pfSense bugtracker: Issues https://redmine.pfsense.org/ 2022-09-29T18:43:21Z
pfSense Plus - Bug #13530 (Incomplete): Remote Logging strange behavior https://redmine.pfsense.org/issues/13530 2022-09-29T18:43:21Z Marcelo Cury
<p>My SG-3100 (22.05) is configured to send logs to a remote syslog server in my LAN on port 1514.</p>
pfsense remote logs configuration:
<ul>
<li>System Events</li>
<li>Firewall Events</li>
<li>DNS Events</li>
<li>DHCP Events</li>
<li>General Authentication Events</li>
<li>VPN Events</li>
<li>Gateway Monitor Events</li>
<li>Network Time Protocol Events</li>
</ul>
<p>It has been working fine for several days but today I noticed that the Firewall Events stopped ( <strong>filterlog</strong> ).<br />The problem didn't happen with other events such as <strong>dhcpd, dpinger, filterdns, php-fpm, dhclient, unbound</strong>...</p>
<p>I'm not sure what could have triggered the issue, but I fixed it by going to <em>Status > System > Logs > Settings > Remote Logging Options</em> and clicking <strong>Save</strong>.</p>
<p><code>2022-09-29T18:36:09.000-03:00 filterlog[41290]: 4,,,1000000103,mvneta2,match,block,in,4,0x0,,239,35008,0,none,6,tcp,40,91.191.209.198,x.x.x.x,47587,3474,0,S,1457975303,,1024,,<br />2022-09-29T18:36:18.000-03:00 filterlog[41290]: 4,,,1000000103,mvneta2,match,block,in,4,0x0,,45,28891,0,DF,6,tcp,52,123.160.221.63,x.x.x.x,48931,8410,0,S,1759706956,,65535,,mss;nop;wscale;nop;nop;sackOK<br />2022-09-29T18:36:26.000-03:00 filterlog[41290]: 4,,,1000000103,mvneta0,match,block,in,4,0x0,,241,43257,0,none,6,tcp,44,198.199.107.80,y.y.y.y,41585,46738,0,S,2466400818,,1024,,mss<br />2022-09-29T18:36:35.000-03:00 filterlog[41290]: 4,,,1000000103,mvneta0,match,block,in,4,0x0,,245,25298,0,none,6,tcp,44,78.128.113.158,y.y.y.y,45686,29828,0,S,1291403791,,1024,,mss<br />2022-09-29T18:36:42.000-03:00 filterlog[41290]: 4,,,1000000103,mvneta2,match,block,in,4,0x0,,238,19919,0,none,6,tcp,40,5.188.206.38,x.x.x.x,46182,19202,0,S,1628533656,,1024,,<br />2022-09-29T18:36:43.000-03:00 filterlog[41290]: 158,,,1644897877,mvneta1.10,match,pass,in,4,0x0,,64,1756,0,DF,6,tcp,60,192.168.10.4,50.17.133.142,45699,443,0,S,2029797087,,29200,,mss;sackOK;TS;nop;wscale<br />2022-09-29T18:36:47.000-03:00 filterlog[41290]: 158,,,1644897877,mvneta1.10,match,pass,in,4,0x0,,64,5909,0,DF,6,tcp,60,192.168.10.4,50.17.133.142,45700,443,0,S,405679345,,29200,,mss;sackOK;TS;nop;wscale<br />h1. 
*LAST FIREWALL EVENT ABOVE*<br />2022-09-29T18:36:49.000-03:00 dhcpd[49200]: Wrote 0 class decls to leases file.<br />2022-09-29T18:36:49.000-03:00 dhcpd[49200]: Server starting service.<br />2022-09-29T18:36:49.000-03:00 dhcpd[49200]: Sending on Socket/fallback/fallback-net<br />2022-09-29T18:36:49.000-03:00 dhcpd[49200]: Sending on BPF/mvneta1.100/00:08:a2:0c:c4:1c/192.168.255.248/29<br />2022-09-29T18:36:49.000-03:00 dhcpd[49200]: Listening on BPF/mvneta1.100/00:08:a2:0c:c4:1c/192.168.255.248/29<br />2022-09-29T18:36:49.000-03:00 dhcpd[49200]: Sending on BPF/mvneta1.10/00:08:a2:0c:c4:1c/192.168.10.0/27<br />2022-09-29T18:36:49.000-03:00 dhcpd[49200]: Listening on BPF/mvneta1.10/00:08:a2:0c:c4:1c/192.168.10.0/27<br />2022-09-29T18:36:49.000-03:00 dhcpd[49200]: Sending on BPF/mvneta1.20/00:08:a2:0c:c4:1c/192.168.20.0/24<br />2022-09-29T18:36:49.000-03:00 dhcpd[49200]: Listening on BPF/mvneta1.20/00:08:a2:0c:c4:1c/192.168.20.0/24<br />2022-09-29T18:36:49.000-03:00 dhcpd[49200]: Wrote 0 leases to leases file.<br />2022-09-29T18:36:49.000-03:00 dhcpd[49200]: Wrote 0 new dynamic host decls to leases file.<br />2022-09-29T18:36:49.000-03:00 dhcpd[49200]: Wrote 0 deleted host decls to leases file.<br />2022-09-29T18:36:49.000-03:00 dhcpd[49200]: All rights reserved.<br />2022-09-29T18:36:49.000-03:00 dhcpd[49200]: For info, please visit https://www.isc.org/software/dhcp/<br />2022-09-29T18:36:49.000-03:00 dhcpd[49200]: Database file: /var/db/dhcpd.leases<br />2022-09-29T18:36:49.000-03:00 dhcpd[49200]: Copyright 2004-2021 Internet Systems Consortium.<br />2022-09-29T18:36:49.000-03:00 dhcpd[49200]: Config file: /etc/dhcpd.conf<br />2022-09-29T18:36:49.000-03:00 dhcpd[49200]: Internet Systems Consortium DHCP Server 4.4.2-P1<br />2022-09-29T18:36:49.000-03:00 dhcpd[49200]: PID file: /var/run/dhcpd.pid<br />2022-09-29T18:36:49.000-03:00 dhcpd[49200]: For info, please visit https://www.isc.org/software/dhcp/<br />2022-09-29T18:36:49.000-03:00 dhcpd[49200]: All rights 
reserved.<br />2022-09-29T18:36:49.000-03:00 dhcpd[49200]: Copyright 2004-2021 Internet Systems Consortium.<br />2022-09-29T18:36:49.000-03:00 dhcpd[49200]: Internet Systems Consortium DHCP Server 4.4.2-P1<br />2022-09-29T18:38:54.000-03:00 dhcpd[49200]: DHCPACK on 192.168.10.13 to 08:00:23:f2:fa:1c via mvneta1.10<br />2022-09-29T18:38:54.000-03:00 dhcpd[49200]: DHCPREQUEST for 192.168.10.13 from 08:00:23:f2:fa:1c via mvneta1.10<br />2022-09-29T18:50:05.000-03:00 dpinger[58536]: NET_DHCP z.z.z.z: Alarm latency 10631us stddev 1319us loss 22%<br />2022-09-29T18:50:10.000-03:00 filterdns[55605]: Adding Action: pf table: plex_wans_ip host: a.a.a.a<br />2022-09-29T18:50:10.000-03:00 filterdns[55605]: merge_config: configuration reload<br />2022-09-29T18:50:24.000-03:00 php-fpm[447]: /index.php: Successful login for user 'admin_user' from: 192.168.255.254 (LDAP/rpi3)<br />2022-09-29T18:57:03.000-03:00 dhcpd[49200]: DHCPACK on 192.168.10.8 to a8:db:03:51:f4:fe via mvneta1.10<br />2022-09-29T18:57:03.000-03:00 dhcpd[49200]: DHCPREQUEST for 192.168.10.8 from a8:db:03:51:f4:fe via mvneta1.10</code></p>
pfSense Plus - Bug #13497 (Incomplete): unbound process looks like stuck periodically https://redmine.pfsense.org/issues/13497 2022-09-16T01:16:46Z Yaroslav Semenenko
<p>Hello,</p>
<p>I have a Netgate 2100.<br />The Unbound service sometimes needs to be restarted because it could not resolve a public domain name.</p>
<p>Thanks,<br />Yaroslav</p>
pfSense Plus - Bug #13233 (Feedback): OpenVPN DCO connection fails with Auth Digest Algorithm set... https://redmine.pfsense.org/issues/13233 2022-05-28T19:16:49Z Steve Wilson
<p>OpenVPN DCO configurations specifying an auth digest algorithm of SHA512 fail to connect. Changing the algorithm to SHA256 resolves the issue. See <a class="external" href="https://forum.netgate.com/topic/172479/openvpn-with-dco/6">https://forum.netgate.com/topic/172479/openvpn-with-dco/6</a>. It's not clear to me if this is intended (but as yet undocumented) behavior or a true bug. If DCO currently requires the auth digest algorithm to be SHA256 it should probably be flagged in the comments on the OpenVPN Server and Client set-up pages.</p>
pfSense Plus - Bug #13206 (New): SG-3100 LED GPIO hangs https://redmine.pfsense.org/issues/13206 2022-05-24T01:12:47Z Daniel Subert
<p>Hi,</p>
<p><a class="external" href="https://forum.netgate.com/topic/165566/number-of-running-processes-increasing">https://forum.netgate.com/topic/165566/number-of-running-processes-increasing</a></p>
<p>We seem to be experiencing the same issue linked above with our SG-3100 pfSenses. I haven't been able to find any other threads relating to this issue, or patch notes to suggest this has been fixed in a later version.</p>
<p>We upgraded all of our SG-3100s to version 21.05.2 back at the start of January and since then, 8/11 of our SG-3100s have experienced this issue as of today.</p>
<p>We haven't been able to identify any obvious symptoms or causes prior to the processes increasing, which seems to be occurring at random times.</p>
<p>Similar to the thread linked above, multiple instances of the processes below were running and continuously increasing over time.</p>
<p>/bin/sh /usr/local/sbin/pfSense-led.sh update<br />/usr/sbin/gpioctl -f /dev/gpioc2 3 duty 150<br />/bin/sh /etc/rc.update_pkg_metadata</p>
<p>Performing a clean reboot of the pfSense seems to have resolved the issue and the processes on the affected pfSenses have not started climbing since. However, one of the pfSenses which had not experienced climbing processes but did receive a clean reboot recently had the following processes start climbing, which required a second clean reboot to resolve.</p>
<p>Has anyone come across this issue before or have any evidence to suggest this has been fixed in a later release? I have been unable to identify any fixes in the 22.01 and 22.05 release notes to suggest this issue has been resolved.</p>
<p><a class="external" href="https://docs.netgate.com/pfsense/en/latest/releases/22-01_2-6-0.html">https://docs.netgate.com/pfsense/en/latest/releases/22-01_2-6-0.html</a><br /><a class="external" href="https://docs.netgate.com/pfsense/en/latest/releases/22-05.html">https://docs.netgate.com/pfsense/en/latest/releases/22-05.html</a></p>
<p>Thanks</p>
<p><img src="https://redmine.pfsense.org/attachments/download/4250/SI4XeTCSiu.png" alt="" /><br /><img src="https://redmine.pfsense.org/attachments/download/4251/SI4XeTCSit.png" alt="" /></p>
pfSense Plus - Bug #13074 (New): AES-GCM with SafeXcel on Netgate 2100 causes MBUF overload https://redmine.pfsense.org/issues/13074 2022-04-19T12:10:00Z Chris S
<p>Running IPSec tunnels on a Netgate 2100 with AES-GCM and SafeXcel enabled seems to cause an MBUF overload requiring a reboot to re-establish the tunnel.</p>
<p>First spotted by NOCling in the forums. I was able to reproduce on my own 6100-2100 IPsec setup.</p>
<p><a class="external" href="https://forum.netgate.com/topic/171469/netgate-2100-s2s-aes-gcm-and-safexcel-mbuf-overload">https://forum.netgate.com/topic/171469/netgate-2100-s2s-aes-gcm-and-safexcel-mbuf-overload</a></p>
pfSense Plus - Bug #12894 (New): duplicating freshly created certificates through refreshing https://redmine.pfsense.org/issues/12894 2022-03-03T14:30:26Z Van Quach
<p>Version 22.01-Release FreeBSD 12.3-Stable</p>
<p>Bug: After successfully creating a certificate, the certificate gets duplicated by refreshing the page (while the green success notification is shown).</p>
<p>This happened to me with different CAs and it doesn't matter what type of certificate it is.</p>
pfSense Plus - Feature #12832 (New): 6100 configurable Blinking Blue LED https://redmine.pfsense.org/issues/12832 2022-02-19T11:56:10Z shawn butts
<p>The blinking blue light for "normal operation status" feels like an "everything is ok ALARM!!!!"</p>
<p>I'd like to see an option to either make it solid blue for "normal" or disable the LED altogether.</p>
pfSense Plus - Bug #12759 (New): Proprietary packages link to non-existent or non-public github p... https://redmine.pfsense.org/issues/12759 2022-02-05T19:22:11Z Kris Phillips
<p>When clicking on the version number to view the code for packages like openvpn-import and aws-wizard, these link to a non-existent GitHub page (or one that is private). We should probably add a way to just remove these links on proprietary packages for pfSense Plus.</p>
<p>For example, aws-wizard links to <a class="external" href="https://github.com/pfsense/FreeBSD-ports/commits/devel/net/pfSense-pkg-aws-wizard">https://github.com/pfsense/FreeBSD-ports/commits/devel/net/pfSense-pkg-aws-wizard</a> which is an invalid path.</p>
pfSense Plus - Feature #12546 (New): Add 2FA Support to pfSense Plus Local Database Authentication https://redmine.pfsense.org/issues/12546 2021-11-27T17:36:40Z Kris Phillips
<p>To eliminate the reliance on unsupported packages like freeRADIUS for making this work, we should add the capability to the built-in user database in pfSense for time-based tokens. This could be "bolted on" to the end of passwords similar to how other options accomplish this for OpenVPN or IPSec VPNs, but we may be able to add a field to the webConfigurator login for 2FA.</p>
pfSense Plus - Feature #12534 (New): Generate an ISO Image for Remote Restore of pfSense Plus on t... https://redmine.pfsense.org/issues/12534 2021-11-19T10:37:58Z Kris Phillips
<p>The 1537 and 1541 both have IPMI that supports booting ISO images. However, it does not support booting IMG files which is what our recovery image for the unit is currently built as. This effectively makes a native feature of the units unusable for pfSense and only works for TNSR. These units are able to boot Community Edition just fine, but they should be running pfSense Plus.</p>
pfSense Plus - Feature #12524 (New): OpenSSL QAT Engine https://redmine.pfsense.org/issues/12524 2021-11-15T05:07:22Z Luca De Andreis
<p>Hi all,</p>
<p>Is it possible to compile OpenSSL to use QAT on pfSense Plus, then accelerate OpenVPN?</p>
<p>Thanks</p>
<p>Luca</p>
pfSense Plus - Feature #11920 (New): SAML Authentication for pfSense (VPN and webConfigurator) https://redmine.pfsense.org/issues/11920 2021-05-13T14:27:23Z Kris Phillips
<p>A customer has requested SAML authentication support for things like Azure as an alternative to LDAP and RADIUS. Please reference internal ticket number 84890 for more details.</p>
<p>There are some projects that exist for making the webConfigurator work with SAML for authentication. See here:<br /><a class="external" href="https://github.com/jaredhendrickson13/pfsense-saml2-auth">https://github.com/jaredhendrickson13/pfsense-saml2-auth</a></p>
<p>Additionally, it seems that OpenVPN has support for this as an authentication method.</p>
pfSense Plus - Feature #11772 (New): Layer 2 Tunnel Bonding Capability https://redmine.pfsense.org/issues/11772 2021-04-01T16:22:24Z Clint Guillot
<p>Ability to tunnel traffic over multiple WAN connections back to another PF appliance at a central location in order to aggregate bandwidth of the connections. This functionality is intended to allow the use of PF to compete against the bandwidth aggregation and failover functionality of products such as Velocloud.</p>
<p>This differs from the existing multi-wan failover and load balancing in two ways: 1. NAT is performed at the "central office" end of the tunnels, so that all traffic from customer appears to come from a single IP address and 2. because the tunnels are being bonded using some layer 2 method, the full aggregate bandwidth of both connections back to central is available to a single connection.</p>
<p>While #1 above can be done now using multiple tunnels and load balanced gateways, #2 is not currently possible. Though the real-world usefulness of #2 is limited to a small percentage of use cases, the "speed tests" most end users consider the most important metric of their ISP or "SDWAN" (drink!) solution fall into this group.</p>
pfSense Plus - Bug #11770 (New): Pantech UML295 USB Modem No Longer Functional https://redmine.pfsense.org/issues/11770 2021-04-01T11:28:59Z Kris Phillips
<p>The Pantech UML295 modem in the USB port caused pfSense to hang on reboot when upgrading to version 21.02 of the software.</p>
<p>When it hung up on startup, I had to reconfigure the interfaces, then the device hung on startup at:</p>
<p>umodem0: <CDC Abstract Control Model (ACM)> on usb1<br />umodem0: data interface 5, has no CM over data, has no break on uhub1<br />umodem0: on uhub1<br />umodem1: data interface 7, has no CM over data, has no break on uhub1</p>
<p>I had to press return to get it to finish booting after waiting 20 minutes. Subsequent reboots hang for a time at</p>
<p>Should VLANs be setup now {y|n]? ugen1.2:</p>
<p>After a period of time, a message about the Pantech modem appears, and then back to the</p>
<p>See the attached log of the last boot. The Cell modem no longer appears in the gateway group as a tier 2 device. It is still listed as a gateway, but it is not functional.</p>
<p>[Pulled from internal ticket 80843]</p>
pfSense Plus - Feature #11732 (New): Add VXLAN Support to pfSense Plus https://redmine.pfsense.org/issues/11732 2021-03-26T11:23:30Z Kris Phillips
<p>VXLAN Support would be useful for scalable cloud deployments of pfSense Plus</p>