pfSense bugtracker: Issues (https://redmine.pfsense.org/, feed generated 2024-03-18T20:37:19Z)
pfSense - Bug #15349 (New): 1:1 NAT rule for subnet always uses full subnet range (https://redmine.pfsense.org/issues/15349, 2024-03-18T20:37:19Z, Yehuda Katz)
<p>Creating a 1:1 NAT rule for something like <code>10.0.0.5/28 -> 10.1.0.7/28</code> will actually create the proper rules for the entire <code>/24</code> subnet.</p>
<p>Output from <code>pfctl -s nat</code>:</p>
<pre>
[2.7.2-RELEASE][admin@pfSense.home.arpa]/root: pfctl -s nat | grep 10.0
binat on vtnet0 inet from 10.1.0.0/28 to any -> 10.0.0.0/28
</pre>
<p>This is probably the correct behavior, but may not be what people expect and does not appear to be documented.<br />It would probably make sense for the web interface to reject this kind of rule and require the subnet be specified properly by the first IP in the range.</p>

pfSense - Feature #15348 (New): Block out PSK when viewing Phase 1 IPsec configuration (https://redmine.pfsense.org/issues/15348, 2024-03-18T14:31:12Z, Mike Moore)
<p>When filling out a PSK in the phase 1 proposal section, the PSK really should be entered obfuscated, with the option in the WebUI to show the password.<br />Entering a password in clear text so anyone shoulder surfing can see it is a security issue.</p>

pfSense - Bug #15347 (New): OpenVPN Multiple WAN Asymmetric Routing (https://redmine.pfsense.org/issues/15347, 2024-03-16T22:12:32Z, Timo M)
<p>Using OpenVPN in a multi-wan / failover environment (an OpenVPN interface has been created and is used by the OpenVPN server). WAN1 is Tier 1 and WAN2 is Tier 2. To be able to access the OpenVPN server through both WAN1 and WAN2, I used the port forward method to bind the OpenVPN server to localhost and forward traffic from both WAN1 and WAN2 to it as described in the documentation:</p>
<p><a class="external" href="https://docs.netgate.com/pfsense/en/latest/multiwan/openvpn.html#bind-to-localhost-and-setup-port-forwards">https://docs.netgate.com/pfsense/en/latest/multiwan/openvpn.html#bind-to-localhost-and-setup-port-forwards</a></p>
<p>FreeRADIUS is used as the authentication backend for OpenVPN (to be able to use 2FA). When connecting through WAN2 (which is on Tier 2) traffic appears to exit back out WAN1 after the RADIUS authentication completes leading to asymmetric routing. I see the following in the logs from FreeRADIUS:</p>
<p><code>(0) Login OK: [user_id] (from client pfsenseclient port 1194 cli *WAN1_IP* :1194)</code></p>
<p>I can confirm that the connection to the OpenVPN server was indeed made through WAN2 by looking at firewall states / traffic. Is this a bug, or is this configuration (OpenVPN server with FreeRADIUS authentication) not supported (e.g. the <code>reply-to</code> functionality does not work properly)? Thanks in advance.</p>

pfSense Docs - Correction #15345 (New): Advanced options -- fix typo (https://redmine.pfsense.org/issues/15345, 2024-03-16T19:46:36Z, Craig Coonrad)
<p>URL: <a class="external" href="https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#advanced-options">https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#advanced-options</a></p>
<blockquote>
<p>Tip: While this option control the global default</p>
</blockquote>
<p>to</p>
<blockquote>
<p>Tip: While this option controls the global default</p>
</blockquote>

pfSense Docs - Correction #15344 (New): Interface Bound States -- fix typo (https://redmine.pfsense.org/issues/15344, 2024-03-16T19:40:53Z, Craig Coonrad)
<p>URL: <a class="external" href="https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#interface-bound-states">https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#interface-bound-states</a></p>
<blockquote>
<p>If a packet attempts to takes an path</p>
</blockquote>
<p>Think that should be:</p>
<blockquote>
<p>If a packet attempts to takes a path</p>
</blockquote>

pfSense - Bug #15343 (New): DHCP host names for Windows 10/11 hosts have "." at the end (https://redmine.pfsense.org/issues/15343, 2024-03-15T16:50:34Z, Daryl Morse)
<p>Since changing to Kea DHCP, DHCP host names for Windows 10 and Windows 11 hosts are being created with a "." at the end.</p>
<p>This does not happen for other types of hosts.</p>
<p>This does not affect DHCPv6.</p>

pfSense - Bug #15341 (New): PHP errors in ``xmlrpc.php`` during configuration synchronization con... (https://redmine.pfsense.org/issues/15341, 2024-03-15T15:35:41Z, Christopher Cope)
<pre>
[15-Mar-2024 09:50:55 America/Chicago] PHP Fatal error: Uncaught TypeError: Cannot access offset of type string on string in /usr/local/www/xmlrpc.php:718
Stack trace:
#0 /usr/local/www/xmlrpc.php(638): pfsense_xmlrpc_server->filter_configure(false, false)
#1 /usr/local/share/pear/XML/RPC2/Server/CallHandler/Instance.php(141): pfsense_xmlrpc_server->restore_config_section(Array, 900)
#2 /usr/local/share/pear/XML/RPC2/Backend/Php/Server.php(135): XML_RPC2_Server_Callhandler_Instance->__call('pfsense.restore...', Array)
#3 /usr/local/share/pear/XML/RPC2/Backend/Php/Server.php(99): XML_RPC2_Backend_Php_Server->getResponse()
#4 /usr/local/www/xmlrpc.php(987): XML_RPC2_Backend_Php_Server->handleCall()
</pre>
<p>The error is being hit on:</p>
<pre>
23.09.1-RELEASE (amd64)
built on Wed Dec 20 13:27:00 EST 2023
FreeBSD 14.0-CURRENT
</pre>
<p>This seems to be a similar issue to <a class="external" href="https://redmine.pfsense.org/issues/14034">https://redmine.pfsense.org/issues/14034</a> but this has to do with OpenVPN tags. I'll get a merge request together this week.</p>

pfSense Plus - Feature #15306 (New): Change Gateway Status from Pending to Unavailable (https://redmine.pfsense.org/issues/15306, 2024-03-03T01:25:28Z, Kris Phillips)
<p>Per customer statement and request, gateway statuses of "Pending" are confusing as a state for gateways that do not exist yet due to dynamic allocation. Something like a state of "Unavailable" may be more appropriate wording.</p>

pfSense Packages - Bug #15296 (New): WAN Interface cannot be added to ntopng if offline-packet loss (https://redmine.pfsense.org/issues/15296, 2024-02-29T06:58:23Z, Sergei Shablovsky)
<p>Brilliant pfSense DevTeam!</p>
<p>In a multi-WAN pfSense configuration, WAN interfaces that pfSense decides are in the “Offline, Packet loss” state CANNOT BE ADDED to the ntopng config.</p>
<p>(To add a certain WAN connection (for example, if a WAN interface comes from the “Offline, packet loss” state to the “Online” state), ntopng needs to be disabled, the service stopped, the ntopng pkg uninstalled (with all data and configs deleted), then the hardware rebooted, the ntopng pkg installed again, and only after that does the new WAN with “Online” status become visible as an Interface in ntopng.)</p>
<p>But LAN interfaces would ALL be ADDED, even if some of them are not connected physically. So this bug is related only to WAN interfaces.</p>
<p>P.S.<br />This is related to WAN DHCP; I do not know about WAN STATIC.</p>

pfSense Plus - Feature #15295 (New): State Filter Rule ID needs clarification (https://redmine.pfsense.org/issues/15295, 2024-02-28T23:38:28Z, Mike Moore)
<p>Not sure if this is a feature request but this isn't a bug.</p>
<p>See the forum post for details - <a class="external" href="https://forum.netgate.com/topic/186429/no-states-show-up-when-filtering-by-trackerid/5?_=1709161373761">https://forum.netgate.com/topic/186429/no-states-show-up-when-filtering-by-trackerid/5?_=1709161373761</a></p>
<p>Searching for states under Diagnostics/States/States, if you filter by Rule ID, I mistakenly thought this meant TrackerID. The RuleID shows up if you hover over the state's entry of the firewall rule in the GUI and look at the bottom of the WebUI url, and it will show what the corresponding ruleID is.</p>
<p>This doesn't make much sense considering if I search the firewall log in the WebUI and filter by "Rule Tracker ID" I can submit the TrackerID there and I'm able to narrow down my search, whereas if I filter in the states screen nothing matches Rule ID because it's specifically looking for a number that the system generates for the Rule, but there is no place in the UI to even know what that rule number could or would be.</p>
<p>The solution would be to either:<br />1. Fix the State filter so that it can filter by tracker ID instead of Rule ID<br />2. OR update documentation to inform users of the best place to find the rule ID.</p>

pfSense - Bug #15110 (New): pfSense hangs when rebooting (https://redmine.pfsense.org/issues/15110, 2023-12-21T16:09:41Z, Danilo Zrenjanin)
<p>Start the reboot from the GUI:</p>
<pre>
Enter an option: pflog0: promiscuous mode disabled
Waiting (max 60 seconds) for system process `vnlru' to stop... done
Waiting (max 60 seconds) for system process `syncer' to stop...
Syncing disks, vnodes remaining... 0 0 0 0 0 0 done
All buffers synced.
Uptime: 3m20s
Khelp module "ertt" can't unload until its refcount drops from 1 to 0.
uhub0: detached
</pre>
<p>At this point, it hangs. Noticed on a Netgate 6100 with 23.09.1.</p>

pfSense - Bug #13624 (New): Only one alias in local network of OpenVPN Server works in 2.6.0 (https://redmine.pfsense.org/issues/13624, 2022-11-02T11:55:36Z, Florian Bat)
<p>Issue <a class="issue tracker-2 status-3 priority-4 priority-default closed" title="Feature: Support aliases in OpenVPN local/remote/tunnel network fields (Resolved)" href="https://redmine.pfsense.org/issues/2668">#2668</a> implemented the possibility to have host/network aliases in the OpenVPN local/remote/tunnel network fields.</p>
<p>When using host aliases in the local network field, it seems only the hosts of the very first alias are pushed to the client as local network. All other aliases seem to be ignored.</p>
<p><strong>Example:</strong><br />Let's say I have 3 host alias lists (named alias1, alias2 and alias3) with 2 hosts defined in each alias.</p>
<p>Using this as "local network" in the OpenVPN Server definition only pushes the IPs of the <strong>alias1</strong> list.</p>
<pre><code class="html syntaxhl">alias1, alias2, alias3
</code></pre>
<p>This only pushes the hosts of <strong>alias2</strong>:</p>
<pre><code class="html syntaxhl">alias2, alias3, alias1
</code></pre>
<p>And this would push the two hosts of <strong>alias1</strong> plus the <strong>192.168.1.0/24</strong> and <strong>192.168.2.0/24</strong> networks as local networks.</p>
<pre><code class="html syntaxhl">alias1, alias2, 192.168.1.0/24, alias3, 192.168.2.0/24
</code></pre>
<p>I am using<br />2.6.0-RELEASE (amd64)<br />built on Mon Jan 31 19:57:53 UTC 2022<br />FreeBSD 12.3-STABLE</p>

pfSense - Feature #13227 (New): Enable IPSec Virtual IP Pool assignment by Radius for Mobile User... (https://redmine.pfsense.org/issues/13227, 2022-05-27T10:09:22Z, Tue Madsen)
<p>Currently you cannot create additional Virtual IP Pools to assign mobile users IP addresses from, if you are using EAP-Radius as the authentication source.<br />This prohibits using different firewall rules for different groups of users.<br />Everyone is treated the same, unless you specifically assign a static IP to a specific user from Radius via framed-ip-address - which is NOT scalable.</p>
<p>But all the logic is enabled in strongswan, and the GUI settings to swanctl.conf scripts have already enabled the groups feature in strongswan, so it will accept the "Class" attribute from Radius as a groups identifier.</p>
<p>There just needs to be a way to create a groups identifier in the GUI with an attached IP Pool that is written correctly to the config files.</p>
<p>By hacking /etc/inc/ipsec.inc I have enabled this by asking the "preshared secrets" GUI part to write an EAP Shared secret as a "groups" in the remote section instead of an "id".<br />All I did was the following edit in /etc/inc/ipsec.inc:<br />Locate the major section called: "/***f ipsec/ipsec_setup_userpools" about halfway into the file.<br />Locate the line: "$scconf['connections'][$upconn]['remote']['id'] = $clientid;"<br />Change it to "$scconf['connections'][$upconn]['remote']['groups'] = $clientid;"</p>
<p>Once that is done, if you enable "group authentication" in your mobile clients settings, groups identifiers returned with the "Class" attribute are respected, and the user is assigned an IP from the custom pool. Default users are still assigned IPs from the default mobile warrior pool if the Radius returns the group(s) name selected in the mobile clients setup.</p>
<p>A very quick fix to this issue would be to add a new "Groups" tab in IPsec where you can add a group identifier and the IP Pool to use for that group. It can use most of the same script parts from "/***f ipsec/ipsec_setup_userpools" in ipsec.inc - it just needs to create the line in the remote part of swanctl.conf with 'groups' instead of 'id'.</p>

pfSense - Bug #12747 (New): System log is filled by sshguard (https://redmine.pfsense.org/issues/12747, 2022-02-01T08:47:15Z, Steve Wheeler)
<p>sshguard has to restart when the logs are rotated in 2.6 in order to monitor the current file. When it does so it logs the service restart.<br />In an even moderately busy firewall this can produce a lot of log entries, to the point it starts to hide other more important logs.<br />It appears to restart whenever any log is rotated; is that actually required?</p>
<p>For example, on a test system where an IPSec tunnel is configured but never connects, the ipsec log rotates frequently, resulting in a system log:</p>
<pre>
Jan 31 00:25:00 sshguard 29496 Exiting on signal.
Jan 31 00:25:00 sshguard 9940 Now monitoring attacks.
Jan 31 03:17:00 sshguard 9940 Exiting on signal.
Jan 31 03:17:00 sshguard 60321 Now monitoring attacks.
Jan 31 06:09:00 sshguard 60321 Exiting on signal.
Jan 31 06:09:00 sshguard 83661 Now monitoring attacks.
Jan 31 09:01:00 sshguard 83661 Exiting on signal.
Jan 31 09:01:00 sshguard 93166 Now monitoring attacks.
Jan 31 11:53:00 sshguard 93166 Exiting on signal.
Jan 31 11:53:00 sshguard 94019 Now monitoring attacks.
</pre>
<p>It's possible to mitigate this to some extent by increasing the log file size, reducing the rotation frequency.</p>

pfSense - Feature #9293 (New): Provide WebUI message (banner) prior to login (https://redmine.pfsense.org/issues/9293, 2019-01-29T06:18:56Z, Ryan Haraschak)
<p>While trying to deploy in govt environments, they have security guidelines (STIGs) we're required to follow. Some, as trivial as they seem, include displaying banners before logging in. I've been able to modify the html\php to meet this requirement, however, as expected, the changes are lost after an update.</p>
<p>Would it be possible to add a text entry field on the general settings page that provides a persistent webui login banner?</p>
<p>Here's an example from the <a href="https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2018-03-01/finding/V-38593" class="external">DoD RHEL STIGs</a>:</p>
<pre>
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
</pre>