pfSense bugtracker: Issues (https://redmine.pfsense.org/, feed generated 2024-03-12T13:17:13Z)
pfSense Plus - Bug #15332 (New): Kea doesn't start without any logs when upload config with addit... (https://redmine.pfsense.org/issues/15332, 2024-03-12T13:17:13Z, aleksei prokofiev)
<p>If the config has an additional DHCP pool with extra parameters configured, such as default-lease-time or max-lease-time, then KEA won't start, without any logs. To fix that, you need to delete those extra options from the config, or just resave the affected pool without any changes; that will rewrite the config without the extra options.</p>
<p>For example:</p>
<pre>
<pool>
  <range>
    <from>192.168.6.2</from>
    <to>192.168.6.48</to>
  </range>
  <descr><![CDATA[NTP Server]]></descr>
  <defaultleasetime>600</defaultleasetime>
  <maxleasetime>3600</maxleasetime>
</pre>
<p>After resaving, it will be deleted:</p>
<pre>
<pool>
  <range>
    <from>192.168.6.2</from>
    <to>192.168.6.48</to>
  </range>
  <descr><![CDATA[NTP Server]]></descr>
  <defaultleasetime></defaultleasetime>
  <maxleasetime></maxleasetime>
</pre>
pfSense Plus - Bug #15262 (New): Captive Portal Has High CPU Interrupts With Large Number of Users (https://redmine.pfsense.org/issues/15262, 2024-02-15T19:33:29Z, Kris Phillips)
<p>When 700+ Captive Portal users are in use, CPU interrupts will cause high load averages to occur. This can lead to connectivity problems, such as packet loss on WAN uplinks, webConfigurator responsiveness issues, etc.</p>
<p>Tested with a customer who had load averages of 14-16 with Captive Portal on with 1400+ users. Once Captive Portal was turned off, load averages dropped to 0.5.</p>
<p>Load seems higher for Captive Portal when there are significant numbers of users since the transition to pf from ipfw.</p>
pfSense Plus - Bug #15157 (Incomplete): Problem in Restore Backup (https://redmine.pfsense.org/issues/15157, 2024-01-12T23:35:22Z, Ramon Alonso Costa)
<p>I am having the following issue when trying to update the DNS Resolver backup. Below is the file with the error.</p>
pfSense Plus - Bug #15126 (New): SG-1100 pfSense+ recovery results in non aligned disk slices (https://redmine.pfsense.org/issues/15126, 2023-12-29T03:11:42Z, David Burns (david.burns@dugeem.net))
<p>Currently preparing for an upgrade of SG-1100 remote worker fleet.</p>
<p>However, after installing the latest SG-1100 recovery image (pfSense-plus-compat-recovery-23.09.1-RELEASE-aarch64.img.gz) it appears that the resulting image restored to the SG-1100 eMMC is not aligned:<br />(reference <a class="external" href="https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/reinstall-pfsense.html">https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/reinstall-pfsense.html</a>)</p>
<pre>
gpart show mmcsd0
=> 1 15273599 mmcsd0 MBR (7.3G)
1 409600 1 efi (200M)
409601 131072 2 fat32 (64M)
540673 14732927 3 freebsd [active] (7.0G)
</pre>
<p>This is a UFS build. Clearly the FreeBSD slice (starting sector 540673) is not aligned to a 4k / 32k / 1M boundary. Non-aligned writes may have an impact on eMMC life (depending on the write workload, of course).</p>
<p>Within the slice the actual UFS partition is at least 8k aligned (although suboptimal given that the UFS2 default block size is 32kB):</p>
<pre>
gpart show mmcsd0s3
=> 0 14732927 mmcsd0s3 BSD (7.0G)
0 16 - free - (8.0K)
16 14732911 1 freebsd-ufs (7.0G)
</pre>
<p>Compare this to a Netgate 7100 (with ZFS):</p>
<pre>
gpart show mmcsd0
40 61071280 mmcsd0 GPT (29G)
40 1024 1 freebsd-boot (512K)
1064 984 - free - (492K)
2048 4194304 2 freebsd-swap (2.0G)
4196352 56872960 3 freebsd-zfs (27G)
61069312 2008 - free - (1.0M)
</pre>
<p>Hopefully the image build can be corrected using appropriate <strong><code>gpart add -t freebsd -a 1M ... /dev/mmcsd0</code></strong> argument parameters.</p>
<p>Lastly, is the SG-1100 (aarch64) recovery image also used for the SG-2100? If so, this issue may also impact the SG-2100.</p>
pfSense Plus - Bug #15017 (Incomplete): DHCP relay CARP status VIP function is not working in pfs... (https://redmine.pfsense.org/issues/15017, 2023-11-20T19:51:25Z, Robert Karsai)
<p>Hello,<br />It seems that after the 23.05.1->23.09 upgrade the DHCP relay CARP status VIP function is not working properly: the DHCP relay agent stays active at all times (dhcrelay stays green on the dashboard widget, and <code>pgrep dhcrelay</code> returns running processes in the CLI), and it will not be stopped when the chosen VIP is in BACKUP status. Not a big deal, there can be two active relay agents in the same network, but this is not how it is supposed to work. Strangely, this only affects our pfSense+ 23.09 clusters; in pfSense CE 2.7.1 this is not an issue.<br />--<br />BR<br />Robert</p>
pfSense Plus - Bug #14968 (New): Google LDAP fail to bind (https://redmine.pfsense.org/issues/14968, 2023-11-11T13:11:11Z, Lev Prokofev)
<p>Even with a freshly created cert and Bind user login/pass it fails to bind with the message:</p>
<p><em>/system_authservers.php: ERROR! ldap_get_user_ous() could not bind to server.</em></p>
<p>It seems the TLS talk between the client and server went smoothly (packet capture attached)</p>
<p>Ticket for reference #2067635022</p>
pfSense Plus - Bug #14894 (New): Password protected console login prompt does not render properly... (https://redmine.pfsense.org/issues/14894, 2023-10-18T19:47:24Z, Jim Pingle)
<p>After resolving other console issues with the 4100/6100/8200 in <a class="issue tracker-1 status-3 priority-4 priority-default closed" title="Bug: Serial console output fails to render properly in certain cases on 4100, 6100, and 8200. (Resolved)" href="https://redmine.pfsense.org/issues/13455">#13455</a> a problem remains with the login prompt.</p>
<p>It is not printing a newline before the FreeBSD version string nor is it printing a newline before the password prompt:</p>
<pre>
[...])FreeBSD/amd64 (pfsense.home.arpa) (ttyu0)
login: rootPassword:
Netgate 4100 [...]
</pre>
<p>It should look like this:</p>
<pre>
FreeBSD/amd64 (pfsense.home.arpa) (ttyu0)
login: root
Password:
Netgate 4100 [...]
</pre>
<p>Changing the console type doesn't have any effect, nor does changing various aspects of the TTY (e.g. setting it to <code>xterm</code> or <code>cons25w</code> instead of <code>vt100</code>, or using <code>std</code> instead of <code>3wire</code>).</p>
pfSense Plus - Bug #14879 (New): Disabling DNS Rebinding Checks deletes private domains from unbo... (https://redmine.pfsense.org/issues/14879, 2023-10-14T12:37:45Z, Bob Dig)
<p>This will make Domain Overrides not work anymore, at least with split DNS.<br />More details are described here: <a class="external" href="https://forum.netgate.com/topic/183401/disabling-dns-rebinding-checks-does-alter-domain-overrides">https://forum.netgate.com/topic/183401/disabling-dns-rebinding-checks-does-alter-domain-overrides</a>.</p>
<p>Only tested with 23.05.1</p>
pfSense Plus - Bug #14778 (Incomplete): /usr/local/www/csrf/csrf-magic.php on line 161 PH... (https://redmine.pfsense.org/issues/14778, 2023-09-13T16:04:10Z, Andrew Rojek)
<p>Got this error message when trying to view a small list of CIDR addresses in Firewall->Aliases.<br />It was followed by a white blank screen and I had to reload the console page to reveal the error message below...</p>
<p>Crash report begins. Anonymous machine information:</p>
<p>arm64<br />14.0-CURRENT<br />FreeBSD 14.0-CURRENT #1 plus-RELENG_23_05_1-n256108-459fc493a87: Wed Jun 28 04:25:15 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-23_05_1-main/obj/aarch64/0P4W6joa/var/jenkins/workspace/pfSense-Plus-snapshots-23_05_1-main/source</p>
<p>Crash report details:</p>
<p>PHP Errors:<br />[13-Sep-2023 10:08:16 Europe/London] PHP Fatal error: str_ireplace(): Cannot use output buffering in output buffering display handlers in /usr/local/www/csrf/csrf-magic.php on line 161<br />[13-Sep-2023 10:08:53 Europe/London] PHP Fatal error: str_ireplace(): Cannot use output buffering in output buffering display handlers in /usr/local/www/csrf/csrf-magic.php on line 161</p>
<p>No FreeBSD crash data found.</p>
<p>Thank you.</p>
pfSense Plus - Bug #14175 (New): LDAP authentication for SSH fails (https://redmine.pfsense.org/issues/14175, 2023-03-24T12:58:35Z, Georgiy Tyutyunnik)
<p>LDAP authentication fails for SSH user authentication via LDAP with error (Invalid credentials).<br />The same user successfully authenticates to the GUI.<br />A user group with shell access is defined on pfSense and recognized at LDAP login, and the Shell Authentication Group DN is defined.<br />Logs for successful GUI and failed SSH logins are attached.</p>
pfSense Plus - Bug #14104 (New): Google LDAP connections still fail even after adding SNI for TLS... (https://redmine.pfsense.org/issues/14104, 2023-03-14T03:11:56Z, Azamat Khakimyanov)
<p>Tested on 23.01 and with IPv6.</p>
<p>After fixing <a class="external" href="https://redmine.pfsense.org/issues/11626">https://redmine.pfsense.org/issues/11626</a> I see that the LDAP client is sending the SNI header during TLS negotiation ('Client_Hello.png') but Google LDAP connections still fail.</p>
<p>In the PCAP I got 'Alert (Level: Fatal, Description: Unknown CA)', so it looks like Google LDAP is still replying with a self-signed certificate that will not pass CA validation checks (<a class="external" href="https://support.google.com/a/answer/9190869">https://support.google.com/a/answer/9190869</a>).</p>
<p>The strange part is that I got no error if I run <code># ldapsearch -H ldaps://ldap.google.com -x -d1</code>:</p>
<pre>
ldap_url_parse_ext(ldaps://ldap.google.com)
ldap_create
ldap_url_parse_ext(ldaps://ldap.google.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.google.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 2001:4860:4802:32::3a 636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS trace: SSL_connect:TLSv1.3 read encrypted extensions
TLS trace: SSL_connect:SSLv3/TLS read server certificate request
TLS certificate verification: depth: 2, err: 0, subject: /C=US/O=Google Trust Services LLC/CN=GTS Root R1, issuer: /C=US/O=Google Trust Services LLC/CN=GTS Root R1
TLS certificate verification: depth: 1, err: 0, subject: /C=US/O=Google Trust Services LLC/CN=GTS CA 1C3, issuer: /C=US/O=Google Trust Services LLC/CN=GTS Root R1
TLS certificate verification: depth: 0, err: 0, subject: /CN=ldap.google.com, issuer: /C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
TLS trace: SSL_connect:SSLv3/TLS read server certificate
TLS trace: SSL_connect:TLSv1.3 read server certificate verify
TLS trace: SSL_connect:SSLv3/TLS read finished
TLS trace: SSL_connect:SSLv3/TLS write change cipher spec
TLS trace: SSL_connect:SSLv3/TLS write client certificate
TLS trace: SSL_connect:SSLv3/TLS write finished
ldap_open_defconn: successful
</pre>
pfSense Plus - Bug #13949 (New): Boot Environments do not seem to cleanly restore the system (https://redmine.pfsense.org/issues/13949, 2023-02-12T09:51:54Z, Yuri Weinstein)
<p>I tried and set up 25.01RC and had a minor issue so decided to roll back to 22.05.</p>
<p>To my surprise, after restoring the system back to 22.05, two packages: `ntopng` and `pfBlockerNG-devel` had errors and required reinstalls.</p>
<p>Boot Environments did not cleanly restore the system to the known state!</p>
<p>See more than 1 user reporting this problem => <a class="external" href="https://forum.netgate.com/topic/177764/boot-environments-unexpected-behavior">https://forum.netgate.com/topic/177764/boot-environments-unexpected-behavior</a></p>
pfSense Plus - Bug #13569 (New): Restarting an OpenVPN server running on a CARP VIP in an HA clus... (https://redmine.pfsense.org/issues/13569, 2022-10-17T03:37:55Z, Azamat Khakimyanov)
<p>Our customer (Ticket #1161128024) pointed out a possible problem with the HA cluster and TCP streams. During troubleshooting the customer found out that having an OpenVPN Server running on a VIP (WAN CARP VIP or IP Alias bundled with WAN CARP VIP) causes this issue: during failover all TCP streams break down.</p>
<p>I was able to reproduce this issue:<br />- HA cluster<br />- OpenVPN Server with WAN CARP VIP as an Interface<br />- downloading process (FreeBSD image) and TCP stream (VLC with Network Stream: <a class="external" href="http://webcam.rhein-taunus-krematorium.de/mjpg/video.mjpg">http://webcam.rhein-taunus-krematorium.de/mjpg/video.mjpg</a>) running on internal host<br />- active RA OpenVPN connection from external host</p>
<p>Putting the Primary into Persistent CARP Maintenance mode destroyed both the downloading process and the TCP stream:</p>
<p>- System log on Primary</p>
<pre>
Oct 17 08:08:24 check_reload_status 389 Reloading filter
Oct 17 08:08:24 kernel ovpns1: link state changed to DOWN
Oct 17 08:08:21 php-fpm 5328 /rc.filter_synchronize: XMLRPC reload data success with https://10.10.99.2:443/xmlrpc.php (pfsense.restore_config_section).
Oct 17 08:08:21 php-fpm 5328 /rc.filter_synchronize: Beginning XMLRPC sync data to https://10.10.99.2:443/xmlrpc.php.
Oct 17 08:08:21 php-fpm 5328 /rc.filter_synchronize: XMLRPC versioncheck: 22.7 -- 22.7
Oct 17 08:08:21 php-fpm 5328 /rc.filter_synchronize: XMLRPC reload data success with https://10.10.99.2:443/xmlrpc.php (pfsense.host_firmware_version).
Oct 17 08:08:21 php-fpm 5328 /rc.filter_synchronize: Beginning XMLRPC sync data to https://10.10.99.2:443/xmlrpc.php.
Oct 17 08:08:21 check_reload_status 389 Carp backup event
Oct 17 08:08:21 check_reload_status 389 Carp backup event
Oct 17 08:08:21 kernel carp: 3@vtnet1: MASTER -> BACKUP (more frequent advertisement received)
Oct 17 08:08:21 kernel carp: 2@vtnet0: MASTER -> BACKUP (more frequent advertisement received)
Oct 17 08:08:21 kernel carp: 4@vtnet2: MASTER -> BACKUP (more frequent advertisement received)
Oct 17 08:08:21 check_reload_status 389 Carp backup event
Oct 17 08:08:20 check_reload_status 389 Syncing firewall
Oct 17 08:08:20 php-fpm 5328 /status_carp.php: Configuration Change: admin@192.168.122.1 (Local Database): Enter CARP maintenance mode
</pre>
<p>- System log on Secondary node</p>
<pre>
Oct 17 08:08:25 php-fpm 359 /rc.start_packages: Restarting/Starting all packages.
Oct 17 08:08:24 check_reload_status 389 Starting packages
Oct 17 08:08:24 check_reload_status 389 Reloading filter
Oct 17 08:08:24 php-fpm 359 /rc.newwanip: Netgate pfSense Plus package system has detected an IP change or dynamic WAN reconnection - -> 172.27.240.1 - Restarting packages.
Oct 17 08:08:24 php-fpm 359 /rc.newwanip: rc.newwanip called with empty interface.
Oct 17 08:08:24 php-fpm 359 /rc.newwanip: rc.newwanip: on (IP address: 172.27.240.1) (interface: []) (real interface: ovpns1).
Oct 17 08:08:24 php-fpm 359 /rc.newwanip: rc.newwanip: Info: starting on ovpns1.
Oct 17 08:08:23 check_reload_status 389 rc.newwanip starting ovpns1
Oct 17 08:08:23 check_reload_status 389 Reloading filter
Oct 17 08:08:23 kernel ovpns1: link state changed to UP
Oct 17 08:08:21 check_reload_status 389 Reloading filter
Oct 17 08:08:21 check_reload_status 389 Syncing firewall
Oct 17 08:08:21 php-fpm 62370 /xmlrpc.php: Configuration Change: (system)@10.10.99.1: Merged in config (staticroutes, gateways, virtualip, system, hasync, aliases, ca, cert, crl, dhcpd, dnshaper, filter, ipsec, nat, openvpn, schedules, shaper, unbound, wol sections) from XMLRPC client.
Oct 17 08:08:21 check_reload_status 389 Carp master event
Oct 17 08:08:21 check_reload_status 389 Carp master event
Oct 17 08:08:21 kernel arp: 10.10.130.1 moved from 00:00:5e:00:01:04 to 52:54:00:33:21:c0 on vtnet2
Oct 17 08:08:21 kernel carp: 2@vtnet0: BACKUP -> MASTER (preempting a slower master)
Oct 17 08:08:21 kernel carp: 3@vtnet1: BACKUP -> MASTER (preempting a slower master)
Oct 17 08:08:21 kernel carp: 4@vtnet2: BACKUP -> MASTER (preempting a slower master)
Oct 17 08:08:21 check_reload_status 389 Carp master event
</pre>
pfSense Plus - Bug #13074 (New): AES-GCM with SafeXcel on Netgate 2100 causes MBUF overload (https://redmine.pfsense.org/issues/13074, 2022-04-19T12:10:00Z, Chris S)
<p>Running IPsec tunnels on a Netgate 2100 with AES-GCM and SafeXcel enabled seems to cause an MBUF overload requiring a reboot to re-establish the tunnel.</p>
<p>First spotted by NOCling in the forums. I was able to reproduce on my own 6100-2100 IPsec setup.</p>
<p><a class="external" href="https://forum.netgate.com/topic/171469/netgate-2100-s2s-aes-gcm-and-safexcel-mbuf-overload">https://forum.netgate.com/topic/171469/netgate-2100-s2s-aes-gcm-and-safexcel-mbuf-overload</a></p> pfSense Plus - Bug #12894 (New): duplicating freshly created certificates through refreshinghttps://redmine.pfsense.org/issues/128942022-03-03T14:30:26ZVan Quach
<p>Version 22.01-Release FreeBSD 12.3-Stable</p>
<p>Bug: After successfully creating a certificate, the certificate gets duplicated by refreshing the page (while the green success notification is shown).</p>
<p>This happened to me with different CAs and it doesn't matter what type of certificate it is.</p>