pfSense bugtracker: Issues (https://redmine.pfsense.org/), feed updated 2024-03-25T09:20:00Z

pfSense Plus - Bug #15361 (New): Error in virtual IP aliases when using IPv6 "network" / "broadca...
https://redmine.pfsense.org/issues/15361 | 2024-03-25T09:20:00Z | Mathis Cavalli
<p>There is no network address in IPv6, nor broadcasts like in IPv4.<br />When adding / editing an IP alias and putting there an address like fd00::/64 it shows the following error: "The network address cannot be used for this VIP"<br />It happened on my pfSense+ box but it seems the CE 2.7.2 is also affected.</p>

pfSense Plus - Bug #15332 (New): Kea doesn't start without any logs when upload config with addit...
https://redmine.pfsense.org/issues/15332 | 2024-03-12T13:17:13Z | aleksei prokofiev
<p>If the config has an additional DHCP pool with extra parameters configured, such as default-lease-time or max-lease-time, then KEA won't start, without any logs. To fix that, those extra options need to be deleted from the config. Or just resave the affected pool without any changes; it will rewrite the config without the extra options.<br />For example:</p>
<pre>
<pool>
  <range>
    <from>192.168.6.2</from>
    <to>192.168.6.48</to>
  </range>
  <descr><![CDATA[NTP Server]]></descr>
  <defaultleasetime>600</defaultleasetime>
  <maxleasetime>3600</maxleasetime>
</pool>
</pre>
<p>After resaving it will be deleted:</p>
<pre>
<pool>
  <range>
    <from>192.168.6.2</from>
    <to>192.168.6.48</to>
  </range>
  <descr><![CDATA[NTP Server]]></descr>
  <defaultleasetime></defaultleasetime>
  <maxleasetime></maxleasetime>
</pool>
</pre>

pfSense Plus - Bug #15262 (New): Captive Portal Has High CPU Interrupts With Large Number of Users
https://redmine.pfsense.org/issues/15262 | 2024-02-15T19:33:29Z | Kris Phillips
<p>When 700+ Captive Portal users are in use, CPU interrupts will cause high load averages to occur. This can lead to connectivity problems, such as packet loss on WAN uplinks, webConfigurator responsiveness issues, etc.</p>
<p>Tested with a customer who had load averages of 14-16 with Captive Portal on with 1400+ users. Once Captive Portal was turned off, load averages dropped to 0.5.</p>
<p>Load seems higher for Captive Portal when there are significant numbers of users since the transition to pf from ipfw.</p>

pfSense Plus - Bug #15202 (New): Add Option for Network Portion of Subnet "Wildcard" for IPv6 Rules
https://redmine.pfsense.org/issues/15202 | 2024-01-27T22:28:27Z | Kris Phillips
<p>Filtering hosts with IPv6 is extremely difficult when utilizing an upstream provider that is providing a Prefix Delegation via DHCPv6 because the Prefix Delegation can change, which invalidates existing rules.</p>
<p>If there was a way to detect the interface PD for firewall rules, similar to how the DHCPv6 server currently detects the delegated prefix, users could assign rules based on only the host portion of the subnet and have the firewall filter rule automatically fill in the delegated prefix network ID portion before feeding it to pf.</p>
<p>This solves the following two scenarios:</p>
<p>1. A static DHCPv6 lease is assigned, but the delegated prefix changes<br />2. Clients configured via SLAAC typically will have the same host portion of an address, regardless of the network portion discovered by RAs, unless they are utilizing privacy extensions.</p>
<p>Obviously, this won't help in cases where SLAAC is used with RFC4941, but in many cases when creating rules like this it's possible to disable privacy extensions optionally in most operating systems.</p>

pfSense Plus - Bug #15196 (Confirmed): AWS ena interfaces can become unstable/stop responding
https://redmine.pfsense.org/issues/15196 | 2024-01-27T01:01:22Z | Kris Phillips
<p>On AMD Epyc hardware in AWS, pfSense Plus ena interfaces can lose their IP addressing and then stop responding entirely.</p>
<p>The following log messages are present when this occurs:</p>
<pre>
Jan 16 18:34:35 np-aws-001 kernel: ena0: <ENA adapter> mem 0x80404000-0x80407fff at device 5.0 on pci0
Jan 16 18:34:35 np-aws-001 kernel: ena0: Elastic Network Adapter (ENA)ena v2.6.2
Jan 16 18:34:35 np-aws-001 kernel: ena0: Unable to allocate LLQ bar resource. LLQ mode won't be used.
Jan 16 18:34:35 np-aws-001 kernel: ena0: ena_com_validate_version() [TID:100000]: ENA device version: 0.10
Jan 16 18:34:35 np-aws-001 kernel: ena0: ena_com_validate_version() [TID:100000]: ENA controller version: 0.0.1 implementation version 1
Jan 16 18:34:35 np-aws-001 kernel: ena0: LLQ is not supported. Fallback to host mode policy.
Jan 16 18:34:35 np-aws-001 kernel: ena0: Ethernet address: 06:ba:32:98:fd:07
Jan 16 18:34:35 np-aws-001 kernel: ena0: [nm] netmap attach
Jan 16 18:34:35 np-aws-001 kernel: ena0: netmap queues/slots: TX 2/1024, RX 2/1024
</pre>
<p>and</p>
<pre>
Jan 19 03:49:07 kernel ena0: Found a Tx that wasn't completed on time, qid 1, index 925. 180522704 usecs have passed since last cleanup. Missing Tx timeout value 5000 msecs.
Jan 19 03:49:07 kernel ena0: Found a Tx that wasn't completed on time, qid 1, index 924. 179482704 usecs have passed since last cleanup. Missing Tx timeout value 5000 msecs.
Jan 19 03:49:07 kernel ena0: Found a Tx that wasn't completed on time, qid 1, index 923. 178472704 usecs have passed since last cleanup. Missing Tx timeout value 5000 msecs.
Jan 19 03:48:54 kernel ena0: Found a Tx that wasn't completed on time, qid 1, index 922. 167002704 usecs have passed since last cleanup. Missing Tx timeout value 5000 msecs.
</pre>

pfSense Plus - Bug #15017 (Incomplete): DHCP relay CARP status VIP function is not working in pfs...
https://redmine.pfsense.org/issues/15017 | 2023-11-20T19:51:25Z | Robert Karsai
<p>Hello,<br />It seems that after the 23.05.1 -> 23.09 upgrade the DHCP relay CARP status VIP function is not working properly. The DHCP relay agent stays active at all times (dhcrelay stays green on the dashboard widget, and pgrep dhcrelay returns running processes in the CLI); it will not be stopped when the chosen VIP is in BACKUP status. Not a big deal, there can be two active relay agents in the same network, but this is not how it is supposed to work. Strangely this only affects our pfSense+ 23.09 clusters; in pfSense CE 2.7.1 this is not an issue.<br />--<br />BR<br />Robert</p>

pfSense Plus - Bug #14968 (New): Google LDAP fail to bind
https://redmine.pfsense.org/issues/14968 | 2023-11-11T13:11:11Z | Lev Prokofev
<p>Even with a freshly created cert and Bind user login/pass it fails to bind with the message:</p>
<p><em>/system_authservers.php: ERROR! ldap_get_user_ous() could not bind to server.</em></p>
<p>It seems the TLS talk between the client and server went smoothly (packet capture attached)</p>
<p>Ticket for reference #2067635022</p>

pfSense Plus - Bug #14879 (New): Disabling DNS Rebinding Checks deletes private domains from unbo...
https://redmine.pfsense.org/issues/14879 | 2023-10-14T12:37:45Z | Bob Dig
<p>This will make Domain Overrides not work anymore, at least with split DNS.<br />More details are described here: <a class="external" href="https://forum.netgate.com/topic/183401/disabling-dns-rebinding-checks-does-alter-domain-overrides">https://forum.netgate.com/topic/183401/disabling-dns-rebinding-checks-does-alter-domain-overrides</a>.</p>
<p>Only tested with 23.05.1</p>

pfSense Plus - Bug #14778 (Incomplete): /usr/local/www/csrf/csrf-magic.php on line 161 PH...
https://redmine.pfsense.org/issues/14778 | 2023-09-13T16:04:10Z | Andrew Rojek
<p>Got this error message when trying to view a small list of CIDR addresses in Firewall->Aliases.<br />It was followed by a white blank screen and I had to reload the console page to reveal the error message below...</p>
<p>Crash report begins. Anonymous machine information:</p>
<pre>
arm64
14.0-CURRENT
FreeBSD 14.0-CURRENT #1 plus-RELENG_23_05_1-n256108-459fc493a87: Wed Jun 28 04:25:15 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-23_05_1-main/obj/aarch64/0P4W6joa/var/jenkins/workspace/pfSense-Plus-snapshots-23_05_1-main/source
</pre>
<p>Crash report details:</p>
<pre>
PHP Errors:
[13-Sep-2023 10:08:16 Europe/London] PHP Fatal error: str_ireplace(): Cannot use output buffering in output buffering display handlers in /usr/local/www/csrf/csrf-magic.php on line 161
[13-Sep-2023 10:08:53 Europe/London] PHP Fatal error: str_ireplace(): Cannot use output buffering in output buffering display handlers in /usr/local/www/csrf/csrf-magic.php on line 161
</pre>
<p>No FreeBSD crash data found.</p>
<p>Thank you.</p>

pfSense Plus - Bug #14401 (New): Changing from Switchport to Discrete Interface in VGA/Serial Con...
https://redmine.pfsense.org/issues/14401 | 2023-05-21T02:29:00Z | Kris Phillips
<p>If you have an interface on a switchport device, like the 7100, and reassign the interface to a discrete interface like an igb interface using the VGA or Serial console, the Status --> Dashboard and Status --> Interfaces pages will continue to use the old switchport monitor setting until you save and apply the interface, thus always showing the port as down after moving the cable. Since the Interfaces --> WAN/LAN/OPT/etc selection does not show a port monitor setting if it's using a discrete interface, there is no way to eliminate it without just saving the interface and applying.</p>

pfSense Plus - Bug #14329 (New): DDNS IPv6 update PHP error
https://redmine.pfsense.org/issues/14329 | 2023-04-30T23:55:28Z | Ryan Haraschak
<p>Dynamic DNS updates to DigitalOcean for IPv6 fail with a PHP error. This error appears in both the GUI's crash report banner, and in the browser if a forced update is invoked.<br />DigitalOcean IPv4 (same API key) appears to be successful.</p>
<p>Firmware and all packages on latest version.</p>
<pre>
Crash report begins. Anonymous machine information:
amd64
14.0-CURRENT
FreeBSD 14.0-CURRENT #0 plus-RELENG_23_01-n256037-6e914874a5e: Fri Feb 10 20:30:29 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/obj/amd64/VDZvZksF/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBS
Crash report details:
PHP Errors:
[28-Apr-2023 01:01:00 Asia/Tokyo] PHP Fatal error: Uncaught Error: Attempt to assign property "domain_records" on null in /etc/inc/dyndns.class:1425
Stack trace:
#0 /etc/inc/dyndns.class(479): updatedns->_update()
#1 /etc/inc/services.inc(2355): updatedns->__construct('digitalocean-v6', '[redacted hostname]', '[redacted domain]', '', '[redacted key]', false, false, '', 'opt4', NULL, NULL, NULL, '', NULL, '', '3600', '', 'opt4', '', '0', false, false, false, NULL)
#2 /etc/inc/services.inc(2407): services_dyndns_configure_client(Array)
#3 /etc/rc.dyndns.update(40): services_dyndns_configure()
#4 {main}
thrown in /etc/inc/dyndns.class on line 1425
</pre>

pfSense Plus - Bug #14104 (New): Google LDAP connections still fail even after adding SNI for TLS...
https://redmine.pfsense.org/issues/14104 | 2023-03-14T03:11:56Z | Azamat Khakimyanov
<p>Tested on 23.01 and with IPv6.</p>
<p>After fixing <a class="external" href="https://redmine.pfsense.org/issues/11626">https://redmine.pfsense.org/issues/11626</a> I see that the LDAP client is sending the SNI header during TLS negotiation ('Client_Hello.png') but Google LDAP connections still fail.</p>
<p>In PCAP I got 'Alert (Level: Fatal, Description: Unknown CA)' so looks like Google LDAP is still replying with a self-signed certificate that will not pass CA validation checks (<a class="external" href="https://support.google.com/a/answer/9190869">https://support.google.com/a/answer/9190869</a>)</p>
<p>The strange part is that I get no error if I run <code># ldapsearch -H ldaps://ldap.google.com -x -d1</code>:</p>
<pre>
ldap_url_parse_ext(ldaps://ldap.google.com)
ldap_create
ldap_url_parse_ext(ldaps://ldap.google.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.google.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 2001:4860:4802:32::3a 636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS trace: SSL_connect:TLSv1.3 read encrypted extensions
TLS trace: SSL_connect:SSLv3/TLS read server certificate request
TLS certificate verification: depth: 2, err: 0, subject: /C=US/O=Google Trust Services LLC/CN=GTS Root R1, issuer: /C=US/O=Google Trust Services LLC/CN=GTS Root R1
TLS certificate verification: depth: 1, err: 0, subject: /C=US/O=Google Trust Services LLC/CN=GTS CA 1C3, issuer: /C=US/O=Google Trust Services LLC/CN=GTS Root R1
TLS certificate verification: depth: 0, err: 0, subject: /CN=ldap.google.com, issuer: /C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
TLS trace: SSL_connect:SSLv3/TLS read server certificate
TLS trace: SSL_connect:TLSv1.3 read server certificate verify
TLS trace: SSL_connect:SSLv3/TLS read finished
TLS trace: SSL_connect:SSLv3/TLS write change cipher spec
TLS trace: SSL_connect:SSLv3/TLS write client certificate
TLS trace: SSL_connect:SSLv3/TLS write finished
ldap_open_defconn: successful
</pre>

pfSense Plus - Bug #13949 (New): Boot Environments do not seem to cleanly restore the system
https://redmine.pfsense.org/issues/13949 | 2023-02-12T09:51:54Z | Yuri Weinstein
<p>I tried and set up 25.01RC and had a minor issue so decided to roll back to 22.05.</p>
<p>To my surprise, after restoring the system back to 22.05, two packages: `ntopng` and `pfBlockerNG-devel` had errors and required reinstalls.</p>
<p>Boot Environments did not cleanly restore the system to the known state!</p>
<p>See more than one user reporting this problem: <a class="external" href="https://forum.netgate.com/topic/177764/boot-environments-unexpected-behavior">https://forum.netgate.com/topic/177764/boot-environments-unexpected-behavior</a></p>

pfSense Plus - Bug #13542 (New): Boot delay caused when OpenVPN config uses alias list that relie...
https://redmine.pfsense.org/issues/13542 | 2022-10-04T07:14:19Z | Adrien Carlyle (adrien.carlyle@gmail.com)
<p>pfSense+ 22.05 in Azure</p>
<p>I use OpenVPN with an alias list that includes 76 (and growing) FQDNs.</p>
<p>When the system is set to internal DNS with public fallback, the system hangs for 10+ minutes at boot at "Syncing OpenVPN settings". I assume this is because each record lookup fails and has to time out before it is resolved via public DNS.</p>
<p>Changing this option to public DNS only works around the issue, but there are some cases where I need the firewall to use internal DNS to work with domain overrides.</p>
<p>Perhaps the resolver could be brought online just after WAN is established, or the fallback behavior could be tweaked so that it falls back for an entire alias list instead of each individual entry (since tables are refreshed periodically anyway).</p>

pfSense Plus - Bug #13074 (New): AES-GCM with SafeXcel on Netgate 2100 causes MBUF overload
https://redmine.pfsense.org/issues/13074 | 2022-04-19T12:10:00Z | Chris S
<p>Running IPsec tunnels on a Netgate 2100 with AES-GCM and SafeXcel enabled seems to cause an MBUF overload requiring a reboot to re-establish the tunnel.</p>
<p>First spotted by NOCling in the forums. I was able to reproduce on my own 6100-2100 IPsec setup.</p>
<p><a class="external" href="https://forum.netgate.com/topic/171469/netgate-2100-s2s-aes-gcm-and-safexcel-mbuf-overload">https://forum.netgate.com/topic/171469/netgate-2100-s2s-aes-gcm-and-safexcel-mbuf-overload</a></p>