pfSense bugtracker: Issueshttps://redmine.pfsense.org/https://redmine.pfsense.org/favicon.ico?16780521162024-03-28T09:25:13ZpfSense bugtracker
Redmine pfSense - Bug #15366 (New): Ethernet rules are not blocking the ARP inside the bridgehttps://redmine.pfsense.org/issues/153662024-03-28T09:25:13ZLev Prokofev
<p>Configuration:</p>
<p>1)IX2 and DMZ interfaces are bridged (192.168.168.0/24)<br />2)Filtering enabled on members of the bridge<br /> net.link.bridge.pfil_member=1 <br /> net.link.bridge.pfil_bridge=0<br />3)The ethernet rules are set to not pass the ARP from any to any, of the members of the bridge.<br /><img src="https://redmine.pfsense.org/attachments/download/5988/clipboard-202403281317-ukct1.png" alt="" /><br />Result:</p>
<p>PC1 (192.168.168.12) requested the ARP for PC2 (192.168.168.10) and received the reply, but didn't receive an ARP reply from the gateway, so the rules cut traffic from the interface of pfSense but not inside the bridge broadcast.</p>
<p><img src="https://redmine.pfsense.org/attachments/download/5989/clipboard-202403281323-c06p2.png" alt="" /></p>
<p>tested on</p>
<pre>
23.09.1-RELEASE (amd64)
built on Wed Dec 20 21:27:00 MSK 2023
FreeBSD 14.0-CURRENT
</pre> pfSense - Bug #15362 (New): Config upgrade error with empty gateway interval tags.https://redmine.pfsense.org/issues/153622024-03-26T19:12:31ZSteve Wheeler
<p>Upgrading an old config that has set but empty gateway interval tags throws a php error.<br />For example a config containing:<br /><pre>
<gateway_item>
<interface>wan</interface>
<gateway>1.2.3.4</gateway>
<name>wan_gateway</name>
<weight/>
<interval/>
<descr><![CDATA[gw1]]></descr>
<defaultgw/>
</gateway_item>
</pre></p>
<p>Will hit:<br /><pre>
Fatal error: Uncaught TypeError: Unsupported operand types: string * int in /etc/inc/upgrade_config.inc:4169
Stack trace:
#0 /etc/inc/config.lib.inc(519): upgrade_130_to_131()
#1 /etc/rc.bootup(140): convert_config()
#2 {main}
thrown in /etc/inc/upgrade_config.inc on line 4169
PHP ERROR: Type: 1, File: /etc/inc/upgrade_config.inc, Line: 4169, Message: Uncaught TypeError: Unsupported operand types: string * int in /etc/inc/upgrade_config.inc:4169
Stack trace:
#0 /etc/inc/config.lib.inc(519): upgrade_130_to_131()
#1 /etc/rc.bootup(140): convert_config()
#2 {main}
</pre></p> pfSense Plus - Bug #15361 (New): Error in virtual IP aliases when using IPv6 "network" / "broadca...https://redmine.pfsense.org/issues/153612024-03-25T09:20:00ZMathis Cavalli
<p>There is no network address in IPv6, nor broadcasts like IPv4<br />When adding / editing an IP alias and putting there an address like fd00::/64 it shows the following error : "The network address cannot be used for this VIP" <br />It happened on my pfSense+ box but it seems the CE 2.7.2 is also affected.</p> pfSense - Bug #15353 (New): Crashes Every ~8-12 Hours in New 2.7.2 Install with Unbound, Suricata...https://redmine.pfsense.org/issues/153532024-03-21T06:41:37ZDevin Dawson
<p>After reading some FreeBSD posts, it appears that this bug is potentially triggered by high CPU load. This occurs for me particularly during reloading or updating pfblockerNG, even though it's not consistently reproducible. I've attempted some mitigations such as disabling promiscuous mode in Suricata and restricting its use to the WAN interface, which seems to reduce the frequency of the issue but does not eliminate it entirely. Previously, running pfblockerNG in python mode alongside Suricata on both LAN and WAN interfaces resulted in the bug occurring more frequently.</p>
<p>The crash tends to happen approximately every 8 hours or so and appears to be related to two other FreeBSD issues:</p>
<pre><code>FreeBSD Commit "vm: Fix racy checks for swap objects" - <a class="external" href="https://cgit.freebsd.org/src/commit/?id=e123264e4dc394602f9fed2f0376204b5998d815">https://cgit.freebsd.org/src/commit/?id=e123264e4dc394602f9fed2f0376204b5998d815</a><br /> FreeBSD Bug Report "panic: vm_page_free_prep: freeing mapped page" - <a class="external" href="https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=261707">https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=261707</a>"</code></pre>
<p>Further investigation and possible collaboration with the FreeBSD community may be necessary to address this issue effectively.</p>
<pre><code class="shell syntaxhl">Intel<span class="o">(</span>R<span class="o">)</span> Pentium<span class="o">(</span>R<span class="o">)</span> CPU G3250 @ 3.20GHz
2 CPUs: 1 package<span class="o">(</span>s<span class="o">)</span> x 2 core<span class="o">(</span>s<span class="o">)</span>
AES-NI CPU Crypto: No
QAT Crypto: No
Kernel PTI Enabled
MDS Mitigation VERW
</code></pre>
<pre><code class="shell syntaxhl">amd64
14.0-CURRENT
FreeBSD 14.0-CURRENT amd64 1400094 <span class="c">#1 RELENG_2_7_2-n255948-8d2b56da39c: Wed Dec 6 20:45:47 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/obj/amd64/StdASW5b/var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/sources/F</span>
Filename: /var/crash/textdump.tar.0
ddb.txt
db:0:kdb.enter.default> show registers
cs 0x20
ds 0x3b
es 0x3b
fs 0x13
gs 0x1b
ss 0
rax 0x12
rcx 0xffffffff81451bc8
rdx 0xffffffff844195ff
rbx 0x100
rsp 0xfffffe00f5272780
rbp 0xfffffe00f5272780
rsi 0xfffffe00f52721f0
rdi 0xffffffff82d3f3d8 vt_conswindow+0x10
r8 0x10
r9 0x10
r10 0xf
r11 0x10
r12 0
r13 0x2
r14 0xffffffff813d55bb
r15 0xfffffe00f54e6e40
rip 0xffffffff80d32342 kdb_enter+0x32
rflags 0x82
kdb_enter+0x32: movq <span class="nv">$0</span>,0x234a4c3<span class="o">(</span>%rip<span class="o">)</span>
db:0:kdb.enter.default> run lockinfo
db:1:lockinfo> show locks
No such <span class="nb">command</span><span class="p">;</span> use <span class="s2">"help"</span> to list available commands
db:1:lockinfo> show alllocks
No such <span class="nb">command</span><span class="p">;</span> use <span class="s2">"help"</span> to list available commands
db:1:lockinfo> show lockedvnods
Locked vnodes
db:0:kdb.enter.default> show pcpu
cpuid <span class="o">=</span> 1
dynamic pcpu <span class="o">=</span> 0xfffffe009af25f80
curthread <span class="o">=</span> 0xfffffe00f54e6e40: pid 27610 tid 100715 critnest 1 <span class="s2">"unbound-control"</span>
curpcb <span class="o">=</span> 0xfffffe00f54e7360
fpcurthread <span class="o">=</span> 0xfffffe00f54e6e40: pid 27610 <span class="s2">"unbound-control"</span>
idlethread <span class="o">=</span> 0xfffffe001de1ec80: tid 100004 <span class="s2">"idle: cpu1"</span>
self <span class="o">=</span> 0xffffffff84011000
curpmap <span class="o">=</span> 0xfffff803a5a05ad0
tssp <span class="o">=</span> 0xffffffff84011384
rsp0 <span class="o">=</span> 0xfffffe00f5273000
kcr3 <span class="o">=</span> 0x800000008aefd67f
ucr3 <span class="o">=</span> 0x8000000271748e7f
scr3 <span class="o">=</span> 0x271748e7f
gs32p <span class="o">=</span> 0xffffffff84011404
ldt <span class="o">=</span> 0xffffffff84011444
tss <span class="o">=</span> 0xffffffff84011434
curvnet <span class="o">=</span> 0
db:0:kdb.enter.default> bt
Tracing pid 27610 tid 100715 td 0xfffffe00f54e6e40
kdb_enter<span class="o">()</span> at kdb_enter+0x32/frame 0xfffffe00f5272780
vpanic<span class="o">()</span> at vpanic+0x163/frame 0xfffffe00f52728b0
panic<span class="o">()</span> at panic+0x43/frame 0xfffffe00f5272910
trap_fatal<span class="o">()</span> at trap_fatal+0x40c/frame 0xfffffe00f5272970
trap_pfault<span class="o">()</span> at trap_pfault+0x4f/frame 0xfffffe00f52729d0
calltrap<span class="o">()</span> at calltrap+0x8/frame 0xfffffe00f52729d0
<span class="nt">---</span> <span class="nb">trap </span>0xc, rip <span class="o">=</span> 0xffffffff8127ee47, rsp <span class="o">=</span> 0xfffffe00f5272aa0, rbp <span class="o">=</span> 0xfffffe00f5272ac0 <span class="nt">---</span>
free_pv_entry<span class="o">()</span> at free_pv_entry+0x47/frame 0xfffffe00f5272ac0
pmap_pv_promote_pde<span class="o">()</span> at pmap_pv_promote_pde+0x14e/frame 0xfffffe00f5272b00
pmap_promote_pde<span class="o">()</span> at pmap_promote_pde+0x2fa/frame 0xfffffe00f5272b80
pmap_enter<span class="o">()</span> at pmap_enter+0xe8f/frame 0xfffffe00f5272c50
vm_fault<span class="o">()</span> at vm_fault+0xbf4/frame 0xfffffe00f5272d60
vm_fault_trap<span class="o">()</span> at vm_fault_trap+0x6b/frame 0xfffffe00f5272db0
trap_pfault<span class="o">()</span> at trap_pfault+0x1d9/frame 0xfffffe00f5272e10
<span class="nb">trap</span><span class="o">()</span> at <span class="nb">trap</span>+0x442/frame 0xfffffe00f5272f30
calltrap<span class="o">()</span> at calltrap+0x8/frame 0xfffffe00f5272f30
<span class="nt">---</span> <span class="nb">trap </span>0xc, rip <span class="o">=</span> 0x82784d8d0, rsp <span class="o">=</span> 0x820a9f758, rbp <span class="o">=</span> 0x820a9f940 <span class="nt">---</span>
</code></pre> pfSense Plus - Bug #15332 (New): Kea doesn't start without any logs when upload config with addit...https://redmine.pfsense.org/issues/153322024-03-12T13:17:13Zaleksei prokofiev
<p>If the config has additioan DHCP pool with extra parametrs configured, such default-lease-time or max-lease-time, then KEA won't start with out any logs. To fix that need delete from config those extra option. Or just resave affected pool without any changes, it will lead rewrite config without extra options. <br />For example <br /><pool><br /> <range><br /> <from>192.168.6.2</from><br /> <to>192.168.6.48</to><br /> </range><br /> <descr><![CDATA[NTP Server]]></descr><br /> <defaultleasetime>600</defaultleasetime><br /> <maxleasetime>3600</maxleasetime><br />After resave it will deleted<br /><pool><br /> <range><br /> <from>192.168.6.2</from><br /> <to>192.168.6.48</to><br /> </range><br /> <descr><![CDATA[NTP Server]]></descr><br /> <defaultleasetime></defaultleasetime><br /> <maxleasetime></maxleasetime></p> pfSense Plus - Bug #15303 (New): dpinger service does not always switch from Pending to Onlinehttps://redmine.pfsense.org/issues/153032024-03-02T17:07:07ZKris Phillips
<p>There are several situations where dpinger will not detect a gateway that is available when it should, forcing a restart of the dpinger service to "trigger" it to recheck.</p>
<p>Known situations, but there may be more:</p>
<p>1. Adding a new VTI tunnel as an interface<br />2. A release/renew of an IPv6 gateway (IPv4 gateway will show up, but IPv6 will not until a dpinger restart)<br />3. Adding an OpenVPN client/server as an interface</p>
<p>Related documentation redmine: <a class="external" href="https://redmine.pfsense.org/issues/15230">https://redmine.pfsense.org/issues/15230</a></p> pfSense Packages - Bug #15296 (New): WAN Interface cannot added to ntopng if offline-packet loss https://redmine.pfsense.org/issues/152962024-02-29T06:58:23ZSergei Shablovsky
<p>Brilliant pfSense DevTeam !</p>
<p>In multi-WAN pfSense configuration WAN interfaces that pfSense decide in “Offline, Packet loss” state CANNOT BE ADDED into ntopng config.</p>
<p>(to adding certain WAN connection (for example if WAN interface come from “Offline, packet loss” state to “Online” state), ntopng need to be disabled, service stopped, ntopng pkg uninstalled (with all data and configs deleted), than hardware rebooting, install ntopng pkg again, and only after that new WAN with “Online” status becomes visible as Interface in ntopng”).</p>
<p>But LAN interfaces ALL would be ADDED as well even some of them are not connected physically. So this bug related only WAN interfaces.</p>
<p>P.S.<br />This is related for WAN DHCP, do not know about WAN STATIC.</p> pfSense Packages - Bug #15292 (New): Certificate renewal with 'dns_inwx.sh' not working: Error ad...https://redmine.pfsense.org/issues/152922024-02-26T09:51:00ZLorenzo Marroccoli
<p>Hello,</p>
<p>we use Acme-package to obtain a wildcard certificate for our domain. It has always worked well. <br />Lately, the renewal process failed, as dns_inwx.sh is no longer able to add the necessary TXT-record via the API of the DNS provider INWX.<br />It started failing about five days ago and since then it failed once a day within the cron-scheduled-job. I tried manual renewal via GUI as well, same result.</p>
<p>The relevant log file is attached. (the domain has been redacted in the logs to somedomain.com)</p> pfSense - Bug #15291 (New): Error on Traffic Shaper 0% Bandwidthhttps://redmine.pfsense.org/issues/152912024-02-26T09:35:21ZPavan K
<p>Link to post on pfSense Forum: <br /><a class="external" href="https://forum.netgate.com/topic/186137/error-on-traffic-shaper-0-bandwidth?_=1708915183963">https://forum.netgate.com/topic/186137/error-on-traffic-shaper-0-bandwidth?_=1708915183963</a></p>
<p>Backstory:<br />recently we migrated from pfSense 2.4.x to 2.7.2 which was a direct update. Everything worked fine etc the traffic shaping feature.</p>
<p>Following is the error:<br />There were error(s) loading the rules: pfctl: the sum of the child<br />bandwidth (1200000000) higher than parent "root_igc4" (1000000000) -<br />The line in question reads [0]: @ 2024-01-31 16:45:05</p>
<p>Following is our configuration:<br />Name → FAIRQ_7<br />Priority→ 7<br />Scheduler Option → Random Early detection in and out<br />Bandwidth → None</p>
<p>Add new Queue(Default)<br />Enable<br />Name → qFAIRQ_2(Default)<br />Priority→ 2<br />Scheduler Option → Default<br />Bandwidth → None</p>
<p>Add new Queue(ACK)<br />Enable<br />Name → qACK_6<br />Priority→ 6<br />Scheduler Option → Random Early detection in and out<br />Bandwidth → None</p>
<p>According to the configuration the Bandwidth on Queue(ACK) should be 0% which was migrated off from 2.4.x but on 2.7.2 it's not letting us save 0% bandwidth for some reason.</p>
<p>And due to this new rules which are created are not taking effect it's only after we disable and enable the Traffic Shaper completely the rule is effective.</p> pfSense - Bug #15287 (New): hw.ix.unsupported_sfp=1 parameter for ix driver not workinghttps://redmine.pfsense.org/issues/152872024-02-23T09:29:33ZEric Chaubert
<p>When using ix driver with an Intel 82599ES chipset the driver seem not to support anymore the hw.ix.unsupported_sfp=1 even if configured in the loader.conf files.</p>
<p>On top of that when enumerating the pic numbers if the drivers fails on one interface it uses the same interface id for the next one. This creates a physical to logical binding of the psi slots that changes between boot sequences weather there is an initialisation error on one pci device which is not the expected behaviour,</p>
<p>Reading through the various message boards it looks like a regression as it was reported to work on previous releases.</p>
<p>Drivers, configs, logs and trace information attached to this bug report as files.</p>
<p>Firmware versin: dev.ix.0.fw_version: eTrack 0x800004e1 PHY FW V65535</p> pfSense Plus - Bug #15262 (New): Captive Portal Has High CPU Interrupts With Large Number of Usershttps://redmine.pfsense.org/issues/152622024-02-15T19:33:29ZKris Phillips
<p>When 700+ Captive Portal users are in use, CPU interrupts will cause high load averages to occur. This can lead to connectivity problems, such as packet loss on WAN uplinks, webConfigurator responsiveness issues, etc.</p>
<p>Tested with a customer who had load averages of 14-16 with Captive Portal on with 1400+ users. Once Captive Portal was turned off, load averages dropped to 0.5.</p>
<p>Load seems higher for Captive Portal when there is significant numbers of users since the transition to pf from ipfw.</p> pfSense - Bug #15258 (New): DynDNS for Gandi no longer workshttps://redmine.pfsense.org/issues/152582024-02-14T18:01:39ZMatthew Drury
<p>In August 2023 Gandi changed how authentication works with their API. Now you need to use Personal Access Tokens and a new Authentication header in HTTP updates/calls.</p>
<p>If attempting to use the PATs in pfSense now, the log shows a 403 Authentication error, Permission Denied.</p> pfSense Packages - Bug #15229 (New): ACME DNS-Selfhost verification issueshttps://redmine.pfsense.org/issues/152292024-02-03T07:50:08ZSTefan Graf
<p>When using Selfhost.de DNS verification and entering the requested information the renewal is not working.<br />To make it work the following amendments are required:</p>
<p>1. Update /usr/local/pkg/acme/acme.inc - line 1317</p>
<pre><code class="php syntaxhl"><span class="nv">$acme_domain_validation_method</span><span class="p">[</span><span class="s1">'dns_selfhost'</span><span class="p">]</span> <span class="o">=</span> <span class="k">array</span><span class="p">(</span><span class="s1">'name'</span> <span class="o">=></span> <span class="s2">"DNS-Selfhost"</span><span class="p">,</span>
<span class="s1">'fields'</span> <span class="o">=></span> <span class="k">array</span><span class="p">(</span>
<span class="s1">'SELFHOSTDNS_USERNAME'</span> <span class="o">=></span> <span class="k">array</span><span class="p">(</span><span class="s1">'name'</span> <span class="o">=></span> <span class="s2">"selfhostdns_username"</span><span class="p">,</span> <span class="s1">'columnheader'</span> <span class="o">=></span> <span class="s2">"Username (customer number - not email address or DynDNS account)"</span><span class="p">,</span> <span class="s1">'type'</span> <span class="o">=></span> <span class="s2">"textbox"</span><span class="p">,</span>
<span class="s1">'description'</span> <span class="o">=></span> <span class="s2">"Username"</span>
<span class="p">),</span>
<span class="s1">'SELFHOSTDNS_PASSWORD'</span> <span class="o">=></span> <span class="k">array</span><span class="p">(</span><span class="s1">'name'</span> <span class="o">=></span> <span class="s2">"selfhostdns_password"</span><span class="p">,</span> <span class="s1">'columnheader'</span> <span class="o">=></span> <span class="s2">"Password"</span><span class="p">,</span> <span class="s1">'type'</span> <span class="o">=></span> <span class="s2">"password"</span><span class="p">,</span>
<span class="s1">'description'</span> <span class="o">=></span> <span class="s2">"Password"</span>
<span class="p">),</span>
<span class="s1">'SELFHOSTDNS_MAP'</span> <span class="o">=></span> <span class="k">array</span><span class="p">(</span><span class="s1">'name'</span> <span class="o">=></span> <span class="s2">"selfhostdns_map"</span><span class="p">,</span> <span class="s1">'columnheader'</span> <span class="o">=></span> <span class="s2">"RecordID (found in brackets when editing the record)"</span><span class="p">,</span> <span class="s1">'type'</span> <span class="o">=></span> <span class="s2">"textbox"</span><span class="p">,</span>
<span class="s1">'description'</span> <span class="o">=></span> <span class="s2">"SELFHOSTDNS_MAP"</span>
<span class="p">)</span>
<span class="p">));</span>
</code></pre>
<p>2. Additional the password requires additional conversion to not break the URL syntax.<br /> For example the letter '#' needs to be converted to '%23'</p> pfSense - Bug #15216 (New): captive portal zone name conflicts with existing interface namehttps://redmine.pfsense.org/issues/152162024-01-30T15:47:21ZGeorgiy Tyutyunnik
<p>Customer reports intermittent issues with captive portal on HA cluster.<br />Connectivity between nodes in this VLAN interface breaks periodically, client traffic gets dropped.<br />The issue seems to be linked with the captive portal zone having the same name as its parent interface. Recreating the same zone with a different name fixes the issue.<br />config for the parent interface, CARP VIP and zone are attached.</p> pfSense Plus - Bug #15202 (New): Add Option for Network Portion of Subnet "Wildcard" for IPv6 Ruleshttps://redmine.pfsense.org/issues/152022024-01-27T22:28:27ZKris Phillips
<p>Filtering hosts with IPv6 is extremely difficult when utilizing an upstream provider that is providing a Prefix Delegation via DHCPv6 because the Prefix Delegation can change, which invalidates existing rules.</p>
<p>If there was a way to detect the interface PD for firewall rules, similar to how the DHCPv6 server currently detects the delegated prefix, users could assign rules based on only the host portion of the subnet and have the firewall filter rule automatically fill in the delegated prefix network ID portion before feeding it to pf.</p>
<p>This solves the following two scenarios:</p>
<p>1. A static DHCPv6 lease is assigned, but the delegated prefix changes<br />2. Clients configured via SLAAC typically will have the same host portion of an address, regardless of the network portion discovered by RAs, unless they are utilizing privacy extensions.</p>
<p>Obviously, this won't help in cases where SLAAC is used with RFC4941, but in many cases when creating rules like this it's possible to disable privacy extensions optionally in most operating systems.</p>