pfSense bugtracker: Issueshttps://redmine.pfsense.org/https://redmine.pfsense.org/favicon.ico?16780521162024-03-05T19:53:06ZpfSense bugtracker
Redmine pfSense Packages - Bug #15313 (Confirmed): Zabbix server 6.4.12 requires Zabbix proxies to be ver...https://redmine.pfsense.org/issues/153132024-03-05T19:53:06ZAndrew Almond
<p>There seems to be a bug/change with Zabbix server and Zabbix proxy where both need to be running 6.4.12.<br />If the versions don't match, then the proxy is unable to receive configuration changes from the server and shows this message in the log:</p>
<pre>
cannot process received configuration data from server at "192.168.1.8": unexpected field "httptest.status"
</pre>
<p>There are 3 bug reports with Zabbix about this issue:<br /><a class="external" href="https://support.zabbix.com/browse/ZBX-24162">https://support.zabbix.com/browse/ZBX-24162</a><br /><a class="external" href="https://support.zabbix.com/browse/ZBX-24161">https://support.zabbix.com/browse/ZBX-24161</a><br /><a class="external" href="https://support.zabbix.com/browse/ZBX-23232">https://support.zabbix.com/browse/ZBX-23232</a></p>
<p>It looks like this issue was addressed in Zabbix 6.4.12:<br /><a class="external" href="https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/28b3672d114">https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/28b3672d114</a></p>
<p>We are running 23.05.1 and the package manager installs Zabbix 6.4.1 (revision 546e284fd7c).<br />Would it be possible to have the Zabbix proxy and agent packages updated to 6.4.12?</p>
<p>It looks like the packages were updated to 6.4.8 for pfSense 23.09, so even upgrading to that will not solve the issue.<br /><a class="external" href="https://redmine.pfsense.org/issues/14913">https://redmine.pfsense.org/issues/14913</a></p> pfSense Packages - Bug #15296 (New): WAN Interface cannot added to ntopng if offline-packet loss https://redmine.pfsense.org/issues/152962024-02-29T06:58:23ZSergei Shablovsky
<p>Brilliant pfSense DevTeam !</p>
<p>In multi-WAN pfSense configuration WAN interfaces that pfSense decide in “Offline, Packet loss” state CANNOT BE ADDED into ntopng config.</p>
<p>(to adding certain WAN connection (for example if WAN interface come from “Offline, packet loss” state to “Online” state), ntopng need to be disabled, service stopped, ntopng pkg uninstalled (with all data and configs deleted), than hardware rebooting, install ntopng pkg again, and only after that new WAN with “Online” status becomes visible as Interface in ntopng”).</p>
<p>But LAN interfaces ALL would be ADDED as well even some of them are not connected physically. So this bug related only WAN interfaces.</p>
<p>P.S.<br />This is related for WAN DHCP, do not know about WAN STATIC.</p> pfSense Packages - Bug #15274 (Incomplete): HAProxy Configuration Changes Require pfSense Reboot ...https://redmine.pfsense.org/issues/152742024-02-20T21:51:14ZZachary Cohen
<p>As originally reported here (<a class="external" href="https://forum.netgate.com/topic/172972/haproxy-config-changes-not-loaded-pfsense-restart-needed">https://forum.netgate.com/topic/172972/haproxy-config-changes-not-loaded-pfsense-restart-needed</a>), changes made to the HAProxy configuration require a reboot to take effect.</p>
<p>I'm consistently able to reproduce this issue when adding new backends.</p>
<p>When browsing to the new backend, I receive a 503 - "no server is available to handle this request". After rebooting, it works as expected.</p>
<p>Other users have been able to validate that this issue was present starting with pfSense 2.6.0 and HAProxy version haproxy-devel 0.62.10.</p>
<p>While I was able to replicate that issue starting on that version, I'm currently replicating it in pfSense 2.7.2-RELEASE (amd64) and haproxy-devel 0.63_2.</p> pfSense Packages - Bug #15131 (Incomplete): OpenVPN client export issues with iPhone and IPV6 con...https://redmine.pfsense.org/issues/151312024-01-02T18:38:40ZJonathan Lee
<p>I have researched and found an issue within the OpenVPN's client export config file for iPhones (OpenVPN Connect (iOS/Android))</p>
<p>it exports with udp4 listed and this does not work with iPhones because of ipv6 in the config (.ovpn) file and must be changed to udp for iOS iPhones to work with OpenVPN and pfSense.</p>
<p>That is the only adaption needed to fix this issue.</p> pfSense Packages - Bug #15048 (New): Snort large memory consumption when updatinghttps://redmine.pfsense.org/issues/150482023-11-29T09:47:49ZRicardo ot
<p>Snort since the last updates uses a lot of memory when updating and it has a big impact. Can this be improved?</p>
<p>Thanks,</p>
<p>I have these configurations active for 2 interfaces:<br />Resolve Flowbits. checked.<br />Use IPS Policy. Checked.<br />IPS Policy Selection. Connectivity.<br />All the rulesets (Categories). Checked all</p>
<p>I already changed the PfBlokerng configuration to use "Unbound python mode" and changed the time so that the update is not done at the same time. This has improved PfblockerNg's memory usage.</p>
<p>System log Logs:</p>
<blockquote>
<p>Nov 29 00:48:16 php 46952 [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload<br />Nov 29 00:45:00 php 46952 [pfBlockerNG] Starting cron process.<br />Nov 29 00:25:57 php 85398 [Snort] The Rules update has finished.<br />Nov 29 00:25:57 php 85398 [Snort] Snort has restarted on WANONT with your new set of rules...<br />Nov 29 00:25:45 php 85398 [Snort] Snort START for <abbr title="vmx3">WANONT</abbr>...<br />Nov 29 00:25:44 kernel pid 31736 (snort), jid 0, uid 0: exited on signal 11 (core dumped)<br />Nov 29 00:25:44 snort 31736 * * * Caught Term-Signal<br />Nov 29 00:25:43 php 85398 [Snort] Snort STOP for <abbr title="vmx3">WANONT</abbr>...<br />Nov 29 00:25:42 php 85398 [Snort] Building new sid-msg.map file for WANONT...<br />Nov 29 00:25:42 php 85398 [Snort] Enabling any flowbit-required rules for: WANONT...<br />Nov 29 00:25:42 php 85398 [Snort] Enabling any flowbit-required rules for: WANONT...<br />Nov 29 00:25:41 php 85398 [Snort] Updating rules configuration for: WANONT ...<br />Nov 29 00:25:41 php 85398 [Snort] Snort has restarted on LAN with your new set of rules...<br />Nov 29 00:25:29 kernel pid 29090 (snort), jid 0, uid 0: exited on signal 11 (core dumped)<br />Nov 29 00:25:29 php 85398 [Snort] Snort START for <abbr title="vmx1">LAN</abbr>...<br />Nov 29 00:25:28 snort 29090 *** Caught Term-Signal<br />Nov 29 00:25:27 php 85398 [Snort] Snort STOP for <abbr title="vmx1">LAN</abbr>...<br />Nov 29 00:25:27 php 85398 [Snort] Building new sid-msg.map file for LAN...<br />Nov 29 00:25:27 php 85398 [Snort] Enabling any flowbit-required rules for: LAN...<br />Nov 29 00:25:26 php 85398 [Snort] Enabling any flowbit-required rules for: LAN...<br />Nov 29 00:25:26 php 85398 [Snort] Updating rules configuration for: LAN ...<br />Nov 29 00:25:25 php 85398 [Snort] Building new sid-msg.map file for WAN...<br />Nov 29 00:25:25 php 85398 [Snort] Enabling any flowbit-required rules for: WAN...<br />Nov 29 00:25:25 php 85398 [Snort] Enabling any flowbit-required rules for: WAN...<br />Nov 29 00:25:24 php 85398 [Snort] Updating rules configuration for: WAN ...<br />Nov 29 00:25:24 php 85398 [Snort] Removed 49 obsoleted rules category files.<br />Nov 29 00:25:24 php 85398 [Snort] Hide Deprecated Rules is enabled. Removing obsoleted rules categories.<br />Nov 29 00:25:17 php 85398 [Snort] Feodo Tracker Botnet C2 IP rules were updated...<br />Nov 29 00:25:17 php 85398 [Snort] Feodo Tracker Botnet C2 IP rules file update downloaded successfully.<br />Nov 29 00:25:17 php 85398 [Snort] Emerging Threats Open rules file update downloaded successfully<br />Nov 29 00:25:15 php 85398 [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz...<br />Nov 29 00:25:15 php 85398 [Snort] Snort GPLv2 Community Rules file update downloaded successfully<br />Nov 29 00:25:13 php 85398 [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz...<br />Nov 29 00:25:13 php 85398 [Snort] Snort Subscriber rules file update downloaded successfully<br />Nov 29 00:25:04 php 85398 [Snort] There is a new set of Snort Subscriber rules posted. Downloading snortrules-snapshot-29200.tar.gz...</p>
</blockquote> pfSense - Bug #15015 (New): Static routes not workinghttps://redmine.pfsense.org/issues/150152023-11-20T17:53:07ZSilviu Bajenaru
<p>Hello,</p>
<p>This morning I updated to PFSense 2.7.1 from 2.7.0. Now, I just tried to add a dynamic gateway and a static route. Unfortunately, the static route is not being added to the routing table. I restored the VM backup from this morning, before I updated, added the same gateway and static route and it was added to the routing table, and everything works fine.<br />I've set the priority to Urgent since this is quite bad for a router...?</p>
More info about my setup: I've got three sites, let's call them A, B and C. There is an IPSec tunnel between A and B, and one between B and C. Both tunnels are set with Mode VTI. I've assigned the ipsec interfaces and set the gateways and routes:<br />Site A has a gateway set on the IPSec interface and a route for site C that uses that gateway.<br />Site B has two gateways (one for each IPSec tunnel) and the following routes:
<ul>
<li>route to site A via the IPSec interface - gateway - going to site A</li>
<li>route to site B via the IPSec interface - gateway - going to site B<br />Site C has a gateway set on the IPSec interface and a route for site A that uses that gateway.<br />Site A was updated this morning to PFSense 2.7.1, while Site C is running 2.7.0.<br />Site A DOES NOT have the static routes added to the routing table.<br />Site C does have the static routes added to the routing table.</li>
</ul>
<p>Once I reverted Site A to 2.7.0, I did the same config again and the routes were added to the routing table.</p>
<p>Thank you.</p> pfSense - Bug #14741 (New): PHP error in DNS Forwarder host overrides when the language is set to...https://redmine.pfsense.org/issues/147412023-09-02T10:26:29ZNicolas PISTER
<p>A PHP error occur when a user try to add or modify Host Override in DNS Forwarder module</p>
<pre>
amd64
14.0-CURRENT
FreeBSD 14.0-CURRENT #1 RELENG_2_7_0-n255866-686c8d3c1f0: Wed Jun 28 04:21:19 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_0-main/obj/amd64/LwYAddCr/var/jenkins/workspace/pfSense-CE-snapshots-2_7_0-main/sources/FreeBSD-src-REL
Crash report details:
PHP Errors:
[02-Sep-2023 11:55:24 Europe/Paris] PHP Fatal error: Uncaught ValueError: Unknown format specifier "p" in /usr/local/www/classes/Form/Input.class.php:127
Stack trace:
#0 /usr/local/www/classes/Form/Input.class.php(127): sprintf('Nom de domaine ...', '<br />')
#1 /usr/local/www/services_dnsmasq_edit.php(85): Form_Input->setHelp('Domain of the h...', '<br />')
#2 {main}
thrown in /usr/local/www/classes/Form/Input.class.php on line 127
[02-Sep-2023 11:58:37 Europe/Paris] PHP Fatal error: Uncaught ValueError: Unknown format specifier "p" in /usr/local/www/classes/Form/Input.class.php:127
Stack trace:
#0 /usr/local/www/classes/Form/Input.class.php(127): sprintf('Nom de domaine ...', '<br />')
#1 /usr/local/www/services_dnsmasq_edit.php(85): Form_Input->setHelp('Domain of the h...', '<br />')
#2 {main}
thrown in /usr/local/www/classes/Form/Input.class.php on line 127
[02-Sep-2023 11:58:46 Europe/Paris] PHP Fatal error: Uncaught ValueError: Unknown format specifier "p" in /usr/local/www/classes/Form/Input.class.php:127
Stack trace:
#0 /usr/local/www/classes/Form/Input.class.php(127): sprintf('Nom de domaine ...', '<br />')
#1 /usr/local/www/services_dnsmasq_edit.php(85): Form_Input->setHelp('Domain of the h...', '<br />')
#2 {main}
thrown in /usr/local/www/classes/Form/Input.class.php on line 127
</pre>
<p>I think it come from a french translation file because when i use original language, everithing works.</p> pfSense Packages - Bug #14510 (New): match rpki invalid What is actually executed is match rpki v...https://redmine.pfsense.org/issues/145102023-06-26T22:03:58Zyon Liuinfo@ipv6china.com
<p>when i setup match rpki invalid for deny, then actually executed is match rpki valid for deny.</p>
<p>please your check and fix it.</p> pfSense - Bug #14397 (New): DHCPv4 client (dhclient) does not use 802.1p Priority tagging on DHCP...https://redmine.pfsense.org/issues/143972023-05-19T14:52:52ZTue Madsen
<p>Some ISPs using VLANs for service, require DHCPv4/v6 Frames to be 802.1p priority tagged. <br />pfSense has the option to do this by either:<br />- Setting VLAN priority tagging in the Interface DHCP options (if you are not using Advanced configuration or a predefined configuration file)<br />- If using advanced configuration: By adding “vlan-pcp x” in the advanced modifier options.</p>
<p>BUG:<br />This priority setting in only used in DISCOVER and RELEASE frames sent by dhclient - NOT in RENEW or REBIND.</p>
<p>This is now causing major problems in France where Orange (Major ISP) has upgraded to also requiring the RENEW frames to be properly VLAN Priority tagged.<br />This causes the uplink to stop working when a renew is due. (About once a day)</p>
<p>I don’t know if the issue is the same in DHCPv6</p>
<p>The issue was patched in OPNsense about a month ago, and they decided to drop the advanced options overwrite of the VLAN priority setting in interface DHCP options. <br />Instead they let the user choose if VLAN priority should be used via the interface DHCP VLAN Priority setting already available. <br />If selected it would - apart from adding “vlan-pcp x” to the dhclient config - also set the priority tag in the builtin pffilter rule that passes Interface DHCP client traffic. This adds the tag to RENEW and REBIND frames.</p>
<p>The issue occurs because dhclient uses a bfg interface for DISCOVER and RELEASE - thus respecting the vlan-pcp settings. But for RENEW it uses a simple socket, and that causes it not to be tagged correctly. In pfSense you cannot create a floating match rule to manually tag the traffic that has higher priority than the builtin pass quick rule for the interface DHCP client.</p> pfSense Packages - Bug #14390 (New): Squid: SECURITY ALERT: Host header forgery detectedhttps://redmine.pfsense.org/issues/143902023-05-16T09:19:15ZSimon Byrnand
<p>In Squid version 3.2 in 2012 a "fix" for a potential security vulnerability involving host header forgery was added, this is described briefly here:</p>
<p><a class="external" href="https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery">https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery</a></p>
<p>It is also mentioned in the documentation for the host_verify_strict squid option below, which references CVE-2009-0801:</p>
<p><a class="external" href="http://www.squid-cache.org/Doc/config/host_verify_strict/">http://www.squid-cache.org/Doc/config/host_verify_strict/</a></p>
<p>In essence, when transparent interception is used Squid will obtain the SNI for https or host header for http, do a DNS lookup on this hostname enumerating the IP addresses returned, then double check the destination IP address of the intercepted packet is one of those returned from the DNS request.</p>
<p>If it's not, the request fails and returns an HTTP/409 error to the client, which shows up as a "NONE/409" in the squid access.log.</p>
<p>While this extra check is well intentioned, probably seemed like the right thing to do in 2012 and no doubt does address CVE-2009-0801, today in 2023 it has massive collateral damage and makes transparent proxying almost unusable for many large services that use CDN's, as it causes frequent but intermittent connection failures for many CDN based services.</p>
<p>The issue here is one of DNS coherency. As I've discovered when looking into this in detail in the last week CDN service DNS records have <ins>extremely</ins> short TTL times of around 10 or 20 seconds typically. After that TTL expires you will more often than not get a completely disjoint set of different IP addresses returned than what you got just 20-30 seconds earlier.</p>
<p>A couple of examples I'm working with which can be queried multiple times over a couple of minutes with dig returning different results are:</p>
<p>res.cdn.office.net<br />uk.ng.msg.teams.microsoft.com</p>
<p>These are both used by Office 365 / Microsoft Teams, however this issue of very short TTL times and disjointed IP address response sets seems to be pervasive in large CDN infrastructure as of 2023.</p>
<p>The end result is intermittent http/https query failures returning HTTP/409. In my testing in the last few days Microsoft Teams on iOS is very susceptible to this problem and is basically unusable as it will work for a while then just fail to connect to the servers or be able to start a video call due to Squid returning HTTP/409 errors to it.</p>
<p>Ensuring DNS coherency between clients and proxy server (by forcing clients and proxy server to use the same DNS server - which I already do) does help on regular websites with long TTL's, or websites whose IP address result set is consistent, and is essential to getting transparent proxying working, however it does <ins>not</ins> help this issue with CDN's. :(</p>
<p>Here is what I think is happening in the specific instance of the Teams client, however the same basic scenario can apply to other client software as well.</p>
<p>The Teams app performs a DNS lookup on uk.ng.msg.teams.microsoft.com and gets multiple IP addresses returned. It chooses one and makes an https query to the server using this IP address. Squid intercepts this transparently, reads the SNI, does its own DNS lookup from the same DNS server, gets the same response, verifies that the IP address of the destination packets match the DNS records and everything works fine.</p>
<p>A couple of minutes later Teams makes a new https request to the same hostname <ins>using an internally cached (within the application) copy of the IP address</ins> - Squid performs another DNS lookup on the hostname as the extremely short TTL has already expired, however this time the IP addresses returned are completely different so the request fails with an HTTP/409 error. This breaks the client.</p>
<p>TTL on DNS records only mandates how long a DNS server or OS level resolver can cache the result for, it <ins>cannot</ins> prevent an application choosing to continue to use the same IP address for longer than the TTL. It would be perfectly reasonable for an HTTPS connection to stay open for an hour for example even if the DNS record has a TTL of 10 seconds. Absent the transparent proxy there is no issue because the server IP's remain valid for long periods of time (probably days/weeks) even though the DNS records are constantly rotating every 10-60 seconds or so.</p>
<p>From my perspective, the transparent mode is mostly useless now due to the combination of this original 2012 patch (which to be fair is a Squid patch not anything specific to PFSense) and the ubiquitous use of CDN's with extremely low DNS record TTL's and disjoint result sets that are constantly cycling IP addresses in and out of the results.</p>
<p>This issue has been discussed in the PFSense forum before:</p>
<p><a class="external" href="https://forum.netgate.com/topic/159364/squid-squidguard-none-409-and-dns-issue">https://forum.netgate.com/topic/159364/squid-squidguard-none-409-and-dns-issue</a></p>
<p>However the only outcomes were workarounds such as explicit client proxy settings or use of WPAD, both of which only admit that transparent proxying is broken. I make use of both of these where possible but there are still many cases where this is not possible.</p>
<p>The only true solution to get transparent mode working reliably again seems to be to walk back the "fix" applied back in Squid 3.2 and accept that theoretical exploit could be used, however without doing so we basically have to give up on transparent proxying altogether.</p>
<p>Patching this out has been discussed in a couple of places that I've found, here is one:</p>
<p><a class="external" href="https://github.com/NethServer/dev/issues/5348">https://github.com/NethServer/dev/issues/5348</a></p>
<p>To reproduce and monitor this issue is fairly easy:</p>
<p>Set up Squid in PFSense with transparent proxying enabled. Enable additional debug logging by adding <ins>debug_options ALL,1 rotate=7</ins> to Advanced Features -> Custom Options (Before Auth) then try using apps such as Microsoft Office apps that make heavy use of CDN's, making sure that the client has no proxy setting.</p>
<p>In /var/squid/logs/cache.log if the problem occurs you will see entries like:</p>
<p><code><br />2023/05/16 10:16:08 kid1| SECURITY ALERT: Host header forgery detected on local=3.227.250.226:443 remote=10.2.132.38:50635 FD 526 flags=33 (local IP does not match any domain IP)<br />2023/05/16 10:16:08 kid1| SECURITY ALERT: on URL: kinesis.us-east-1.amazonaws.com:443<br />2023/05/16 10:16:08 kid1| SECURITY ALERT: Host header forgery detected on local=3.227.250.226:443 remote=10.2.132.38:50636 FD 526 flags=33 (local IP does not match any domain IP)<br />2023/05/16 10:16:08 kid1| SECURITY ALERT: on URL: kinesis.us-east-1.amazonaws.com:443<br />2023/05/16 10:16:09 kid1| SECURITY ALERT: Host header forgery detected on local=17.253.29.208:443 remote=10.2.133.96:62179 FD 526 flags=33 (local IP does not match any domain IP)<br />2023/05/16 10:16:09 kid1| SECURITY ALERT: on URL: app-site-association.cdn-apple.com:443<br />2023/05/16 10:16:09 kid1| SECURITY ALERT: Host header forgery detected on local=3.227.250.226:443 remote=10.2.132.38:50637 FD 526 flags=33 (local IP does not match any domain IP)<br />2023/05/16 10:16:09 kid1| SECURITY ALERT: on URL: kinesis.us-east-1.amazonaws.com:443<br /></code></p>
<p>These log entries show both the host name that was requested by the client and the "local" IP address that the client was trying to connect to, if you do multiple DNS lookups of the hostname over a couple of minutes you will find that sometimes it returns the IP address, sometimes it does not.</p>
<p>While I appreciate this issue is an upstream issue I think it very unlikely that the Squid maintainers would accept a patch to walk back the change that was made in 2012, however I would argue that the transparent mode is barely usable due to this issue, so hopefully you would consider a patch to address this.</p>
<p>Regards,<br />Simon</p> pfSense Plus - Bug #14175 (New): LDAP authentication for SSH failshttps://redmine.pfsense.org/issues/141752023-03-24T12:58:35ZGeorgiy Tyutyunnik
<p>LDAP authentication fails for SSH user authentication via LDAP with error (Invalid credentials).<br />Same user successfully authenticates to GUI.<br />User group with shell access is defined on pfSense and recognized at LDAP login, Shell Authentication Group DN is defined. <br />Logs for successful gui and failed ssh logins are attached.</p> pfSense Packages - Bug #13544 (New): SquidGuard either denying everything or proxying everythinghttps://redmine.pfsense.org/issues/135442022-10-05T01:40:03ZJimmy Michaelson
<p>Hey,</p>
<p>I truly doubt this is a configuration issue as I've tried all the possible combinations.</p>
<p>Relevant images and config:</p>
<p><a class="external" href="https://forum.netgate.com/topic/175057/10-btc-bounty-squid-proxy-whitelist-per-source-ip/6">https://forum.netgate.com/topic/175057/10-btc-bounty-squid-proxy-whitelist-per-source-ip/6</a></p>
<p>FYI: The bounty has been bumped to $20 and is also valid here.</p> pfSense Packages - Bug #13214 (Pull Request Review): AttributeError: 'NoneType' object has no att...https://redmine.pfsense.org/issues/132142022-05-25T02:51:39ZIan Grindley
<p>After installing Prometheus node_exporter error messages appeared containing the following:</p>
<p>Arpwatch Notification : Cron <root@pfsense> /usr/bin/nice -n20 /usr/local/share/pfSense-pkg-node_exporter/interface-collector.py -</p>
<p>X-Cron-Env: <SHELL=/bin/sh><br />X-Cron-Env: <PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin><br />X-Cron-Env: <HOME=/root><br />X-Cron-Env: <LOGNAME=root><br />X-Cron-Env: <USER=root></p>
<p>Traceback (most recent call last):<br /> File "/usr/local/share/pfSense-pkg-node_exporter/interface-collector.py", line 29, in <module><br /> descr = elem.find('descr').text<br />AttributeError: 'NoneType' object has no attribute 'text'</p> pfSense - Bug #9295 (New): IPv6 PD does not work with PPPOE (Server & Client)https://redmine.pfsense.org/issues/92952019-01-29T11:51:01ZDirk Steingäßer
<p>Hi,</p>
<p>as encountering DHCPv6 with Prefix delegation does not work together with PPPOE Server vice versa it is not possible to get a prefix with an interface where the IPv4 Uplink is PPPOE.</p> pfSense - Bug #9123 (Feedback): Adding/configuring vlan on ixl-devices causes aq_add_macvlan err ...https://redmine.pfsense.org/issues/91232018-11-15T10:50:14ZSebastian Deuerling
<p>The actual vlan addition/configuring process is triggering error "aq_add_macvlan err -53, aq_error 14" on ixl-devices.<br />Configuring vlans seems to work nevertheless, but saving interface configurations with vlans takes a lot of time.<br />In our setup (two igb-interfaces, two ix-interfaces, two ixl-interfaces; 25 vlans on failover-lagg of ixl0 and igb0) saving changes on interface configuration lasts around about 20 to 30 minutes. After that pfSense seems to freeze. After reboot all vlans are working.<br />But booting also takes a lof of time. Around 5 minutes in step "Configuring VLANS...".<br />Our hardware: SYS-5018D-FN4T (Supermicro Intel Xeon D-1541 system) and X710DA2BLK (Intel X710-DA2 Dual-SFP+-PCIe-Addon-cards).<br />Further information here: <a class="external" href="https://forum.netgate.com/topic/136201/new-version-2-4-4-interface-error-aq_add_macvlan-err-53-aq_error-14/14">https://forum.netgate.com/topic/136201/new-version-2-4-4-interface-error-aq_add_macvlan-err-53-aq_error-14/14</a></p>