pfSense bugtracker: Issues https://redmine.pfsense.org/ https://redmine.pfsense.org/favicon.ico?1678052116 2024-01-13T23:54:32Z pfSense bugtracker Redmine
pfSense - Bug #15162 (Confirmed): Wrong string in “MAC address” https://redmine.pfsense.org/issues/15162 2024-01-13T23:54:32Z Sergei Shablovsky
<p>Hi, brilliant pfSense stuff!</p>
<p>Wrong string in “ <strong>MAC address</strong> ” text entry field in “ <strong>Services / Wake-on-LAN / Edit</strong> ” when pressing on “ <strong>+</strong> ” in “ <strong>Actions</strong> ” column in “ <strong>Diagnostics / ARP Table</strong> ” page in WebGUI.</p>
pfSense - Bug #15067 (Feedback): Secondary node attempts to delete the ``admins`` group when sync... https://redmine.pfsense.org/issues/15067 2023-12-05T20:40:48Z Craig Coonrad
<p>Version: 23.09-RELEASE</p>
<p>Error message:</p>
<pre>
Dec 5 20:37:30 fw102.local php-fpm[77756]: /xmlrpc.php: The command '/usr/sbin/pw groupdel -g 'admins'' returned exit code '64', the output was 'pw: Bad id 'admins': invalid'
</pre>
pfSense - Bug #14936 (Feedback): radvd service shows as stopped in services list when it should b... https://redmine.pfsense.org/issues/14936 2023-11-01T15:03:21Z Jim Pingle
<p>The <code>is_radvd_enabled()</code> function in <code>pfsense-utils.inc</code> appears to incorrectly interpret the state of the radvd service in some cases.</p>
<p>For example I have a system with WAN DHCP6, LAN Track6 to WAN, but on LAN I have DHCPv6 disabled and RA disabled. When configured in this way, the radvd service is shown in the services list, but is listed as stopped. The <code>radvd.conf</code> file only contains the header, which is expected since there are no interfaces with RA enabled.</p>
pfSense Packages - Bug #14200 (New): WireGuard reply-to without NAT https://redmine.pfsense.org/issues/14200 2023-03-29T10:02:59Z Carrnell Tech
<p>I have discovered that the WireGuard package requires the interface to have the gateway set for the reply-to rules to function as expected. However, this also creates undesired auto NAT rules that need to be manually disabled in order to use the reply-to rules effectively.</p>
<p>I have posted all the detail and the road for my discovery on the forums and a great amount of detail along with it:<br /><a class="external" href="https://forum.netgate.com/topic/178908/wan-to-wireguard-to-lan-reply-to-bug">https://forum.netgate.com/topic/178908/wan-to-wireguard-to-lan-reply-to-bug</a></p>
My hope is that one of the following fix ideas could be implemented:
<ul>
<li>Could add verbiage on the interface or package GUI to indicate that these steps are required for true reply-to packets to function.</li>
<li>Add some sort of check box to prevent the auto added NAT rules for WireGuard interfaces, or, a check box that adds reply-to rules without the need for gateway to be filled.</li>
<li>Or, if possible, change the WireGuard package in such a way that it treats the WireGuard interface with reply-to rules with or without the gateway being set in the interface.</li>
</ul>
<p>To give you more of an idea of why I had more trouble with this particular part than anything previous is that I was migrating away from OpenVPN to WireGuard. Where OpenVPN functioned as desired without the gateway being set, I did not think to read the interface documentation mostly because the verbiage only mentions the need for it being set for internet access type scenarios, of which, I overlooked thinking it was unnecessary. On my testing environment, it was not until I started changing what I thought were unnecessary checkboxes and dropdowns that I discovered the gateway was needed, I then started to read the documentation for it, which led me to my final conclusion.</p>
<p>Appreciate your time!<br />Thank you!</p>
pfSense Packages - Bug #14146 (New): Small Typo in 'Advanced Outbound firewall rule settings' war... https://redmine.pfsense.org/issues/14146 2023-03-22T07:36:44Z Jon Brown
<p>When creating an IPv4 outbound permit rule (Firewall --> pfBlockerNG --> Ip --> IPv4) and you leave the <b>Custom Protocol</b> on any you get the following error:</p>
<pre>
Settings: Protocol setting cannot be set to 'Default' with Advanced Outbound firewall rule settings.
</pre>
<p><img src="https://redmine.pfsense.org/attachments/download/4819/pfblocker-with-any-error-message.jpg" alt="" /></p>
<p>There is a typo where it is saying it cannot be left on 'Default', there is no default protocol. This should read as follows:</p>
<pre>
Settings: Protocol setting cannot be set to 'Any' with Advanced Outbound firewall rule settings.
</pre>
<p>I have swapped <strong>default</strong> for <strong>any</strong></p>
pfSense - Bug #13110 (New): changing CARP VIP address does not update outbound NAT interface IP https://redmine.pfsense.org/issues/13110 2022-04-30T13:19:52Z → luckman212 luke.hamburg@gmail.com
<p>In my testing, on a 2 node HA cluster running 22.05.a.20220426.1313, if you change the Virtual IP, it is properly synced to the backup node, but the manual outbound NAT rule is not updated, so things break slightly. I am not sure if this is by design, but since you are selecting the IP by interface name, it seems like it would intuitively work the way other aliases work and "follow" changes to the chosen named VIP.</p>
pfSense Packages - Bug #11490 (New): Service Watchdog - Impacts Reboots and Package Updates https://redmine.pfsense.org/issues/11490 2021-02-21T01:11:28Z A S
<p>All - wasn't quite sure which to attribute this to as it's a package, but is impacting standard operation.</p>
Synopsis:
<ul>
<li>When upgrading a package where the upgrade must stop the service, the Service Watchdog is restarting the service before the upgrade of the package completes. Appears to completely stall some updates where the update process takes some time to run with the service stopped.</li>
<li>Upon reboot, while reviewing syslog - the Service Watchdog is starting services <b>before</b> pfSense [itself] normally starts a given service. Suspect that this could cause services to start in an abnormal order and potentially create dependency issues.</li>
</ul>
<p>Noticed this upon trying to assess a recent issue and watching syslog information where virtually every process upon reboot was started <strong>first</strong> by the Service Watchdog and when the system starting of that same process occurred - the system initiated startup failed.</p>
pfSense Packages - Bug #11000 (New): haproxy deprecated trick suggested https://redmine.pfsense.org/issues/11000 2020-10-22T17:51:10Z Manuel Piovan
<p>haproxy-devel<br />under backend<br />the description for "Http check version" says:<br /><pre><code class="php syntaxhl">Defaults to "HTTP/1.0" if left blank. Note that the Host field is mandatory in HTTP/1.1, and as a trick, it is possible to pass it after "\r\n" following the version string like this:
HTTP/1.1\r\nHost:\ www
</code></pre><br />but this leads to a warning</p>
<pre><code class="php syntaxhl">[WARNING] 296/004428 (78254) : parsing [/var/etc/haproxy/haproxy.cfg:67]: 'option httpchk' : hiding headers or body at the end of the version string is deprecated. Please, consider to use 'http-check send' directive instead.
</code></pre>
pfSense - Bug #9837 (New): ipv6 is not completely disabled on the interfaces https://redmine.pfsense.org/issues/9837 2019-10-20T14:04:36Z Viktor Gurov
<p>When IPv6 Configuration Type is None on Interfaces configuration page, IPv6 link-local addresses are still used.<br />You can see OSPFv3 hello packets, can use IPv6 from these interfaces,<br />or, if rules like "IPv4+IPv6" are used, can connect to services.</p>
<p>to completely disable IPv6 on interfaces, option <strong>ifdisabled</strong> must be used, i.e. "ifconfig vtnet0 inet6 ifdisabled" <br />from ifconfig (8):<br /><pre>
ifdisabled
Set a flag to disable all of IPv6 network communications on the
specified interface. Note that if there are already configured
IPv6 addresses on that interface, all of them are marked as
"tentative" and DAD will be performed when this flag is cleared.
</pre></p>
<p>pfSense 2.5.0.a.20191018.2017</p>
pfSense - Bug #9755 (New): package description wrong link https://www.freshports.org/security/ope... https://redmine.pfsense.org/issues/9755 2019-09-13T05:20:05Z Viktor Gurov
<p>Package Dependencies:<br /> openvpn-client-export-2.4.7 - wrong link</p>
<p><a class="external" href="https://www.freshports.org/security/openvpn-client-export">https://www.freshports.org/security/openvpn-client-export</a>:<br />FreshPorts -- Document not found<br />Sorry, but I don't know anything about that.</p>
<p>/security/openvpn-client-export</p>
<p>Perhaps a list of categories or the search page might be helpful.</p>
pfSense Packages - Bug #9486 (New): ifindex values used for softflowd are incorrect https://redmine.pfsense.org/issues/9486 2019-04-26T13:16:29Z Jesse White
<p>With this patch, we now pass ifIndex values to softflowd for inclusion in the flow packets:<br /> <a class="external" href="https://github.com/pfsense/FreeBSD-ports/pull/501/files#diff-451c93a8b870e13a749022e7ecf64cd6R52">https://github.com/pfsense/FreeBSD-ports/pull/501/files#diff-451c93a8b870e13a749022e7ecf64cd6R52</a></p>
<p>However, the values used are arbitrary and do not line up with the values used by other services on the system such as snmpd:<br /><pre>
ps ax | grep soft
91600 - Ss 0:00.64 /usr/local/sbin/softflowd -i 1:igb1 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.igb1.pid -c /var/r
91913 - Is 0:00.00 /usr/local/sbin/softflowd -i 2:igb1.2 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.igb1.2.pid -c /v
92156 - Is 0:00.00 /usr/local/sbin/softflowd -i 3:igb1.3 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.igb1.3.pid -c /v
92774 - Is 0:00.00 /usr/local/sbin/softflowd -i 4:ovpnc2 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.ovpnc2.pid -c /v
93644 - Ss 0:00.69 /usr/local/sbin/softflowd -i 5:igb0 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.igb0.pid -c /var/r
93969 - Is 0:00.00 /usr/local/sbin/softflowd -i 6:lo0 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.lo0.pid -c /var/run
</pre></p>
<pre>
$ snmpwalk -c public -v 2c 10.1.1.1 IF-MIB::ifDescr
IF-MIB::ifDescr.1 = STRING: igb0
IF-MIB::ifDescr.2 = STRING: igb1
IF-MIB::ifDescr.3 = STRING: enc0
IF-MIB::ifDescr.4 = STRING: lo0
IF-MIB::ifDescr.5 = STRING: pflog0
IF-MIB::ifDescr.6 = STRING: pfsync0
IF-MIB::ifDescr.7 = STRING: igb1.2
IF-MIB::ifDescr.8 = STRING: igb1.3
IF-MIB::ifDescr.9 = STRING: ovpnc2
</pre>
<p>For example igb1.2 is set to ifIndex 2, but it should really be 7.</p>
<p>The proper ifIndex can be retrieved using:<br /> <a class="external" href="https://www.freebsd.org/cgi/man.cgi?query=if_nametoindex&apropos=0&sektion=3&manpath=FreeBSD+11.0-RELEASE&arch=default&format=html">https://www.freebsd.org/cgi/man.cgi?query=if_nametoindex&apropos=0&sektion=3&manpath=FreeBSD+11.0-RELEASE&arch=default&format=html</a></p>
pfSense - Bug #9140 (New): Unexpected rule can be displayed when looking up filter log entry with... https://redmine.pfsense.org/issues/9140 2018-11-20T07:48:51Z S P
<p>When using Port aliases, in the firewall log, when clicking on 'action' the triggering port seems to always be the first of the list.</p>
<p>As for the images, the triggering port is the 21, the port shown in 'detail' is 1001<br />the port list goes something like: 1001, 21, ...</p>
pfSense - Bug #8464 (New): Wireless USB card does not connect to WiFi automatically after reboot/... https://redmine.pfsense.org/issues/8464 2018-04-17T03:35:41Z Constantine Kormashev
<p>Wireless USB card on Realtek RTL8192SU chipset in BSS mode does not connect to WiFi until wireless interface is set to down and after to up state manually. E.g. after device reboot.<br />There is not any problem with forwarding in case device already connected to WiFi, problem happens only after device reboot/halt.<br />Tried with Dlink DWA131 (Realtek RTL8192SU) on 3100 and 2220.<br />During down/up interface there are messages in console:<br /><pre>
rsu0: rsu_join_bss: still scanning! (attempt 0)
rsu0_wlan0: ieee80211_new_state_locked: pending SCAN -> AUTH transition lost
</pre></p>
pfSense - Bug #8157 (New): Traffic Graph clutter from time to time https://redmine.pfsense.org/issues/8157 2017-12-03T06:40:58Z Ingo-Stefan Schilling ischilling@hotmail.com
<p>When traffic is more occasional with (great) peaks the graph clutters. See attached file. This happens since version 2.4 and is here in 2.4.2-RELEASE (amd64).</p>
pfSense - Bug #7648 (New): SPAN ports on an interface renders CARP HA inoperative https://redmine.pfsense.org/issues/7648 2017-06-14T21:05:03Z David Van Cleef
<p>When a SPAN port is added to an interface, CARP breaks.</p>
<p>The source address of the CARP announcement, which should be from the IETF VRRP mac range changes to the mac of the physical interface.</p>