pfSense bugtracker: Issueshttps://redmine.pfsense.org/https://redmine.pfsense.org/favicon.ico?16780521162023-10-17T13:24:33ZpfSense bugtracker
Redmine pfSense Packages - Feature #14890 (New): dtlspipe packagehttps://redmine.pfsense.org/issues/148902023-10-17T13:24:33Zyon Liuinfo@ipv6china.com
<p>This is a DTSL tool that has been tested and used. It can add DTLS support to almost all UDP. It is especially suitable for applications that are sensitive to network delays.<br />I have asked the author to add support for various systems. If you need help, we can contact the author.</p>
<p><a class="external" href="https://github.com/Snawoot/dtlspipe">https://github.com/Snawoot/dtlspipe</a></p> pfSense - Feature #14886 (New): Visual improvement to the Gateway widget: display the icon in a c...https://redmine.pfsense.org/issues/148862023-10-16T19:25:35ZPatrik Stahlman
<p>A small tweak to the Gateway widget to display the icon in a color reflecting the status.</p>
<p>Rationale: <br />In my four column setup the status text is not always visible so I can't quickly determine the gateway status without shifting/scrolling the widget to the right. With this change I can see the status in the icon color.</p>
<p>Change:<br />1. move the code that determines the background color before the output of the icon. No change to the code, just a move.<br />2. add the background color to the icon formatting</p> pfSense Packages - Bug #14200 (New): WireGuard reply-to without NAThttps://redmine.pfsense.org/issues/142002023-03-29T10:02:59ZCarrnell Tech
<p>I have discovered that the WireGuard package requires the interface to have the gateway set for the reply-to rules to function as expected. However, this also creates an undesired auto NAT rules that need to be manually disabled in order to use the reply-to rules effectively.</p>
<p>I have posted all the detail and the road for my discovery on the forums and a great amount of detail along with it:<br /><a class="external" href="https://forum.netgate.com/topic/178908/wan-to-wireguard-to-lan-reply-to-bug">https://forum.netgate.com/topic/178908/wan-to-wireguard-to-lan-reply-to-bug</a></p>
My hope is that one of the following fix ideas could be implemented:
<ul>
<li>Could add verbiage on the interface or package GUI to indicate that these steps are required for true reply-to packets to function.</li>
<li>Add some sort of check box to prevent the auto added NAT rules for WireGuard interfaces, or, a check box that adds reply-to rules without the need for gateway to be filled.</li>
<li>Or, if possible, change the WireGuard package in such a way that it treats the WireGuard interface with reply-to rules with or without the gateway being set in the interface.</li>
</ul>
<p>To give you more of an idea of why I had more trouble with this particular part than anything previous is that I was migrating away from OpenVPN to WireGuard. Where OpenVPN functioned as desired without the gateway being set, I did not think to read the interface documentation mostly because the verbiage only mentions the need for it being set for internet access type scenarios, of which, I overlooked thinking it was unnecessary. On my testing environment, it was not until I started changing what I thought were unnecessary checkbox and dropdowns that I discovered the gateway was needed, I then started to read the documentation for it, which lead me to my final conclusion.</p>
<p>Appreciate your time!<br />Thank you!</p> pfSense - Feature #13220 (New): Voucher per-roll bandwidth restrictions and traffic quotashttps://redmine.pfsense.org/issues/132202022-05-26T08:08:08ZRaymond Chauke
<p>I hope PFSENSE can Enable per-voucher roll bandwidth restriction. where during the vouchers roll creation i can be able set KB,MB or GB speed per voucher's roll.</p>
<p>where during the vouchers roll creation i can be able set KB,MB or GB Traffic quota Clients can be disconnected after exceeding 1gb or 500mb amount of traffic, inclusive of both downloads and uploads per voucher's roll.</p> pfSense - Bug #13110 (New): changing CARP VIP address does not update outbound NAT interface IPhttps://redmine.pfsense.org/issues/131102022-04-30T13:19:52Z→ luckman212luke.hamburg@gmail.com
<p>In my testing, on a 2 node HA cluster running 22.05.a.20220426.1313, if you change the Virtual IP, it is properly synced to the backup node, but the manual outbound NAT rule is not updated, so things break slightly. I am not sure if this is by design, but since you are selecting the IP by interface name, it seems like it would intuitively work the way other aliases work and "follow" changes to the chosen named VIP.</p> pfSense - Feature #12863 (New): dynamically tune sha512crypt roundshttps://redmine.pfsense.org/issues/128632022-02-24T00:16:27ZRoyce Williamsroyce@tycho.org
<p>As touched on in <a class="issue tracker-1 status-5 priority-4 priority-default closed" title="Bug: Suboptimal Password Hashing (Closed)" href="https://redmine.pfsense.org/issues/12800">#12800</a> and <a class="issue tracker-2 status-3 priority-4 priority-default closed" title="Feature: GUI option to select the user password hashing algorithm (Resolved)" href="https://redmine.pfsense.org/issues/12855">#12855</a>, sha512crypt's default number of rounds (5000) can be cracked relatively quickly by modern standards. But "fixing" this with a static, arbitrary number of rounds could adversely impact login speed and user experience, depending on platform.</p>
<p>I propose a middle-ground solution: tune the number of rounds based on platform capability to a target runtime. Multiple UX studies have cited 500ms (half a second) as an upper bound for user login delay tolerance.</p>
<p><a href="https://gist.github.com/roycewilliams/09ddd10504d560c02b28049759cd666f" class="external">This reference code</a> detects the number of rounds near 500ms performance, using a simple approach: performing a test hash, and then applying its performance ratio to the rounds count. It then hashes the password with that number of rounds. It abstracts both the sha512crypt hashing and the dynamic rounds tuning into their own functions. It also improves salt entropy in passing, to match bcrypt and scrypt's 128 bits and to match the sha512crypt</p>
<p>The code is overly commented, to explain the reasoning behind various design choices, such as those informed by attack techniques well known in the password-cracking community.</p>
<p>Sample results for a few platforms at 500ms runtimes (I am actively soliciting for additional data points):</p>
<pre>
* AMD Geode LX800 500 MHz (alix2): rounds=11851
* AMD GX-412TC SOC (apu2): rounds=157921
* Intel(R) Celeron(R) CPU N3150 @ 1.60GHz: rounds=209662
* Pentium(R) Dual-Core CPU E5: rounds=568985
* 11th Gen Intel(R) Core(TM) i7-11700K @ 3.60GHz: rounds=1741092
</pre>
<p>Note especially these higher values. A modern CPU can run 1.7 million rounds of sha512crypt in half a second. By contrast, a medium-sized pentest cracking rig (equivalent of 6 GTX 1080s) can do a little over 2 billion rounds in half a second against a single hash (scaling downward across multiple salted hashes).</p>
<p>So while not even a strong hash can protect a single very weak password for long, strengthening these hashes can do a much better job of protecting midrange and stronger ones.</p> pfSense Packages - Bug #11000 (New): haproxy deprecated trick suggestedhttps://redmine.pfsense.org/issues/110002020-10-22T17:51:10ZManuel Piovan
<p>haproxy-devel<br />under backend<br />the description for "Http check version" say:<br /><pre><code class="php syntaxhl"><span class="nc">Defaults</span> <span class="n">to</span> <span class="s2">"HTTP/1.0"</span> <span class="k">if</span> <span class="n">left</span> <span class="n">blank</span><span class="mf">.</span> <span class="nc">Note</span> <span class="n">that</span> <span class="n">the</span> <span class="nc">Host</span> <span class="n">field</span> <span class="n">is</span> <span class="n">mandatory</span> <span class="n">in</span> <span class="no">HTTP</span><span class="o">/</span><span class="mf">1.1</span><span class="p">,</span> <span class="k">and</span> <span class="k">as</span> <span class="n">a</span> <span class="n">trick</span><span class="p">,</span> <span class="n">it</span> <span class="n">is</span> <span class="n">possible</span> <span class="n">to</span> <span class="n">pass</span> <span class="n">it</span> <span class="n">after</span> <span class="s2">"</span><span class="se">\r\n</span><span class="s2">"</span> <span class="n">following</span> <span class="n">the</span> <span class="n">version</span> <span class="n">string</span> <span class="n">like</span> <span class="n">this</span><span class="o">:</span>
<span class="no">HTTP</span><span class="o">/</span><span class="mf">1.1</span><span class="err">\</span><span class="n">r\nHost</span><span class="o">:</span><span class="err">\</span> <span class="n">www</span>
</code></pre><br />but this lead to a Warning</p>
<pre><code class="php syntaxhl"><span class="p">[</span><span class="no">WARNING</span><span class="p">]</span> <span class="mi">296</span><span class="o">/</span><span class="mo">00442</span><span class="mi">8</span> <span class="p">(</span><span class="mi">78254</span><span class="p">)</span> <span class="o">:</span> <span class="n">parsing</span> <span class="p">[</span><span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">haproxy</span><span class="o">/</span><span class="n">haproxy</span><span class="mf">.</span><span class="n">cfg</span><span class="o">:</span><span class="mi">67</span><span class="p">]</span><span class="o">:</span> <span class="s1">'option httpchk'</span> <span class="o">:</span> <span class="n">hiding</span> <span class="n">headers</span> <span class="k">or</span> <span class="n">body</span> <span class="n">at</span> <span class="n">the</span> <span class="n">end</span> <span class="n">of</span> <span class="n">the</span> <span class="n">version</span> <span class="n">string</span> <span class="n">is</span> <span class="n">deprecated</span><span class="mf">.</span> <span class="nc">Please</span><span class="p">,</span> <span class="n">consider</span> <span class="n">to</span> <span class="kn">use</span> <span class="s1">'http-check send'</span> <span class="n">directive</span> <span class="n">instead</span><span class="mf">.</span>
</code></pre> pfSense - Feature #10732 (New): Warning banner for secondary HA nodehttps://redmine.pfsense.org/issues/107322020-07-06T05:41:14ZConstantine Kormashev
<p>It would be good if the secondary HA node has a banner with a warning all management actions have to be performed on the primary node only. And user can see this banner after login, as they see default password waring now.</p>
There are a couple of ways to detect a secondary node:
<ul>
<li>hidden flag in the config, see <a class="external" href="https://redmine.pfsense.org/issues/10731">https://redmine.pfsense.org/issues/10731</a></li>
<li>CARP interfaces are in BACKUP state</li>
</ul> pfSense - Feature #10731 (New): XML-sync primary/secondary config flaghttps://redmine.pfsense.org/issues/107312020-07-06T05:38:54ZConstantine Kormashev
<p>To prevent XML-sync misconfiguring on a HA cluster, it would be good to make a config flag that can be used for distinguishing primary and secondary nodes. It might be a hidden flag in the config, which is set to primary if XML-sync is enabled on the node and after propagated to another node as secondary, and vice versa. If the node's flag is secondary, then its XML-sync menu is blocked. This flag can be also used for other purposes. E.g. it might be evidence of init XML-sync was successful and so on.</p>
<p>There is a small issue here, flag on secondary is propagated by primary, that means if we would like to clear secondary role without a primary, then we need something like a Red Force Clear button, which can reset the flag.<br />The other way would be clearing the secondary flag each reboot and keep it unflagged until the 1st XML-sync session, but this is less obvious.</p> pfSense - Feature #10258 (New): allow to sign CAhttps://redmine.pfsense.org/issues/102582020-02-13T05:27:42ZViktor Gurov
<p>To create cross-signed intermediate CA,</p>
<p>This feature can be added to the page System / Certificate Manager / CAs / Edit -> Method list<br />in this way you can import a CA and then sign it with another CA in the system</p> pfSense - Bug #9837 (New): ipv6 is not completely disabled on the interfaceshttps://redmine.pfsense.org/issues/98372019-10-20T14:04:36ZViktor Gurov
<p>When IPv6 Configuration Type is None on Interfaces configuration page, IPv6 link-local addresses still uses<br />You can see OSPFv3 hello packets, can use ipv6 from these interfaces,<br />or, if rules like "IPv4+IPv6" used, can connect to services</p>
<p>to completely disable IPv6 on interfaces, option <strong>ifdisabled</strong> must be used, i.e. "ifconfig vtnet0 inet6 ifdisabled" <br />from ifconfig (8):<br /><pre>
ifdisabled
Set a flag to disable all of IPv6 network communications on the
specified interface. Note that if there are already configured
IPv6 addresses on that interface, all of them are marked as
"tentative" and DAD will be performed when this flag is cleared.
</pre></p>
<p>pfSense 2.5.0.a.20191018.2017</p> pfSense - Bug #9755 (New): package description wrong link https://www.freshports.org/security/ope...https://redmine.pfsense.org/issues/97552019-09-13T05:20:05ZViktor Gurov
<p>Package Dependencies:<br /> openvpn-client-export-2.4.7 - wrong link</p>
<p><a class="external" href="https://www.freshports.org/security/openvpn-client-export">https://www.freshports.org/security/openvpn-client-export</a>:<br />FreshPorts -- Document not found<br />Sorry, but I don't know anything about that.</p>
<p>/security/openvpn-client-export</p>
<p>Perhaps a list of categories or the search page might be helpful.</p> pfSense Packages - Bug #9486 (New): ifindex values used for softflowd are incorrecthttps://redmine.pfsense.org/issues/94862019-04-26T13:16:29ZJesse White
<p>With this patch, we now pass ifIndex values to softflowd for inclusion in the flow packets:<br /> <a class="external" href="https://github.com/pfsense/FreeBSD-ports/pull/501/files#diff-451c93a8b870e13a749022e7ecf64cd6R52">https://github.com/pfsense/FreeBSD-ports/pull/501/files#diff-451c93a8b870e13a749022e7ecf64cd6R52</a></p>
<p>However, the values used are arbitrary and do not line up with the values used by other services on the system such as snmpd:<br /><pre>
ps ax | grep soft
91600 - Ss 0:00.64 /usr/local/sbin/softflowd -i 1:igb1 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.igb1.pid -c /var/r
91913 - Is 0:00.00 /usr/local/sbin/softflowd -i 2:igb1.2 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.igb1.2.pid -c /v
92156 - Is 0:00.00 /usr/local/sbin/softflowd -i 3:igb1.3 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.igb1.3.pid -c /v
92774 - Is 0:00.00 /usr/local/sbin/softflowd -i 4:ovpnc2 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.ovpnc2.pid -c /v
93644 - Ss 0:00.69 /usr/local/sbin/softflowd -i 5:igb0 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.igb0.pid -c /var/r
93969 - Is 0:00.00 /usr/local/sbin/softflowd -i 6:lo0 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.lo0.pid -c /var/run
</pre></p>
<pre>
$ snmpwalk -c public -v 2c 10.1.1.1 IF-MIB::ifDescr
IF-MIB::ifDescr.1 = STRING: igb0
IF-MIB::ifDescr.2 = STRING: igb1
IF-MIB::ifDescr.3 = STRING: enc0
IF-MIB::ifDescr.4 = STRING: lo0
IF-MIB::ifDescr.5 = STRING: pflog0
IF-MIB::ifDescr.6 = STRING: pfsync0
IF-MIB::ifDescr.7 = STRING: igb1.2
IF-MIB::ifDescr.8 = STRING: igb1.3
IF-MIB::ifDescr.9 = STRING: ovpnc2
</pre>
<p>For example igb1.2 is set to ifIndex 2, but it should really be 7.</p>
<p>The proper ifIndex can be retrieved using:<br /> <a class="external" href="https://www.freebsd.org/cgi/man.cgi?query=if_nametoindex&apropos=0&sektion=3&manpath=FreeBSD+11.0-RELEASE&arch=default&format=html">https://www.freebsd.org/cgi/man.cgi?query=if_nametoindex&apropos=0&sektion=3&manpath=FreeBSD+11.0-RELEASE&arch=default&format=html</a></p> pfSense - Bug #8464 (New): Wireless USB card does not connect to WiFi automatically after reboot/...https://redmine.pfsense.org/issues/84642018-04-17T03:35:41ZConstantine Kormashev
<p>Wireless USB card on Realtek RTL8192SU chipset in BSS mode does not connect to WiFi until wilreless interface is set to down and after to up state manually. E.g. after device reboot.<br />There is not any problem with forwarding in case device already connected to WiFi, problem happens only after device reboot/halt.<br />Tried with Dlink DWA131 (Realtek RTL8192SU) on 3100 and 2220.<br />During down/up interface there are messages in console:<br /><pre>
rsu0: rsu_join_bss: still scanning! (attempt 0)
rsu0_wlan0: ieee80211_new_state_locked: pending SCAN -> AUTH transition lost
</pre></p> pfSense - Feature #7934 (New): format support phone# for international usehttps://redmine.pfsense.org/issues/79342017-10-12T16:10:20ZAdam Thompsonathompso@athompso.net
<p>In the new 2.4.0 release, the Netgate Services and Support dashboard gadget shows the phone# to call. (Good idea, btw!)<br />So that international users know where to call, the phone# should include the country code as "+1".<br />ITU-standard formatting is "+1 (512) 900-2546", but I guess "+1-512-900-2546" would also be recognized by pretty much everyone.<br />You have people in Brazil - check to see which format they would normally expect to see.<br />The important part is the "+" followed by "1", not the punctuation.</p>