the authentication server entry set to use MSCHAPv1 or MSCHAPv2 when passwords contain international characters. Authentication with the same password succeeds when set to PAP or MD5-CHAP.</p>
<p>I've tried running through a few different encodings (UTF-8, UTF-16, and the chap module's own unicode conversion function) without success.</p>
<p>It works when using <code>radtest</code> at the CLI regardless of type passed to that program. Packet captures of similar requests don't show significant differences between PHP and radtest.</p>
<p>Could be a limitation of Crypt_CHAP_MSv1 / Crypt_CHAP_MSv2 / Auth_RADIUS_*, but we should at least eliminate possible local code causes first.</p>
<p>Low priority since there are ways to make it work (PAP, MD5-CHAP), and users could choose to use other compatible passwords.</p>
<h2>pfSense - Bug #7665 (New): Host range validation for Aliases is not strict enough</h2>
<p><a href="https://redmine.pfsense.org/issues/7665">https://redmine.pfsense.org/issues/7665</a> | 2017-06-28T11:41:34Z | Re Load</p>
<p>Steps to reproduce:</p>
<p>1. Enter an invalid host range for an IP alias, such as 192.168.1.1-10, and click Save.</p>
<p>The host range will be accepted, but does not function as one might expect. In fact, the syntax is invalid and only the first host in the range will be matched by this alias.</p>
<p>Desired behaviour:</p>
<p>The host range should be rejected by the form validation. The correct syntax for the example above would be 192.168.1.1-192.168.1.10.</p>
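<p>Two of the reports above concern configuration values that are stored or accepted wrongly: #10765 (an ampersand in <code>ldap_extended_query</code> escaped twice on its way into config.xml, so the reloaded query is invalid) and #7665 (a host range such as <code>192.168.1.1-10</code> passing validation although only its first host is matched). The Python below is an added example, not pfSense code and not from either reporter: it shows the checks a practitioner would want for both, a round-trip test that escapes a value exactly once and flags a parsed value that was escaped twice, and a strict host-range validator that accepts only two complete addresses of the same family and expands an accepted range into the CIDR blocks a table would load. The element name <code>ldap_extended_query</code> and the sample query string follow the report; the names <code>QUERY</code>, <code>TAG</code> and all functions are this example's own.</p>

```python
"""Constructed example (not pfSense code): round-trip and validation checks
for the config-value bugs reported in #10765 and #7665."""
import html
import ipaddress
import re
import xml.etree.ElementTree as ET

# --- #10765: an ampersand in ldap_extended_query is escaped twice -----------

TAG = "ldap_extended_query"
# Constructed query value in the same shape as the one in the report.
QUERY = "memberOf=CN=Some Group,OU=One & Two,DC=blah,DC=local"


def write_double_escaped(value):
    """Reproduces the reported behaviour: the value is entity-escaped as if it
    were an element body and then wrapped in CDATA anyway, so '&amp;' is
    stored literally and comes back as '&amp;' after parsing."""
    return f"<{TAG}><![CDATA[{html.escape(value, quote=False)}]]></{TAG}>"


def write_cdata(value):
    """CDATA stores the text verbatim; no entity escaping must be applied."""
    if "]]>" in value:
        raise ValueError("value would terminate the CDATA section")
    return f"<{TAG}><![CDATA[{value}]]></{TAG}>"


def write_escaped(value):
    """Let the XML library escape exactly once ('&' becomes '&amp;')."""
    el = ET.Element(TAG)
    el.text = value
    return ET.tostring(el, encoding="unicode")


def read_value(xml_text):
    """What a parser hands back when the configuration is reloaded."""
    return ET.fromstring(xml_text).text


def round_trips(writer, value):
    """True when writing with `writer` and parsing again yields `value`."""
    return read_value(writer(value)) == value


_ENTITY = re.compile(r"&(?:amp|lt|gt|quot|apos|#\d+|#x[0-9a-fA-F]+);")


def looks_double_escaped(parsed_value):
    """After parsing, no entity should survive; a literal '&amp;' in the
    parsed value is the fingerprint of a value that was escaped twice."""
    return _ENTITY.search(parsed_value) is not None


# --- #7665: a host range must be two full addresses of the same family -------

def parse_host_range(text):
    """Accept only 'start-end' with two complete IP addresses of the same
    family and start <= end; anything else raises ValueError
    (ipaddress.ip_address rejects a bare '10', so '192.168.1.1-10' fails)."""
    if text.count("-") != 1:
        raise ValueError("a host range is exactly two addresses joined by '-'")
    start_s, end_s = text.split("-")
    start = ipaddress.ip_address(start_s)
    end = ipaddress.ip_address(end_s)
    if start.version != end.version:
        raise ValueError("both ends of a range must be the same IP family")
    if end < start:
        raise ValueError("range end precedes range start")
    return start, end


def is_valid_host_range(text):
    """Form-validation style boolean wrapper around parse_host_range."""
    try:
        parse_host_range(text)
        return True
    except ValueError:
        return False


def host_range_to_networks(text):
    """Expand a validated range into the CIDR blocks a table would load."""
    start, end = parse_host_range(text)
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


if __name__ == "__main__":
    for writer in (write_double_escaped, write_cdata, write_escaped):
        parsed = read_value(writer(QUERY))
        print(f"{writer.__name__:22s} round-trips={round_trips(writer, QUERY)} "
              f"double-escaped={looks_double_escaped(parsed)}")
    for candidate in ("192.168.1.1-10", "192.168.1.1-192.168.1.10"):
        print(candidate, "valid" if is_valid_host_range(candidate) else "rejected")
    print(host_range_to_networks("192.168.1.1-192.168.1.10"))
```

<p>Only <code>write_double_escaped</code> fails the round trip, and <code>looks_double_escaped</code> catches that case from the parsed value alone, which makes it usable as a post-load check on an existing config.xml. On the alias side, the validator rejects the shorthand range from #7665 and also rejects mixed-family and reversed ranges, which the same loose check would let through.</p>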