pfSense bugtracker: Issues
https://redmine.pfsense.org/
2023-12-04T19:32:00Z

pfSense - Bug #15063 (Confirmed): vpn_openvpn_server.php: shows last used interface, after changi...
https://redmine.pfsense.org/issues/15063
2023-12-04T19:32:00Z, Grischa Zengel
<p>How to reproduce:<br />1. Create openvpn server with interface "WAN" and protocol "UDP on IPv4 only" <br />2. Save config and reopen it<br />3. Change to multihome and save config</p>
<p>Now there is still "WAN" at openVPN overview. It should be "ANY".</p>

pfSense Packages - Bug #14805 (Incomplete): when I changed Endpoint ip via webgui, but wireguard ...
https://redmine.pfsense.org/issues/14805
2023-09-23T06:33:08Z, yon Liu (info@ipv6china.com)
<p>When I changed the Endpoint IP via the webgui, WireGuard was still running with the old Endpoint IP.</p>

pfSense Packages - Bug #14659 (New): vlan (add/modify/delete) with pfblockerNG installed - all in...
https://redmine.pfsense.org/issues/14659
2023-08-07T21:24:06Z, Mike Moore
<p>Hard to say if this is a bug per se but it's a reproducible problem.</p>
<p>1. create a LAGG with assigned VLANs and those VLANs are assigned interfaces.<br />2. install pfBlockerNG and assign your incoming and outgoing interfaces per usual. Incoming will be WAN and outgoing will be the VLAN interfaces<br />3. If you modify any part of the vlan configuration - change the description or change the vlan.id, this triggers a complete flap of all interfaces. If you have FRR routing neighbors, those neighbors will flap as well.</p>
<p>The workaround is to modify the LAGG during a maintenance window. <br />Changing a VLAN description shouldn't trigger this system-wide outage behavior.</p>
<p>I have found that if you disable the pfBlocker package then the LAGG doesn't bounce and the system operates normally. I traced this issue to pfblocker by removing all packages and installing them one by one and going through the process of vlan modifications. pfBlocker is the only package that triggers this.</p>
<p>system.log file shown when vlan description changed</p>
<pre>
Aug 7 16:51:17 GAFW kernel: vlan5: changing name to 'lagg0.3'
Aug 7 16:51:17 GAFW php-fpm[9054]: /interfaces_vlan_edit.php: Gateway, NONE AVAILABLE
Aug 7 16:51:17 GAFW check_reload_status[441]: Restarting IPsec tunnels
Aug 7 16:51:17 GAFW check_reload_status[441]: updating dyndns opt4
Aug 7 16:51:17 GAFW php-fpm[9054]: /interfaces_vlan_edit.php: Configuration Change: admin@192.168.50.241 (Local Database Fallback): VLAN interface added
Aug 7 16:51:17 GAFW check_reload_status[441]: Syncing firewall
Aug 7 16:51:17 GAFW php-fpm[9054]: /interfaces_vlan_edit.php: Beginning configuration backup to https://acb.netgate.com/save
Aug 7 16:51:21 GAFW arpwatch[39747]: bogon 0.0.0.0 da:e2:d7:9b:a5:bc
Aug 7 16:51:21 GAFW arpwatch[39747]: bogon 0.0.0.0 da:e2:d7:9b:a5:bc
Aug 7 16:51:21 GAFW arpwatch[39747]: bogon 0.0.0.0 da:e2:d7:9b:a5:bc
Aug 7 16:51:33 GAFW php-fpm[1682]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Aug 7 16:51:33 GAFW check_reload_status[441]: Reloading filter
Aug 7 16:51:33 GAFW php-fpm[1682]: /rc.newipsecdns: Gateway, NONE AVAILABLE
Aug 7 16:51:33 GAFW php-fpm[1682]: /rc.newipsecdns: Gateway, NONE AVAILABLE
Aug 7 16:51:34 GAFW php-fpm[1682]: /rc.newipsecdns: Gateway, NONE AVAILABLE
Aug 7 16:51:34 GAFW php-fpm[86524]: /rc.filter_configure_sync: New alert found: Unresolvable source alias 'pfB_AllowedCountries_v4' for rule 'Allowed countries to VPN'
Aug 7 16:51:34 GAFW php-fpm[86524]: /rc.filter_configure_sync: New alert found: Unresolvable source alias 'pfB_AllowedCountries_v4' for rule 'NAT Redirct to Jitsi VCB'
Aug 7 16:51:34 GAFW php-fpm[86524]: /rc.filter_configure_sync: New alert found: Unresolvable destination alias 'pfB_DNS_4_v4' for rule 'Block DoH and External'
Aug 7 16:51:34 GAFW php-fpm[86524]: /rc.filter_configure_sync: New alert found: Unresolvable destination alias 'pfB_DNS_4_v4' for rule 'Block DoH and External'
Aug 7 16:51:40 GAFW vnstatd[49111]: Traffic rate for "ipsec4" higher than set maximum 1000 Mbit (20s->2673868800, r4294889635 t4294888716, 64bit:0), syncing.
Aug 7 16:51:40 GAFW vnstatd[49111]: Traffic rate for "ipsec3" higher than set maximum 1000 Mbit (20s->2673868800, r4294889368 t4294888849, 64bit:0), syncing.
Aug 7 16:51:40 GAFW vnstatd[49111]: Traffic rate for "ipsec2" higher than set maximum 1000 Mbit (20s->2673868800, r4294894185 t4294821515, 64bit:0), syncing.
Aug 7 16:51:49 GAFW php-cgi[99958]: notify_monitor.php: Message sent to admin@networkingtitan.com,michmoor@gmail.com OK
Aug 7 16:52:00 GAFW newsyslog[18417]: logfile turned over due to size>500K
</pre>

pfSense - Bug #14479 (New): unbound doing qname-minimisation when enabled in unbound gui.
https://redmine.pfsense.org/issues/14479
2023-06-16T18:46:14Z, JohnPoz _
<p>I have not checked 2.7 or 23.05 yet but this came up in a discussion here</p>
<p><a class="external" href="https://forum.netgate.com/post/1110945">https://forum.netgate.com/post/1110945</a></p>
<p>Seems unbound is now doing qname by default.. So if there is no setting in the conf for qname-minimisation it does it. By default this option in 2.6 is not enabled, but since no entry in the .conf file it is being done. With no way to turn it off without placing an entry in the custom box to set it to no.</p>
<p>Logic should be changed to allow for enable/disable qname from the gui. What it defaults doesn't matter really, but with current logic there is no way to actually turn it off.. And gui reads that it is off by default, but it really isn't since unbound defaults to doing it.</p>

pfSense Packages - Feature #14147 (New): when you rename an alias the alias reference in pfsense ...
https://redmine.pfsense.org/issues/14147
2023-03-22T07:48:29Z, Jon Brown
<p>I refer to the rules @ (Firewall --> pfBlockerNG --> IP --> IPv4)</p>
<p>I noticed that when I renamed an alias, the old reference was left in place.</p>
<p>Can it be made so that when an alias is renamed, it is updated in the pfBlocker Advanced Inbound/Outbound Firewall Rule Settings?</p>
<p><img src="https://redmine.pfsense.org/attachments/download/4822/Advanced-Inbound-Firewall-Rule-Settings.jpg" alt="" /><br /><img src="https://redmine.pfsense.org/attachments/download/4823/Advanced-Outbound-Firewall-Rule-Settings.jpg" alt="" /></p>

pfSense Plus - Bug #13497 (Incomplete): unbound process looks like stuck periodically
https://redmine.pfsense.org/issues/13497
2022-09-16T01:16:46Z, Yaroslav Semenenko
<p>Hello,</p>
<p>I have a Netgate 2100.<br />The Unbound service sometimes needs to be restarted because it could not resolve a public domain name.</p>
<p>Thanks,<br />Yaroslav</p>

pfSense Packages - Bug #13444 (Incomplete): zabbix_proxy : cannot open "/var/log/zabbix-proxy/zab...
https://redmine.pfsense.org/issues/13444
2022-08-25T08:05:31Z, Steve Scotter
<p>Hi</p>
<p>I frequently come across this issue when trying to investigate why a Zabbix agent isn't communicating successfully with our Zabbix server.</p>
<p>When I navigate to <a class="external" href="https://pfsense-ip-address/status_logs_packages.php?pkg=Zabbix%20Proxy%205.0">https://pfsense-ip-address/status_logs_packages.php?pkg=Zabbix%20Proxy%205.0</a> I'm presented with the following (truncated) logs</p>
<pre>
Jul 15 03:09:00 queeg500 newsyslog[90148]: logfile turned over due to size>500K
zabbix_proxy [78631]: cannot open "/var/log/zabbix-proxy/zabbix_proxy.log": [13] Permission denied
zabbix_proxy [82116]: cannot open "/var/log/zabbix-proxy/zabbix_proxy.log": [13] Permission denied
*** Above lines repeated 50+ times ***
Jul 15 03:09:00 queeg500 newsyslog[90148]: logfile turned over due to size>500K
...
...
</pre>
<p>Logging appears to have stopped ~40 days ago.</p>
<p>Restarting the Zabbix proxy service (via <a class="external" href="https://pfsense-ip-address/status_services.php#">https://pfsense-ip-address/status_services.php#</a>) gets logging working again, however it's a pain because, generally speaking, I wanted to see the logs from the past to investigate the problem I'm dealing with at that specific time.</p>
<p>I suspect the issue is related to log rotation and file permissions based on the Permission denied error and that newsyslog is mentioned before and after the logging stops working.</p>
<p>Today, before I restarted the service, I checked who owned the log file...</p>
<pre>
[2.6.0-RELEASE][root@pfsense-ip-address]/root: ls -l /var/log/zabbix-proxy/
total 106
-rw------- 1 root wheel 80 Jul 15 03:09 zabbix_proxy.log
-rw------- 1 root wheel 29744 Jul 15 03:09 zabbix_proxy.log.0.bz2
-rw------- 1 root wheel 33193 Jun 6 13:47 zabbix_proxy.log.1.bz2
-rw------- 1 root wheel 34871 May 4 09:48 zabbix_proxy.log.2.bz2
</pre>
<p>After I restarted the service I checked again...<br /><pre>
[2.6.0-RELEASE][root@fsense-ip-address]/root: ls -l /var/log/zabbix-proxy/
total 110
-rw------- 1 zabbix zabbix 3218 Aug 25 13:42 zabbix_proxy.log
-rw------- 1 zabbix zabbix 29744 Jul 15 03:09 zabbix_proxy.log.0.bz2
-rw------- 1 zabbix zabbix 33193 Jun 6 13:47 zabbix_proxy.log.1.bz2
-rw------- 1 zabbix zabbix 34871 May 4 09:48 zabbix_proxy.log.2.bz2
</pre></p>
<p>Investigating further I found the contents of `/var/etc/newsyslog.conf.d/zabbix_proxy.log.conf` does indeed set the owner to root</p>
<pre>
# Automatically generated for package Zabbix Proxy 5.0. Do not edit.
/var/log/zabbix-proxy/zabbix_proxy.log root:wheel 600 7 500 * JC
</pre>
<p>I'll try and remember to check tomorrow but I suspect the files will be owned by root again after the (presumably) daily log rotation occurs.</p>
<p>I haven't made any customizations to the pfsense box. The only other plugins installed are</p>
<ul>
<li>open-vm-tools v10.1.0_5,1</li>
<li>openvpn-client-export v1.6_4</li>
<li>zabbix-agent5 v1.0.4_12</li>
<li>zabbix-proxy5 v1.0.4_12</li>
</ul>
<p>I compared `/var/etc/newsyslog.conf.d/zabbix_<strong>agentd</strong>.log.conf` with `/var/etc/newsyslog.conf.d/zabbix_<strong>proxy</strong>.log.conf`, both set the owners to root</p>
<p>I then checked the ownership of the agent's log files, to my surprise they're owned by Zabbix. I have <strong>not</strong> restarted the Zabbix <strong>agent</strong> service today</p>
<pre>
ls -l /var/log/zabbix-agent/
total 5
-rw-rw-r-- 1 zabbix zabbix 11450 Aug 15 11:49 zabbix_agentd.log</pre>

pfSense Packages - Bug #13432 (Incomplete): ups driver will not start
https://redmine.pfsense.org/issues/13432
2022-08-19T14:43:00Z, Scott Lampert (scott@lampert.org)
<p>I cannot get a USB-connected UPS to be recognized unless the nut usb driver is started with the "-u root" option.</p>
<p>Without the option:</p>
<pre>
$ /usr/local/sbin/upsdrvctl start
Network UPS Tools - UPS driver controller 2.7.4
Network UPS Tools - Generic HID driver 0.41 (2.7.4)
USB communication driver 0.33
No matching HID UPS found
Driver failed to start (exit status=1)
</pre>
<p>With the option:</p>
<pre>
$ /usr/local/sbin/upsdrvctl -u root start
Network UPS Tools - UPS driver controller 2.7.4
Network UPS Tools - Generic HID driver 0.41 (2.7.4)
USB communication driver 0.33
Using subdriver: CyberPower HID 0.4
</pre>
<p>The service script for nut at /usr/local/etc/rc.d/nut.sh does not include the "-u root" option and so it fails to detect any USB-connected UPS and simply outputs:<br /><pre>
Broadcast Message from root@pfsense
(no tty) at 15:12 EDT...
UPS UPS_NAME_HERE is unavailable
</pre><br />over and over.</p>

pfSense Packages - Bug #13141 (New): wrong page squidguard block
https://redmine.pfsense.org/issues/13141
2022-05-09T17:33:52Z, Robson Ferreira
<p>When using squid+squidguard, a few versions ago I could use redirect mode external url move.<br />So there I was putting a page to redirect to and it works.<br />But now when I put a page, if I check the squidguard file there is a redirect 302, but before there wasn't.<br />Look at the picture.</p>

pfSense - Bug #12547 (Feedback): unscheduled system reboot/crash
https://redmine.pfsense.org/issues/12547
2021-11-28T07:19:02Z, Evgeny Korostelev
<p>pfSense Community Edition 2.5.2<br />Try to navigate to the menu "Diagnostics" -> "Routes" <br />Then the system crashes/reboots, and after boot there is a text system dump (attached to report)</p>

pfSense - Bug #10833 (New): unbound exits on configuration error when link status flaps on LAN in...
https://redmine.pfsense.org/issues/10833
2020-08-13T23:53:30Z, John Hood
<p>I have pfSense installed at home on a small, old, core2duo-based machine. It does pretty typical home-router duty; the most obvious-to-me unusual parts of the configuration are that the internal IPv4 network is 198.206.215.0/24 instead of an RFC1918 network address, and I have an IPv6 tunnel to Hurricane Electric.</p>
<p>This week, the 11-year-old unmanaged GbE switch attached to the LAN port got flaky, and started to fail in some way that caused it to blink all lights on the front and stop passing traffic. Logs show link status flapping on the LAN interface. On power-cycling the switch, it would start working again. But DNS service was gone, though restartable at Status/Services/unbound. I found this in resolver.log:</p>
<pre>
Aug 13 20:28:22 router unbound: [27434:0] fatal error: Could not read config file: /unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf
</pre>
<p>I wrote a little monitoring script that does 'pgrep unbound' and 'ifconfig em1' every 10 seconds. That seems to show link flapping between normal:</p>
<pre>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
</pre><br />and no link:<br /><pre>
media: Ethernet autoselect
status: no carrier
</pre>
<p>It also showed two copies of dhcpleases running after the link starts flapping.</p>
<p>Edited/excerpted logs and the monitoring script are attached, the switch starts flapping at Aug 13 20:27:57 in the logs, and I power-cycled the switch about 20:28:45. I restarted unbound at 20:30:36.</p>
<p>I tried reproducing the problem by manually plugging/unplugging the patch cable involved, and was not able to reproduce the problem. Alas, I destroyed the switch by plugging the wrong power supply in, so it's no longer helpful either. So I have no repro. I suspect connecting a FreeBSD box and running a little script that did things with 'ifconfig down' and 'ifconfig up' and 'ifconfig mediaopt <blah>' combined with some randomized short delays would eventually knock unbound over.</p>
<p>I haven't investigated the code at all, but it smells like some kind of race condition in the link-configuration scripts to me.</p>

pfSense Packages - Bug #9999 (New): unbound fatal error if System Domain in DNSBL and System Doma...
https://redmine.pfsense.org/issues/9999
2019-12-25T00:22:36Z, Viktor Gurov
<p>On System / General Setup I have configured <MYHOST> as hostname and mywire.org (dynu.com dyndns provider) as domain <br />and System Domain Local Zone Type is Redirect on Services \ DNS Resolver page</p>
<p>At the same time, I got another host from this domain during the last DNSBL feeds update:<br /><pre>
[2.4.4-RELEASE][root@<MYHOST>.mywire.org]/var/db/pfblockerng: grep -r servici-android-postali *
dnsbl/OpenPhish.txt:local-data: "servici-android-postali.mywire.org 60 IN A 10.10.10.1"
dnsblalias/DNSBL_Phishing:local-data: "servici-android-postali.mywire.org 60 IN A 10.10.10.1"
dnsblorig/OpenPhish.orig:http://servici-android-postali.mywire.org/B.P.O.L/solo.android/securelogin-html2019postepay
[2.4.4-RELEASE][root@<MYHOST>.mywire.org]/var/db/pfblockerng: grep mywire /var/unbound/*
/var/unbound/pfb_dnsbl.conf:local-data: "servici-android-postali.mywire.org 60 IN A 10.10.10.1"
</pre></p>
<p>After that, unbound does not start:<br /><pre>
unbound: [1232:0] warning: duplicate local-zone <MYHOST>.mywire.org.
unbound: [1232:0] warning: duplicate local-zone localhost.mywire.org.
unbound: [1232:0] error: local-data in redirect zone must reside at top of zone, not at servici-android-postali.mywire.org 60 IN A 10.10.10.1
unbound: [1232:0] fatal error: Could not set up local zones
</pre></p>
<p>pfSense 2.4.4-p3, pfBlockerNG-devel 2.2.5_27</p>

pfSense - Feature #9226 (New): zfs GUI functionality - alerts
https://redmine.pfsense.org/issues/9226
2018-12-27T03:28:32Z, gavin penney
<p><strong>some</strong> way of seeing the status in GUI, and most importantly, <strong>alerts</strong> for degraded<br />it looks like the dashboard already detects and displays zfs filesystem usage. a line that just shows "online" or "degraded" would be awesome. essentially: zpool status -x )</p>
<p>i'm using mailreport + zpoolstatus -v to send myself an email and then my damn mailbox filters to archive the ones with no error. this is horrid, and mailreport can only do daily, not when a failure occurs.<br />geom detects errors but geom remirrors my disks <strong>constantly</strong>, generating hundreds of alerts in the process</p>
<p>as nice as it would be to have attach/detach/scrub, snapshots and boot environments in the GUI, status/alerts are far more important</p>
<p>if i had the vaguest clue how to actually do so, I'd happily try making a package to add a page like for geom, but i dont even know where to start</p>
<p>I have email alerts set up, but I can't figure out a way to actually use the thing to send outputs from custom scripts, which is crippling to trying to make a cron to do monitoring</p>

pfSense - Bug #8419 (New): webgui, when menubar is fixed to the top of the screen, the last items...
https://redmine.pfsense.org/issues/8419
2018-04-02T17:36:14Z, Pi Ba
<p>webgui, when menubar is fixed to the top of the screen, the last items of long menus cannot be seen/used.</p>
<p>fix: <a class="external" href="https://github.com/pfsense/pfsense/pull/3930">https://github.com/pfsense/pfsense/pull/3930</a></p>

pfSense - Bug #6026 (New): webinterface, firewall rules, wrapping of columns or visible (horizont...
https://redmine.pfsense.org/issues/6026
2016-03-24T16:39:33Z, Pi Ba
<p>with some rulesets the 'action buttons' don't show on the screen, so first need to scroll down, then right, then back up again to delete, or move a rule using the anchors.. which isn't convenient when ruleset is several screens long..</p>
<p>Screenshot attached shows this happening on even the widest possible screen/layout..</p>
<p>The screenshot is made of specific testrules, but I first noticed in a production system where it happens too that action buttons are outside the visible area. And horizontal scroll-bar is at the bottom of the ruleset..</p>