pfSense bugtracker: Issues (https://redmine.pfsense.org/, updated 2024-01-31T19:43:54Z)

pfSense - Feature #15221 (New): Make System Tunables table sortable (https://redmine.pfsense.org/issues/15221, 2024-01-31T19:43:54Z, Ronald Antony, rcfa+pfsense.org@cubiculum.com)
<p>On the System > Advanced page's System Tunables tab, it's really hard to <br />a) find/check values, since they are in no particular order<br />b) compare the settings of two machines, because, again, the values are in no particular order.</p>
<p>Being able to sort them by the Tunable Name is particularly important, as it seems the Description of these fields has been changed over the years, so two systems originally set up at different times with different versions of pfSense have different descriptions for the same field, making it even harder to find/compare the values.</p>

pfSense - Bug #15083 (New): Installing to ZFS mirror does not format or populate EFI partition on... (https://redmine.pfsense.org/issues/15083, 2023-12-11T16:28:54Z, Jim Pingle)
<p>Installing Plus 23.09.1 or CE 2.7.2 to a ZFS mirror does not format or populate the EFI partition on the additional disks of the mirror. Only the first disk in the mirror has a populated EFI filesystem with the expected loader files.</p>
<p>The EFI Partition for the second disk (or later) is created and labeled as <code>/dev/gpt/efiboot1</code> (and so on) but there is no filesystem on that partition (and thus, no files).</p>
<p>Should the first disk in the mirror fail, this would leave the system unbootable.</p>
<p>This can be worked around by manually creating and populating the additional EFI partition(s) post-install.</p>
<p>For example, to format and populate the EFI filesystem on the second disk of the mirror:</p>
<pre><code class="shell syntaxhl"># newfs_msdos -F 32 -c 1 -L EFISYS1 /dev/gpt/efiboot1
# mount_msdosfs /dev/gpt/efiboot1 /mnt
# cp -R /boot/efi/ /mnt
# umount /mnt
</code></pre>

pfSense - Bug #15015 (New): Static routes not working (https://redmine.pfsense.org/issues/15015, 2023-11-20T17:53:07Z, Silviu Bajenaru)
<p>Hello,</p>
<p>This morning I updated to pfSense 2.7.1 from 2.7.0. Now, I just tried to add a dynamic gateway and a static route. Unfortunately, the static route is not being added to the routing table. I restored the VM backup from this morning, before I updated, added the same gateway and static route, and it was added to the routing table and everything works fine.<br />I've set the priority to Urgent since this is quite bad for a router...?</p>
<p>More info about my setup: I've got three sites, let's call them A, B and C. There is an IPSec tunnel between A and B, and one between B and C. Both tunnels are set with Mode VTI. I've assigned the ipsec interfaces and set the gateways and routes:</p>
<p>Site A has a gateway set on the IPSec interface and a route for site C that uses that gateway.</p>
<p>Site B has two gateways (one for each IPSec tunnel) and the following routes:</p>
<ul>
<li>route to site A via the IPSec interface - gateway - going to site A</li>
<li>route to site B via the IPSec interface - gateway - going to site B</li>
</ul>
<p>Site C has a gateway set on the IPSec interface and a route for site A that uses that gateway.<br />Site A was updated this morning to pfSense 2.7.1, while Site C is running 2.7.0.<br />Site A DOES NOT have the static routes added to the routing table.<br />Site C does have the static routes added to the routing table.</p>
<p>Once I reverted Site A to 2.7.0, I did the same config again and the routes were added to the routing table.</p>
<p>Thank you.</p>

pfSense - Feature #14802 (New): Re-enable multiqueue support for virtio NIC (https://redmine.pfsense.org/issues/14802, 2023-09-20T21:08:51Z, Christopher de Haas)
<p>In current versions of pfSense (2.7.0, 23.05.1) multiqueue support for the virtio NIC has vanished. Apparently this was done to support ALTQ. This is a serious new limitation for high-throughput virtualized routers. Please re-add support for multiqueue on virtio. If this is a driver limitation, please at least allow us to choose between ALTQ-enabled or multiqueue-enabled drivers for virtio, like it is for other NICs in pfSense.</p>
<p>Not sure whether this is a bug or a request for a feature to be re-added.</p>

pfSense - Bug #14741 (New): PHP error in DNS Forwarder host overrides when the language is set to... (https://redmine.pfsense.org/issues/14741, 2023-09-02T10:26:29Z, Nicolas PISTER)
<p>A PHP error occurs when a user tries to add or modify a Host Override in the DNS Forwarder module.</p>
<pre>
amd64
14.0-CURRENT
FreeBSD 14.0-CURRENT #1 RELENG_2_7_0-n255866-686c8d3c1f0: Wed Jun 28 04:21:19 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_0-main/obj/amd64/LwYAddCr/var/jenkins/workspace/pfSense-CE-snapshots-2_7_0-main/sources/FreeBSD-src-REL
Crash report details:
PHP Errors:
[02-Sep-2023 11:55:24 Europe/Paris] PHP Fatal error: Uncaught ValueError: Unknown format specifier "p" in /usr/local/www/classes/Form/Input.class.php:127
Stack trace:
#0 /usr/local/www/classes/Form/Input.class.php(127): sprintf('Nom de domaine ...', '<br />')
#1 /usr/local/www/services_dnsmasq_edit.php(85): Form_Input->setHelp('Domain of the h...', '<br />')
#2 {main}
thrown in /usr/local/www/classes/Form/Input.class.php on line 127
[02-Sep-2023 11:58:37 Europe/Paris] PHP Fatal error: Uncaught ValueError: Unknown format specifier "p" in /usr/local/www/classes/Form/Input.class.php:127
Stack trace:
#0 /usr/local/www/classes/Form/Input.class.php(127): sprintf('Nom de domaine ...', '<br />')
#1 /usr/local/www/services_dnsmasq_edit.php(85): Form_Input->setHelp('Domain of the h...', '<br />')
#2 {main}
thrown in /usr/local/www/classes/Form/Input.class.php on line 127
[02-Sep-2023 11:58:46 Europe/Paris] PHP Fatal error: Uncaught ValueError: Unknown format specifier "p" in /usr/local/www/classes/Form/Input.class.php:127
Stack trace:
#0 /usr/local/www/classes/Form/Input.class.php(127): sprintf('Nom de domaine ...', '<br />')
#1 /usr/local/www/services_dnsmasq_edit.php(85): Form_Input->setHelp('Domain of the h...', '<br />')
#2 {main}
thrown in /usr/local/www/classes/Form/Input.class.php on line 127
</pre>
<p>I think it comes from a French translation file, because when I use the original language, everything works.</p>

pfSense - Bug #14648 (Confirmed): Values obtained from ``sysctl`` are sometimes unexpectedly empt... (https://redmine.pfsense.org/issues/14648, 2023-08-03T11:18:33Z, Steve Wheeler)
<p>In 23.05.1:</p>
<pre>
PHP Errors:
[16-Jul-2023 19:44:14 Etc/UTC] PHP Fatal error: Uncaught TypeError: Unsupported operand types: string / int in /etc/inc/util.inc:2479
Stack trace:
#0 /etc/inc/pfsense-utils.inc(2013): get_memory()
#1 /etc/inc/filter.inc(510): pfsense_default_state_size()
#2 /etc/rc.filter_configure_sync(32): filter_configure_sync()
#3 {main}
thrown in /etc/inc/util.inc on line 2479
[27-Jul-2023 21:20:37 Etc/UTC] PHP Fatal error: Uncaught TypeError: Unsupported operand types: string / int in /etc/inc/util.inc:2479
Stack trace:
#0 /etc/inc/pfsense-utils.inc(2013): get_memory()
#1 /usr/local/www/includes/functions.inc.php(104): pfsense_default_state_size()
#2 /usr/local/www/includes/functions.inc.php(35): get_pfstate()
#3 /usr/local/www/getstats.php(40): get_stats(Array)
#4 {main}
thrown in /etc/inc/util.inc on line 2479
</pre>
<p>The system hitting this reports those sysctls correctly:</p>
<pre>
[23.05.1-RELEASE][suika@pfSense.pfsense.lan]/home/suika: sysctl hw.physmem
hw.physmem: 8288366592
[23.05.1-RELEASE][suika@pfSense.pfsense.lan]/home/suika: sysctl hw.realmem
hw.realmem: 8589934592
</pre>

pfSense - Bug #14434 (New): PPPoE WAN interface with VIPs causes continuous interface restarting (https://redmine.pfsense.org/issues/14434, 2023-05-30T13:55:03Z, Bert Smith)
<p>I have a /28 routable legacy IP block from the ISP, and they assign the first usable address of the /28 block as a /32 to the PPPOE interface, so I have:</p>
<p>Routable block: x.x.x.64/28<br />PPPOE address: x.x.x.65/32<br />LAN address CARP VIP: x.x.x.65/28</p>
<p>This configuration worked fine in 22.05, but is broken in 23.01 and remains broken in 23.05.</p>
<p>The PPPOE connection establishes and calls /etc/rc.newwanip, which then calls find_interface_ip() and get_interface_ip() to determine the address assigned to pppoe0. These functions return NULL, which causes rc.newwanip to restart the pppoe0 interface. This then causes an endless loop. The logs show the correct interface name, but no IP:</p>
<pre>
rc.newwanip: on (IP address: ) (interface: WAND[opt5]) (real interface: pppoe0).
</pre>
<p>Looking through the find_interface_ip() function, I can see it looks for $interface_ip_arr_cache; this array exists but is empty, causing the function to fail and return NULL.</p>
<p>I can see that if $interface_ip_arr_cache does not exist, it should open /var/db/${interface}_ip</p>
<pre>
if (!isset($interface_ip_arr_cache[$interface]) or $flush) {
	if (file_exists("/var/db/${interface}_ip")) {
</pre>
<p>The file /var/db/pppoe0_ip is present and contains the correct address.</p>
<p>I'm hoping someone more familiar with the codebase and the changes between 22.05/23.01 could give some insight into this; otherwise I'll be trying to track it down further.</p>

pfSense - Regression #14431 (Feedback): Sending IPv6 traffic on a disabled interface can trigger ... (https://redmine.pfsense.org/issues/14431, 2023-05-29T14:41:52Z, Steve Wheeler)
<p>This issue was hidden by <a class="external" href="https://redmine.pfsense.org/issues/14164">https://redmine.pfsense.org/issues/14164</a>, but now that that is solved in 23.05 it is being seen.</p>
<pre>
db:1:pfs> bt
Tracing pid 93402 tid 103857 td 0xfffffe00cf7cac80
kdb_enter() at kdb_enter+0x32/frame 0xfffffe00cf8a0800
vpanic() at vpanic+0x183/frame 0xfffffe00cf8a0850
panic() at panic+0x43/frame 0xfffffe00cf8a08b0
trap_fatal() at trap_fatal+0x409/frame 0xfffffe00cf8a0910
trap_pfault() at trap_pfault+0x4f/frame 0xfffffe00cf8a0970
calltrap() at calltrap+0x8/frame 0xfffffe00cf8a0970
--- trap 0xc, rip = 0xffffffff80f5a036, rsp = 0xfffffe00cf8a0a40, rbp = 0xfffffe00cf8a0a70 ---
in6_selecthlim() at in6_selecthlim+0x96/frame 0xfffffe00cf8a0a70
tcp_default_output() at tcp_default_output+0x1ded/frame 0xfffffe00cf8a0c60
tcp_output() at tcp_output+0x14/frame 0xfffffe00cf8a0c80
tcp6_usr_connect() at tcp6_usr_connect+0x2f4/frame 0xfffffe00cf8a0d10
soconnectat() at soconnectat+0x9e/frame 0xfffffe00cf8a0d60
kern_connectat() at kern_connectat+0xc9/frame 0xfffffe00cf8a0dc0
sys_connect() at sys_connect+0x75/frame 0xfffffe00cf8a0e00
amd64_syscall() at amd64_syscall+0x109/frame 0xfffffe00cf8a0f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe00cf8a0f30
--- syscall (98, FreeBSD ELF64, connect), rip = 0x800fddc8a, rsp = 0x7fffdf5f8c98, rbp = 0x7fffdf5f8cd0 ---
</pre>
<pre>
db:1:pfs> bt
Tracing pid 68614 tid 100330 td 0xfffffe00cf325720
kdb_enter() at kdb_enter+0x32/frame 0xfffffe00c7d955f0
vpanic() at vpanic+0x183/frame 0xfffffe00c7d95640
panic() at panic+0x43/frame 0xfffffe00c7d956a0
trap_fatal() at trap_fatal+0x409/frame 0xfffffe00c7d95700
trap_pfault() at trap_pfault+0x4f/frame 0xfffffe00c7d95760
calltrap() at calltrap+0x8/frame 0xfffffe00c7d95760
--- trap 0xc, rip = 0xffffffff80f63aa4, rsp = 0xfffffe00c7d95830, rbp = 0xfffffe00c7d95a50 ---
ip6_output() at ip6_output+0xb74/frame 0xfffffe00c7d95a50
udp6_send() at udp6_send+0x78e/frame 0xfffffe00c7d95c10
sosend_dgram() at sosend_dgram+0x357/frame 0xfffffe00c7d95c70
sousrsend() at sousrsend+0x5f/frame 0xfffffe00c7d95cd0
kern_sendit() at kern_sendit+0x132/frame 0xfffffe00c7d95d60
sendit() at sendit+0xb7/frame 0xfffffe00c7d95db0
sys_sendto() at sys_sendto+0x4d/frame 0xfffffe00c7d95e00
amd64_syscall() at amd64_syscall+0x109/frame 0xfffffe00c7d95f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe00c7d95f30
--- syscall (133, FreeBSD ELF64, sendto), rip = 0x823f95f2a, rsp = 0x8202cea88, rbp = 0x8202cead0 ---
</pre>
<pre>
db:1:pfs> bt
Tracing pid 2 tid 100041 td 0xfffffe0085264560
kdb_enter() at kdb_enter+0x32/frame 0xfffffe00850ad910
vpanic() at vpanic+0x183/frame 0xfffffe00850ad960
panic() at panic+0x43/frame 0xfffffe00850ad9c0
trap_fatal() at trap_fatal+0x409/frame 0xfffffe00850ada20
trap_pfault() at trap_pfault+0x4f/frame 0xfffffe00850ada80
calltrap() at calltrap+0x8/frame 0xfffffe00850ada80
--- trap 0xc, rip = 0xffffffff80f5a036, rsp = 0xfffffe00850adb50, rbp = 0xfffffe00850adb80 ---
in6_selecthlim() at in6_selecthlim+0x96/frame 0xfffffe00850adb80
tcp_default_output() at tcp_default_output+0x1ded/frame 0xfffffe00850add70
tcp_timer_rexmt() at tcp_timer_rexmt+0x514/frame 0xfffffe00850addd0
tcp_timer_enter() at tcp_timer_enter+0x102/frame 0xfffffe00850ade10
softclock_call_cc() at softclock_call_cc+0x13c/frame 0xfffffe00850adec0
softclock_thread() at softclock_thread+0xe9/frame 0xfffffe00850adef0
fork_exit() at fork_exit+0x7d/frame 0xfffffe00850adf30
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00850adf30
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
db:1:pfs>
</pre>

pfSense - Bug #14397 (New): DHCPv4 client (dhclient) does not use 802.1p Priority tagging on DHCP... (https://redmine.pfsense.org/issues/14397, 2023-05-19T14:52:52Z, Tue Madsen)
<p>Some ISPs using VLANs for service require DHCPv4/v6 frames to be 802.1p priority tagged.<br />pfSense has the option to do this by either:</p>
<ul>
<li>Setting VLAN priority tagging in the Interface DHCP options (if you are not using Advanced configuration or a predefined configuration file)</li>
<li>If using advanced configuration: by adding “vlan-pcp x” in the advanced modifier options.</li>
</ul>
<p>BUG:<br />This priority setting is only used in DISCOVER and RELEASE frames sent by dhclient - NOT in RENEW or REBIND.</p>
<p>This is now causing major problems in France where Orange (Major ISP) has upgraded to also requiring the RENEW frames to be properly VLAN Priority tagged.<br />This causes the uplink to stop working when a renew is due. (About once a day)</p>
<p>I don’t know if the issue is the same in DHCPv6</p>
<p>The issue was patched in OPNsense about a month ago, and they decided to drop the advanced options overwrite of the VLAN priority setting in interface DHCP options. <br />Instead they let the user choose if VLAN priority should be used via the interface DHCP VLAN Priority setting already available. <br />If selected it would - apart from adding “vlan-pcp x” to the dhclient config - also set the priority tag in the builtin pffilter rule that passes Interface DHCP client traffic. This adds the tag to RENEW and REBIND frames.</p>
<p>The issue occurs because dhclient uses a bpf interface for DISCOVER and RELEASE, thus respecting the vlan-pcp setting. But for RENEW it uses a simple socket, and that causes it not to be tagged correctly. In pfSense you cannot create a floating match rule to manually tag the traffic that has higher priority than the builtin pass quick rule for the interface DHCP client.</p>

pfSense - Bug #14118 (New): freeRadius "Amount of Time" setting is not accurately tracked for Sto... (https://redmine.pfsense.org/issues/14118, 2023-03-16T10:23:39Z, Dale Harron)
<p>Re: tested on 23.01 plus mid-Feb release: Correct time accounting error in captiveportal.inc Stop/Start routines for freeRadius. The Stop/Start freeRadius routine at lines 690 thru 693 forces the interval to 60 seconds. freeRadius is expecting a duration interval since the last accounting update and as a result, 60 seconds is subtracted from the “allowed time” setting in the freeRadius GUI in pfSense, which is one of the reasons Stop/Start freeRadius works for tracking “Amount of Time” and Stop/Start doesn’t. The Stop/Start routine at lines 693 thru 696 sends an increment from the start of the session to the current time, resulting in the accumulation of time at an exponential rate and premature logout of that freeRadius user. Unfortunately once-a-minute accounting intervals do not work well with freeRadius, and accounting data is dropped with the current code, masking this issue. The duration must be longer (I found that less than 600 seconds was iffy and anything below 120 seconds definitely doesn’t keep accurate accounting for interim, stop/start or stop/start freeRadius) and that is particularly true as the system gets loaded down with more users. In order to support more users, I have found we simply have to extend the duration of the “accounting interval”. freeRadius already has a user-settable accounting interval for interim accounting (lines 718 thru 738) but only uses that interval for the interim setting. For simplicity, I propose using it for both Stop/Start routines as well.<br />As the “reauthenticate every minute” setting in the Captive Portal GUI will be redundant if the duration is longer than the accounting interval, it makes sense to also incorporate the freeRadius “accounting interval” for that as well.<br />It should be noted that the freeRadius GUI states that the default value for the accounting interval is 600 seconds, but it is not; it is much shorter, more like a minute. This should be corrected while implementing this fix.<br />I have also reduced the “pause” duration at line 710 in stopstartfreeradius to support scaling to a larger number of connected users. The value of 250000 microseconds or 1/4 of a second is arbitrary but working well during testing.<br />I took the code wrapping the interim interval and “copy/paste” wrapped the Stop/Start and Reauthenticate routines to demonstrate and test this proposed fix. It has worked well during my lab testing. No effort has been made to make this code efficient; it is included here for proof of principle and/or for testing. The fact that the interim value applies to all freeRadius accounting, not just interim, should be updated in the freeRadius GUI under Settings, freeRadius.<br />Line 684 in captiveportal.inc with modifications encapsulated inside “/*---” commented sections follows:</p>
<pre><code>/* do periodic reauthentication? For Radius servers, send accounting updates? */
	if (!$timedout) {
		//Radius servers : send accounting
		if (isset($cpcfg['radacct_enable']) && $cpentry['authmethod'] === 'radius') {
			if (substr($cpcfg['reauthenticateacct'], 0, 9) === "stopstart") {
				/* stop and restart accounting */
				if ($cpcfg['reauthenticateacct'] === "stopstartfreeradius") {
/*--- Use the actual interval since the last accounting interval update
					$rastart_time = 0;
					$rastop_time = 60;
*/
					$rastart_time = 0;
					$rastop_time = $cpentry[10];
				} else {
/*--- Use the actual interval since the last accounting interval update to avoid cumulating time exponentially.
					$rastart_time = $cpentry[0];
					$rastop_time = time();
*/
					$rastart_time = 0;
					$rastop_time = $cpentry[10];
				}

/*-----------------------------------------------------------------------------------------------------------*/
/*--- Override to use interim update from freeRadius GUI setting for stop/start frequency as well */
				$session_time = $pruning_time - $cpentry[0];
				if (!empty($cpentry[10]) && $cpentry[10] > 60) {
					$interval = $cpentry[10];
				} else {
					$interval = 0;
				}
				$past_interval_min = ($session_time > $interval);
				if ($interval != 0) {
					$within_interval = ($session_time % $interval >= 0 && $session_time % $interval <= 59);
				}
				if ($interval === 0 || ($interval > 0 && $past_interval_min && $within_interval)) {
/*-----------------------------------------------------------------------------------------------------------*/
					captiveportal_send_server_accounting('stop',
						$cpentry[1], // ruleno
						$cpentry[4], // username
						$cpentry[2], // clientip
						$cpentry[3], // clientmac
						$cpentry[5], // sessionid
						$rastart_time, // start time
						$rastop_time, // Stop Time
						10); // NAS Request
					/* XXX rewrite to C wrapper pfSense_pf_anchor_zerocnt() */
					captiveportal_anchor_zerocnt($cpentry[2], 'auth');
					if ($cpcfg['reauthenticateacct'] === "stopstartfreeradius") {
						/* Need to pause here or the FreeRADIUS server gets confused about packet ordering. */
/*--- 1 sec limits max # simultaneous users: sleep(1); */
						usleep(250000);
					}
					captiveportal_send_server_accounting('start',
						$cpentry[1], // ruleno
						$cpentry[4], // username
						$cpentry[2], // clientip
						$cpentry[3], // clientmac
						$cpentry[5]); // sessionid
/*-----------------------------------------------------------------------------------------------------------*/
				}
/*-----------------------------------------------------------------------------------------------------------*/
			} else if ($cpcfg['reauthenticateacct'] === "interimupdate") {
				$session_time = $pruning_time - $cpentry[0];
				if (!empty($cpentry[10]) && $cpentry[10] > 60) {
					$interval = $cpentry[10];
				} else {
					$interval = 0;
				}
				$past_interval_min = ($session_time > $interval);
				if ($interval != 0) {
					$within_interval = ($session_time % $interval >= 0 && $session_time % $interval <= 59);
				}
				if ($interval === 0 || ($interval > 0 && $past_interval_min && $within_interval)) {
					captiveportal_send_server_accounting('update',
						$cpentry[1], // ruleno
						$cpentry[4], // username
						$cpentry[2], // clientip
						$cpentry[3], // clientmac
						$cpentry[5], // sessionid
						$cpentry[0]); // start time
				}
			}
		}

		/* check this user again */
		if (isset($cpcfg['reauthenticate']) && $cpentry['context'] !== 'voucher') {
/*-----------------------------------------------------------------------------------------------------------*/
/*--- Override to use interim update from freeRadius GUI setting as reauthenticate frequency as well */
			$session_time = $pruning_time - $cpentry[0];
			if (!empty($cpentry[10]) && $cpentry[10] > 60) {
				$interval = $cpentry[10];
			} else {
				$interval = 0;
			}
			$past_interval_min = ($session_time > $interval);
			if ($interval != 0) {
				$within_interval = ($session_time % $interval >= 0 && $session_time % $interval <= 59);
			}
			if ($interval === 0 || ($interval > 0 && $past_interval_min && $within_interval)) {
/*-----------------------------------------------------------------------------------------------------------*/
				$auth_result = captiveportal_authenticate_user(
					$cpentry[4], // username
					base64_decode($cpentry[6]), // password
					$cpentry[3], // clientmac
					$cpentry[2], // clientip
					$cpentry[1], // ruleno
					$cpentry['context']); // context
				if ($auth_result['result'] === false) {
					captiveportal_disconnect($cpentry, 17);
					captiveportal_logportalauth($cpentry[4], $cpentry[3], $cpentry[2], "DISCONNECT - REAUTHENTICATION FAILED", $auth_list['reply_message']);
					$unsetindexes[] = $cpentry[5];
				} else if ($auth_result['result'] === true) {
					if ($cpentry['authmethod'] !== $auth_result['auth_method']) {
						// if the user got authenticated against another server type: we update the database
						if (!empty($cpentry[5])) {
							captiveportal_update_entry($cpentry['sessionid'], $auth_result['auth_method'], 'authmethod');
							captiveportal_logportalauth($cpentry[4], $cpentry[3], $cpentry[2], "CHANGED AUTHENTICATION SERVER", $auth_list['reply_message']);
						}
						// User was logged on a RADIUS server, but is now logged in by another server type : we send an accounting Stop
						if (isset($config['captiveportal'][$cpzone]['radacct_enable']) && $cpentry['authmethod'] === 'radius') {
							if ($cpcfg['reauthenticateacct'] === "stopstartfreeradius") {
								$rastart_time = 0;
								$rastop_time = 60;
							} else {
								$rastart_time = $cpentry[0];
								$rastop_time = time();
							}
							captiveportal_send_server_accounting('stop',
								$cpentry[1], // ruleno
								$cpentry[4], // username
								$cpentry[2], // clientip
								$cpentry[3], // clientmac
								$cpentry[5], // sessionid
								$rastart_time, // start time
								$rastop_time, // Stop Time
								3); // Lost Service
						// User was logged on a non-RADIUS Server but is now logged in by a RADIUS server : we send an accounting Start
						} else if (isset($config['captiveportal'][$cpzone]['radacct_enable']) && $auth_result['auth_method'] === 'radius') {
							captiveportal_send_server_accounting('start',
								$cpentry[1], // ruleno
								$cpentry[4], // username
								$cpentry[2], // clientip
								$cpentry[3], // clientmac
								$cpentry[5], // sessionid
								$cpentry[0]); // start_time
						}
					}
					captiveportal_reapply_attributes($cpentry, $auth_result['attributes']);
				}
/*-----------------------------------------------------------------------------------------------------------*/
			}
/*-----------------------------------------------------------------------------------------------------------*/
		}
	}
</code></pre>
<p>Redmines <a class="issue tracker-2 status-1 priority-4 priority-default" title="Feature: Add ability to properly configure RADIUS captive portal user quotas of 4096MB or more (New)" href="https://redmine.pfsense.org/issues/13843">#13843</a> & <a class="issue tracker-2 status-1 priority-4 priority-default" title="Feature: Make RADIUS Start/Stop accounting immediately log off a user that exceeds quota when reauthentica... (New)" href="https://redmine.pfsense.org/issues/13844">#13844</a> must be fully implemented before this modification can be utilized on accounts with a data quota as overflowed value logouts >4GB will occur if a data quota is set (eg: 100GB = 1.7GB overflow equivalent). In order to complete this testing, I overrode the 32 bit overflow 4 GB data quota limit as follows (line 663 in captiveportal.inc). <a class="issue tracker-2 status-1 priority-4 priority-default" title="Feature: Make RADIUS Start/Stop accounting immediately log off a user that exceeds quota when reauthentica... (New)" href="https://redmine.pfsense.org/issues/13844">#13844</a> requires checking reauthenticate option in the captive portal GUI to force a logout for now. I include the code here to permit these fixes to progress in parallel or for those that need an immediate fix for 23.01.</p>
<p>Line 662 in captiveportal.inc:</p>
<pre><code>/* traffic quota, value retrieved from the radius attribute if the option is enabled */
		if (isset($cpcfg['radiustraffic_quota'])) {
			$utrafficquota = (is_numeric($cpentry[11])) ? $cpentry[11] : $trafficquota;
/*-----------------------------------------------------------------------------------------------------------*/
/* new code */
			$intoverflow = true; //to stop 32 bit overflow premature logout
/* new code */
/*-----------------------------------------------------------------------------------------------------------*/
		} else {
			$utrafficquota = $trafficquota;
		}

		if (!$timedout && $utrafficquota > 0) {
			$volume = getVolume($cpentry[2]);
			if (($volume['input_bytes'] + $volume['output_bytes']) > $utrafficquota) {
/* edited code, original: $timedout = true; */
/*-----------------------------------------------------------------------------------------------------------*/
				if ($intoverflow != true) {
					$timedout = true;
				} else {
					$timedout = false; //to stop 32 bit overflow premature logout
				}
/*-----------------------------------------------------------------------------------------------------------*/
/* edited code */
</code></pre>

pfSense - Bug #9295 (New): IPv6 PD does not work with PPPOE (Server & Client) (https://redmine.pfsense.org/issues/9295, 2019-01-29T11:51:01Z, Dirk Steingäßer)
<p>Hi,</p>
<p>As DHCPv6 with prefix delegation does not work together with the PPPOE server (and vice versa), it is not possible to get a prefix on an interface where the IPv4 uplink is PPPOE.</p>

pfSense - Bug #9123 (Feedback): Adding/configuring vlan on ixl-devices causes aq_add_macvlan err ... (https://redmine.pfsense.org/issues/9123, 2018-11-15T10:50:14Z, Sebastian Deuerling)
<p>The actual vlan addition/configuring process is triggering the error "aq_add_macvlan err -53, aq_error 14" on ixl-devices.<br />Configuring vlans seems to work nevertheless, but saving interface configurations with vlans takes a lot of time.<br />In our setup (two igb-interfaces, two ix-interfaces, two ixl-interfaces; 25 vlans on a failover-lagg of ixl0 and igb0) saving changes on the interface configuration takes around 20 to 30 minutes. After that pfSense seems to freeze. After a reboot all vlans are working.<br />But booting also takes a lot of time: around 5 minutes in the step "Configuring VLANS...".<br />Our hardware: SYS-5018D-FN4T (Supermicro Intel Xeon D-1541 system) and X710DA2BLK (Intel X710-DA2 Dual-SFP+-PCIe-Addon-cards).<br />Further information here: <a class="external" href="https://forum.netgate.com/topic/136201/new-version-2-4-4-interface-error-aq_add_macvlan-err-53-aq_error-14/14">https://forum.netgate.com/topic/136201/new-version-2-4-4-interface-error-aq_add_macvlan-err-53-aq_error-14/14</a></p>

pfSense - Bug #8089 (New): VLAN page breaks after config restore to new hardware. (https://redmine.pfsense.org/issues/8089, 2017-11-13T11:09:13Z, Bridgetowermedia IT)
<p>The VLAN interface page breaks after restoring a backup from devices using emX interfaces to devices using igbX interfaces.<br />This is rather problematic, as after the page is broken the only way to fix it is to re-image.<br />The workaround is to remove all VLAN interfaces from the configuration before backing up and restoring.</p>
<p>When the page breaks this is the error received:</p>
<pre>
Fatal error: Cannot redeclare vlan_inuse() (previously declared in /usr/local/www/interfaces_vlan.php:42) in /etc/inc/interfaces.inc on line 272
Call Stack:
0.0026 231112 1. {main}() /usr/local/www/interfaces_vlan.php:0
0.0027 231616 2. require_once('/usr/local/www/guiconfig.inc') /usr/local/www/interfaces_vlan.php:33
0.0029 254168 3. require_once('/etc/inc/authgui.inc') /usr/local/www/guiconfig.inc:51
0.0029 254800 4. include_once('/etc/inc/auth.inc') /etc/inc/authgui.inc:25
0.0029 255232 5. require_once('/etc/inc/config.gui.inc') /etc/inc/auth.inc:31
0.0061 279224 6. require_once('/etc/inc/notices.inc') /etc/inc/config.gui.inc:37
0.0061 279600 7. require_once('/etc/inc/functions.inc') /etc/inc/notices.inc:24
PHP ERROR: Type: 1, File: /etc/inc/interfaces.inc, Line: 272, Message: Cannot redeclare vlan_inuse() (previously declared in /usr/local/www/interfaces_vlan.php:42)
</pre>
<p>You can reproduce by:</p>
<ol>
<li>add vlan to 8860 interface</li>
<li>backup config</li>
<li>restore config to vmware device</li>
<li>reassign interfaces as normal</li>
<li>backup config</li>
<li>restore to 8860</li>
<li>then try and reassign interfaces, get errors about non-existing vlans</li>
<li>attempt to resolve vlan issue on vlan interfaces page</li>
</ol>

pfSense - Feature #7521 (New): Package Updates via Mirror (https://redmine.pfsense.org/issues/7521, 2017-05-04T20:21:52Z, Mark Olliver)
<p>Since the upgrade to 2.3, systems that can no longer connect to the internet directly or via a proxy cannot get updates manually.</p>
<p>This is leaving internal firewalls vulnerable to potential threats. Can we please have an option to mirror the pfSense repo and, correspondingly, an option in the system updates menu to enter a local mirror as an override.</p>
<p>By doing this we can reinstate updates for offline systems and keep them secure.</p>
<p>Thanks</p>
<p>Mark</p> pfSense - Bug #5355 (New): on Dynamic WAN IP (DHCP Client) it takes 10 minutes before Phase1 reco...https://redmine.pfsense.org/issues/53552015-10-29T03:37:18ZVitali Karivitali.kari@gmail.com
<p>2.2.4-RELEASE (i386)<br />built on Sat Jul 25 19:56:41 CDT 2015<br />FreeBSD 10.1-RELEASE-p15</p>
<p>It seems that charon does not care, or is not being informed, after the WAN IP address changes.</p>
<p>It still tries to use the old IP address and cannot bind to it.</p>
<p>I see these messages after the IP address is changed (XXX.XXX.180.28 is the old IP address):<br />Logs are in reverse order!</p>
<p>...<br />Oct 26 09:43:49 charon: 09[IKE] <con1000|2> sending DPD request<br />Oct 26 09:43:49 charon: 09[IKE] <con1000|2> sending DPD request<br />Oct 26 09:43:48 charon: 05[NET] error writing to socket: Can't assign requested address<br />Oct 26 09:43:48 charon: 09[NET] <con1000|3> sending packet: from XXX.XXX.180.28[500] to XXX.XXX.183.110[500] (391 bytes)<br />Oct 26 09:43:48 charon: 09[IKE] <con1000|3> sending retransmit 4 of request message ID 0, seq 1<br />Oct 26 09:43:48 charon: 09[IKE] <con1000|3> sending retransmit 4 of request message ID 0, seq 1<br />Oct 26 09:43:39 charon: 09[IKE] <con1000|2> sending DPD request<br />Oct 26 09:43:39 charon: 09[IKE] <con1000|2> sending DPD request<br />Oct 26 09:43:29 charon: 09[IKE] <con1000|2> sending DPD request<br />Oct 26 09:43:29 charon: 09[IKE] <con1000|2> sending DPD request<br />Oct 26 09:43:24 charon: 05[NET] error writing to socket: Can't assign requested address<br />Oct 26 09:43:24 charon: 09[NET] <con1000|3> sending packet: from XXX.XXX.180.28[500] to XXX.XXX.183.110[500] (391 bytes)<br />Oct 26 09:43:24 charon: 09[IKE] <con1000|3> sending retransmit 3 of request message ID 0, seq 1<br />Oct 26 09:43:24 charon: 09[IKE] <con1000|3> sending retransmit 3 of request message ID 0, seq 1<br />Oct 26 09:43:19 charon: 09[IKE] <con1000|2> sending DPD request<br />Oct 26 09:43:19 charon: 09[IKE] <con1000|2> sending DPD request<br />...</p>
<p>After a while (10 - 15 minutes) IPsec realizes that the WAN address has changed and reconnects successfully:</p>
<p>...<br />Oct 26 09:53:32 charon: 12[IKE] <con1000|4> IKE_SA con1000[4] established between XXX.XXX.180.42[XXX]...XXX.XXX.183.110[XXX.XXX.183.110]<br />Oct 26 09:53:32 charon: 12[ENC] <con1000|4> received unknown vendor ID: 69:93:69:22:87:41:c6:d4:ca:09:4c:93:e2:42:c9:de:19:e7:b7:c6:00:00:00:05:00:00:05:00<br />Oct 26 09:53:32 charon: 12[IKE] <con1000|4> received NAT-T (RFC 3947) vendor ID<br />Oct 26 09:53:32 charon: 12[IKE] <con1000|4> received NAT-T (RFC 3947) vendor ID<br />Oct 26 09:53:32 charon: 12[IKE] <con1000|4> received DPD vendor ID<br />Oct 26 09:53:32 charon: 12[IKE] <con1000|4> received DPD vendor ID<br />Oct 26 09:53:32 charon: 12[ENC] <con1000|4> parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V NAT-D NAT-D ]<br />Oct 26 09:53:32 charon: 12[NET] <con1000|4> received packet: from XXX.XXX.183.110[500] to XXX.XXX.180.42[500] (388 bytes)<br />Oct 26 09:53:32 charon: 12[NET] <con1000|4> sending packet: from XXX.XXX.180.42[500] to XXX.XXX.183.110[500] (391 bytes)<br />Oct 26 09:53:32 charon: 12[ENC] <con1000|4> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]<br />Oct 26 09:53:32 charon: 12[IKE] <con1000|4> initiating Aggressive Mode IKE_SA con1000[4] to XXX.XXX.183.110<br />Oct 26 09:53:32 charon: 12[IKE] <con1000|4> initiating Aggressive Mode IKE_SA con1000[4] to XXX.XXX.183.110<br />Oct 26 09:53:32 charon: 16[KNL] creating acquire job for policy XXX.XXX.180.42/32|/0 === XXX.XXX.183.110/32|/0 with reqid {2}<br />Oct 26 09:51:15 charon: 16[IKE] <con1000|3> establishing IKE_SA failed, peer not responding<br />Oct 26 09:51:15 charon: 16[IKE] <con1000|3> establishing IKE_SA failed, peer not responding<br />Oct 26 09:51:15 charon: 16[IKE] <con1000|3> giving up after 5 retransmits<br />Oct 26 09:51:15 charon: 16[IKE] <con1000|3> giving up after 5 retransmits<br />Oct 26 09:50:00 charon: 05[NET] error writing to socket: Can't assign requested address<br />...</p>
<p>If more debug information is needed, I can provide this.</p>
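<p>One way to turn the log pattern in this report into a check, as an added example that is neither pfSense's nor strongSwan's code: the script below parses charon lines of the shape shown above, flags every "sending packet: from A[500]" whose source A is not among the addresses the firewall currently holds, attributes the kernel's "Can't assign requested address" (EADDRNOTAVAIL, the bind failure the reporter describes) to the send just before it, and measures how long it takes until an IKE_SA is established from a current address. The sample log is constructed to mirror the report's lines, with RFC 5737 documentation addresses standing in for the masked XXX.XXX.* ones; the set of current WAN addresses is passed in as an argument rather than read from the system.</p>

```python
"""Flag IPsec (charon) packets still sent from a WAN address the firewall no
longer holds, and measure how long until an IKE_SA comes up from the new one.

Added example for the report above; not pfSense or strongSwan code."""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample, newest-first as pfSense displays it (see the report).
# 198.51.100.28 = old DHCP lease, 198.51.100.42 = new lease, 203.0.113.110 = peer.
SAMPLE_LOG = """\
Oct 26 09:53:32 charon: 12[IKE] <con1000|4> IKE_SA con1000[4] established between 198.51.100.42[fw]...203.0.113.110[203.0.113.110]
Oct 26 09:53:32 charon: 12[NET] <con1000|4> sending packet: from 198.51.100.42[500] to 203.0.113.110[500] (391 bytes)
Oct 26 09:51:15 charon: 16[IKE] <con1000|3> giving up after 5 retransmits
Oct 26 09:43:48 charon: 05[NET] error writing to socket: Can't assign requested address
Oct 26 09:43:48 charon: 09[NET] <con1000|3> sending packet: from 198.51.100.28[500] to 203.0.113.110[500] (391 bytes)
Oct 26 09:43:48 charon: 09[IKE] <con1000|3> sending retransmit 4 of request message ID 0, seq 1
Oct 26 09:43:24 charon: 05[NET] error writing to socket: Can't assign requested address
Oct 26 09:43:24 charon: 09[NET] <con1000|3> sending packet: from 198.51.100.28[500] to 203.0.113.110[500] (391 bytes)
Oct 26 09:43:24 charon: 09[IKE] <con1000|3> sending retransmit 3 of request message ID 0, seq 1
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) charon: \d+"
SEND_RE = re.compile(TS + r"\[NET\] <(?P<conn>[^>]+)> sending packet: from "
                     r"(?P<src>[\d.]+)\[\d+\] to (?P<dst>[\d.]+)\[\d+\]")
# EADDRNOTAVAIL: the kernel refused to send from an address no interface holds.
ERR_RE = re.compile(TS + r"\[NET\] error writing to socket: Can't assign requested address")
EST_RE = re.compile(TS + r"\[IKE\] <(?P<conn>[^>]+)> IKE_SA \S+\[\d+\] established between "
                    r"(?P<src>[\d.]+)\[")


@dataclass
class StaleSend:
    ts: datetime
    conn: str
    src: str            # source address charon used; not on the firewall any more
    dst: str
    socket_error: bool  # the kernel rejected this send (EADDRNOTAVAIL)


def parse_ts(text):
    # Syslog timestamps carry no year; fine for intervals within one run.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def analyze(log_text, current_wan_ips, newest_first=True):
    """Return (stale_sends, recovery_seconds).

    stale_sends: sends whose source is not in current_wan_ips, oldest first.
    recovery_seconds: time from the first stale send until an IKE_SA is
    established from a current address, or None if that never happens."""
    lines = log_text.splitlines()
    if newest_first:
        lines.reverse()  # work in chronological order
    sends, established = [], []
    for line in lines:
        if m := SEND_RE.match(line):
            sends.append(StaleSend(parse_ts(m["ts"]), m["conn"], m["src"], m["dst"], False))
        elif ERR_RE.match(line) and sends:
            # charon logs the send first, then the kernel's refusal; attribute
            # the error to the most recent send.
            sends[-1].socket_error = True
        elif m := EST_RE.match(line):
            established.append((parse_ts(m["ts"]), m["src"]))
    stale = [s for s in sends if s.src not in current_wan_ips]
    recovery = None
    if stale:
        first = stale[0].ts
        ok = [ts for ts, src in established if src in current_wan_ips and ts >= first]
        if ok:
            recovery = (min(ok) - first).total_seconds()
    return stale, recovery


if __name__ == "__main__":
    stale, recovery = analyze(SAMPLE_LOG, {"198.51.100.42"})
    for s in stale:
        print(f"{s.ts:%b %d %H:%M:%S} {s.conn}: sent from stale {s.src} "
              f"(socket error: {s.socket_error})")
    print(f"recovered after {recovery} s" if recovery else "no recovery seen")
```

<p>Run against a log pasted in the reverse order pfSense shows, it reports two sends from the old lease, both refused by the kernel, and 608 seconds from the first stale send at 09:43:24 to the new IKE_SA at 09:53:32, which is the roughly ten minutes the reporter waited. On a live firewall the set of current addresses would be taken from the WAN interface's configuration; the script deliberately keeps that an input so the log analysis can run offline.</p>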