pfSense bugtracker: Issues | https://redmine.pfsense.org/ | 2024-03-25T09:20:00Z

pfSense Plus - Bug #15361 (New): Error in virtual IP aliases when using IPv6 "network" / "broadca... | https://redmine.pfsense.org/issues/15361 | 2024-03-25T09:20:00Z | Mathis Cavalli
<p>There is no network address in IPv6, nor broadcasts like IPv4<br />When adding / editing an IP alias and putting there an address like fd00::/64 it shows the following error: "The network address cannot be used for this VIP"<br />It happened on my pfSense+ box but it seems the CE 2.7.2 is also affected.</p>

pfSense Plus - Bug #15332 (New): Kea doesn't start without any logs when upload config with addit... | https://redmine.pfsense.org/issues/15332 | 2024-03-12T13:17:13Z | aleksei prokofiev
<p>If the config has an additional DHCP pool with extra parameters configured, such as default-lease-time or max-lease-time, then KEA won't start without any logs. To fix that, you need to delete those extra options from the config, or just resave the affected pool without any changes, which rewrites the config without the extra options.<br />For example:</p>
<pre>
<pool>
 <range>
  <from>192.168.6.2</from>
  <to>192.168.6.48</to>
 </range>
 <descr><![CDATA[NTP Server]]></descr>
 <defaultleasetime>600</defaultleasetime>
 <maxleasetime>3600</maxleasetime>
</pool>
</pre>
<p>After resaving, they are deleted:</p>
<pre>
<pool>
 <range>
  <from>192.168.6.2</from>
  <to>192.168.6.48</to>
 </range>
 <descr><![CDATA[NTP Server]]></descr>
 <defaultleasetime></defaultleasetime>
 <maxleasetime></maxleasetime>
</pool>
</pre>

pfSense Plus - Bug #15316 (Confirmed): OpenVPN Clients with Gateway Group Interface on DHCP Exits... | https://redmine.pfsense.org/issues/15316 | 2024-03-06T17:08:29Z | Kris Phillips
<p>By default with DHCP gateways, they are not populated into the config as <gateway_item>, but can be present in a <gateway_group>. Because of this, when assigning a gateway group to an OpenVPN client that has an interface go down in the current, active tier, OpenVPN will not properly fail over. Instead, it will hang for a long time, produce errors stating that it's "unable to bind" to the interface (because it's unplugged and the gateway disappears), give an error about being unable to delete a route, and then exits on "Error 1".</p>
<p>If you go into each gateway item under System --> Routing, edit the gateway items without making any changes, save, and apply, the gateways will become present in the config.xml, they'll show as "Pending" in gateway statuses (rather than disappearing entirely), and OpenVPN will fail over as expected.</p>
<p>Either we should be adding a <gateway_item> for each gateway that is present in a <gateway_group> or we should fix OpenVPN so that it doesn't bomb out when a gateway disappears rather than transitioning to Pending.</p>

pfSense Plus - Bug #15303 (New): dpinger service does not always switch from Pending to Online | https://redmine.pfsense.org/issues/15303 | 2024-03-02T17:07:07Z | Kris Phillips
<p>There are several situations where dpinger will not detect a gateway that is available when it should, forcing a restart of the dpinger service to "trigger" it to recheck.</p>
<p>Known situations, but there may be more:</p>
<p>1. Adding a new VTI tunnel as an interface<br />2. A release/renew of an IPv6 gateway (IPv4 gateway will show up, but IPv6 will not until a dpinger restart)<br />3. Adding an OpenVPN client/server as an interface</p>
<p>Related documentation redmine: <a class="external" href="https://redmine.pfsense.org/issues/15230">https://redmine.pfsense.org/issues/15230</a></p>

pfSense Plus - Bug #15262 (New): Captive Portal Has High CPU Interrupts With Large Number of Users | https://redmine.pfsense.org/issues/15262 | 2024-02-15T19:33:29Z | Kris Phillips
<p>When 700+ Captive Portal users are in use, CPU interrupts will cause high load averages to occur. This can lead to connectivity problems, such as packet loss on WAN uplinks, webConfigurator responsiveness issues, etc.</p>
<p>Tested with a customer who had load averages of 14-16 with Captive Portal on with 1400+ users. Once Captive Portal was turned off, load averages dropped to 0.5.</p>
<p>Load seems higher for Captive Portal when there are significant numbers of users since the transition to pf from ipfw.</p>

pfSense Plus - Bug #15202 (New): Add Option for Network Portion of Subnet "Wildcard" for IPv6 Rules | https://redmine.pfsense.org/issues/15202 | 2024-01-27T22:28:27Z | Kris Phillips
<p>Filtering hosts with IPv6 is extremely difficult when utilizing an upstream provider that is providing a Prefix Delegation via DHCPv6 because the Prefix Delegation can change, which invalidates existing rules.</p>
<p>If there was a way to detect the interface PD for firewall rules, similar to how the DHCPv6 server currently detects the delegated prefix, users could assign rules based on only the host portion of the subnet and have the firewall filter rule automatically fill in the delegated prefix network ID portion before feeding it to pf.</p>
<p>This solves the following two scenarios:</p>
<p>1. A static DHCPv6 lease is assigned, but the delegated prefix changes<br />2. Clients configured via SLAAC typically will have the same host portion of an address, regardless of the network portion discovered by RAs, unless they are utilizing privacy extensions.</p>
<p>Obviously, this won't help in cases where SLAAC is used with RFC4941, but in many cases when creating rules like this it's possible to disable privacy extensions optionally in most operating systems.</p>

pfSense Plus - Bug #15196 (Confirmed): AWS ena interfaces can become unstable/stop responding | https://redmine.pfsense.org/issues/15196 | 2024-01-27T01:01:22Z | Kris Phillips
<p>On AMD Epyc hardware in AWS, pfSense Plus ena interfaces can lose their IP addressing and then stop responding entirely.</p>
<p>The following log messages are present when this occurs:</p>
<pre>
Jan 16 18:34:35 np-aws-001 kernel: ena0: <ENA adapter> mem 0x80404000-0x80407fff at device 5.0 on pci0
Jan 16 18:34:35 np-aws-001 kernel: ena0: Elastic Network Adapter (ENA)ena v2.6.2
Jan 16 18:34:35 np-aws-001 kernel: ena0: Unable to allocate LLQ bar resource. LLQ mode won't be used.
Jan 16 18:34:35 np-aws-001 kernel: ena0: ena_com_validate_version() [TID:100000]: ENA device version: 0.10
Jan 16 18:34:35 np-aws-001 kernel: ena0: ena_com_validate_version() [TID:100000]: ENA controller version: 0.0.1 implementation version 1
Jan 16 18:34:35 np-aws-001 kernel: ena0: LLQ is not supported. Fallback to host mode policy.
Jan 16 18:34:35 np-aws-001 kernel: ena0: Ethernet address: 06:ba:32:98:fd:07
Jan 16 18:34:35 np-aws-001 kernel: ena0: [nm] netmap attach
Jan 16 18:34:35 np-aws-001 kernel: ena0: netmap queues/slots: TX 2/1024, RX 2/1024
</pre>
<p>and</p>
<pre>
Jan 19 03:49:07 kernel ena0: Found a Tx that wasn't completed on time, qid 1, index 925. 180522704 usecs have passed since last cleanup. Missing Tx timeout value 5000 msecs.
Jan 19 03:49:07 kernel ena0: Found a Tx that wasn't completed on time, qid 1, index 924. 179482704 usecs have passed since last cleanup. Missing Tx timeout value 5000 msecs.
Jan 19 03:49:07 kernel ena0: Found a Tx that wasn't completed on time, qid 1, index 923. 178472704 usecs have passed since last cleanup. Missing Tx timeout value 5000 msecs.
Jan 19 03:48:54 kernel ena0: Found a Tx that wasn't completed on time, qid 1, index 922. 167002704 usecs have passed since last cleanup. Missing Tx timeout value 5000 msecs.
</pre>

pfSense Plus - Bug #15157 (Incomplete): Problem in Restore Backup | https://redmine.pfsense.org/issues/15157 | 2024-01-12T23:35:22Z | Ramon Alonso Costa
<p>I am having the following issue when trying to update the DNS Resolver backup. Below is the file with the error.</p>

pfSense Plus - Bug #15126 (New): SG-1100 pfSense+ recovery results in non aligned disk slices | https://redmine.pfsense.org/issues/15126 | 2023-12-29T03:11:42Z | David Burns (david.burns@dugeem.net)
<p>Currently preparing for an upgrade of SG-1100 remote worker fleet.</p>
<p>However after installing the latest SG-1100 recovery image (pfSense-plus-compat-recovery-23.09.1-RELEASE-aarch64.img.gz) it appears that the resulting image restore to SG-1100 eMMC is not aligned:<br />(reference <a class="external" href="https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/reinstall-pfsense.html">https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/reinstall-pfsense.html</a>)</p>
<pre>
gpart show mmcsd0
=>       1  15273599  mmcsd0  MBR  (7.3G)
         1    409600       1  efi  (200M)
    409601    131072       2  fat32  (64M)
    540673  14732927       3  freebsd  [active]  (7.0G)
</pre>
<p>This is a UFS build. Clearly the FreeBSD slice (starting sector 540673) is not aligned with 4k / 32k / 1M boundary. Non aligned writes may have an impact on eMMC life (depends on write workload of course).</p>
<p>Within the slice the actual UFS partition is at least 8k aligned (although suboptimal given that the UFS2 default block size is 32kB):</p>
<pre>
gpart show mmcsd0s3
=>       0  14732927  mmcsd0s3  BSD  (7.0G)
         0        16            - free -  (8.0K)
        16  14732911         1  freebsd-ufs  (7.0G)
</pre>
<p>Compare this to a Netgate 7100 (with ZFS):</p>
<pre>
gpart show mmcsd0
        40  61071280  mmcsd0  GPT  (29G)
        40      1024       1  freebsd-boot  (512K)
      1064       984          - free -  (492K)
      2048   4194304       2  freebsd-swap  (2.0G)
   4196352  56872960       3  freebsd-zfs  (27G)
  61069312      2008          - free -  (1.0M)
</pre>
<p>Hopefully image build can be corrected using appropriate <strong><code>gpart add -t freebsd -a 1M ... /dev/mmcsd0</code></strong> argument parameters.</p>
<p>Lastly, is the SG-1100 (aarch64) recovery image also used for SG-2100? If so, this issue may also impact SG-2100.</p>

pfSense Plus - Bug #15104 (New): Layer 2 experimental Firewall/Rules/Ethernet: new broadcast doma... | https://redmine.pfsense.org/issues/15104 | 2023-12-18T22:48:09Z | Jonathan Lee
<p>Layer 2 broadcast domain in 23.05.01 would separate compex card from the LAN RJ45 ports. It no longer separates the layer 2 broadcast domains in 23.09.01</p>
<p>Ref: <a class="external" href="https://forum.netgate.com/topic/184894/ethernet-rules-on-two-networks">https://forum.netgate.com/topic/184894/ethernet-rules-on-two-networks</a></p>
<p>23.09.01 requires intra interface communication for layer 2 and in 23.05.01 it did not. I run guest wifi on the compex card(OPT1) so the secure side or <abbr title="WLAN">LAN</abbr> now is prone to arp broadcast storms as it no longer has separate broadcast domains.</p>
<p>Both interfaces have NAT access outbound without talking to each other but in 23.09.01 it is now required for the layer 2 to have interface to interface traffic.</p>

pfSense Plus - Bug #15036 (Confirmed): Traffic Shaper Wizard Dedicated generates error | https://redmine.pfsense.org/issues/15036 | 2023-11-27T05:56:41Z | Azamat Khakimyanov
<p>I can reproduce it on 23.01, 23.05_1 and 23.09</p>
<p>Every time I run <strong>Traffic Shaper Wizard Dedicated</strong> with HFSC queueing I get this message:<br />There were error(s) loading the rules: pfctl: linkshare sc exceeds parent's sc - The line in question reads [0]:</p>
<p>Running <strong>Traffic Shaper Wizard Dedicated</strong> with PRIQ/CBQ queueing and running <strong>Traffic Shaper Wizard Multi All</strong> with HFSC queueing work normally (without any error message)</p>
<p>It might be the same issue as <a class="external" href="https://redmine.pfsense.org/issues/2308">https://redmine.pfsense.org/issues/2308</a>, which is 11y old.</p>

pfSense Plus - Bug #15017 (Incomplete): DHCP relay CARP status VIP function is not working in pfs... | https://redmine.pfsense.org/issues/15017 | 2023-11-20T19:51:25Z | Robert Karsai
<p>Hello,<br />It seems that after the 23.05.1->23.09 upgrade the DHCP relay CARP status VIP function is not working properly. The DHCP relay agent stays active at all times (dhcrelay stays green on the dashboard widget, and pgrep dhcrelay returns running processes in the CLI); it will not be stopped when the chosen VIP is in BACKUP status. Not a big deal, there can be two active relay agents in the same network, but this is not how it is supposed to work. Strangely this only affects our pfSense+ 23.09 clusters, in pfSense CE 2.7.1 this is not an issue.<br />--<br />BR<br />Robert</p>

pfSense Plus - Bug #14401 (New): Changing from Switchport to Discrete Interface in VGA/Serial Con... | https://redmine.pfsense.org/issues/14401 | 2023-05-21T02:29:00Z | Kris Phillips
<p>If you have an interface on a switchport device, like the 7100, and reassign the interface to a discrete interface like an igb interface using the VGA or Serial console, the Status --> Dashboard and Status --> Interfaces pages will continue to use the old switchport monitor setting until you save and apply the interface, thus always showing the port as down after moving the cable. Since the Interfaces --> WAN/LAN/OPT/etc selection does not show a port monitor setting if it's using a discrete interface, there is no way to eliminate it without just saving the interface and applying.</p>

pfSense Plus - Bug #12894 (New): duplicating freshly created certificates through refreshing | https://redmine.pfsense.org/issues/12894 | 2022-03-03T14:30:26Z | Van Quach
<p>Version 22.01-Release FreeBSD 12.3-Stable</p>
<p>Bug: After successfully creating a certificate, the certificate gets duplicated by refreshing the page (while the green success notification is shown).</p>
<p>This happened to me with different CAs and it doesn't matter what type of certificate it is.</p>

pfSense Plus - Bug #12759 (New): Proprietary packages link to non-existent or non-public github p... | https://redmine.pfsense.org/issues/12759 | 2022-02-05T19:22:11Z | Kris Phillips
<p>When clicking on the version number to view the code for packages like openvpn-import and aws-wizard, these link to a non-existent GitHub page (or one that is private). We should probably add a way to just remove these links on proprietary packages for pfSense Plus.</p>
<p>For example, aws-wizard links to <a class="external" href="https://github.com/pfsense/FreeBSD-ports/commits/devel/net/pfSense-pkg-aws-wizard">https://github.com/pfsense/FreeBSD-ports/commits/devel/net/pfSense-pkg-aws-wizard</a> which is an invalid path.</p>