pfSense bugtracker: Issues
https://redmine.pfsense.org/
2024-03-28T15:30:27Z

pfSense Plus - Feature #15368 (New): Bulk import DHCP host reservations
https://redmine.pfsense.org/issues/15368
2024-03-28T15:30:27Z, Chris W
<p>It'd be a huge time saver to import from a CSV or XML file into Kea, or even just pasting into a text field like Firewall > Alias > Bulk Import currently does.</p>

pfSense Plus - Bug #15361 (New): Error in virtual IP aliases when using IPv6 "network" / "broadca...
https://redmine.pfsense.org/issues/15361
2024-03-25T09:20:00Z, Mathis Cavalli
<p>There is no network address in IPv6, nor broadcasts like IPv4.<br />When adding / editing an IP alias and putting there an address like fd00::/64, it shows the following error: "The network address cannot be used for this VIP".<br />It happened on my pfSense+ box but it seems the CE 2.7.2 is also affected.</p>

pfSense Plus - Bug #15332 (New): Kea doesn't start without any logs when upload config with addit...
https://redmine.pfsense.org/issues/15332
2024-03-12T13:17:13Z, aleksei prokofiev
<p>If the config has an additional DHCP pool with extra parameters configured, such as default-lease-time or max-lease-time, then KEA won't start, without any logs. To fix that, those extra options need to be deleted from the config. Or just resave the affected pool without any changes, which will rewrite the config without the extra options.</p>
<p>For example:</p>
<pre>
<pool>
  <range>
    <from>192.168.6.2</from>
    <to>192.168.6.48</to>
  </range>
  <descr><![CDATA[NTP Server]]></descr>
  <defaultleasetime>600</defaultleasetime>
  <maxleasetime>3600</maxleasetime>
</pre>
<p>After resaving, it will be deleted:</p>
<pre>
<pool>
  <range>
    <from>192.168.6.2</from>
    <to>192.168.6.48</to>
  </range>
  <descr><![CDATA[NTP Server]]></descr>
  <defaultleasetime></defaultleasetime>
  <maxleasetime></maxleasetime>
</pre>

pfSense Plus - Regression #15320 (New): XMLRPC Sync Trigger on CARP Maintenance Mode Causes webCo...
https://redmine.pfsense.org/issues/15320
2024-03-08T03:13:23Z, Kris Phillips
<p>When syncing a large configuration file with a large number of Virtual IPs, XMLRPC Sync can cause the webConfigurator to completely hang on a secondary unit in an HA pair for several minutes. This can also lead to 504 Timeout messages. The webConfigurator will typically recover on its own, but this will often take several minutes.</p>
<p>Disabling the Virtual IP portion of the XMLRPC sync resolves this issue and the failover is nearly instantaneous, along with complete responsiveness from the webConfigurator.</p>
<p>Likely improvements can be made to the PHP code to not just blindly copy and rebuild the entire Virtual IP configuration on the secondary unit, as these hangs can lead to high CPU load and responsiveness issues for the secondary firewall that you just failed over to. This is obviously less than ideal since that unit is supposed to be taking over traffic in a manual failover scenario.</p>

pfSense Plus - Bug #15316 (Confirmed): OpenVPN Clients with Gateway Group Interface on DHCP Exits...
https://redmine.pfsense.org/issues/15316
2024-03-06T17:08:29Z, Kris Phillips
<p>By default with DHCP gateways, they are not populated into the config as <gateway_item>, but can be present in a <gateway_group>. Because of this, when assigning a gateway group to an OpenVPN client that has an interface go down in the current, active tier, OpenVPN will not properly fail over. Instead, it will hang for a long time, produce errors stating that it's "unable to bind" to the interface (because it's unplugged and the gateway disappears), give an error about being unable to delete a route, and then exits on "Error 1".</p>
<p>If you go into each gateway item under System --> Routing, edit the gateway items without making any changes, save, and apply, the gateways will become present in the config.xml, they'll show as "Pending" in gateway statuses (rather than disappearing entirely), and OpenVPN will fail over as expected.</p>
<p>Either we should be adding a <gateway_item> for each gateway that is present in a <gateway_group> or we should fix OpenVPN so that it doesn't bomb out when a gateway disappears rather than transitioning to Pending.</p>

pfSense Plus - Feature #15306 (New): Change Gateway Status from Pending to Unavailable
https://redmine.pfsense.org/issues/15306
2024-03-03T01:25:28Z, Kris Phillips
<p>Per customer statement and request, gateway statuses of "Pending" are confusing as a state for gateways that do not exist yet due to dynamic allocation. Something like a state of "Unavailable" may be more appropriate wording.</p>

pfSense Plus - Bug #15303 (New): dpinger service does not always switch from Pending to Online
https://redmine.pfsense.org/issues/15303
2024-03-02T17:07:07Z, Kris Phillips
<p>There are several situations where dpinger will not detect a gateway that is available when it should, forcing a restart of the dpinger service to "trigger" it to recheck.</p>
<p>Known situations, but there may be more:</p>
<p>1. Adding a new VTI tunnel as an interface<br />2. A release/renew of an IPv6 gateway (IPv4 gateway will show up, but IPv6 will not until a dpinger restart)<br />3. Adding an OpenVPN client/server as an interface</p>
<p>Related documentation redmine: <a class="external" href="https://redmine.pfsense.org/issues/15230">https://redmine.pfsense.org/issues/15230</a></p>

pfSense Plus - Feature #15295 (New): State Filter Rule ID needs clarification
https://redmine.pfsense.org/issues/15295
2024-02-28T23:38:28Z, Mike Moore
<p>Not sure if this is a feature request but this isn't a bug.</p>
<p>See the forum post for details - <a class="external" href="https://forum.netgate.com/topic/186429/no-states-show-up-when-filtering-by-trackerid/5?_=1709161373761">https://forum.netgate.com/topic/186429/no-states-show-up-when-filtering-by-trackerid/5?_=1709161373761</a></p>
<p>When searching for states under Diagnostics/States/States and filtering by Rule ID, I mistakenly thought this meant TrackerID. The RuleID shows up if you hover over the state's entry of the firewall rule in the GUI and look at the bottom of the WebUI URL, and it will show what the corresponding ruleID is.</p>
<p>This doesn't make much sense, considering that if I search the firewall log in the WebUI and filter by "Rule Tracker ID", I can submit the TrackerID there and I'm able to narrow down my search, whereas if I filter in the states screen nothing matches Rule ID, because it's specifically looking for a number that the system generates for the Rule, but there is no place in the UI to even know what that rule number could or would be.</p>
<p>The solution would be to either:<br />1. Fix the State filter so that it can filter by tracker ID instead of Rule ID<br />2. OR update documentation to inform users of the best place to find the rule ID.</p>

pfSense Plus - Feature #15280 (New): Boot Environments 2.0
https://redmine.pfsense.org/issues/15280
2024-02-21T19:59:52Z, Christian McDonald, cmcdonald@netgate.com
<p>Changes:</p>
<ul>
<li>Configuration History is now a separate page and is no longer part of Backup & Restore.</li>
<li>Configuration History is now aware of Boot Environments. Supports downloading, deleting and restoring across boot environment boundaries.</li>
<li>System updates are now installed in an offline clone of the running system and booted "temporarily" to facilitate automatic fallback to previous working environment.</li>
<li>Boot Verification is performed when booting temporary Boot Environments. System will automatically reboot into prior boot environment upon boot failure.</li>
</ul>
<p><img src="https://redmine.pfsense.org/attachments/download/5936/clipboard-202402211456-bdjnl.png" alt="" /><br /><img src="https://redmine.pfsense.org/attachments/download/5937/clipboard-202402211457-fegcy.png" alt="" /><br /><img src="https://redmine.pfsense.org/attachments/download/5938/clipboard-202402211457-rbjkq.png" alt="" /><br /><img src="https://redmine.pfsense.org/attachments/download/5939/clipboard-202402211457-fcvqv.png" alt="" /><br /><img src="https://redmine.pfsense.org/attachments/download/5940/clipboard-202402211458-ydyne.png" alt="" /></p>

pfSense Plus - Todo #15266 (Feedback): Prevent usage of the default password in User Manager acco...
https://redmine.pfsense.org/issues/15266
2024-02-16T18:53:24Z, Jim Pingle
<p>Currently we detect in the GUI when the admin account is using the default password (<code>"pfsense"</code>) and print a warning message: source:src/usr/local/www/head.inc#L564</p>
<p>We should change that to check any account (not just <code>admin</code>) and force a password change during one or more of the user's initial interactions, for example:</p>
<ul>
<li>During the setup wizard</li>
<li>GUI login any time the password matches the default password</li>
<li>Shell (console or SSH) login any time the password matches the default password</li>
<li>Possibly during the installation process</li>
</ul>
<p>We should also not allow the user to change their password to any variation of "pfsense" in upper/lower/mixed case.</p>

pfSense Plus - Bug #15196 (Confirmed): AWS ena interfaces can become unstable/stop responding
https://redmine.pfsense.org/issues/15196
2024-01-27T01:01:22Z, Kris Phillips
<p>On AMD Epyc hardware in AWS, pfSense Plus ena interfaces can lose their IP addressing and then stop responding entirely.</p>
<p>The following log messages are present when this occurs:</p>
<pre>
Jan 16 18:34:35 np-aws-001 kernel: ena0: <ENA adapter> mem 0x80404000-0x80407fff at device 5.0 on pci0
Jan 16 18:34:35 np-aws-001 kernel: ena0: Elastic Network Adapter (ENA)ena v2.6.2
Jan 16 18:34:35 np-aws-001 kernel: ena0: Unable to allocate LLQ bar resource. LLQ mode won't be used.
Jan 16 18:34:35 np-aws-001 kernel: ena0: ena_com_validate_version() [TID:100000]: ENA device version: 0.10
Jan 16 18:34:35 np-aws-001 kernel: ena0: ena_com_validate_version() [TID:100000]: ENA controller version: 0.0.1 implementation version 1
Jan 16 18:34:35 np-aws-001 kernel: ena0: LLQ is not supported. Fallback to host mode policy.
Jan 16 18:34:35 np-aws-001 kernel: ena0: Ethernet address: 06:ba:32:98:fd:07
Jan 16 18:34:35 np-aws-001 kernel: ena0: [nm] netmap attach
Jan 16 18:34:35 np-aws-001 kernel: ena0: netmap queues/slots: TX 2/1024, RX 2/1024
</pre>
<p>and</p>
<pre>
Jan 19 03:49:07 kernel ena0: Found a Tx that wasn't completed on time, qid 1, index 925. 180522704 usecs have passed since last cleanup. Missing Tx timeout value 5000 msecs.
Jan 19 03:49:07 kernel ena0: Found a Tx that wasn't completed on time, qid 1, index 924. 179482704 usecs have passed since last cleanup. Missing Tx timeout value 5000 msecs.
Jan 19 03:49:07 kernel ena0: Found a Tx that wasn't completed on time, qid 1, index 923. 178472704 usecs have passed since last cleanup. Missing Tx timeout value 5000 msecs.
Jan 19 03:48:54 kernel ena0: Found a Tx that wasn't completed on time, qid 1, index 922. 167002704 usecs have passed since last cleanup. Missing Tx timeout value 5000 msecs.
</pre>

pfSense Plus - Bug #15157 (Incomplete): Problem in Restore Backup
https://redmine.pfsense.org/issues/15157
2024-01-12T23:35:22Z, Ramon Alonso Costa
<p>I am having the following issue when trying to update the DNS Resolver backup. Below is the file with the error.</p>

pfSense Plus - Bug #14894 (New): Password protected console login prompt does not render properly...
https://redmine.pfsense.org/issues/14894
2023-10-18T19:47:24Z, Jim Pingle
<p>After resolving other console issues with the 4100/6100/8200 in <a class="issue tracker-1 status-3 priority-4 priority-default closed" title="Bug: Serial console output fails to render properly in certain cases on 4100, 6100, and 8200. (Resolved)" href="https://redmine.pfsense.org/issues/13455">#13455</a> a problem remains with the login prompt.</p>
<p>It is not printing a newline before the FreeBSD version string nor is it printing a newline before the password prompt:</p>
<pre>
[...])FreeBSD/amd64 (pfsense.home.arpa) (ttyu0)
login: rootPassword:
Netgate 4100 [...]
</pre>
<p>It should look like this:</p>
<pre>
FreeBSD/amd64 (pfsense.home.arpa) (ttyu0)
login: root
Password:
Netgate 4100 [...]
</pre>
<p>Changing the console type doesn't have any effect, nor does changing various aspects of the TTY (e.g. setting it to <code>xterm</code> or <code>cons25w</code> instead of <code>vt100</code>, or using <code>std</code> instead of <code>3wire</code>).</p>

pfSense Plus - Regression #14378 (Confirmed): Packages are not removed when using the hardware re...
https://redmine.pfsense.org/issues/14378
2023-05-12T00:41:38Z, Steve Wheeler
<p>More precisely it appears that packages are re-installed after rebooting into the new config.</p>
<p>This does not happen using the factory default options in the GUI or console menu.</p>
<p>Tested on 4100 and 6100 with 23.05.r.20230509.2241</p>

pfSense Plus - Feature #14297 (New): Add Option for Vendor Class ID in DHCP Client
https://redmine.pfsense.org/issues/14297
2023-04-21T15:07:26Z, Kris Phillips
<p>Some ISPs require a Vendor Class ID be sent (option 60) when requesting DHCP. This can currently be accomplished in pfSense with vendor-class-identifier manually added to a dhcp config file, but adding this as a field would be helpful.</p>