pfSense bugtracker: Issues
https://redmine.pfsense.org/ - 2024-02-16T18:53:24Z

pfSense Plus - Todo #15266 (Feedback): Prevent usage of the default password in User Manager acco...
https://redmine.pfsense.org/issues/15266 - 2024-02-16T18:53:24Z - Jim Pingle
<p>Currently we detect in the GUI when the admin account is using the default password (<code>"pfsense"</code>) and print a warning message: source:src/usr/local/www/head.inc#L564</p>
<p>We should change that to check any account (not just <code>admin</code>) and force a password change during one or more of the user's initial interactions, for example:</p>
<ul>
<li>During the setup wizard</li>
<li>GUI login any time the password matches the default password</li>
<li>Shell (console or SSH) login any time the password matches the default password</li>
<li>Possibly during the installation process</li>
</ul>
<p>We should also not allow the user to change their password to any variation of "pfsense" in upper/lower/mixed case.</p>

pfSense Plus - Bug #15262 (New): Captive Portal Has High CPU Interrupts With Large Number of Users
https://redmine.pfsense.org/issues/15262 - 2024-02-15T19:33:29Z - Kris Phillips
<p>When 700+ Captive Portal users are in use, CPU interrupts will cause high load averages to occur. This can lead to connectivity problems, such as packet loss on WAN uplinks, webConfigurator responsiveness issues, etc.</p>
<p>Tested with a customer who had load averages of 14-16 with Captive Portal on with 1400+ users. Once Captive Portal was turned off, load averages dropped to 0.5.</p>
<p>Load seems higher for Captive Portal when there is a significant number of users since the transition to pf from ipfw.</p>

pfSense Plus - Bug #15157 (Incomplete): Problem in Restore Backup
https://redmine.pfsense.org/issues/15157 - 2024-01-12T23:35:22Z - Ramon Alonso Costa
<p>I am having the following issue when trying to update the DNS Resolver backup. Below is the file with the error.</p>

pfSense Plus - Bug #15126 (New): SG-1100 pfSense+ recovery results in non aligned disk slices
https://redmine.pfsense.org/issues/15126 - 2023-12-29T03:11:42Z - David Burns (david.burns@dugeem.net)
<p>Currently preparing for an upgrade of SG-1100 remote worker fleet.</p>
<p>However after installing the latest SG-1100 recovery image (pfSense-plus-compat-recovery-23.09.1-RELEASE-aarch64.img.gz) it appears that the resulting image restore to SG-1100 eMMC is not aligned:<br />(reference <a class="external" href="https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/reinstall-pfsense.html">https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/reinstall-pfsense.html</a>)</p>
<pre>
gpart show mmcsd0
=> 1 15273599 mmcsd0 MBR (7.3G)
1 409600 1 efi (200M)
409601 131072 2 fat32 (64M)
540673 14732927 3 freebsd [active] (7.0G)
</pre>
<p>This is a UFS build. Clearly the FreeBSD slice (starting at sector 540673) is not aligned with a 4k / 32k / 1M boundary. Non-aligned writes may have an impact on eMMC life (depending on the write workload, of course).</p>
<p>Within the slice the actual UFS partition is at least 8k aligned (although suboptimal given that the UFS2 default block size is 32kB):</p>
<pre>
gpart show mmcsd0s3
=> 0 14732927 mmcsd0s3 BSD (7.0G)
0 16 - free - (8.0K)
16 14732911 1 freebsd-ufs (7.0G)
</pre>
<p>Compare this to a Netgate 7100 (with ZFS):</p>
<pre>
gpart show mmcsd0
40 61071280 mmcsd0 GPT (29G)
40 1024 1 freebsd-boot (512K)
1064 984 - free - (492K)
2048 4194304 2 freebsd-swap (2.0G)
4196352 56872960 3 freebsd-zfs (27G)
61069312 2008 - free - (1.0M)
</pre>
<p>Hopefully image build can be corrected using appropriate <strong><code>gpart add -t freebsd -a 1M ... /dev/mmcsd0</code></strong> argument parameters.</p>
<p>Lastly, is the SG-1100 (aarch64) recovery image also used for the SG-2100? If so, this issue may also impact the SG-2100.</p>

pfSense Plus - Feature #15070 (New): Script to fix: ld-elf.so.1: Shared object "libssl.so.30" not...
https://redmine.pfsense.org/issues/15070 - 2023-12-06T05:14:20Z - Jonathan Lee
<p>When using boot environments to move the system back a version to the last stable version, users can no longer check for updates. This version is displayed in the GUI as a version to still use. Thus a boot environment should not contain this error for standard users; it should default back also.</p>
<p>Error is:<br /><code>ld-elf.so.1: Shared object "libssl.so.30" not found, required by "pfSense-repoc"</code></p>
<p>stephenw10 fixed my issue with the linked library Boot Environment issue for Plus:</p>
<p><code>pkg-static upgrade -f pfSense-repoc</code></p>
<p>Can we add a simple script that will auto-run this command when users change to an older boot environment, with a try/catch error condition for this?</p>
<p>That way previous stable version boot environments do not see this error.</p>

pfSense Plus - Bug #14968 (New): Google LDAP fail to bind
https://redmine.pfsense.org/issues/14968 - 2023-11-11T13:11:11Z - Lev Prokofev
<p>Even with a freshly created cert and Bind user login/pass it fails to bind with the message:</p>
<p><em>/system_authservers.php: ERROR! ldap_get_user_ous() could not bind to server.</em></p>
<p>It seems the TLS talk between the client and server went smoothly (packet capture attached).</p>
<p>Ticket for reference #2067635022</p>

pfSense Plus - Feature #14915 (New): MAC aliases / Lists with MAC addresses would be very helpful
https://redmine.pfsense.org/issues/14915 - 2023-10-24T14:54:14Z - Louis B
<p>I would like to create a MAC filter using the Ethernet layer firewall, and it is absolutely not practical / a good idea to define a rule for each MAC address to check. In general, if you want to set a TAG in favor of policy filtering, it will almost certainly be related to a group of MAC addresses, not a single one.</p>
<p>So it would be very helpful if the firewall alias function would be extended for MAC addresses.</p>

pfSense Plus - Feature #14789 (Pull Request Review): Captive Portal - Add OTP authentication opti...
https://redmine.pfsense.org/issues/14789 - 2023-09-18T06:34:26Z - Barry Schut
<p>I have created a small modification to the captive portal pages so it would be possible to use an OTP as login option for the portal.</p>
<p>This will allow for an ever changing password on the portal but also control over who gets to use it.</p>
<p>In my personal situation:</p>
<p>I have a guest wifi and I am using the captive portal to allow people to login. With a small hardware OTP generator (hand held device) I can grant visitors access. No fuss, no accounts, no risk of leaking details.</p>
<p>I will be creating a pull request soon.</p>

pfSense Plus - Bug #14175 (New): LDAP authentication for SSH fails
https://redmine.pfsense.org/issues/14175 - 2023-03-24T12:58:35Z - Georgiy Tyutyunnik
<p>LDAP authentication fails for SSH user authentication via LDAP with error (Invalid credentials).<br />The same user successfully authenticates to the GUI.<br />A user group with shell access is defined on pfSense and recognized at LDAP login; the Shell Authentication Group DN is defined.<br />Logs for the successful GUI and failed SSH logins are attached.</p>

pfSense Plus - Feature #14133 (New): Exporting and Importing - Change Layout
https://redmine.pfsense.org/issues/14133 - 2023-03-20T03:47:01Z - Steven Cedrone
<p>Please change Backup & Restore to allow for choosing only what areas you want to import/export without having to do it one area at a time.</p>
<p>The drop-down-style boxes for "Backup Area" and "Restore Area" should allow you to hold CTRL and choose multiple areas at a time. Or change the drop-down boxes to scrolling boxes similar to other areas of pfSense, for example when you select multiple WAN or LAN connections in pfBlocker.</p>
<p>This would be quite handy for exporting partial settings for new setups without having to do it area by area.</p>

pfSense Plus - Bug #14104 (New): Google LDAP connections still fail even after adding SNI for TLS...
https://redmine.pfsense.org/issues/14104 - 2023-03-14T03:11:56Z - Azamat Khakimyanov
<p>Tested on 23.01 and with IPv6.</p>
<p>After fixing <a class="external" href="https://redmine.pfsense.org/issues/11626">https://redmine.pfsense.org/issues/11626</a> I see that the LDAP client is sending the SNI header during TLS negotiation ('Client_Hello.png') but Google LDAP connections still fail.</p>
<p>In PCAP I got 'Alert (Level: Fatal, Description: Unknown CA)' so looks like Google LDAP is still replying with a self-signed certificate that will not pass CA validation checks (<a class="external" href="https://support.google.com/a/answer/9190869">https://support.google.com/a/answer/9190869</a>)</p>
<p>The strange part is that I got no error if I run <code>ldapsearch -H ldaps://ldap.google.com -x -d1</code>:</p>
<pre>
ldap_url_parse_ext(ldaps://ldap.google.com)
ldap_create
ldap_url_parse_ext(ldaps://ldap.google.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.google.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 2001:4860:4802:32::3a 636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS trace: SSL_connect:TLSv1.3 read encrypted extensions
TLS trace: SSL_connect:SSLv3/TLS read server certificate request
TLS certificate verification: depth: 2, err: 0, subject: /C=US/O=Google Trust Services LLC/CN=GTS Root R1, issuer: /C=US/O=Google Trust Services LLC/CN=GTS Root R1
TLS certificate verification: depth: 1, err: 0, subject: /C=US/O=Google Trust Services LLC/CN=GTS CA 1C3, issuer: /C=US/O=Google Trust Services LLC/CN=GTS Root R1
TLS certificate verification: depth: 0, err: 0, subject: /CN=ldap.google.com, issuer: /C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
TLS trace: SSL_connect:SSLv3/TLS read server certificate
TLS trace: SSL_connect:TLSv1.3 read server certificate verify
TLS trace: SSL_connect:SSLv3/TLS read finished
TLS trace: SSL_connect:SSLv3/TLS write change cipher spec
TLS trace: SSL_connect:SSLv3/TLS write client certificate
TLS trace: SSL_connect:SSLv3/TLS write finished
ldap_open_defconn: successful
</pre>

pfSense Plus - Bug #13949 (New): Boot Environments do not seem to cleanly restore the system
https://redmine.pfsense.org/issues/13949 - 2023-02-12T09:51:54Z - Yuri Weinstein
<p>I tried and set up 25.01RC and had a minor issue so decided to roll back to 22.05.</p>
<p>To my surprise, after restoring the system back to 22.05, two packages, <code>ntopng</code> and <code>pfBlockerNG-devel</code>, had errors and required reinstalls.</p>
<p>Boot Environments did not cleanly restore the system to the known state!</p>
<p>See more than one user reporting this problem: <a class="external" href="https://forum.netgate.com/topic/177764/boot-environments-unexpected-behavior">https://forum.netgate.com/topic/177764/boot-environments-unexpected-behavior</a></p>

pfSense Plus - Bug #13569 (New): Restarting an OpenVPN server running on a CARP VIP in an HA clus...
https://redmine.pfsense.org/issues/13569 - 2022-10-17T03:37:55Z - Azamat Khakimyanov
<p>Our customer (Ticket #1161128024) pointed out a possible problem with HA cluster and TCP streams. During troubleshooting the customer found out that having an OpenVPN Server running on a VIP (WAN CARP VIP or IP Alias bundled with WAN CARP VIP) causes this issue: during failover all TCP streams break down.</p>
<p>I was able to reproduce this issue:</p>
<ul>
<li>HA cluster</li>
<li>OpenVPN Server with WAN CARP VIP as an Interface</li>
<li>downloading process (FreeBSD image) and TCP stream (VLC with Network Stream: <a class="external" href="http://webcam.rhein-taunus-krematorium.de/mjpg/video.mjpg">http://webcam.rhein-taunus-krematorium.de/mjpg/video.mjpg</a>) running on an internal host</li>
<li>active RA OpenVPN connection from an external host</li>
</ul>
<p>Putting the Primary into Persistent CARP Maintenance mode destroyed both the downloading process and the TCP stream:</p>
<p>- System log on Primary</p>
<pre>
Oct 17 08:08:24 check_reload_status 389 Reloading filter
Oct 17 08:08:24 kernel ovpns1: link state changed to DOWN
Oct 17 08:08:21 php-fpm 5328 /rc.filter_synchronize: XMLRPC reload data success with https://10.10.99.2:443/xmlrpc.php (pfsense.restore_config_section).
Oct 17 08:08:21 php-fpm 5328 /rc.filter_synchronize: Beginning XMLRPC sync data to https://10.10.99.2:443/xmlrpc.php.
Oct 17 08:08:21 php-fpm 5328 /rc.filter_synchronize: XMLRPC versioncheck: 22.7 -- 22.7
Oct 17 08:08:21 php-fpm 5328 /rc.filter_synchronize: XMLRPC reload data success with https://10.10.99.2:443/xmlrpc.php (pfsense.host_firmware_version).
Oct 17 08:08:21 php-fpm 5328 /rc.filter_synchronize: Beginning XMLRPC sync data to https://10.10.99.2:443/xmlrpc.php.
Oct 17 08:08:21 check_reload_status 389 Carp backup event
Oct 17 08:08:21 check_reload_status 389 Carp backup event
Oct 17 08:08:21 kernel carp: 3@vtnet1: MASTER -> BACKUP (more frequent advertisement received)
Oct 17 08:08:21 kernel carp: 2@vtnet0: MASTER -> BACKUP (more frequent advertisement received)
Oct 17 08:08:21 kernel carp: 4@vtnet2: MASTER -> BACKUP (more frequent advertisement received)
Oct 17 08:08:21 check_reload_status 389 Carp backup event
Oct 17 08:08:20 check_reload_status 389 Syncing firewall
Oct 17 08:08:20 php-fpm 5328 /status_carp.php: Configuration Change: admin@192.168.122.1 (Local Database): Enter CARP maintenance mode
</pre>
<p>- System log on Secondary node</p>
<pre>
Oct 17 08:08:25 php-fpm 359 /rc.start_packages: Restarting/Starting all packages.
Oct 17 08:08:24 check_reload_status 389 Starting packages
Oct 17 08:08:24 check_reload_status 389 Reloading filter
Oct 17 08:08:24 php-fpm 359 /rc.newwanip: Netgate pfSense Plus package system has detected an IP change or dynamic WAN reconnection - -> 172.27.240.1 - Restarting packages.
Oct 17 08:08:24 php-fpm 359 /rc.newwanip: rc.newwanip called with empty interface.
Oct 17 08:08:24 php-fpm 359 /rc.newwanip: rc.newwanip: on (IP address: 172.27.240.1) (interface: []) (real interface: ovpns1).
Oct 17 08:08:24 php-fpm 359 /rc.newwanip: rc.newwanip: Info: starting on ovpns1.
Oct 17 08:08:23 check_reload_status 389 rc.newwanip starting ovpns1
Oct 17 08:08:23 check_reload_status 389 Reloading filter
Oct 17 08:08:23 kernel ovpns1: link state changed to UP
Oct 17 08:08:21 check_reload_status 389 Reloading filter
Oct 17 08:08:21 check_reload_status 389 Syncing firewall
Oct 17 08:08:21 php-fpm 62370 /xmlrpc.php: Configuration Change: (system)@10.10.99.1: Merged in config (staticroutes, gateways, virtualip, system, hasync, aliases, ca, cert, crl, dhcpd, dnshaper, filter, ipsec, nat, openvpn, schedules, shaper, unbound, wol sections) from XMLRPC client.
Oct 17 08:08:21 check_reload_status 389 Carp master event
Oct 17 08:08:21 check_reload_status 389 Carp master event
Oct 17 08:08:21 kernel arp: 10.10.130.1 moved from 00:00:5e:00:01:04 to 52:54:00:33:21:c0 on vtnet2
Oct 17 08:08:21 kernel carp: 2@vtnet0: BACKUP -> MASTER (preempting a slower master)
Oct 17 08:08:21 kernel carp: 3@vtnet1: BACKUP -> MASTER (preempting a slower master)
Oct 17 08:08:21 kernel carp: 4@vtnet2: BACKUP -> MASTER (preempting a slower master)
Oct 17 08:08:21 check_reload_status 389 Carp master event
</pre>

pfSense Plus - Feature #12546 (New): Add 2FA Support to pfSense Plus Local Database Authentication
https://redmine.pfsense.org/issues/12546 - 2021-11-27T17:36:40Z - Kris Phillips
<p>To eliminate the reliance on unsupported packages like freeRADIUS for making this work, we should add the capability to the built-in user database in pfSense for time-based tokens. This could be "bolted on" to the end of passwords similar to how other options accomplish this for OpenVPN or IPsec VPNs, but we may be able to add a field to the webConfigurator login for 2FA.</p>

pfSense Plus - Feature #11920 (New): SAML Authentication for pfSense (VPN and webConfigurator)
https://redmine.pfsense.org/issues/11920 - 2021-05-13T14:27:23Z - Kris Phillips
<p>A customer has requested SAML authentication support for things like Azure as an alternative to LDAP and RADIUS. Please reference internal ticket number 84890 for more details.</p>
<p>There are some projects that exist for making the webConfigurator work with SAML for authentication. See here:<br /><a class="external" href="https://github.com/jaredhendrickson13/pfsense-saml2-auth">https://github.com/jaredhendrickson13/pfsense-saml2-auth</a></p>
<p>Additionally, it seems that OpenVPN has support for this as an authentication method.</p>