pfSense bugtracker: Issues | https://redmine.pfsense.org/ | https://redmine.pfsense.org/favicon.ico?1678052116 | 2024-03-05T19:53:06Z | pfSense bugtracker | Redmine
pfSense Packages - Bug #15313 (Confirmed): Zabbix server 6.4.12 requires Zabbix proxies to be ver...
https://redmine.pfsense.org/issues/15313 | 2024-03-05T19:53:06Z | Andrew Almond
<p>There seems to be a bug/change with Zabbix server and Zabbix proxy where both need to be running 6.4.12.<br />If the versions don't match, then the proxy is unable to receive configuration changes from the server and shows this message in the log:</p>
<pre>
cannot process received configuration data from server at "192.168.1.8": unexpected field "httptest.status"
</pre>
<p>There are 3 bug reports with Zabbix about this issue:<br /><a class="external" href="https://support.zabbix.com/browse/ZBX-24162">https://support.zabbix.com/browse/ZBX-24162</a><br /><a class="external" href="https://support.zabbix.com/browse/ZBX-24161">https://support.zabbix.com/browse/ZBX-24161</a><br /><a class="external" href="https://support.zabbix.com/browse/ZBX-23232">https://support.zabbix.com/browse/ZBX-23232</a></p>
<p>It looks like this issue was addressed in Zabbix 6.4.12:<br /><a class="external" href="https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/28b3672d114">https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/28b3672d114</a></p>
<p>We are running 23.05.1 and the package manager installs Zabbix 6.4.1 (revision 546e284fd7c).<br />Would it be possible to have the Zabbix proxy and agent packages updated to 6.4.12?</p>
<p>It looks like the packages were updated to 6.4.8 for pfSense 23.09, so even upgrading to that will not solve the issue.<br /><a class="external" href="https://redmine.pfsense.org/issues/14913">https://redmine.pfsense.org/issues/14913</a></p>
pfSense Packages - Bug #15296 (New): WAN Interface cannot added to ntopng if offline-packet loss
https://redmine.pfsense.org/issues/15296 | 2024-02-29T06:58:23Z | Sergei Shablovsky
<p>Brilliant pfSense DevTeam !</p>
<p>In a multi-WAN pfSense configuration, WAN interfaces that pfSense decides are in the “Offline, Packet loss” state CANNOT BE ADDED to the ntopng config.</p>
<p>(To add a certain WAN connection (for example, if a WAN interface goes from the “Offline, packet loss” state to the “Online” state), ntopng needs to be disabled, the service stopped, the ntopng pkg uninstalled (with all data and configs deleted), then the hardware rebooted and the ntopng pkg installed again; only after that does the new WAN with “Online” status become visible as an Interface in ntopng.)</p>
<p>But ALL LAN interfaces are ADDED, even if some of them are not physically connected. So this bug relates only to WAN interfaces.</p>
<p>P.S.<br />This relates to WAN DHCP; I do not know about WAN STATIC.</p>
pfSense Packages - Bug #15274 (Incomplete): HAProxy Configuration Changes Require pfSense Reboot ...
https://redmine.pfsense.org/issues/15274 | 2024-02-20T21:51:14Z | Zachary Cohen
<p>As originally reported here (<a class="external" href="https://forum.netgate.com/topic/172972/haproxy-config-changes-not-loaded-pfsense-restart-needed">https://forum.netgate.com/topic/172972/haproxy-config-changes-not-loaded-pfsense-restart-needed</a>), changes made to the HAProxy configuration require a reboot to take effect.</p>
<p>I'm consistently able to reproduce this issue when adding new backends.</p>
<p>When browsing to the new backend, I receive a 503 - "no server is available to handle this request". After rebooting, it works as expected.</p>
<p>Other users have been able to validate that this issue was present starting with pfSense 2.6.0 and HAProxy version haproxy-devel 0.62.10.</p>
<p>While I was able to replicate that issue starting on that version, I'm currently replicating it in pfSense 2.7.2-RELEASE (amd64) and haproxy-devel 0.63_2.</p>
pfSense Packages - Bug #15131 (Incomplete): OpenVPN client export issues with iPhone and IPV6 con...
https://redmine.pfsense.org/issues/15131 | 2024-01-02T18:38:40Z | Jonathan Lee
<p>I have researched and found an issue within OpenVPN's client export config file for iPhones (OpenVPN Connect (iOS/Android)).</p>
<p>It exports with udp4 listed, and this does not work with iPhones because of IPv6 in the config (.ovpn) file; it must be changed to udp for iOS iPhones to work with OpenVPN and pfSense.</p>
<p>That is the only adaptation needed to fix this issue.</p>
pfSense Packages - Bug #15048 (New): Snort large memory consumption when updating
https://redmine.pfsense.org/issues/15048 | 2023-11-29T09:47:49Z | Ricardo ot
<p>Snort since the last updates uses a lot of memory when updating and it has a big impact. Can this be improved?</p>
<p>Thanks,</p>
<p>I have these configurations active for 2 interfaces:<br />Resolve Flowbits. checked.<br />Use IPS Policy. Checked.<br />IPS Policy Selection. Connectivity.<br />All the rulesets (Categories). Checked all</p>
<p>I already changed the pfBlockerNG configuration to use "Unbound python mode" and changed the time so that the update is not done at the same time. This has improved pfBlockerNG's memory usage.</p>
<p>System log Logs:</p>
<blockquote>
<p>Nov 29 00:48:16 php 46952 [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload<br />Nov 29 00:45:00 php 46952 [pfBlockerNG] Starting cron process.<br />Nov 29 00:25:57 php 85398 [Snort] The Rules update has finished.<br />Nov 29 00:25:57 php 85398 [Snort] Snort has restarted on WANONT with your new set of rules...<br />Nov 29 00:25:45 php 85398 [Snort] Snort START for <abbr title="vmx3">WANONT</abbr>...<br />Nov 29 00:25:44 kernel pid 31736 (snort), jid 0, uid 0: exited on signal 11 (core dumped)<br />Nov 29 00:25:44 snort 31736 * * * Caught Term-Signal<br />Nov 29 00:25:43 php 85398 [Snort] Snort STOP for <abbr title="vmx3">WANONT</abbr>...<br />Nov 29 00:25:42 php 85398 [Snort] Building new sid-msg.map file for WANONT...<br />Nov 29 00:25:42 php 85398 [Snort] Enabling any flowbit-required rules for: WANONT...<br />Nov 29 00:25:42 php 85398 [Snort] Enabling any flowbit-required rules for: WANONT...<br />Nov 29 00:25:41 php 85398 [Snort] Updating rules configuration for: WANONT ...<br />Nov 29 00:25:41 php 85398 [Snort] Snort has restarted on LAN with your new set of rules...<br />Nov 29 00:25:29 kernel pid 29090 (snort), jid 0, uid 0: exited on signal 11 (core dumped)<br />Nov 29 00:25:29 php 85398 [Snort] Snort START for <abbr title="vmx1">LAN</abbr>...<br />Nov 29 00:25:28 snort 29090 *** Caught Term-Signal<br />Nov 29 00:25:27 php 85398 [Snort] Snort STOP for <abbr title="vmx1">LAN</abbr>...<br />Nov 29 00:25:27 php 85398 [Snort] Building new sid-msg.map file for LAN...<br />Nov 29 00:25:27 php 85398 [Snort] Enabling any flowbit-required rules for: LAN...<br />Nov 29 00:25:26 php 85398 [Snort] Enabling any flowbit-required rules for: LAN...<br />Nov 29 00:25:26 php 85398 [Snort] Updating rules configuration for: LAN ...<br />Nov 29 00:25:25 php 85398 [Snort] Building new sid-msg.map file for WAN...<br />Nov 29 00:25:25 php 85398 [Snort] Enabling any flowbit-required rules for: WAN...<br />Nov 29 00:25:25 php 85398 [Snort] Enabling any 
flowbit-required rules for: WAN...<br />Nov 29 00:25:24 php 85398 [Snort] Updating rules configuration for: WAN ...<br />Nov 29 00:25:24 php 85398 [Snort] Removed 49 obsoleted rules category files.<br />Nov 29 00:25:24 php 85398 [Snort] Hide Deprecated Rules is enabled. Removing obsoleted rules categories.<br />Nov 29 00:25:17 php 85398 [Snort] Feodo Tracker Botnet C2 IP rules were updated...<br />Nov 29 00:25:17 php 85398 [Snort] Feodo Tracker Botnet C2 IP rules file update downloaded successfully.<br />Nov 29 00:25:17 php 85398 [Snort] Emerging Threats Open rules file update downloaded successfully<br />Nov 29 00:25:15 php 85398 [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz...<br />Nov 29 00:25:15 php 85398 [Snort] Snort GPLv2 Community Rules file update downloaded successfully<br />Nov 29 00:25:13 php 85398 [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz...<br />Nov 29 00:25:13 php 85398 [Snort] Snort Subscriber rules file update downloaded successfully<br />Nov 29 00:25:04 php 85398 [Snort] There is a new set of Snort Subscriber rules posted. Downloading snortrules-snapshot-29200.tar.gz...</p>
</blockquote>
pfSense - Bug #15015 (New): Static routes not working
https://redmine.pfsense.org/issues/15015 | 2023-11-20T17:53:07Z | Silviu Bajenaru
<p>Hello,</p>
<p>This morning I updated to pfSense 2.7.1 from 2.7.0. Now, I just tried to add a dynamic gateway and a static route. Unfortunately, the static route is not being added to the routing table. I restored the VM backup from this morning, before I updated, added the same gateway and static route and it was added to the routing table, and everything works fine.<br />I've set the priority to Urgent since this is quite bad for a router...?</p>
More info about my setup: I've got three sites, let's call them A, B and C. There is an IPSec tunnel between A and B, and one between B and C. Both tunnels are set with Mode VTI. I've assigned the ipsec interfaces and set the gateways and routes:<br />Site A has a gateway set on the IPSec interface and a route for site C that uses that gateway.<br />Site B has two gateways (one for each IPSec tunnel) and the following routes:
<ul>
<li>route to site A via the IPSec interface - gateway - going to site A</li>
<li>route to site B via the IPSec interface - gateway - going to site B<br />Site C has a gateway set on the IPSec interface and a route for site A that uses that gateway.<br />Site A was updated this morning to pfSense 2.7.1, while Site C is running 2.7.0.<br />Site A DOES NOT have the static routes added to the routing table.<br />Site C does have the static routes added to the routing table.</li>
</ul>
<p>Once I reverted Site A to 2.7.0, I did the same config again and the routes were added to the routing table.</p>
<p>Thank you.</p>
pfSense - Bug #14906 (New): DHCPv4 server self-assigning address to own DHCP client-enabled inter...
https://redmine.pfsense.org/issues/14906 | 2023-10-22T15:24:26Z | Luca Piccirillo
<p>Assume three NICs: igc0, igc1, igc2<br />Assume a single bridge: bridge0 (OPT2, OPT3)<br />And a VLAN: igc0.1036</p>
<p>Interfaces assignment as follows:<br />WAN -> igc0.1036 -> IPv4 (DHCP): 1.2.3.4/30<br />LAN -> bridge0 -> IPv4 (static): 192.168.1.1/24<br />OPT1 -> igc0 -> IPv4 (static): 192.168.100.2/24<br />OPT2 -> igc1<br />OPT3 -> igc2</p>
<p>DHCP & RA enabled for LAN only.</p>
<p>The problem: switching OPT1 IPv4 settings from static to DHCP makes pfSense assign itself an address from the LAN pool, also creating a wrong on-link route for its LAN subnet over the igc0 port, which is the underlying IF of WAN.</p>
<p>Of course this is easily noticeable when no other DHCP server is active on that igc0 port broadcast domain.</p>
pfSense - Bug #14891 (New): High CPU usage when interface get down and up due to proces check_rel...
https://redmine.pfsense.org/issues/14891 | 2023-10-18T10:40:27Z | Thijs K
<p>Today I noticed that the CPU usage was high on my pfSense appliance (N5105, I226).<br />After looking in top I see that check_reload_status is fully taxing one core.<br />This process seems to be triggered when the WAN interface comes down and up.<br />The process keeps running and taxing the CPU until it is manually stopped.</p>
pfSense - Bug #14741 (New): PHP error in DNS Forwarder host overrides when the language is set to...
https://redmine.pfsense.org/issues/14741 | 2023-09-02T10:26:29Z | Nicolas PISTER
<p>A PHP error occurs when a user tries to add or modify a Host Override in the DNS Forwarder module.</p>
<pre>
amd64
14.0-CURRENT
FreeBSD 14.0-CURRENT #1 RELENG_2_7_0-n255866-686c8d3c1f0: Wed Jun 28 04:21:19 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_0-main/obj/amd64/LwYAddCr/var/jenkins/workspace/pfSense-CE-snapshots-2_7_0-main/sources/FreeBSD-src-REL
Crash report details:
PHP Errors:
[02-Sep-2023 11:55:24 Europe/Paris] PHP Fatal error: Uncaught ValueError: Unknown format specifier "p" in /usr/local/www/classes/Form/Input.class.php:127
Stack trace:
#0 /usr/local/www/classes/Form/Input.class.php(127): sprintf('Nom de domaine ...', '<br />')
#1 /usr/local/www/services_dnsmasq_edit.php(85): Form_Input->setHelp('Domain of the h...', '<br />')
#2 {main}
thrown in /usr/local/www/classes/Form/Input.class.php on line 127
[02-Sep-2023 11:58:37 Europe/Paris] PHP Fatal error: Uncaught ValueError: Unknown format specifier "p" in /usr/local/www/classes/Form/Input.class.php:127
Stack trace:
#0 /usr/local/www/classes/Form/Input.class.php(127): sprintf('Nom de domaine ...', '<br />')
#1 /usr/local/www/services_dnsmasq_edit.php(85): Form_Input->setHelp('Domain of the h...', '<br />')
#2 {main}
thrown in /usr/local/www/classes/Form/Input.class.php on line 127
[02-Sep-2023 11:58:46 Europe/Paris] PHP Fatal error: Uncaught ValueError: Unknown format specifier "p" in /usr/local/www/classes/Form/Input.class.php:127
Stack trace:
#0 /usr/local/www/classes/Form/Input.class.php(127): sprintf('Nom de domaine ...', '<br />')
#1 /usr/local/www/services_dnsmasq_edit.php(85): Form_Input->setHelp('Domain of the h...', '<br />')
#2 {main}
thrown in /usr/local/www/classes/Form/Input.class.php on line 127
</pre>
<p>I think it comes from a French translation file, because when I use the original language, everything works.</p>
pfSense - Bug #14734 (New): Alias FQDN resolving issue results in incomplete tables
https://redmine.pfsense.org/issues/14734 | 2023-08-31T13:59:20Z | Robert Gijsen
<p>In CE 2.7.0, there are still issues when FQDNs are used in aliases. Consider an alias with 3 entries, 2 static IPs and one FQDN, pointing to one of those IPs as well. When the FQDN changes to the other IP, the IP it had initially is gone from the table.</p>
<p>Steps to reproduce:</p>
Create an alias
<ul>
<li>add 1.1.1.1</li>
<li>add 8.8.8.8</li>
<li>add a (public) dns entry you created, pointing to 1.1.1.1, ie pfsensetest.domain.com</li>
<li>monitor the table-entry for the alias, all will be ok</li>
<li>now change the DNS entry for pfsensetest.domain.com from 1.1.1.1 to 8.8.8.8 and wait for it to be replicated and pfSense to pick it up</li>
<li>in my setups, 1.1.1.1 got deleted from the table. So while 8.8.8.8 is in there 'twice' now, and 1.1.1.1 only once statically, it's not there anymore</li>
<li>killing filterdns and reloading filters repopulates the tables correctly it seems.</li>
</ul>
<p>It looks like when the FQDN is resolved, it overrules the static entry if one with the same value exists, and when the FQDN changes, the static entry is not put back into the table. I tailed resolver.log while reproducing the issue, but it made no mention at all of resolving the FQDN to another IP. So I don't know what log to add, or which log to enable verbose logging for.</p>
<p>I consider this high priority, as it has high potential of actually functionally breaking an environment.</p>
pfSense - Bug #14684 (Confirmed): Allowed IP Address does not control incoming speed in captive p...
https://redmine.pfsense.org/issues/14684 | 2023-08-13T16:29:38Z | Noman Haroon
<p>Hi PF Sense Engineers, I would like to report a bug. There is a problem in the captive portal in the latest release 2.7: in the captive portal it cannot control speed in Allowed IP Addresses. <--- This is the problem which needs to be fixed.</p>
<p>However captive portal mac based speed limitation but it should also work with Allowed IP Addresses.<br />Therefore as a PF Sense user I am requesting to kindly address this issue<br />I will be highly obliged.</p>
pfSense - Bug #14648 (Confirmed): Values obtained from ``sysctl`` are sometimes unexpectedly empt...
https://redmine.pfsense.org/issues/14648 | 2023-08-03T11:18:33Z | Steve Wheeler
<p>In 23.05.1:<br /><pre>
PHP Errors:
[16-Jul-2023 19:44:14 Etc/UTC] PHP Fatal error: Uncaught TypeError: Unsupported operand types: string / int in /etc/inc/util.inc:2479
Stack trace:
#0 /etc/inc/pfsense-utils.inc(2013): get_memory()
#1 /etc/inc/filter.inc(510): pfsense_default_state_size()
#2 /etc/rc.filter_configure_sync(32): filter_configure_sync()
#3 {main}
thrown in /etc/inc/util.inc on line 2479
[27-Jul-2023 21:20:37 Etc/UTC] PHP Fatal error: Uncaught TypeError: Unsupported operand types: string / int in /etc/inc/util.inc:2479
Stack trace:
#0 /etc/inc/pfsense-utils.inc(2013): get_memory()
#1 /usr/local/www/includes/functions.inc.php(104): pfsense_default_state_size()
#2 /usr/local/www/includes/functions.inc.php(35): get_pfstate()
#3 /usr/local/www/getstats.php(40): get_stats(Array)
#4 {main}
thrown in /etc/inc/util.inc on line 2479
</pre></p>
<p>The system hitting this reports those sysctls correctly;<br /><pre>
[23.05.1-RELEASE][suika@pfSense.pfsense.lan]/home/suika: sysctl hw.physmem
hw.physmem: 8288366592
[23.05.1-RELEASE][suika@pfSense.pfsense.lan]/home/suika: sysctl hw.realmem
hw.realmem: 8589934592
</pre></p>
pfSense Packages - Bug #14510 (New): match rpki invalid What is actually executed is match rpki v...
https://redmine.pfsense.org/issues/14510 | 2023-06-26T22:03:58Z | yon Liu (info@ipv6china.com)
<p>When I set up match rpki invalid for deny, what is actually executed is match rpki valid for deny.</p>
<p>Please check and fix it.</p>
pfSense Packages - Bug #13544 (New): SquidGuard either denying everything or proxying everything
https://redmine.pfsense.org/issues/13544 | 2022-10-05T01:40:03Z | Jimmy Michaelson
<p>Hey,</p>
<p>I truly doubt this is a configuration issue as I've tried all the possible combinations.</p>
<p>Relevant images and config:</p>
<p><a class="external" href="https://forum.netgate.com/topic/175057/10-btc-bounty-squid-proxy-whitelist-per-source-ip/6">https://forum.netgate.com/topic/175057/10-btc-bounty-squid-proxy-whitelist-per-source-ip/6</a></p>
<p>FYI: The bounty has been bumped to $20 and is also valid here.</p>
pfSense - Bug #9295 (New): IPv6 PD does not work with PPPOE (Server & Client)
https://redmine.pfsense.org/issues/9295 | 2019-01-29T11:51:01Z | Dirk Steingäßer
<p>Hi,</p>
<p>as encountering DHCPv6 with Prefix delegation does not work together with PPPOE Server vice versa it is not possible to get a prefix with an interface where the IPv4 Uplink is PPPOE.</p>