pfSense bugtracker: Issues
https://redmine.pfsense.org/
2024-03-18T20:37:19Z

pfSense - Bug #15349 (New): 1:1 NAT rule for subnet always uses full subnet range
https://redmine.pfsense.org/issues/15349
2024-03-18T20:37:19Z
Yehuda Katz
<p>Creating a 1:1 NAT rule for something like <code>10.0.0.5/28 -> 10.1.0.7/28</code> will actually create the proper rules for the entire <code>/24</code> subnet.</p>
<p>Output from <code>pfctl -s nat</code>:</p>
<pre>
[2.7.2-RELEASE][admin@pfSense.home.arpa]/root: pfctl -s nat | grep 10.0
binat on vtnet0 inet from 10.1.0.0/28 to any -> 10.0.0.0/28
</pre>
<p>This is probably the correct behavior, but may not be what people expect and does not appear to be documented.<br />It would probably make sense for the web interface to reject this kind of rule and require the subnet be specified properly by the first IP in the range.</p>

pfSense - Bug #15347 (New): OpenVPN Multiple WAN Asymmetric Routing
https://redmine.pfsense.org/issues/15347
2024-03-16T22:12:32Z
Timo M
<p>Using OpenVPN in multi-wan / failover environment (an OpenVPN interface has been created and is used by the OpenVPN server). WAN1 is Tier 1 and WAN2 is Tier 2. To be able to access OpenVPN server through both WAN1 and WAN2, I used the port forward method to bind the OpenVPN server to localhost and forward traffic from both WAN1 and WAN2 to it as described in the documentation:</p>
<p><a class="external" href="https://docs.netgate.com/pfsense/en/latest/multiwan/openvpn.html#bind-to-localhost-and-setup-port-forwards">https://docs.netgate.com/pfsense/en/latest/multiwan/openvpn.html#bind-to-localhost-and-setup-port-forwards</a></p>
<p>FreeRADIUS is used as the authentication backend for OpenVPN (to be able to use 2FA). When connecting through WAN2 (which is on Tier 2) traffic appears to exit back out WAN1 after the RADIUS authentication completes leading to asymmetric routing. I see the following in the logs from FreeRADIUS:</p>
<p><code>(0) Login OK: [user_id] (from client pfsenseclient port 1194 cli *WAN1_IP* :1194)</code></p>
<p>I can confirm that the connection to the OpenVPN server was indeed made through WAN2 by looking at firewall states / traffic. Is this a bug, or is this configuration (OpenVPN server with FreeRADIUS authentication) not supported (e.g. the <code>reply-to</code> functionality does not work properly)? Thanks in advance.</p>

pfSense - Bug #15346 (Confirmed): Port Forward Add Unassociated Filter Rule Not Working
https://redmine.pfsense.org/issues/15346
2024-03-16T21:51:40Z
Timo M
<p>Upon creating a port forward entry on pfSense Plus 23.09.1 and choosing the "Add unassociated filter rule" option under Filter Rule Association, no firewall rule was actually created. Next time I checked the port forward Filter Rule Association setting on the rule that was created, it had been automatically set to "None". The documentation seems to indicate that a rule should still be created even when the unassociated option is chosen.</p>
<p><a class="external" href="https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html#port-forward-settings">https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html#port-forward-settings</a></p>

pfSense - Bug #15343 (New): DHCP host names for Windows 10/11 hosts have "." at the end
https://redmine.pfsense.org/issues/15343
2024-03-15T16:50:34Z
Daryl Morse
<p>Since changing to Kea DHCP, DHCP host names for Windows 10 and Windows 11 hosts are being created with a "." at the end.</p>
<p>This does not happen for types of hosts.</p>
<p>This does not affect DHCPv6.</p>

pfSense - Bug #15341 (New): PHP errors in ``xmlrpc.php`` during configuration synchronization con...
https://redmine.pfsense.org/issues/15341
2024-03-15T15:35:41Z
Christopher Cope
<pre>
[15-Mar-2024 09:50:55 America/Chicago] PHP Fatal error: Uncaught TypeError: Cannot access offset of type string on string in /usr/local/www/xmlrpc.php:718
Stack trace:
#0 /usr/local/www/xmlrpc.php(638): pfsense_xmlrpc_server->filter_configure(false, false)
#1 /usr/local/share/pear/XML/RPC2/Server/CallHandler/Instance.php(141): pfsense_xmlrpc_server->restore_config_section(Array, 900)
#2 /usr/local/share/pear/XML/RPC2/Backend/Php/Server.php(135): XML_RPC2_Server_Callhandler_Instance->__call('pfsense.restore...', Array)
#3 /usr/local/share/pear/XML/RPC2/Backend/Php/Server.php(99): XML_RPC2_Backend_Php_Server->getResponse()
#4 /usr/local/www/xmlrpc.php(987): XML_RPC2_Backend_Php_Server->handleCall()
</pre>
<p>The error is being hit on<br /><pre>
23.09.1-RELEASE (amd64)
built on Wed Dec 20 13:27:00 EST 2023
FreeBSD 14.0-CURRENT
</pre></p>
<p>This seems to be a similar issue to <a class="external" href="https://redmine.pfsense.org/issues/14034">https://redmine.pfsense.org/issues/14034</a> but this has to do with OpenVPN tags. I'll get a merge request together this week.</p>

pfSense Packages - Bug #15334 (Confirmed): Interface Description not updated properly when add/cr...
https://redmine.pfsense.org/issues/15334
2024-03-12T15:37:02Z
Sergei Shablovsky
<p><strong>Brilliant pfSense DevTeam!</strong></p>
<p><strong>WHERE</strong><br />in <strong>Services / Suricata</strong> package<br />on <strong>Interfaces</strong></p>
<p><strong>ISSUE</strong><br />Interface <strong>Description</strong> not updated properly in <strong>General Settings / Description</strong> when add/creating new interface in Suricata (by pressing “+” button at the right):</p>
<p>When the page is first loaded, the Description field is pre-filled with the Interface name (taken from the Description field on the Interfaces / General Configuration page).</p>
<p><strong>AFTER ANOTHER INTERFACE from drop-down list SELECTED, the DESCRIPTION PRE-FILLED BY BSD INTERFACE NAME (LAN, WAN, OPT1, OPT2,…)</strong> and not the Interface name (taken from the Description field on the Interfaces / General Configuration page).</p>
<p>P.S.<br />Also would be good after first page loading AUTOMATICALLY take focus and select all text in Description field to eliminate User interaction and improve overall User’s UI experience.</p>

pfSense Packages - Bug #15333 (Confirmed): Interface Description not updated properly when add/cr...
https://redmine.pfsense.org/issues/15333
2024-03-12T15:30:46Z
Sergei Shablovsky
<p><strong>Brilliant pfSense DevTeam!</strong></p>
<p><strong>WHERE</strong><br />in <strong>Services / Suricata</strong> package<br />on <strong>Interfaces</strong></p>
<p><strong>ISSUE</strong><br />Interface <strong>Description</strong> not updated properly in <strong>General Settings / Description</strong> when add/creating new interface in Suricata (by pressing “+” button at the right):</p>
<p>When the page is first loaded, the Description field is pre-filled with the Interface name (taken from the Description field on the Interfaces / General Configuration page).</p>
<p><strong>AFTER ANOTHER INTERFACE</strong> from drop-down list <strong>SELECTED</strong>, the <strong>DESCRIPTION PRE-FILLED BY BSD INTERFACE NAME (LAN, WAN, OPT1, OPT2,…)</strong> and not the Interface name (taken from the Description field on the Interfaces / General Configuration page).</p>
<p>P.S.<br />Also would be good after first page loading AUTOMATICALLY take focus and select all text in Description field.</p>

pfSense Plus - Bug #15332 (New): Kea doesn't start without any logs when upload config with addit...
https://redmine.pfsense.org/issues/15332
2024-03-12T13:17:13Z
aleksei prokofiev
<p>If the config has an additional DHCP pool with extra parameters configured, such as default-lease-time or max-lease-time, then KEA won't start without any logs. To fix that, delete those extra options from the config. Or just resave the affected pool without any changes; this will rewrite the config without the extra options.<br />For example:</p>
<pre>
<pool>
  <range>
    <from>192.168.6.2</from>
    <to>192.168.6.48</to>
  </range>
  <descr><![CDATA[NTP Server]]></descr>
  <defaultleasetime>600</defaultleasetime>
  <maxleasetime>3600</maxleasetime>
</pre>
<p>After resave it will be deleted:</p>
<pre>
<pool>
  <range>
    <from>192.168.6.2</from>
    <to>192.168.6.48</to>
  </range>
  <descr><![CDATA[NTP Server]]></descr>
  <defaultleasetime></defaultleasetime>
  <maxleasetime></maxleasetime>
</pre>

pfSense - Bug #15328 (New): Kea DHCP corrupts existing leases when a new DHCP pool is added
https://redmine.pfsense.org/issues/15328
2024-03-10T23:09:39Z
Tom Lane
<p>I set up a couple of DHCP pools for VLANs on a new Netgate 4200 (running pfsense+ 23.09.1), which is replacing an EdgeRouter-X that had been serving DHCP to the same clients. That went fine, and I watched several of the existing VLAN clients re-acquire their existing addresses from the new server. Then I added another DHCP pool attached directly to the PORT2LAN interface. That completely confused matters for existing leases: the server actively rejected attempts to renew those leases and gave out addresses of its own choosing. Now I am seeing two different entries in the DHCP Leases status page for the same MAC address, which surely should not happen. Digging in the DHCP log entries, it looks like when the server was restarted because of the pool addition, all the lease reloads failed with complaints like</p>
<p><code>Mar 10 16:09:18 kea-dhcp4 39285 WARN [kea-dhcp4.dhcpsrv.0x401b3c12000] DHCPSRV_LEASE_SANITY_FAIL The lease 10.0.20.41 with subnet-id 2 failed subnet-id checks (the lease should have subnet-id 3).<br /></code><br />10.0.20.41 is still shown (though as "down") in the Leases page, but there's also an entry for that client with its forcibly-assigned new IP address.</p>
<p>This isn't a fatal problem, assuming that the server manages to keep re-issuing these newly-chosen addresses, but it's mildly annoying. I'm not sure if there will be any outright conflicts as the remaining clients try to renew their leases.</p>

pfSense - Bug #15317 (Confirmed): IPsec widget does not show mobile clients with IP addresses ass...
https://redmine.pfsense.org/issues/15317
2024-03-07T14:17:46Z
Christopher de Haas
<p>The front page IPsec widget does not show mobile clients on the Mobile tab when connected clients get an IP assigned from RADIUS</p>

pfSense Plus - Bug #15316 (New): OpenVPN Clients with Gateway Group Interface on DHCP Exits on Er...
https://redmine.pfsense.org/issues/15316
2024-03-06T17:08:29Z
Kris Phillips
<p>By default with DHCP gateways, they are not populated into the config as <gateway_item>, but can be present in a <gateway_group>. Because of this, when assigning a gateway group to an OpenVPN client that has an interface go down in the current, active tier, OpenVPN will not properly fail over. Instead, it will hang for a long time, produce errors stating that it's "unable to bind" to the interface (because it's unplugged and the gateway disappears), give an error about being unable to delete a route, and then exits on "Error 1".</p>
<p>If you go into each gateway item under System --> Routing, edit the gateway items without making any changes, save, and apply, the gateways will become present in the config.xml, they'll show as "Pending" in gateway statuses (rather than disappearing entirely), and OpenVPN will fail over as expected.</p>
<p>Either we should be adding a <gateway_item> for each gateway that is present in a <gateway_group> or we should fix OpenVPN so that it doesn't bomb out when a gateway disappears rather than transitioning to Pending.</p>

pfSense Packages - Bug #15313 (Confirmed): Zabbix server 6.4.12 requires Zabbix proxies to be ver...
https://redmine.pfsense.org/issues/15313
2024-03-05T19:53:06Z
Andrew Almond
<p>There seems to be a bug/change with Zabbix server and Zabbix proxy where both need to be running 6.4.12.<br />If the versions don't match, then the proxy is unable to receive configuration changes from the server and shows this message in the log:</p>
<pre>
cannot process received configuration data from server at "192.168.1.8": unexpected field "httptest.status"
</pre>
<p>There are 3 bug reports with Zabbix about this issue:<br /><a class="external" href="https://support.zabbix.com/browse/ZBX-24162">https://support.zabbix.com/browse/ZBX-24162</a><br /><a class="external" href="https://support.zabbix.com/browse/ZBX-24161">https://support.zabbix.com/browse/ZBX-24161</a><br /><a class="external" href="https://support.zabbix.com/browse/ZBX-23232">https://support.zabbix.com/browse/ZBX-23232</a></p>
<p>It looks like this issue was addressed in Zabbix 6.4.12:<br /><a class="external" href="https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/28b3672d114">https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/28b3672d114</a></p>
<p>We are running 23.05.1 and the package manager installs Zabbix 6.4.1 (revision 546e284fd7c).<br />Would it be possible to have the Zabbix proxy and agent packages updated to 6.4.12?</p>
<p>It looks like the packages were updated to 6.4.8 for pfSense 23.09, so even upgrading to that will not solve the issue.<br /><a class="external" href="https://redmine.pfsense.org/issues/14913">https://redmine.pfsense.org/issues/14913</a></p>

pfSense Plus - Bug #15303 (New): dpinger service does not always switch from Pending to Online
https://redmine.pfsense.org/issues/15303
2024-03-02T17:07:07Z
Kris Phillips
<p>There are several situations where dpinger will not detect a gateway that is available when it should, forcing a restart of the dpinger service to "trigger" it to recheck.</p>
<p>Known situations, but there may be more:</p>
<p>1. Adding a new VTI tunnel as an interface<br />2. A release/renew of an IPv6 gateway (IPv4 gateway will show up, but IPv6 will not until a dpinger restart)<br />3. Adding an OpenVPN client/server as an interface</p>
<p>Related documentation redmine: <a class="external" href="https://redmine.pfsense.org/issues/15230">https://redmine.pfsense.org/issues/15230</a></p>

pfSense - Bug #15299 (Feedback): Old auto-added MAC addresses are not pruned for non-concurrent C...
https://redmine.pfsense.org/issues/15299
2024-02-29T23:25:55Z
Roddy Roddy
<p>Hi guys! Could anyone help me to fix this issue, please?</p>
<p>Crash report begins. Anonymous machine information:</p>
<p>amd64<br />14.0-CURRENT<br />FreeBSD 14.0-CURRENT amd64 1400094 #1 RELENG_2_7_2-n255948-8d2b56da39c: Wed Dec 6 20:45:47 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/obj/amd64/StdASW5b/var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/sources/F</p>
<p>Crash report details:</p>
<p>PHP Errors:<br />[29-Feb-2024 20:07:27 America/Sao_Paulo] PHP Fatal error: Uncaught TypeError: Cannot access offset of type string on string in /etc/inc/captiveportal.inc:1084<br />Stack trace:<br />#0 /etc/inc/captiveportal.inc(826): captiveportal_ether_delete_entry('7a:59:3f:e8:28:...', 'auth')<br />#1 /etc/inc/captiveportal.inc(797): captiveportal_prune_old_automac()<br />#2 /etc/rc.prunecaptiveportal(56): captiveportal_prune_old()<br />#3 {main}<br /> thrown in /etc/inc/captiveportal.inc on line 1084</p>

pfSense Packages - Bug #15296 (New): WAN Interface cannot added to ntopng if offline-packet loss
https://redmine.pfsense.org/issues/15296
2024-02-29T06:58:23Z
Sergei Shablovsky
<p>Brilliant pfSense DevTeam !</p>
<p>In multi-WAN pfSense configuration WAN interfaces that pfSense decide in “Offline, Packet loss” state CANNOT BE ADDED into ntopng config.</p>
<p>(to add a certain WAN connection (for example if the WAN interface comes from “Offline, packet loss” state to “Online” state), ntopng needs to be disabled, service stopped, ntopng pkg uninstalled (with all data and configs deleted), then hardware rebooted, ntopng pkg installed again, and only after that the new WAN with “Online” status becomes visible as Interface in ntopng).</p>
<p>But LAN interfaces ALL would be ADDED as well even some of them are not connected physically. So this bug related only WAN interfaces.</p>
<p>P.S.<br />This is related for WAN DHCP, do not know about WAN STATIC.</p>