pfSense bugtracker: Issues
https://redmine.pfsense.org/
2019-10-20T14:04:36Z

pfSense - Bug #9837 (New): ipv6 is not completely disabled on the interfaces
https://redmine.pfsense.org/issues/9837
2019-10-20T14:04:36Z
Viktor Gurov
<p>When IPv6 Configuration Type is None on the Interfaces configuration page, IPv6 link-local addresses are still used.<br />You can see OSPFv3 hello packets, can use IPv6 from these interfaces,<br />or, if rules like "IPv4+IPv6" are used, can connect to services.</p>
<p>To completely disable IPv6 on interfaces, the option <strong>ifdisabled</strong> must be used, i.e. "ifconfig vtnet0 inet6 ifdisabled"<br />From ifconfig(8):<br /><pre>
ifdisabled
Set a flag to disable all of IPv6 network communications on the
specified interface. Note that if there are already configured
IPv6 addresses on that interface, all of them are marked as
"tentative" and DAD will be performed when this flag is cleared.
</pre></p>
<p>pfSense 2.5.0.a.20191018.2017</p>

pfSense - Bug #9755 (New): package description wrong link https://www.freshports.org/security/ope...
https://redmine.pfsense.org/issues/9755
2019-09-13T05:20:05Z
Viktor Gurov
<p>Package Dependencies:<br /> openvpn-client-export-2.4.7 - wrong link</p>
<p><a class="external" href="https://www.freshports.org/security/openvpn-client-export">https://www.freshports.org/security/openvpn-client-export</a>:<br />FreshPorts -- Document not found<br />Sorry, but I don't know anything about that.</p>
<p>/security/openvpn-client-export</p>
<p>Perhaps a list of categories or the search page might be helpful.</p>

pfSense Packages - Bug #9486 (New): ifindex values used for softflowd are incorrect
https://redmine.pfsense.org/issues/9486
2019-04-26T13:16:29Z
Jesse White
<p>With this patch, we now pass ifIndex values to softflowd for inclusion in the flow packets:<br /> <a class="external" href="https://github.com/pfsense/FreeBSD-ports/pull/501/files#diff-451c93a8b870e13a749022e7ecf64cd6R52">https://github.com/pfsense/FreeBSD-ports/pull/501/files#diff-451c93a8b870e13a749022e7ecf64cd6R52</a></p>
<p>However, the values used are arbitrary and do not line up with the values used by other services on the system such as snmpd:<br /><pre>
ps ax | grep soft
91600 - Ss 0:00.64 /usr/local/sbin/softflowd -i 1:igb1 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.igb1.pid -c /var/r
91913 - Is 0:00.00 /usr/local/sbin/softflowd -i 2:igb1.2 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.igb1.2.pid -c /v
92156 - Is 0:00.00 /usr/local/sbin/softflowd -i 3:igb1.3 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.igb1.3.pid -c /v
92774 - Is 0:00.00 /usr/local/sbin/softflowd -i 4:ovpnc2 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.ovpnc2.pid -c /v
93644 - Ss 0:00.69 /usr/local/sbin/softflowd -i 5:igb0 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.igb0.pid -c /var/r
93969 - Is 0:00.00 /usr/local/sbin/softflowd -i 6:lo0 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.lo0.pid -c /var/run
</pre></p>
<pre>
$ snmpwalk -c public -v 2c 10.1.1.1 IF-MIB::ifDescr
IF-MIB::ifDescr.1 = STRING: igb0
IF-MIB::ifDescr.2 = STRING: igb1
IF-MIB::ifDescr.3 = STRING: enc0
IF-MIB::ifDescr.4 = STRING: lo0
IF-MIB::ifDescr.5 = STRING: pflog0
IF-MIB::ifDescr.6 = STRING: pfsync0
IF-MIB::ifDescr.7 = STRING: igb1.2
IF-MIB::ifDescr.8 = STRING: igb1.3
IF-MIB::ifDescr.9 = STRING: ovpnc2
</pre>
<p>For example igb1.2 is set to ifIndex 2, but it should really be 7.</p>
<p>The proper ifIndex can be retrieved using:<br /> <a class="external" href="https://www.freebsd.org/cgi/man.cgi?query=if_nametoindex&apropos=0&sektion=3&manpath=FreeBSD+11.0-RELEASE&arch=default&format=html">https://www.freebsd.org/cgi/man.cgi?query=if_nametoindex&apropos=0&sektion=3&manpath=FreeBSD+11.0-RELEASE&arch=default&format=html</a></p>

pfSense - Bug #9183 (New): OpenVPN Lagg Interface not working after restart or new start
https://redmine.pfsense.org/issues/9183
2018-12-08T03:10:03Z
Alexander H. alexander.hailfinger@gmail.com
<p>I configured a LAGG Interface with 4 openvpn tap connections with round robin mode.</p>
<p>After a reboot, or if I start pfSense for the first time, the interface is not working well.<br />But if I go to the configuration page and change nothing but press save, it's working great immediately.</p>
<p>Does someone have a workaround for how I could press the save button with a cron script until the problem is fixed?</p>
<p>Regards<br />Alex</p>

pfSense - Bug #9140 (New): Unexpected rule can be displayed when looking up filter log entry with...
https://redmine.pfsense.org/issues/9140
2018-11-20T07:48:51Z
S P
<p>When using Port aliases, in the firewall log, when clicking on 'action' the triggering port seems to always be the first of the list.</p>
<p>As for the images, the triggering port is the 21, the port shown in 'detail' is 1001<br />the port list goes something like: 1001, 21, ...</p>

pfSense Packages - Bug #9012 (New): Captive Portal authentication in Squid Proxy Server does not ...
https://redmine.pfsense.org/issues/9012
2018-10-05T11:25:32Z
Kevin Chou
<p>Version pfsense 2.4.4-RELEASE (amd64)<br />I have configured Authentication Method to "Captive Portal" in Squid Proxy Server -> Authentication<br />But it does not work, squid cannot get the current user and denies access.</p>

pfSense - Bug #8464 (New): Wireless USB card does not connect to WiFi automatically after reboot/...
https://redmine.pfsense.org/issues/8464
2018-04-17T03:35:41Z
Constantine Kormashev
<p>Wireless USB card on Realtek RTL8192SU chipset in BSS mode does not connect to WiFi until the wireless interface is set to down and afterwards to up state manually, e.g. after device reboot.<br />There is not any problem with forwarding in case the device is already connected to WiFi; the problem happens only after device reboot/halt.<br />Tried with Dlink DWA131 (Realtek RTL8192SU) on 3100 and 2220.<br />During down/up of the interface there are messages in the console:<br /><pre>
rsu0: rsu_join_bss: still scanning! (attempt 0)
rsu0_wlan0: ieee80211_new_state_locked: pending SCAN -> AUTH transition lost
</pre></p>

pfSense Packages - Bug #8454 (New): Arpwatch package break email notifications from other sources
https://redmine.pfsense.org/issues/8454
2018-04-12T07:18:20Z
Yehuda Katz
<p>Arpwatch replaces /usr/sbin/sendmail with a symlink to a PHP script that specifically mentioned Arpwatch in the message subject:<br /><a class="external" href="https://github.com/pfsense/FreeBSD-ports/blob/015971be238550a1f9aa060fe5ed93849c01572e/net-mgmt/pfSense-pkg-arpwatch/files/usr/local/pkg/arpwatch.inc#L217">https://github.com/pfsense/FreeBSD-ports/blob/015971be238550a1f9aa060fe5ed93849c01572e/net-mgmt/pfSense-pkg-arpwatch/files/usr/local/pkg/arpwatch.inc#L217</a></p>
<p>This causes notifications from ACME (run by CRON) to come with subjects like this:</p>
<blockquote>
<p>wall.example.com - Arpwatch Notification : Cron <root@wall> /usr/local/pkg/acme/acme_command.sh "renewall"</p>
</blockquote>

pfSense - Bug #8233 (New): NAT reflection back to originating host broken when using FQDN-based I...
https://redmine.pfsense.org/issues/8233
2017-12-22T12:46:33Z
Chaos215 Bar2
<p>It appears NAT reflection is slightly broken when targeted at an IP alias which is defined via FQDN (rather than IP address). In this case, reflection works from hosts on subnets other than the one that the NAT target is on, but not from the same subnet. Within the same subnet, it appears traffic is redirected to the target host, but the originating IP is not translated.</p>
<p>To put this in context, let's say I have a host ns.example.com at IP 10.0.0.10, and I want to redirect traffic sent to 1.2.3.4 to this host. Let's say I create an alias "NameServer", and create a NAT rule to translate traffic arriving on the WAN interface destined for the address 1.2.3.4, port 53 to "NameServer" port 53, and enable reflection. ("Enable NAT Reflection for 1:1 NAT" and "Enable automatic outbound NAT for Reflection" are enabled and 1.2.3.4 is an IP alias with an outbound NAT rule mapping traffic from "NameServer" to the NAT address 1.2.3.4, FWIW.)</p>
<p>If the alias "NameServer" points at the FQDN ns.example.com (which resolved internally to 10.0.0.10), then I run into this problem. If I make a DNS request to 1.2.3.4 from outside the server's subnet (let's say outside 10.0.0.0/24), everything is fine (even from interfaces other than WAN, so reflection is working… sort of). If I make a request from within the same subnet, I do see a response, but it comes directly from 10.0.0.10, not 1.2.3.4. (i.e. The request packet was clearly redirected to 1.2.3.4, but it doesn't actually seem to have gone through NAT.)</p>
<p>If the alias "NameServer" points at the IP 10.0.0.10, then everything works, and I see several <em>additional</em> translation rules:<br /><pre>
no nat on lagg0 inet proto tcp from 10.0.0.1 to <NameServer> port = domain
no nat on lagg0 inet proto udp from 10.0.0.1 to <NameServer> port = domain
nat on lagg0 inet proto tcp from 10.0.0.0/24 to <NameServer> port = domain -> 10.0.0.1 port 1024:65535
nat on lagg0 inet proto udp from 10.0.0.0/24 to <NameServer> port = domain -> 10.0.0.1 port 1024:65535
</pre></p>
<p>These are in addition to rules of the following form, that exist either way:<br /><pre>
nat on igb1 inet from <NameServer> to any -> 1.2.3.4 static-port
no rdr proto carp all
rdr-anchor "relayd/*" all
rdr-anchor "tftp-proxy/*" all
<Above rules here>
rdr on igb1 inet proto tcp from any to 1.2.3.4 port = domain -> <NameServer> round-robin
rdr on igb1 inet proto udp from any to 1.2.3.4 port = domain -> <NameServer> round-robin
rdr on igb0 inet proto tcp from any to 1.2.3.4 port = domain -> <NameServer> round-robin
rdr on igb0 inet proto udp from any to 1.2.3.4 port = domain -> <NameServer> round-robin
rdr on lagg0 inet proto tcp from any to 1.2.3.4 port = domain -> <NameServer> round-robin
rdr on lagg0 inet proto udp from any to 1.2.3.4 port = domain -> <NameServer> round-robin
</pre></p>
<p>(The DNS server is located on lagg0, on which the router has the IP 10.0.0.1. igb1 is WAN, and igb0 is the regular LAN interface.)</p>
<p>It appears the problem is that pfSense can't resolve the interface the host pointed to by "NameServer" will lie on at the time of rule creation, so is unable to create the necessary NAT rules to allow reflection to work within the same subnet. Perhaps either a new kind of "rdr" style rule that performs NAT when reflecting back out to the same subnet is necessary, or an option to specify an interface in addition to (perhaps connected to) a host alias is needed, to enable creation of these rules.</p>

pfSense - Bug #8157 (New): Traffic Graph clutter from time to time
https://redmine.pfsense.org/issues/8157
2017-12-03T06:40:58Z
Ingo-Stefan Schilling ischilling@hotmail.com
<p>When traffic is more occasional with (great) peaks the graph clutters. See attached file. This happens since version 2.4 and is here in 2.4.2-RELEASE (amd64).</p>

pfSense - Bug #7857 (New): Interfaces Widget U/I fails to wrap IPV6 addresses when the string is ...
https://redmine.pfsense.org/issues/7857
2017-09-13T03:43:10Z
Bryan Stenson
<p>Strictly a U/I issue, the widget fails to wrap when the browser window is set small enough to make the string too wide for the box.</p>

pfSense - Bug #7648 (New): SPAN ports on an interface renders CARP HA inoperative
https://redmine.pfsense.org/issues/7648
2017-06-14T21:05:03Z
David Van Cleef
<p>When a SPAN port is added to an interface, CARP breaks.</p>
<p>The source address of the CARP announcement, which should be from the IETF VRRP mac range, changes to the mac of the physical interface.</p>

pfSense - Bug #5091 (Confirmed): In rule creation destination ports fields (from and to) are too...
https://redmine.pfsense.org/issues/5091
2015-09-03T10:43:16Z
Pierre DOUCET pierre.doucet@sib.fr
<p>Refer to screenshot in attachment.</p>
<p>This could be solved by adding width tag in all.css files for all themes.</p>
<pre>
.formfldalias {
background-color: #990000;
color: #FFFFFF;
width: 300px;
}
</pre>

pfSense - Bug #4298 (Assigned): Excessive errors from snmpd
https://redmine.pfsense.org/issues/4298
2015-01-26T04:32:43Z
Holger Hampel
<p>When accessing snmp from a monitoring system I get many, many errors (logged in the central syslog):</p>
<p>snmpd[95772]: could not encode error response</p>
<p>I tried to disable some mibs, but there is no change.</p>
<p>Same monitoring worked in 2.1.5</p>

pfSense - Bug #1738 (New): Restore fails when username in backup is not matching
https://redmine.pfsense.org/issues/1738
2011-08-03T01:00:10Z
Louis-David Perron ldperron@ldasolutions.ca
<p>It's not likely that it will happen to anyone, but the consequences are quite time consuming.</p>
<p>When on the default configuration of today's snapshot, if I import a backup that is using something else as "admin" for web user, then it's almost impossible to properly restore the backup.</p>
<p>After the config upload, my browser gets redirected to interfaces_assign.php, but it mentions:<br />No page assigned to this user! Click here to logout.</p>
<p>If I click logout and then I login into the new user, I get to the install package screen, even if the interfaces are still in the same state as before the restore.</p>