pfSense bugtracker: Issues | https://redmine.pfsense.org/ | 2024-02-21T19:59:52Z
pfSense Plus - Feature #15280 (New): Boot Environments 2.0 | https://redmine.pfsense.org/issues/15280 | 2024-02-21T19:59:52Z | Christian McDonald, cmcdonald@netgate.com
<p>Changes:</p>
<ul>
<li>Configuration History is now a separate page and is no longer part of Backup & Restore.</li>
<li>Configuration History is now aware of Boot Environments. Supports downloading, deleting and restoring across boot environment boundaries.</li>
<li>System updates are now installed in an offline clone of the running system and booted "temporarily" to facilitate automatic fallback to previous working environment.</li>
<li>Boot Verification is performed when booting temporary Boot Environments. System will automatically reboot into prior boot environment upon boot failure.</li>
</ul>
<p><img src="https://redmine.pfsense.org/attachments/download/5936/clipboard-202402211456-bdjnl.png" alt="" /><br /><img src="https://redmine.pfsense.org/attachments/download/5937/clipboard-202402211457-fegcy.png" alt="" /><br /><img src="https://redmine.pfsense.org/attachments/download/5938/clipboard-202402211457-rbjkq.png" alt="" /><br /><img src="https://redmine.pfsense.org/attachments/download/5939/clipboard-202402211457-fcvqv.png" alt="" /><br /><img src="https://redmine.pfsense.org/attachments/download/5940/clipboard-202402211458-ydyne.png" alt="" /></p>
pfSense Plus - Todo #15266 (Feedback): Prevent usage of the default password in User Manager acco... | https://redmine.pfsense.org/issues/15266 | 2024-02-16T18:53:24Z | Jim Pingle
<p>Currently we detect in the GUI when the admin account is using the default password (<code>"pfsense"</code>) and print a warning message: source:src/usr/local/www/head.inc#L564</p>
<p>We should change that to check any account (not just <code>admin</code>) and force a password change during one or more of the user's initial interactions, for example:</p>
<ul>
<li>During the setup wizard</li>
<li>GUI login any time the password matches the default password</li>
<li>Shell (console or SSH) login any time the password matches the default password</li>
<li>Possibly during the installation process</li>
</ul>
<p>We should also not allow the user to change their password to any variation of "pfsense" in upper/lower/mixed case.</p>
pfSense Plus - Bug #15157 (Incomplete): Problem in Restore Backup | https://redmine.pfsense.org/issues/15157 | 2024-01-12T23:35:22Z | Ramon Alonso Costa
<p>I am having the following issue when trying to update the DNS Resolver backup. Below is the file with the error.</p>
pfSense Plus - Feature #15070 (New): Script to fix: ld-elf.so.1: Shared object "libssl.so.30" not... | https://redmine.pfsense.org/issues/15070 | 2023-12-06T05:14:20Z | Jonathan Lee
<p>When using boot environments to move system back a version to last stable version users can no longer check for updates. This version is displayed under GUI as a version to still use. Thus a boot environment should not contain this error for standard users it should default back also.</p>
<p>Error is:<br /><code>ld-elf.so.1: Shared object "libssl.so.30" not found, required by "pfSense-repoc"</code></p>
<p>stephenw10 fixed my issue with the linked library Boot Environment issue for plus</p>
<p><code>pkg-static upgrade -f pfSense-repoc</code></p>
<p>Can we add a simple script that will auto run this command when users change to an older boot environment have a try catch error condition for this?</p>
<p>That way previous stable version boot environments do not see this error.</p>
pfSense Plus - Feature #15022 (New): Package install/reinstall feature request. | https://redmine.pfsense.org/issues/15022 | 2023-11-22T01:23:31Z | Jonathan Lee
<p>Hello fellow Redmine community members. I have noticed time and time again I have the ability to scroll during package installs to see what package dependencies are installing and to check version numbers but I can't get it to stay still for longer than a split second before it auto scrolls back to the bottom. Can we make this stay where users are when they scroll and remove the auto scroll function?</p>
<p>We currently have no way to see the dependency information after it scrolls past because auto scroll takes us back to the bottom again.</p>
<p>See attached photo, I wanted to check what dependency versions were installed. Every time you scroll it defaults to bottom again.</p>
pfSense Plus - Bug #14968 (New): Google LDAP fail to bind | https://redmine.pfsense.org/issues/14968 | 2023-11-11T13:11:11Z | Lev Prokofev
<p>Even with a freshly created cert and Bind user login/pass it fails to bind with the message:</p>
<p><em>/system_authservers.php: ERROR! ldap_get_user_ous() could not bind to server.</em></p>
<p>It seems the TLS talk between the client and server went smoothly (packet capture attached)</p>
<p>Ticket for reference #2067635022</p>
pfSense Plus - Feature #14915 (New): MAC-aliases / Lists with MAC-addresses would be very helpful | https://redmine.pfsense.org/issues/14915 | 2023-10-24T14:54:14Z | Louis B
<p>I would like to create a MAC-filter using the Ethernet layer firewall and it is absolutely not practical / a good idea to define a rule for each mac-address to check. In general, if you want to set a TAG in favor of policy filtering, it will almost certainly be related to a group of mac-addresses, not a single one.</p>
<p>So it would be very helpful if the firewall alias function would be extended for mac-addresses.</p>
pfSense Plus - Regression #14378 (Confirmed): Packages are not removed when using the hardware re... | https://redmine.pfsense.org/issues/14378 | 2023-05-12T00:41:38Z | Steve Wheeler
<p>More precisely it appears that packages are re-installed after rebooting into the new config.</p>
<p>This does not happen using the factory default options in the GUI or console menu.</p>
<p>Tested on 4100 and 6100 with 23.05.r.20230509.2241</p>
pfSense Plus - Feature #14297 (New): Add Option for Vendor Class ID in DHCP Client | https://redmine.pfsense.org/issues/14297 | 2023-04-21T15:07:26Z | Kris Phillips
<p>Some ISPs require a Vendor Class ID be sent (option 60) when requesting DHCP. This can currently be accomplished in pfSense with vendor-class-identifier manually added to a dhcp config file, but adding this as a field would be helpful.</p>
pfSense Plus - Bug #14175 (New): LDAP authentication for SSH fails | https://redmine.pfsense.org/issues/14175 | 2023-03-24T12:58:35Z | Georgiy Tyutyunnik
<p>LDAP authentication fails for SSH user authentication via LDAP with error (Invalid credentials).<br />Same user successfully authenticates to GUI.<br />User group with shell access is defined on pfSense and recognized at LDAP login, Shell Authentication Group DN is defined.<br />Logs for successful gui and failed ssh logins are attached.</p>
pfSense Plus - Feature #14133 (New): Exporting and Importing - Change Layout | https://redmine.pfsense.org/issues/14133 | 2023-03-20T03:47:01Z | Steven Cedrone
<p>Please change Backup & Restore to allow for choosing only what areas you want to import/export without having to do it one area at a time.</p>
<p>The drop down-style boxes for "Backup Area" and "Restore Area" should allow you to hold CTRL and choose multiple areas at a time. Or change the drop-down boxes to scrolling boxes similar to other Areas of pfSense when you select Multiple WAN or LAN connections in pfBlocker for example.</p>
<p>This would be quite handy for exporting partial settings for new setups without having to do it area by area.</p>
pfSense Plus - Bug #14104 (New): Google LDAP connections still fail even after adding SNI for TLS... | https://redmine.pfsense.org/issues/14104 | 2023-03-14T03:11:56Z | Azamat Khakimyanov
<p>Tested on 23.01 and with IPv6</p>
<p>After fixing <a class="external" href="https://redmine.pfsense.org/issues/11626">https://redmine.pfsense.org/issues/11626</a> I see that the LDAP client is sending the SNI header during TLS negotiation ('Client_Hello.png') but Google LDAP connections still fail.</p>
<p>In PCAP I got 'Alert (Level: Fatal, Description: Unknown CA)' so looks like Google LDAP is still replying with a self-signed certificate that will not pass CA validation checks (<a class="external" href="https://support.google.com/a/answer/9190869">https://support.google.com/a/answer/9190869</a>)</p>
<p>Strange part is that I got no error if I run #ldapsearch -H ldaps://ldap.google.com -x -d1</p>
<p><em>ldap_url_parse_ext(ldaps://ldap.google.com)<br />ldap_create<br />ldap_url_parse_ext(ldaps://ldap.google.com:636/??base)<br />ldap_sasl_bind<br />ldap_send_initial_request<br />ldap_new_connection 1 1 0<br />ldap_int_open_connection<br />ldap_connect_to_host: TCP ldap.google.com:636<br />ldap_new_socket: 3<br />ldap_prepare_socket: 3<br />ldap_connect_to_host: Trying 2001:4860:4802:32::3a 636<br />ldap_pvt_connect: fd: 3 tm: -1 async: 0<br />attempting to connect:<br />connect success<br />TLS trace: SSL_connect:before SSL initialization<br />TLS trace: SSL_connect:SSLv3/TLS write client hello<br />TLS trace: SSL_connect:SSLv3/TLS write client hello<br />TLS trace: SSL_connect:SSLv3/TLS read server hello<br />TLS trace: SSL_connect:TLSv1.3 read encrypted extensions<br />TLS trace: SSL_connect:SSLv3/TLS read server certificate request<br />TLS certificate verification: depth: 2, err: 0, subject: /C=US/O=Google Trust Services LLC/CN=GTS Root R1, issuer: /C=US/O=Google Trust Services LLC/CN=GTS Root R1<br />TLS certificate verification: depth: 1, err: 0, subject: /C=US/O=Google Trust Services LLC/CN=GTS CA 1C3, issuer: /C=US/O=Google Trust Services LLC/CN=GTS Root R1<br />TLS certificate verification: depth: 0, err: 0, subject: /CN=ldap.google.com, issuer: /C=US/O=Google Trust Services LLC/CN=GTS CA 1C3<br />TLS trace: SSL_connect:SSLv3/TLS read server certificate<br />TLS trace: SSL_connect:TLSv1.3 read server certificate verify<br />TLS trace: SSL_connect:SSLv3/TLS read finished<br />TLS trace: SSL_connect:SSLv3/TLS write change cipher spec<br />TLS trace: SSL_connect:SSLv3/TLS write client certificate<br />TLS trace: SSL_connect:SSLv3/TLS write finished<br />ldap_open_defconn: successful</em></p>
pfSense Plus - Feature #13740 (New): Feature Request: Mark Boot Environments with different prope... | https://redmine.pfsense.org/issues/13740 | 2022-12-09T14:04:10Z | Jonas R
<p>Boot snapshots are awesome. However. I see huge potential for expanding the features on these. So here are a few suggestions</p>
<p>Mark a snapshot as forbidden to boot.<br />This comes from a weird situation from my 6100. Where the first boot would work just perfectly. However, every subsequent boot would result in a completely broken LAN. So I had to be suuuper careful not to boot the last remaining snapshot of my "working" system whilst troubleshooting. But if I had been able to mark it so it wasn't allowed to be booted. Then this would've been real handy.</p>
<p>Mark snapshot with Deletion Prevention:<br />This is basically an option to mark a specific snapshot so that it isn't allowed to be deleted, whilst the "Prevent from being deleted"-flag is set. Or something similar. Suggestion is to have it as a check box from within the edit-page. This could then disable the Trash-icon on the main page.</p>
pfSense Plus - Feature #12546 (New): Add 2FA Support to pfSense Plus Local Database Authentication | https://redmine.pfsense.org/issues/12546 | 2021-11-27T17:36:40Z | Kris Phillips
<p>To eliminate the reliance on unsupported packages like freeRADIUS for making this work, we should add the capability to the built-in user database in pfSense for time-based tokens. This could be "bolted on" to the end of passwords similar to how other options accomplish this for OpenVPN or IPSec VPNs, but we may be able to add a field to the webConfigurator login for 2FA.</p>
pfSense Plus - Feature #11920 (New): SAML Authentication for pfSense (VPN and webConfigurator) | https://redmine.pfsense.org/issues/11920 | 2021-05-13T14:27:23Z | Kris Phillips
<p>A customer has requested SAML authentication support for things like Azure as an alternative to LDAP and RADIUS. Please reference internal ticket number 84890 for more details.</p>
<p>There are some projects that exist for making the webConfigurator work with SAML for authentication. See here:<br /><a class="external" href="https://github.com/jaredhendrickson13/pfsense-saml2-auth">https://github.com/jaredhendrickson13/pfsense-saml2-auth</a></p>
<p>Additionally, it seems that OpenVPN has support for this as an authentication method.</p>