pfSense bugtracker: Issueshttps://redmine.pfsense.org/https://redmine.pfsense.org/favicon.ico?16780521162023-12-17T03:04:21ZpfSense bugtracker
Redmine pfSense Packages - Bug #15100 (New): Tailscale IPv6 Exit Node uses first LAN interface when WAN i...https://redmine.pfsense.org/issues/151002023-12-17T03:04:21ZKris Phillips
<p>When Tailscale on pfSense Plus is being used as an exit node for IPv6 connectivity and the WAN interface is set to "Only request an IPv6 prefix, do not request an IPv6 address", it will use the first sequential LAN interface's IPv6 address for outbound connectivity instead. We should probably add an option to Tailscale to select which interface for WAN connectivity is used for the NAT address for IPv4 and IPv6 for outbound connectivity, because this resulted in my internal, secure work VLAN address being used when I had routing policies in Tailscale to only allow access to my home VLAN instead (due to the fact that the work VLAN was the first sequential LAN). Not being able to choose the interface that is used for NAT on the exit node could lead to certain situations where access to resources that shouldn't be is possible under certain circumstances.</p> pfSense - Bug #15098 (New): Wireguard crashes on boot if PPPoE is the default gatewayhttps://redmine.pfsense.org/issues/150982023-12-15T20:06:02ZOskar Stroka
<p>This only seems to happen after a fresh boot, and only if any PPPoE connection is the default gateway. <br />Even the service watchdog can't bring wireguard back up. <br />The workaround is to go to "Status" - "Interfaces", disconnect the PPPoE line and enable it again. <br />After that wireguard will start without a problem.<br />I've only noticed this issue after moving to newer / better hardware.</p> pfSense Packages - Feature #14863 (New): WireGuard suppport for aliaseshttps://redmine.pfsense.org/issues/148632023-10-11T07:53:52ZBob Dig
<p>Allow to use aliases in "Allowed IPs" in the WireGuard Peer config. That would match with the general ability to use aliases for static routes in pfSense, see <a class="external" href="https://forum.netgate.com/topic/183339/feature-request-support-for-aliases">https://forum.netgate.com/topic/183339/feature-request-support-for-aliases</a>.</p> pfSense - Bug #14613 (New): Incorrect wireguard control panel status managementhttps://redmine.pfsense.org/issues/146132023-07-26T14:59:29Zhao zhang
<p><img src="https://redmine.pfsense.org/attachments/download/5201/clipboard-202307262256-rlh8k.png" alt="" /><br />Wireguard can still be clicked on to start while in the boot state and is unresponsive when clicked on, making wireguard uncontrollable.<br />pfsense2.7<br />pfSense-pkg-WireGuard 0.2.0_2</p> pfSense Packages - Todo #14333 (New): Reduce config writeshttps://redmine.pfsense.org/issues/143332023-05-01T15:28:11ZMarcos M
<p>When the service is started, multiple config writes are performed. System logs (reversed) show:<br /><pre>
May 1 09:12:32 check_reload_status 1213 Reloading filter
May 1 09:12:31 check_reload_status 1213 Syncing firewall
May 1 09:12:31 php_wg 15988 /usr/local/pkg/wireguard/includes/wg_service.inc: Configuration Change: (system): [pfSense-pkg-WireGuard] Applied package default settings as necessary.
May 1 09:12:31 php_wg 15988 /usr/local/pkg/wireguard/includes/wg_service.inc: Configuration Change: (system): [pfSense-pkg-WireGuard] Installed Unbound ACL group (WireGuard).
May 1 09:12:30 php_wg 15988 /usr/local/pkg/wireguard/includes/wg_service.inc: Configuration Change: (system): [pfSense-pkg-WireGuard] De-installed Unbound ACL group (WireGuard).
May 1 09:12:30 php_wg 15988 /usr/local/pkg/wireguard/includes/wg_service.inc: Configuration Change: (system): [pfSense-pkg-WireGuard] Installed interface group (WireGuard).
May 1 09:12:30 php_wg 15988 /usr/local/pkg/wireguard/includes/wg_service.inc: Configuration Change: (system): [pfSense-pkg-WireGuard] De-installed interface group (WireGuard).
May 1 09:12:30 check_reload_status 1213 Syncing firewall
May 1 09:12:30 php_wg 15988 /usr/local/pkg/wireguard/includes/wg_service.inc: Configuration Change: (system): [pfSense-pkg-WireGuard] Installed earlyshellcmd(s).
May 1 09:12:30 check_reload_status 1213 Syncing firewall
May 1 09:12:30 php_wg 15988 /usr/local/pkg/wireguard/includes/wg_service.inc: Configuration Change: (system): [pfSense-pkg-WireGuard] De-installed earlyshellcmd(s).
May 1 09:12:29 kernel tun_wg0: link state changed to UP
May 1 09:12:29 kernel wg0: changing name to 'tun_wg0'
May 1 09:12:28 check_reload_status 1213 Syncing firewall
May 1 09:12:28 php_wg 15988 /usr/local/pkg/wireguard/includes/wg_service.inc: Configuration Change: (system): [pfSense-pkg-WireGuard] Applied package default settings as necessary.
May 1 09:12:28 php_wg 15988 /usr/local/pkg/wireguard/includes/wg_service.inc: Configuration Change: (system): [pfSense-pkg-WireGuard] Installed Unbound ACL group (WireGuard).
May 1 09:12:28 php_wg 15988 /usr/local/pkg/wireguard/includes/wg_service.inc: Configuration Change: (system): [pfSense-pkg-WireGuard] De-installed Unbound ACL group (WireGuard).
May 1 09:12:28 php_wg 15988 /usr/local/pkg/wireguard/includes/wg_service.inc: Configuration Change: (system): [pfSense-pkg-WireGuard] Installed interface group (WireGuard).
May 1 09:12:28 php_wg 15988 /usr/local/pkg/wireguard/includes/wg_service.inc: Configuration Change: (system): [pfSense-pkg-WireGuard] De-installed interface group (WireGuard).
May 1 09:12:27 check_reload_status 1213 Syncing firewall
May 1 09:12:27 php_wg 15988 /usr/local/pkg/wireguard/includes/wg_service.inc: Configuration Change: (system): [pfSense-pkg-WireGuard] Installed earlyshellcmd(s).
May 1 09:12:27 check_reload_status 1213 Syncing firewall
May 1 09:12:27 php_wg 15988 /usr/local/pkg/wireguard/includes/wg_service.inc: Configuration Change: (system): [pfSense-pkg-WireGuard] De-installed earlyshellcmd(s).
May 1 09:12:26 php-fpm 4806 /status_services.php: The command '/usr/local/etc/rc.d/wireguardd stop' returned exit code '1', the output was ''
May 1 09:12:17 kernel tun_wg0: link state changed to DOWN
</pre></p>
<p>This leads to 4 new config history entries. Since this happens any time packages are restarted (e.g. due to WAN events), it adds up quickly. The issue is compounded when ACB is enabled and set to back up on config changes rather than a schedule.</p>
<p>Additionally, it seems there may be an error here:</p>
<blockquote>
<p>May 1 09:12:26 php-fpm 4806 /status_services.php: The command '/usr/local/etc/rc.d/wireguardd stop' returned exit code '1', the output was ''</p>
</blockquote> pfSense Packages - Feature #13474 (New): Don't set ListenPort in wireguardhttps://redmine.pfsense.org/issues/134742022-09-06T19:08:51ZFlole Systems
<p>Currently it is not possible to not set the ListenPort setting for wireguard. I suggest to use the special value 0 as a port and then mentioning that setting it to 0 disables this.</p> pfSense Packages - Bug #13405 (New): Wireguard: The webgui becomes excessively slow to respond wi...https://redmine.pfsense.org/issues/134052022-08-11T09:12:04ZSteve Wheeler
<p>Webgui pages that include data from Wireguard can become very slow to respond with a large number of elements present (peers/tunnels).</p>
<p>Code that parses the output of 'wg show all dump' creates a delay.</p>
<p>For example we see delays of ~10s opening the Wireguard status page with 80 peers defined on a 6100.</p>
<p>This affects the peers, tunnels and status pages. And to a lesser extent the dashboard when the Wireguard widget is disaplayed.</p> pfSense Packages - Feature #13096 (Feedback): Improve robustness of Snort Rules Update Log size l...https://redmine.pfsense.org/issues/130962022-04-25T09:47:09ZBill Meeks
<p>Change the code for truncating the Snort Rules Update Log file when it exceeds the maximum configured size to be more robust by dropping the use of <em>unlink()</em> and use the method used in the Suricata package instead.</p> pfSense Packages - Bug #13095 (Feedback): Snort VRT change in Shared Object Rules path name resul...https://redmine.pfsense.org/issues/130952022-04-25T09:43:25ZBill Meeks
<p>Apparently the Snort Vulnerability Research Team recently altered part of the path name inside the Snort Rules Update archive. This results in failure of the Snort package code to properly extract and copy the Shared Object (SO) rules when performing the periodic rules update. A portion of the long directory path in the archive was changed from "x86_64" to "x86-64" (replaced the underscore with a dash).</p> pfSense Packages - Bug #12979 (Pull Request Review): Snort Rules Update Process Using Deprecated ...https://redmine.pfsense.org/issues/129792022-03-23T14:23:01ZBill Meeks
<p>Beginning around the first of March 2022, the Snort rules update package from the Snort VRT changed the subdirectory name for the precompiled Shared Object (SO) rules, in the archive, from "FreeBSD-12" to "FreeBSD-13". The Snort rules update code in the GUI parses the current FreeBSD version from the operating system, so since pfSense is still on FreeBSD 12.3, this results in the rules update code searching for a non-existent "FreeBSD-12" subdirectory in the archive when unpacking it. Until such time as pfSense moves to FreeBSD-13, this logic needs to be changed and the subdirectory name hard-coded to "FreeBSD-13".</p> pfSense Packages - Bug #12924 (New): DNS Resolver WireGuard ACL Inconsistencyhttps://redmine.pfsense.org/issues/129242022-03-09T10:59:57ZKevin Mychal Ong
<p>Initially, I had two pfsense nodes connected via the WireGuard package. My tunnel network was 10.0.3.0/30 for p2p. I then added another pfsense node to make the topology hub and spoke. Naturally, I had to make my tunnel network larger, so I changed the WG interface subnets to /29 instead and proceeded with adding the third node. Everything is working properly except for the fact that the Unbound ACL that's created by WireGuard on the first two nodes did not change from /30 to /29. It says in the description not to touch those but I manually changed them to /29 instead just to make things consistent. However, after restarting the pfsense box, it just goes back to /30.</p> pfSense Packages - Bug #12760 (New): Link-local addresses disallowed on Wireguard interfaceshttps://redmine.pfsense.org/issues/127602022-02-06T00:46:58ZAlex Chang-Lam
<p>Wireguard supports link-local IPv6, however adding a static link-local to interfaces is not allowed, even for interfaces of type tun_wg.</p>
<p>This is particularly necessary for dn42.</p> pfSense Docs - Todo #12756 (New): Add information on correct MTU to use with WireGuardhttps://redmine.pfsense.org/issues/127562022-02-04T08:51:57ZViktor Gurov
<p><strong>Page:</strong> <a class="external" href="https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-ra.html">https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-ra.html</a></p>
<p><strong>Feedback:</strong></p>
<p>In all four Wireguard configuration recepies, there is no mention of changing the MTU and MSS values</p> pfSense - Todo #10199 (New): Improve Spanish translation interfacehttps://redmine.pfsense.org/issues/101992020-01-22T09:20:34ZAluisco Miguel Ricardo MastrapapfSense - Feature #9293 (New): Provide WebUI message (banner) prior to loginhttps://redmine.pfsense.org/issues/92932019-01-29T06:18:56ZRyan Haraschak
<p>While trying to deploy in govt environments, they have security guidelines (STIGs) we're required to follow. Some, as trivial as they seem, include displaying banners before logging in. I've been able to modify the html\php to meet this requirement, however, as expected, the changes are lost after an update.</p>
<p>Would it be possible to add a text entry field on the general settings page that provides a persistent webui login banner?</p>
<p>Here's an example from the <a href="https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2018-03-01/finding/V-38593" class="external">DoD RHEL STIGs</a>:</p>
<pre>
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
</pre>