pfSense bugtracker: Issues | https://redmine.pfsense.org/ | 2024-03-26T19:12:31Z | pfSense bugtracker | Redmine
pfSense - Bug #15362 (New): Config upgrade error with empty gateway interval tags. | https://redmine.pfsense.org/issues/15362 | 2024-03-26T19:12:31Z | Steve Wheeler
<p>Upgrading an old config that has set but empty gateway interval tags throws a php error.<br />For example a config containing:<br /><pre>
<gateway_item>
<interface>wan</interface>
<gateway>1.2.3.4</gateway>
<name>wan_gateway</name>
<weight/>
<interval/>
<descr><![CDATA[gw1]]></descr>
<defaultgw/>
</gateway_item>
</pre></p>
<p>Will hit:<br /><pre>
Fatal error: Uncaught TypeError: Unsupported operand types: string * int in /etc/inc/upgrade_config.inc:4169
Stack trace:
#0 /etc/inc/config.lib.inc(519): upgrade_130_to_131()
#1 /etc/rc.bootup(140): convert_config()
#2 {main}
thrown in /etc/inc/upgrade_config.inc on line 4169
PHP ERROR: Type: 1, File: /etc/inc/upgrade_config.inc, Line: 4169, Message: Uncaught TypeError: Unsupported operand types: string * int in /etc/inc/upgrade_config.inc:4169
Stack trace:
#0 /etc/inc/config.lib.inc(519): upgrade_130_to_131()
#1 /etc/rc.bootup(140): convert_config()
#2 {main}
</pre></p>
pfSense - Bug #15353 (New): Crashes Every ~8-12 Hours in New 2.7.2 Install with Unbound, Suricata... | https://redmine.pfsense.org/issues/15353 | 2024-03-21T06:41:37Z | Devin Dawson
<p>After reading some FreeBSD posts, it appears that this bug is potentially triggered by high CPU load. This occurs for me particularly during reloading or updating pfblockerNG, even though it's not consistently reproducible. I've attempted some mitigations such as disabling promiscuous mode in Suricata and restricting its use to the WAN interface, which seems to reduce the frequency of the issue but does not eliminate it entirely. Previously, running pfblockerNG in python mode alongside Suricata on both LAN and WAN interfaces resulted in the bug occurring more frequently.</p>
<p>The crash tends to happen approximately every 8 hours or so and appears to be related to two other FreeBSD issues:</p>
<pre><code>FreeBSD Commit "vm: Fix racy checks for swap objects" - <a class="external" href="https://cgit.freebsd.org/src/commit/?id=e123264e4dc394602f9fed2f0376204b5998d815">https://cgit.freebsd.org/src/commit/?id=e123264e4dc394602f9fed2f0376204b5998d815</a><br /> FreeBSD Bug Report "panic: vm_page_free_prep: freeing mapped page" - <a class="external" href="https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=261707">https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=261707</a></code></pre>
<p>Further investigation and possible collaboration with the FreeBSD community may be necessary to address this issue effectively.</p>
<pre><code class="shell syntaxhl">Intel(R) Pentium(R) CPU G3250 @ 3.20GHz
2 CPUs: 1 package(s) x 2 core(s)
AES-NI CPU Crypto: No
QAT Crypto: No
Kernel PTI Enabled
MDS Mitigation VERW
</code></pre>
<pre><code class="shell syntaxhl">amd64
14.0-CURRENT
FreeBSD 14.0-CURRENT amd64 1400094 #1 RELENG_2_7_2-n255948-8d2b56da39c: Wed Dec 6 20:45:47 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/obj/amd64/StdASW5b/var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/sources/F
Filename: /var/crash/textdump.tar.0
ddb.txt
db:0:kdb.enter.default> show registers
cs 0x20
ds 0x3b
es 0x3b
fs 0x13
gs 0x1b
ss 0
rax 0x12
rcx 0xffffffff81451bc8
rdx 0xffffffff844195ff
rbx 0x100
rsp 0xfffffe00f5272780
rbp 0xfffffe00f5272780
rsi 0xfffffe00f52721f0
rdi 0xffffffff82d3f3d8 vt_conswindow+0x10
r8 0x10
r9 0x10
r10 0xf
r11 0x10
r12 0
r13 0x2
r14 0xffffffff813d55bb
r15 0xfffffe00f54e6e40
rip 0xffffffff80d32342 kdb_enter+0x32
rflags 0x82
kdb_enter+0x32: movq $0,0x234a4c3(%rip)
db:0:kdb.enter.default> run lockinfo
db:1:lockinfo> show locks
No such command; use "help" to list available commands
db:1:lockinfo> show alllocks
No such command; use "help" to list available commands
db:1:lockinfo> show lockedvnods
Locked vnodes
db:0:kdb.enter.default> show pcpu
cpuid = 1
dynamic pcpu = 0xfffffe009af25f80
curthread = 0xfffffe00f54e6e40: pid 27610 tid 100715 critnest 1 "unbound-control"
curpcb = 0xfffffe00f54e7360
fpcurthread = 0xfffffe00f54e6e40: pid 27610 "unbound-control"
idlethread = 0xfffffe001de1ec80: tid 100004 "idle: cpu1"
self = 0xffffffff84011000
curpmap = 0xfffff803a5a05ad0
tssp = 0xffffffff84011384
rsp0 = 0xfffffe00f5273000
kcr3 = 0x800000008aefd67f
ucr3 = 0x8000000271748e7f
scr3 = 0x271748e7f
gs32p = 0xffffffff84011404
ldt = 0xffffffff84011444
tss = 0xffffffff84011434
curvnet = 0
db:0:kdb.enter.default> bt
Tracing pid 27610 tid 100715 td 0xfffffe00f54e6e40
kdb_enter() at kdb_enter+0x32/frame 0xfffffe00f5272780
vpanic() at vpanic+0x163/frame 0xfffffe00f52728b0
panic() at panic+0x43/frame 0xfffffe00f5272910
trap_fatal() at trap_fatal+0x40c/frame 0xfffffe00f5272970
trap_pfault() at trap_pfault+0x4f/frame 0xfffffe00f52729d0
calltrap() at calltrap+0x8/frame 0xfffffe00f52729d0
--- trap 0xc, rip = 0xffffffff8127ee47, rsp = 0xfffffe00f5272aa0, rbp = 0xfffffe00f5272ac0 ---
free_pv_entry() at free_pv_entry+0x47/frame 0xfffffe00f5272ac0
pmap_pv_promote_pde() at pmap_pv_promote_pde+0x14e/frame 0xfffffe00f5272b00
pmap_promote_pde() at pmap_promote_pde+0x2fa/frame 0xfffffe00f5272b80
pmap_enter() at pmap_enter+0xe8f/frame 0xfffffe00f5272c50
vm_fault() at vm_fault+0xbf4/frame 0xfffffe00f5272d60
vm_fault_trap() at vm_fault_trap+0x6b/frame 0xfffffe00f5272db0
trap_pfault() at trap_pfault+0x1d9/frame 0xfffffe00f5272e10
trap() at trap+0x442/frame 0xfffffe00f5272f30
calltrap() at calltrap+0x8/frame 0xfffffe00f5272f30
--- trap 0xc, rip = 0x82784d8d0, rsp = 0x820a9f758, rbp = 0x820a9f940 ---
</code></pre>
pfSense - Bug #15346 (Confirmed): Port Forward Add Unassociated Filter Rule Not Working | https://redmine.pfsense.org/issues/15346 | 2024-03-16T21:51:40Z | Timo M
<p>Upon creating a port forward entry on pfSense Plus 23.09.1 and choosing the "Add unassociated filter rule" option under Filter Rule Association, no firewall rule was actually created. Next time I checked the port forward Filter Rule Association setting on the rule that was created, it had been automatically set to "None". The documentation seems to indicate that a rule should still be created even when the unassociated option is chosen.</p>
<p><a class="external" href="https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html#port-forward-settings">https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html#port-forward-settings</a></p>
pfSense - Bug #15317 (Confirmed): IPsec widget does not show mobile clients with IP addresses ass... | https://redmine.pfsense.org/issues/15317 | 2024-03-07T14:17:46Z | Christopher de Haas
<p>The front page IPsec widget does not show mobile clients on the Mobile tab when connected clients get an IP assigned from RADIUS.</p>
pfSense - Bug #15291 (New): Error on Traffic Shaper 0% Bandwidth | https://redmine.pfsense.org/issues/15291 | 2024-02-26T09:35:21Z | Pavan K
<p>Link to post on pfSense Forum: <br /><a class="external" href="https://forum.netgate.com/topic/186137/error-on-traffic-shaper-0-bandwidth?_=1708915183963">https://forum.netgate.com/topic/186137/error-on-traffic-shaper-0-bandwidth?_=1708915183963</a></p>
<p>Backstory:<br />Recently we migrated from pfSense 2.4.x to 2.7.2, which was a direct update. Everything worked fine except the traffic shaping feature.</p>
<p>Following is the error:<br />There were error(s) loading the rules: pfctl: the sum of the child<br />bandwidth (1200000000) higher than parent "root_igc4" (1000000000) -<br />The line in question reads [0]: @ 2024-01-31 16:45:05</p>
<p>Following is our configuration:<br />Name → FAIRQ_7<br />Priority→ 7<br />Scheduler Option → Random Early detection in and out<br />Bandwidth → None</p>
<p>Add new Queue(Default)<br />Enable<br />Name → qFAIRQ_2(Default)<br />Priority→ 2<br />Scheduler Option → Default<br />Bandwidth → None</p>
<p>Add new Queue(ACK)<br />Enable<br />Name → qACK_6<br />Priority→ 6<br />Scheduler Option → Random Early detection in and out<br />Bandwidth → None</p>
<p>According to the configuration the Bandwidth on Queue(ACK) should be 0% which was migrated off from 2.4.x but on 2.7.2 it's not letting us save 0% bandwidth for some reason.</p>
<p>And due to this, new rules which are created are not taking effect; it's only after we disable and enable the Traffic Shaper completely that the rule is effective.</p>
pfSense - Bug #15287 (New): hw.ix.unsupported_sfp=1 parameter for ix driver not working | https://redmine.pfsense.org/issues/15287 | 2024-02-23T09:29:33Z | Eric Chaubert
<p>When using the ix driver with an Intel 82599ES chipset, the driver no longer seems to support hw.ix.unsupported_sfp=1, even if configured in the loader.conf files.</p>
<p>On top of that, when enumerating the PCI numbers, if the driver fails on one interface it uses the same interface id for the next one. This creates a physical to logical binding of the PCI slots that changes between boot sequences depending on whether there is an initialisation error on one PCI device, which is not the expected behaviour.</p>
<p>Reading through the various message boards it looks like a regression as it was reported to work on previous releases.</p>
<p>Drivers, configs, logs and trace information attached to this bug report as files.</p>
<p>Firmware version: dev.ix.0.fw_version: eTrack 0x800004e1 PHY FW V65535</p>
pfSense - Bug #15258 (New): DynDNS for Gandi no longer works | https://redmine.pfsense.org/issues/15258 | 2024-02-14T18:01:39Z | Matthew Drury
<p>In August 2023 Gandi changed how authentication works with their API. Now you need to use Personal Access Tokens and a new Authentication header in HTTP updates/calls.</p>
<p>If attempting to use the PATs in pfSense now, the log shows a 403 Authentication error, Permission Denied.</p>
pfSense - Bug #15228 (Confirmed): User manager fails to display certificate option for a new user ... | https://redmine.pfsense.org/issues/15228 | 2024-02-03T00:50:09Z | Steve Wheeler
<p>When creating a new user in the user manager the option to add a user cert for the user is hidden if an error is made in one of the fields creating an input error condition.</p>
<p>This is unexpected and may be missed when the correction is made.</p>
pfSense - Bug #15216 (New): captive portal zone name conflicts with existing interface name | https://redmine.pfsense.org/issues/15216 | 2024-01-30T15:47:21Z | Georgiy Tyutyunnik
<p>Customer reports intermittent issues with captive portal on HA cluster.<br />Connectivity between nodes in this VLAN interface breaks periodically, client traffic gets dropped.<br />The issue seems to be linked with the captive portal zone having the same name as its parent interface. Recreating the same zone with a different name fixes the issue.<br />config for the parent interface, CARP VIP and zone are attached.</p>
pfSense - Bug #15194 (Incomplete): PHP Fatal error in easyrule CLI | https://redmine.pfsense.org/issues/15194 | 2024-01-26T14:31:35Z | David Johnston
<p>Running "easyrule block wan 1.0.152.114" via ssh caused an error.<br />It looks like it's a problem in backup_config().<br />It's actually a permissions error; easyrule needs to be run as root.</p>
<p>Possible fixes:<br />1. chmod 700 /usr/local/bin/easyrule<br />2. Add a check to the PHP to report permissions errors.</p>
pfSense - Bug #15185 (Incomplete): Problem with Widgets OpenVPN in Pfsense 2.7.2 after upgrade | https://redmine.pfsense.org/issues/15185 | 2024-01-24T10:46:57Z | Przemyslaw Przybyl
<p>After upgrading from 2.7.0 to 2.7.1 and then to 2.7.2:</p>
<p>Widgets OpenVPN - Servers, OpenVPN - Clients, OpenVPN - Client Exports and Downloading Packages OpenVPN in Widget Client Exports are loading very slowly, about 1-2 minutes. In the pfSense shell I can see only one php-fpm process at 100%. Tuning parameters in php-fpm "/usr/local/etc/php-fpm.conf" doesn't work.</p>
<p>386 root 1 133 0 163M 64M CPU15 15 2:16 100.00% php-fpm<br />41229 root 1 68 0 159M 63M accept 15 1:09 0.00% php-fpm<br />387 root 1 68 0 163M 65M accept 6 0:47 0.00% php-fpm<br />53332 root 1 68 0 159M 61M accept 3 0:34 0.00% php-fpm<br />385 root 1 20 0 107M 27M kqread 3 0:04 0.00% php-fpm</p>
pfSense - Bug #15178 (New): ACB (autoconfig backup) restore always returns could not decrypt desp... | https://redmine.pfsense.org/issues/15178 | 2024-01-20T22:34:33Z | Jordan G
<p>ACB restore, using the proper password will permit viewing the encrypted and decrypted configuration, but either using the install this revision button on the xml view page or the action button on the restore tab always returns the error below, which cannot be accurate since the decrypted configuration can be viewed, subsequently copied and then used in a working configuration. It would seem copying the information into a new file and restoring or directly pasting it into the running configuration would be the only way to actually restore from an ACB backup entry.</p>
<p><img src="https://redmine.pfsense.org/attachments/download/5863/clipboard-202401201632-ifito.png" alt="" /></p>
pfSense - Bug #15162 (Confirmed): Wrong string in “MAC address” | https://redmine.pfsense.org/issues/15162 | 2024-01-13T23:54:32Z | Sergei Shablovsky
<p>Hi, brilliant pfSense stuff!</p>
<p>Wrong string in “<strong>MAC address</strong>” text entry field in “<strong>Services / Wake-on-LAN / Edit</strong>” when pressing “<strong>+</strong>” in the “<strong>Actions</strong>” column on the “<strong>Diagnostics / ARP Table</strong>” page in WebGUI.</p>
pfSense - Bug #15154 (New): dco_update_peer_stat: invalid peer ID 0 returned by kernel | https://redmine.pfsense.org/issues/15154 | 2024-01-11T00:16:09Z | Jonathan Lee
<p>Hello fellow redmine members</p>
<p>I am showing this error</p>
<p><code>dco_update_peer_stat: invalid peer ID 0 returned by kernel</code></p>
<p>I have the crypto acceleration chip enabled in system menu. I am using dco. Per other users, it should automatically work if a system has the chip.<br />In 23.05.01 this did not occur with dco enabled.</p>
pfSense - Bug #15140 (Incomplete): Remote syslog servers on dynamically routed networks are being... | https://redmine.pfsense.org/issues/15140 | 2024-01-04T16:48:42Z | James Blanton
<p>Syslogd is started before any packages are started, including the FRR package. If any remote syslog servers are on a network whose route is learned over BGP, then this traffic will be routed to the default gateway initially. This is expected behavior, since the FRR package hasn't been loaded and no BGP routes have been received.</p>
<p>The problem is that the traffic is NOT being redirected after BGP routes are established due to the state that was created initially by routing the traffic through the default GW.</p>
<p>In my specific case, I've got a remote site sending syslog traffic over an OpenVPN tunnel with BGP routing between sites. When the remote router reboots, the syslog messages are routed out of the WAN interface, creating a state with an "src-org" of the LAN IP and "src" of the WAN IP. After the FRR package starts and the BGP routes are received, these messages continue to go out of the WAN interface until the state is killed.</p>
<p>I originally reported this bug with <a class="issue tracker-1 status-12 priority-4 priority-default closed" title="Bug: Syslog Over OpenVPN Routed Out Default GW On Reboot (Not a Bug)" href="https://redmine.pfsense.org/issues/14403">#14403</a>, but was told:</p>
<pre><code><em>This is a configuration issue -- if traffic is taking a path you don't want when the VPN is down, you need to add rules to block it (e.g. reject it outbound on WAN via floating rules).</em></code></pre>
<p>However, this does not work either. While it does prevent the traffic from exiting the WAN interface, the syslog messages are still not being routed properly after the BGP routes are received. This began occurring for me originally on 23.01, but is still occurring in 23.09.1.</p>
<p>I was able to get this working by adding some code into the "/etc/rc.state_packages" script, in the foreach loop that starts the packages, that checks to see if the FRR package was just started, then looks to see if any remote syslog servers were configured. If there were any servers configured, then it sleeps for 15 seconds (to give time for the BGP peering to start) before looping through the servers and checking for any existing states. If any states exist, it checks for a "src-org" field and compares it to the "src" field. If the "src" and "src-org" don't match, then it kills that state. I have tested this change with 23.09.1, and it has been working as expected.</p>