pfSense bugtracker: Issues (Redmine) | https://redmine.pfsense.org/ | 2024-03-11T16:52:27Z
pfSense - Feature #15331 (New): Client (service) for CloudFlare WARP/WARP+ | https://redmine.pfsense.org/issues/15331 | 2024-03-11T16:52:27Z | Sergei Shablovsky
<p><strong>For a couple of years now, CloudFlare has in fact been the fastest and most reliable proxy and SDN for most users.</strong><br />(Sometimes backbone and core border routing problems that hit Akamai have only a small effect on CF.)<br />Most of the “childhood problems” of a new and fast-growing company HAVE GONE AWAY.</p>
<p>And <strong>THE NUMBER OF POINTS OF PERSISTENCE (data centers, servers in colocation) IS CONSTANTLY GROWING!</strong></p>
<p><strong>All this makes the CloudFlare WARP/WARP+ service more and more wanted, not only by most ordinary and advanced users, but also by small and medium private businesses and government organizations.</strong></p>
<p>And as a result, since 2022 more and more coders have tried to implement CloudFlare WARP/WARP+ client code for various OSs, especially those on which routers/firewalls are based.</p>
<p>Please take a look at<br />the thread on pfSense CE<br /><a class="external" href="https://forum.netgate.com/topic/177267/connecting-to-cloudflare-surely-its-possible">https://forum.netgate.com/topic/177267/connecting-to-cloudflare-surely-its-possible</a></p>
<p>the thread on CloudFlare</p>
<p><a class="external" href="https://community.cloudflare.com/t/warp-client-for-freebsd-based-firewalls-eg-pfsense-opnsense/426717/1">https://community.cloudflare.com/t/warp-client-for-freebsd-based-firewalls-eg-pfsense-opnsense/426717/1</a></p>
<p>So, the bottom line of all of this:<br />making a CloudFlare WARP/WARP+ client as a separate package for pfSense would not take much time and effort.</p>
<p>If the DevTeam makes it right now, with testing and feedback from users over the summer (when there is not so much business workload and the negative impact would be minimal) for the next upcoming release (2.7.3-REL), this would be “adding more value to pfSense” and growing the distance from the competitor OPNsense.</p>
pfSense Packages - Feature #15300 (New): allow changing the value of "forward" key | https://redmine.pfsense.org/issues/15300 | 2024-03-01T14:45:45Z | Alex Kolesnik (pfsenseorg3@temp.spb.ru)
<p>Currently, if a Zone Type is Forward, the resulting config contains the "forward only;" setting and that cannot be changed even with the custom options set. However, it might be desirable to change the resolving behavior to "forward first;".<br />It would be great if you implemented that feature. Thank you!</p>
pfSense Packages - Bug #15296 (New): WAN Interface cannot be added to ntopng if offline-packet loss | https://redmine.pfsense.org/issues/15296 | 2024-02-29T06:58:23Z | Sergei Shablovsky
<p>Brilliant pfSense DevTeam!</p>
<p>In a multi-WAN pfSense configuration, WAN interfaces that pfSense decides are in the “Offline, Packet loss” state CANNOT BE ADDED to the ntopng config.</p>
<p>(To add a certain WAN connection (for example, if a WAN interface goes from the “Offline, packet loss” state to the “Online” state), ntopng needs to be disabled, the service stopped, the ntopng pkg uninstalled (with all data and configs deleted), then the hardware rebooted and the ntopng pkg installed again, and only after that does the new WAN with “Online” status become visible as an Interface in ntopng.)</p>
<p>But ALL LAN interfaces would be ADDED, even if some of them are not physically connected. So this bug relates only to WAN interfaces.</p>
<p>P.S.<br />This relates to WAN DHCP; I do not know about WAN STATIC.</p>
pfSense - Feature #15221 (New): Make System Tunables table sortable | https://redmine.pfsense.org/issues/15221 | 2024-01-31T19:43:54Z | Ronald Antony (rcfa+pfsense.org@cubiculum.com)
<p>On the System > Advanced page's System Tunables tab, it's really hard to <br />a) find/check values, since they are in no particular order<br />b) compare the settings of two machines, because, again, the values are in no particular order.</p>
<p>Being able to sort them by the Tunable Name is particularly important as it seems the Description of these fields has been changed over the years, so two systems originally set up at different times with different versions of pfSense have different descriptions for the same field, making it even harder to find/compare the values.</p>
pfSense Packages - Feature #15218 (New): Allow manual ordering of generated rules | https://redmine.pfsense.org/issues/15218 | 2024-01-30T19:01:53Z | Ronald Antony (rcfa+pfsense.org@cubiculum.com)
<p>Under Firewall > pfBlockerNG in the IP tab's IP Interface/Rules Configuration section, there's the "Firewall 'Auto' Rule Order" setting.</p>
<p>What's needed here is a "manual" option, where new rules are simply appended at the bottom, and the user can then reorder them where they should be on the Firewall Rules setting page.<br />I have a rather specific ordering of my rules, and each time something updates the auto rules, my rule order is messed up, and I must reorder them, which is frankly a major PITA.</p>
<p>In particular I have certain pass rules that MUST always be at first place, but then I want all the blocking and filter rules, and last I want the regular passing rules. e.g. I want spammers filtered before they get passed to the mail server, but I want anti-lockout rules to always pass traffic to my admin software interfaces, no matter what.</p>
<p>So the auto rules must go between pfSense pass rules, and that won't work. To prevent getting potentially locked out, I must use the order "pfSense Pass/Match | pfb_Pass/Match | pfB_Block/Reject | pfSense Block/Reject" auto-order, but my actual order is more like "pfSense Pass/Match | pfSense Block/Reject | pfb_Pass/Match | pfB_Block/Reject | pfSense Pass/Match" where obviously only I know what goes where.</p>
<p>So manual ordering is a key option that should be provided...</p>
pfSense Packages - Feature #15056 (New): Feature Request: Donate to Package Maintainer Button | https://redmine.pfsense.org/issues/15056 | 2023-12-01T20:31:37Z | Jonathan Lee
<p>Maybe the packages should have a donate button to send some money to maintainers. I recently learned that Snort was built with donated time. I was really confused about this. It kind of confused me.</p>
pfSense Packages - Bug #15048 (New): Snort large memory consumption when updating | https://redmine.pfsense.org/issues/15048 | 2023-11-29T09:47:49Z | Ricardo ot
<p>Snort since the last updates uses a lot of memory when updating and it has a big impact. Can this be improved?</p>
<p>Thanks,</p>
<p>I have these configurations active for 2 interfaces:<br />Resolve Flowbits. checked.<br />Use IPS Policy. Checked.<br />IPS Policy Selection. Connectivity.<br />All the rulesets (Categories). Checked all</p>
<p>I already changed the pfBlockerNG configuration to use "Unbound python mode" and changed the time so that the update is not done at the same time. This has improved pfBlockerNG's memory usage.</p>
<p>System log Logs:</p>
<blockquote>
<p>Nov 29 00:48:16 php 46952 [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload<br />Nov 29 00:45:00 php 46952 [pfBlockerNG] Starting cron process.<br />Nov 29 00:25:57 php 85398 [Snort] The Rules update has finished.<br />Nov 29 00:25:57 php 85398 [Snort] Snort has restarted on WANONT with your new set of rules...<br />Nov 29 00:25:45 php 85398 [Snort] Snort START for <abbr title="vmx3">WANONT</abbr>...<br />Nov 29 00:25:44 kernel pid 31736 (snort), jid 0, uid 0: exited on signal 11 (core dumped)<br />Nov 29 00:25:44 snort 31736 * * * Caught Term-Signal<br />Nov 29 00:25:43 php 85398 [Snort] Snort STOP for <abbr title="vmx3">WANONT</abbr>...<br />Nov 29 00:25:42 php 85398 [Snort] Building new sid-msg.map file for WANONT...<br />Nov 29 00:25:42 php 85398 [Snort] Enabling any flowbit-required rules for: WANONT...<br />Nov 29 00:25:42 php 85398 [Snort] Enabling any flowbit-required rules for: WANONT...<br />Nov 29 00:25:41 php 85398 [Snort] Updating rules configuration for: WANONT ...<br />Nov 29 00:25:41 php 85398 [Snort] Snort has restarted on LAN with your new set of rules...<br />Nov 29 00:25:29 kernel pid 29090 (snort), jid 0, uid 0: exited on signal 11 (core dumped)<br />Nov 29 00:25:29 php 85398 [Snort] Snort START for <abbr title="vmx1">LAN</abbr>...<br />Nov 29 00:25:28 snort 29090 *** Caught Term-Signal<br />Nov 29 00:25:27 php 85398 [Snort] Snort STOP for <abbr title="vmx1">LAN</abbr>...<br />Nov 29 00:25:27 php 85398 [Snort] Building new sid-msg.map file for LAN...<br />Nov 29 00:25:27 php 85398 [Snort] Enabling any flowbit-required rules for: LAN...<br />Nov 29 00:25:26 php 85398 [Snort] Enabling any flowbit-required rules for: LAN...<br />Nov 29 00:25:26 php 85398 [Snort] Updating rules configuration for: LAN ...<br />Nov 29 00:25:25 php 85398 [Snort] Building new sid-msg.map file for WAN...<br />Nov 29 00:25:25 php 85398 [Snort] Enabling any flowbit-required rules for: WAN...<br />Nov 29 00:25:25 php 85398 [Snort] Enabling any 
flowbit-required rules for: WAN...<br />Nov 29 00:25:24 php 85398 [Snort] Updating rules configuration for: WAN ...<br />Nov 29 00:25:24 php 85398 [Snort] Removed 49 obsoleted rules category files.<br />Nov 29 00:25:24 php 85398 [Snort] Hide Deprecated Rules is enabled. Removing obsoleted rules categories.<br />Nov 29 00:25:17 php 85398 [Snort] Feodo Tracker Botnet C2 IP rules were updated...<br />Nov 29 00:25:17 php 85398 [Snort] Feodo Tracker Botnet C2 IP rules file update downloaded successfully.<br />Nov 29 00:25:17 php 85398 [Snort] Emerging Threats Open rules file update downloaded successfully<br />Nov 29 00:25:15 php 85398 [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz...<br />Nov 29 00:25:15 php 85398 [Snort] Snort GPLv2 Community Rules file update downloaded successfully<br />Nov 29 00:25:13 php 85398 [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz...<br />Nov 29 00:25:13 php 85398 [Snort] Snort Subscriber rules file update downloaded successfully<br />Nov 29 00:25:04 php 85398 [Snort] There is a new set of Snort Subscriber rules posted. Downloading snortrules-snapshot-29200.tar.gz...</p>
</blockquote>
pfSense - Bug #15015 (New): Static routes not working | https://redmine.pfsense.org/issues/15015 | 2023-11-20T17:53:07Z | Silviu Bajenaru
<p>Hello,</p>
<p>This morning I updated to PFSense 2.7.1 from 2.7.0. Now, I just tried to add a dynamic gateway and a static route. Unfortunately, the static route is not being added to the routing table. I restored the VM backup from this morning, before I updated, added the same gateway and static route and it was added to the routing table, and everything works fine.<br />I've set the priority to Urgent since this is quite bad for a router...?</p>
More info about my setup: I've got three sites, let's call them A, B and C. There is an IPSec tunnel between A and B, and one between B and C. Both tunnels are set with Mode VTI. I've assigned the ipsec interfaces and set the gateways and routes:<br />Site A has a gateway set on the IPSec interface and a route for site C that uses that gateway.<br />Site B has two gateways (one for each IPSec tunnel) and the following routes:
<ul>
<li>route to site A via the IPSec interface - gateway - going to site A</li>
<li>route to site B via the IPSec interface - gateway - going to site B<br />Site C has a gateway set on the IPSec interface and a route for site A that uses that gateway.<br />Site A was updated this morning to PFSense 2.7.1, while Site C is running 2.7.0.<br />Site A DOES NOT have the static routes added to the routing table.<br />Site C does have the static routes added to the routing table.</li>
</ul>
<p>Once I reverted Site A to 2.7.0, I did the same config again and the routes were added to the routing table.</p>
<p>Thank you.</p>
pfSense Packages - Todo #14971 (New): Add text about the limit to use only Network type alias for... | https://redmine.pfsense.org/issues/14971 | 2023-11-11T21:45:43Z | Wolfgang Thegreat
<p>Hello,</p>
<p>At the UI path of pfBlockerNG > IP > IPv4 > edit of a table object > the section of "Advanced Inbound Firewall Rule Settings" > "Custom Destination" - I tried to add an Alias object I already had, but the auto-complete didn't work, nor did forcing the full exact name and saving.</p>
<p>Searching around I found this post<br /><a class="external" href="https://forum.netgate.com/topic/178444/advanced-inbound-firewall-rule-settings-custom-destination-only-takes-alias-of-typ-network/2">https://forum.netgate.com/topic/178444/advanced-inbound-firewall-rule-settings-custom-destination-only-takes-alias-of-typ-network/2</a></p>
<p>Which solved my issue.<br />This field of "Custom Destination" probably accepts only alias objects of type "Network".</p>
<p>It was a frustrating exercise...</p>
<p>Pleassse - Add to the text below this field - a prominent warning that this field only accepts Network type alias objects (god knows why).<br />It will save many users.</p>
<p>Thank you!</p>
pfSense Packages - Feature #14941 (New): add directdomains list in GUI | https://redmine.pfsense.org/issues/14941 | 2023-11-03T09:46:08Z | Claude-Axel Piller
<p>Is it possible to add directly in the GUI a directdomains category like whitelist or blacklist ...<br />this directdomains won't use the proxy and can access directly to internet.<br />Some apps like vrchat don't work with proxy.<br />thanks</p>
pfSense Packages - Feature #14838 (New): Full support for AdBlock-style lists | https://redmine.pfsense.org/issues/14838 | 2023-10-04T21:57:19Z | Andre Brait (andrebrait@gmail.com)
<p>The AdBlock syntax allows for both blacklisting and whitelisting, as well as using wildcards and sometimes plain regular expressions. Many popular lists make use of such features. Currently, pfBlockerNG only supports parsing simple non-wildcard blacklist entries, as long as they obey the format `^[|]{2}.*[^]$`.</p>
<p>Support can be improved, especially for the Python mode.</p>
<ul>
<li>Unbound mode:
<ul>
<li>Whitelist entries with wildcards (limited)
<ul>
<li>Using grep with regexes to rule out entries from the blacklists</li>
</ul>
</li>
</ul>
</li>
<li>Python mode
<ul>
<li>Blacklist entries with wildcard support
<ul>
<li>Requires filtering 100% inside Python</li>
</ul>
</li>
<li>Whitelist entries with wildcard support
<ul>
<li>Probably better and easier if done 100% inside Python</li>
<li>Default "re" engine might be too slow, better to import "regex"</li>
</ul></li>
</ul></li>
</ul>
<p>References: <br />1. <a class="external" href="https://help.adblockplus.org/hc/en-us/articles/360062733293-How-to-write-filters">https://help.adblockplus.org/hc/en-us/articles/360062733293-How-to-write-filters</a><br />2. <a class="external" href="https://adguard.com/kb/general/ad-filtering/create-own-filters/">https://adguard.com/kb/general/ad-filtering/create-own-filters/</a></p>
<p>Some of it is already implemented in this PR: <a class="external" href="https://github.com/pfsense/FreeBSD-ports/pull/1302">https://github.com/pfsense/FreeBSD-ports/pull/1302</a></p>
pfSense Packages - Regression #14764 (New): HAProxy local syslog not working | https://redmine.pfsense.org/issues/14764 | 2023-09-09T19:08:28Z | Michael Vincent
<p>HAProxy package v0.63_1</p>
<p>Setting the syslog host to <code>/var/run/log</code> in the HAProxy settings doesn't produce any entries in the pfSense system logs.</p>
<p>Following the suggestion in <a href="https://serverfault.com/a/1141223" class="external">this post</a> fixes the issue by making syslogd listen to a UDP socket:</p>
<ol>
<li>Edit <code>/etc/defaults/rc.conf</code> (Diagnostics -> Edit File).</li>
<li>Change <code>syslogd_flags="-s"</code> to <code>syslogd_flags="-s -b localhost -C"</code></li>
<li>Restart the syslogd service (Status -> Services).</li>
</ol>
<p>They also reference this forum post with more details:<br /><a class="external" href="https://forums.freebsd.org/threads/haproxy-not-logging.76876/#post-477067">https://forums.freebsd.org/threads/haproxy-not-logging.76876/#post-477067</a></p>
pfSense - Bug #14741 (New): PHP error in DNS Forwarder host overrides when the language is set to... | https://redmine.pfsense.org/issues/14741 | 2023-09-02T10:26:29Z | Nicolas PISTER
<p>A PHP error occurs when a user tries to add or modify a Host Override in the DNS Forwarder module.</p>
<pre>
amd64
14.0-CURRENT
FreeBSD 14.0-CURRENT #1 RELENG_2_7_0-n255866-686c8d3c1f0: Wed Jun 28 04:21:19 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_0-main/obj/amd64/LwYAddCr/var/jenkins/workspace/pfSense-CE-snapshots-2_7_0-main/sources/FreeBSD-src-REL
Crash report details:
PHP Errors:
[02-Sep-2023 11:55:24 Europe/Paris] PHP Fatal error: Uncaught ValueError: Unknown format specifier "p" in /usr/local/www/classes/Form/Input.class.php:127
Stack trace:
#0 /usr/local/www/classes/Form/Input.class.php(127): sprintf('Nom de domaine ...', '<br />')
#1 /usr/local/www/services_dnsmasq_edit.php(85): Form_Input->setHelp('Domain of the h...', '<br />')
#2 {main}
thrown in /usr/local/www/classes/Form/Input.class.php on line 127
[02-Sep-2023 11:58:37 Europe/Paris] PHP Fatal error: Uncaught ValueError: Unknown format specifier "p" in /usr/local/www/classes/Form/Input.class.php:127
Stack trace:
#0 /usr/local/www/classes/Form/Input.class.php(127): sprintf('Nom de domaine ...', '<br />')
#1 /usr/local/www/services_dnsmasq_edit.php(85): Form_Input->setHelp('Domain of the h...', '<br />')
#2 {main}
thrown in /usr/local/www/classes/Form/Input.class.php on line 127
[02-Sep-2023 11:58:46 Europe/Paris] PHP Fatal error: Uncaught ValueError: Unknown format specifier "p" in /usr/local/www/classes/Form/Input.class.php:127
Stack trace:
#0 /usr/local/www/classes/Form/Input.class.php(127): sprintf('Nom de domaine ...', '<br />')
#1 /usr/local/www/services_dnsmasq_edit.php(85): Form_Input->setHelp('Domain of the h...', '<br />')
#2 {main}
thrown in /usr/local/www/classes/Form/Input.class.php on line 127
</pre>
<p>I think it comes from a French translation file, because when I use the original language, everything works.</p>
pfSense Packages - Bug #13544 (New): SquidGuard either denying everything or proxying everything | https://redmine.pfsense.org/issues/13544 | 2022-10-05T01:40:03Z | Jimmy Michaelson
<p>Hey,</p>
<p>I truly doubt this is a configuration issue as I've tried all the possible combinations.</p>
<p>Relevant images and config:</p>
<p><a class="external" href="https://forum.netgate.com/topic/175057/10-btc-bounty-squid-proxy-whitelist-per-source-ip/6">https://forum.netgate.com/topic/175057/10-btc-bounty-squid-proxy-whitelist-per-source-ip/6</a></p>
<p>FYI: The bounty has been bumped to $20 and is also valid here.</p>
pfSense - Bug #9295 (New): IPv6 PD does not work with PPPOE (Server & Client) | https://redmine.pfsense.org/issues/9295 | 2019-01-29T11:51:01Z | Dirk Steingäßer
<p>Hi,</p>
<p>as encountering DHCPv6 with Prefix delegation does not work together with PPPOE Server vice versa it is not possible to get a prefix with an interface where the IPv4 Uplink is PPPOE.</p>