pfSense bugtracker: Issues
https://redmine.pfsense.org/
2024-01-27T22:28:27Z

pfSense Plus - Bug #15202 (New): Add Option for Network Portion of Subnet "Wildcard" for IPv6 Rules
https://redmine.pfsense.org/issues/15202
2024-01-27T22:28:27Z, Kris Phillips
<p>Filtering hosts with IPv6 is extremely difficult when utilizing an upstream provider that is providing a Prefix Delegation via DHCPv6 because the Prefix Delegation can change, which invalidates existing rules.</p>
<p>If there was a way to detect the interface PD for firewall rules, similar to how the DHCPv6 server currently detects the delegated prefix, users could assign rules based on only the host portion of the subnet and have the firewall filter rule automatically fill in the delegated prefix network ID portion before feeding it to pf.</p>
<p>This solves the following two scenarios:</p>
<p>1. A static DHCPv6 lease is assigned, but the delegated prefix changes<br />2. Clients configured via SLAAC typically will have the same host portion of an address, regardless of the network portion discovered by RAs, unless they are utilizing privacy extensions.</p>
<p>Obviously, this won't help in cases where SLAAC is used with RFC4941, but in many cases when creating rules like this it's possible to disable privacy extensions optionally in most operating systems.</p>

pfSense Plus - Bug #15196 (Confirmed): AWS ena interfaces can become unstable/stop responding
https://redmine.pfsense.org/issues/15196
2024-01-27T01:01:22Z, Kris Phillips
<p>On AMD Epyc hardware in AWS, pfSense Plus ena interfaces can lose their IP addressing and then stop responding entirely.</p>
<p>The following log messages are present when this occurs:</p>
<p>Jan 16 18:34:35 np-aws-001 kernel: ena0: <ENA adapter> mem 0x80404000-0x80407fff at device 5.0 on pci0<br />Jan 16 18:34:35 np-aws-001 kernel: ena0: Elastic Network Adapter (ENA)ena v2.6.2<br />Jan 16 18:34:35 np-aws-001 kernel: ena0: Unable to allocate LLQ bar resource. LLQ mode won't be used.<br />Jan 16 18:34:35 np-aws-001 kernel: ena0: ena_com_validate_version() [TID:100000]: ENA device version: 0.10<br />Jan 16 18:34:35 np-aws-001 kernel: ena0: ena_com_validate_version() [TID:100000]: ENA controller version: 0.0.1 implementation version 1<br />Jan 16 18:34:35 np-aws-001 kernel: ena0: LLQ is not supported. Fallback to host mode policy.<br />Jan 16 18:34:35 np-aws-001 kernel: ena0: Ethernet address: 06:ba:32:98:fd:07<br />Jan 16 18:34:35 np-aws-001 kernel: ena0: [nm] netmap attach<br />Jan 16 18:34:35 np-aws-001 kernel: ena0: netmap queues/slots: TX 2/1024, RX 2/1024</p>
<p>and</p>
<p>Jan 19 03:49:07 kernel ena0: Found a Tx that wasn't completed on time, qid 1, index 925. 180522704 usecs have passed since last cleanup. Missing Tx timeout value 5000 msecs.<br />Jan 19 03:49:07 kernel ena0: Found a Tx that wasn't completed on time, qid 1, index 924. 179482704 usecs have passed since last cleanup. Missing Tx timeout value 5000 msecs.<br />Jan 19 03:49:07 kernel ena0: Found a Tx that wasn't completed on time, qid 1, index 923. 178472704 usecs have passed since last cleanup. Missing Tx timeout value 5000 msecs.<br />Jan 19 03:48:54 kernel ena0: Found a Tx that wasn't completed on time, qid 1, index 922. 167002704 usecs have passed since last cleanup. Missing Tx timeout value 5000 msecs.</p>

pfSense Plus - Feature #14945 (New): Allow IPsec VTI ``ipsecX`` interfaces to be added to interfa...
https://redmine.pfsense.org/issues/14945
2023-11-06T16:54:39Z, Mike Moore
<p>Provide the ability to add IPsecX interfaces that are set up for VTI and filtering enabled, to be part of an Interface Group.<br />With the help of a Netgate Admin, modifying a .php file I've been able to test grouping IPsec interfaces and so far so good.</p>
<p>reference: <a class="external" href="https://forum.netgate.com/topic/183820/interface-groups-no-ipsec-tunnels-listed/8?_=1699278877471">https://forum.netgate.com/topic/183820/interface-groups-no-ipsec-tunnels-listed/8?_=1699278877471</a></p>

pfSense Plus - Bug #14778 (Incomplete): /usr/local/www/csrf/csrf-magic.php on line 161 PH...
https://redmine.pfsense.org/issues/14778
2023-09-13T16:04:10Z, Andrew Rojek
<p>Got this error message when trying to view a small list of CIDR addresses in Firewall->Aliases.<br />It was followed by a white blank screen and I had to reload the console page to reveal the error message below...</p>
<p>Crash report begins. Anonymous machine information:</p>
<p>arm64<br />14.0-CURRENT<br />FreeBSD 14.0-CURRENT #1 plus-RELENG_23_05_1-n256108-459fc493a87: Wed Jun 28 04:25:15 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-23_05_1-main/obj/aarch64/0P4W6joa/var/jenkins/workspace/pfSense-Plus-snapshots-23_05_1-main/source</p>
<p>Crash report details:</p>
<p>PHP Errors:<br />[13-Sep-2023 10:08:16 Europe/London] PHP Fatal error: str_ireplace(): Cannot use output buffering in output buffering display handlers in /usr/local/www/csrf/csrf-magic.php on line 161<br />[13-Sep-2023 10:08:53 Europe/London] PHP Fatal error: str_ireplace(): Cannot use output buffering in output buffering display handlers in /usr/local/www/csrf/csrf-magic.php on line 161</p>
<p>No FreeBSD crash data found.</p>
<p>Thank you.</p>

pfSense Plus - Feature #14743 (New): Add Passkey/Certificate-based Authentication
https://redmine.pfsense.org/issues/14743
2023-09-03T04:21:49Z, Kris Phillips
<p>pfSense Plus's webConfigurator is currently limited in authentication for local auth, requiring third party implementations to add 2FA or other authentication means.</p>
<p>There is already redmine 12546 for adding 2FA to pfSense Plus natively, but it would also be beneficial to add passkey/cert-based authentication to pfSense Plus' webConfigurator and other functions.</p>

pfSense Plus - Regression #14703 (New): 2100 pcie wireless issues
https://redmine.pfsense.org/issues/14703
2023-08-21T18:51:41Z, Jonathan Lee
<p>Hello fellow pfSense Packages Redmine community members, can you please help?</p>
<p>1. On the SG-2100MAX, the Compex WLE200NX Wireless A/B/G/N Network Mini PCIe Adapter is the only card that will work with the 2100. Other appliances have support for other cards that is missing inside the 2100.</p>
<p>2. The pfSense GUI has removed all antenna port options that are in the prior versions of pfSense.</p>
<p>3. The pfSense software will not allow any dev.ath.0.tpack, or dev.ath.0.tpcts adjustments. When changed, they default back to the original settings when adjustments are made. However, per Netgate docs, users should be able to change them.</p>
<p>4. The antenna diversity does not enable within the 2100 when multiple antennas are in use.</p>
<p>As listed in Netgate docs we should have options for antenna adjustments and transmit power adjustments as seen here:</p>
<p><em>"If the signal is weak even when nearby the access point antenna, check the antenna again. For mini-PCI or mini-PCIe cards, if only one pigtail in use and there are two internal connectors, try hooking the pigtail up to the other internal connector on the card. Also try changing the Channel or adjusting the Transmit Power, or the Antenna Settings on the wireless interface configuration. For mini-PCI and mini-PCIe cards, check for broken ends on the fragile pigtail connectors where they plug into the card. If the Regulatory Domain settings have not been configured, set them before testing again."</em></p>
<p>Users cannot adjust antenna settings or transmit power as the GUI options are no longer listed.</p>
<p>I have also purchased and tested the Apple AR5BXB112 607-7211-A 661-5946 Network Mini PCIe card as it is known to work with other member's appliances. However, the 2100 does not detect any other pcie hardware. Per other forum members the AR5BXB112 card does work within other Netgate appliances. I have recently learned from member stephenw10 that the Compex card is the only card that he has seen work inside the 2100.</p>
<p>If other hardware such as the AR5BXB112 works inside other official Netgate appliances, does the ARM architecture that is inside the 2100 cause some lack of software support?</p>
<p>Secondly:<br />I was hoping to test the following options as the AR5BXB112 card contains 3 antenna ports, 0, 1, and 2.</p>
<p>per stephenw10<br /><em>"I have always used the defaults there:</em></p>
<p><em>dev.ath.0.rxantenna: 1</em><br /><em>dev.ath.0.txantenna: 0" <br /></em><br />I have also confirmed this is also the case for my system default values.</p>
<p>As pfSense uses FreeBSD, I researched this and found:</p>
<p><em>"Options 0,1,2 (antenna port 1 or 2, both=0) dev.ath.0.diversity: options 0,1(0=disable 1=enable)"</em></p>
<p>This leads to the third software issue I found: I cannot enable diversity within the 2100 manually when the two antennas are populated.</p>
<p>Finally, if there are cards supported within other systems that have 3 antenna ports, there are no options for the aux antenna to get configured for dev.at.0.rx</p>
<p>The pfSense GUI has since removed the antenna port options that are in the prior pfSense versions.</p>
<p>See my short research inside of Netgate docs, run to find the issues:<br /><a class="external" href="https://forum.netgate.com/topic/181597/pfsense-as-wireless-ap-transmit-power-adjustments">https://forum.netgate.com/topic/181597/pfsense-as-wireless-ap-transmit-power-adjustments</a></p>
<p>While researching this I found some information that 0: is for both, 1: is for main, 2: is for aux. Again, my card lists port 0 and 1. Furthermore, another mini PCIe card had three ports that can be used with pfSense; I am told the mini PCIe AR5BXB112 comes with 0, 1, 2 antenna ports.</p>
<p>Ref:<br /><a class="external" href="https://lists.freebsd.org/pipermail/freebsd-wireless/2011-September/000682.html">https://lists.freebsd.org/pipermail/freebsd-wireless/2011-September/000682.html</a></p>
<p>Per Netgate Docs:<br />The "Interesting sysctls from shell that cannot be controlled from GUI" section lists items you can control manually; however, when they are changed inside the 2100 they do not stay or take the config changes. In particular, the transmit power adjustments and diversity settings will never stay set.</p>
<p><a class="external" href="https://docs.netgate.com/pfsense/en/latest/wireless/configuration-ap.html">https://docs.netgate.com/pfsense/en/latest/wireless/configuration-ap.html</a></p>

pfSense Plus - Feature #14297 (New): Add Option for Vendor Class ID in DHCP Client
https://redmine.pfsense.org/issues/14297
2023-04-21T15:07:26Z, Kris Phillips
<p>Some ISPs require a Vendor Class ID be sent (option 60) when requesting DHCP. This can currently be accomplished in pfSense with vendor-class-identifier manually added to a dhcp config file, but adding this as a field would be helpful.</p>

pfSense Plus - Feature #14131 (New): Add Dynamic DNS Service: DYNU
https://redmine.pfsense.org/issues/14131
2023-03-20T03:30:05Z, Steven Cedrone
<p>Please add Dynamic DNS provider DYNU</p>
<p><a class="external" href="https://www.dynu.com/en-US/">https://www.dynu.com/en-US/</a></p>
<p>It's working now but sometimes won't update, and it appears it's pfSense causing it because other non-pfSense routers that update on the same connection will update all the time without fail.</p>
<p>Update URL:<br /><a class="external" href="https://api.dynu.com/nic/update?hostname=XXXXXX.ddnsfree.com&password=999999">https://api.dynu.com/nic/update?hostname=XXXXXX.ddnsfree.com&password=999999</a> (EXAMPLE)</p>
<p>Result Match:<br />good|nochg|good <span>IP</span></p>

pfSense Plus - Feature #14125 (New): Add Category field to Available Packages Tab like Installed...
https://redmine.pfsense.org/issues/14125
2023-03-19T02:33:48Z, Scott Costa
<p>Under the Installed Packages the header fields have the following listed at the top Name Category Version Description Action</p>
<p>Under the Available Packages the header fields have the following listed at the top Name Version Description</p>
<p>Could the Category field be added to help provide more information as to if the package is a sysutil, security, benchmarks, etc...</p>

pfSense Plus - Feature #14066 (New): Add line number to rules and insert option
https://redmine.pfsense.org/issues/14066
2023-03-03T09:20:22Z, Mike Moore
<p>From a rule management perspective, is it possible to do the following:<br />1. Add line numbers in the GUI. So an admin can say 'Line 30' needs to be modified instead of having to relay the rule to the team and everyone hunting for that specific rule. Of course the line numbers will need to be adjusted each time a rule is added or deleted. Makes administration easier.</p>
<p>2. Insert a rule within the rule set. Currently, the only options are to add a rule at the top or at the bottom or maybe copy an existing rule which would place it underneath what you are copying - which is a good step. Having a large rule set it makes sense to create a rule and have the option presented to 'place after line 15' for example.</p>
<p>This is all about better rule administration and management.</p>

pfSense Plus - Feature #14017 (New): Ability to remove all packages before upgrades with saved co...
https://redmine.pfsense.org/issues/14017
2023-02-22T14:38:47Z, Yuri Weinstein
<p>Currently, every time when a new upgrade is available the first thing recommended to do is uninstalling all packages.</p>
<p>I suggest considering a feature that will allow selecting all packages to be removed as a part of the upgrade and then afterward installing all of them back.</p>

pfSense Plus - Bug #13074 (New): AES-GCM with SafeXcel on Netgate 2100 causes MBUF overload
https://redmine.pfsense.org/issues/13074
2022-04-19T12:10:00Z, Chris S
<p>Running IPSec tunnels on a Netgate 2100 with AES-GCM and SafeXcel enabled seems to cause an MBUF overload requiring a reboot to re-establish the tunnel.</p>
<p>First spotted by NOCling in the forums. I was able to reproduce on my own 6100-2100 IPsec setup.</p>
<p><a class="external" href="https://forum.netgate.com/topic/171469/netgate-2100-s2s-aes-gcm-and-safexcel-mbuf-overload">https://forum.netgate.com/topic/171469/netgate-2100-s2s-aes-gcm-and-safexcel-mbuf-overload</a></p>

pfSense Plus - Feature #12832 (New): 6100 configurable Blinking Blue LED
https://redmine.pfsense.org/issues/12832
2022-02-19T11:56:10Z, shawn butts
<p>The blinking blue light for "normal operation status" feels like an "everything is ok ALARM!!!!"</p>
<p>I'd like to see an option to either make it solid blue for "normal" or disable the LED altogether.</p>

pfSense Plus - Feature #12546 (New): Add 2FA Support to pfSense Plus Local Database Authentication
https://redmine.pfsense.org/issues/12546
2021-11-27T17:36:40Z, Kris Phillips
<p>To eliminate the reliance on unsupported packages like freeRADIUS for making this work, we should add the capability to the built-in user database in pfSense for time-based tokens. This could be "bolted on" to the end of passwords similar to how other options accomplish this for OpenVPN or IPSec VPNs, but we may be able to add a field to the webConfigurator login for 2FA.</p>

pfSense Plus - Feature #11732 (New): Add VXLAN Support to pfSense Plus
https://redmine.pfsense.org/issues/11732
2021-03-26T11:23:30Z, Kris Phillips
<p>VXLAN Support would be useful for scalable cloud deployments of pfSense Plus</p>