pfSense bugtracker: Issues (https://redmine.pfsense.org/, feed updated 2024-03-28T15:30:27Z)
pfSense Plus - Feature #15368 (New): Bulk import DHCP host reservations (https://redmine.pfsense.org/issues/15368, 2024-03-28T15:30:27Z, Chris W)
<p>It'd be a huge time saver to import from a CSV or XML file into Kea, or even just to paste into a text field, like Firewall > Alias > Bulk Import currently does.</p>

pfSense Plus - Bug #15361 (New): Error in virtual IP aliases when using IPv6 "network" / "broadca... (https://redmine.pfsense.org/issues/15361, 2024-03-25T09:20:00Z, Mathis Cavalli)
<p>There is no network address in IPv6, nor broadcasts as in IPv4.<br />When adding / editing an IP alias and entering an address like fd00::/64, it shows the following error: "The network address cannot be used for this VIP"<br />It happened on my pfSense+ box, but it seems CE 2.7.2 is also affected.</p>

pfSense Plus - Bug #15332 (New): Kea doesn't start without any logs when upload config with addit... (https://redmine.pfsense.org/issues/15332, 2024-03-12T13:17:13Z, aleksei prokofiev)
<p>If the config has an additional DHCP pool with extra parameters configured, such as default-lease-time or max-lease-time, then Kea won't start, without any logs. To fix that, delete those extra options from the config, or just re-save the affected pool without any changes; that rewrites the config without the extra options.<br />For example:</p>
<pre>
<pool>
  <range>
    <from>192.168.6.2</from>
    <to>192.168.6.48</to>
  </range>
  <descr><![CDATA[NTP Server]]></descr>
  <defaultleasetime>600</defaultleasetime>
  <maxleasetime>3600</maxleasetime>
</pre>
<p>After re-saving, they are deleted:</p>
<pre>
<pool>
  <range>
    <from>192.168.6.2</from>
    <to>192.168.6.48</to>
  </range>
  <descr><![CDATA[NTP Server]]></descr>
  <defaultleasetime></defaultleasetime>
  <maxleasetime></maxleasetime>
</pre>

pfSense Plus - Regression #15320 (New): XMLRPC Sync Trigger on CARP Maintenance Mode Causes webCo... (https://redmine.pfsense.org/issues/15320, 2024-03-08T03:13:23Z, Kris Phillips)
<p>When syncing a large configuration file with a large number of Virtual IPs, XMLRPC Sync can cause the webConfigurator to completely hang on a secondary unit in an HA pair for several minutes. This can also lead to 504 Timeout messages. The webConfigurator will typically recover on its own, but this will often take several minutes.</p>
<p>Disabling the Virtual IP portion of the XMLRPC sync resolves this issue and the failover is nearly instantaneous, along with complete responsiveness from the webConfigurator.</p>
<p>Likely, improvements can be made to the PHP code to not just blindly copy and rebuild the entire Virtual IP configuration on the secondary unit, as these hangs can lead to high CPU load and responsiveness issues for the secondary firewall that you just failed over to. This is obviously less than ideal, since that unit is supposed to be taking over traffic in a manual failover scenario.</p>

pfSense Plus - Feature #15306 (New): Change Gateway Status from Pending to Unavailable (https://redmine.pfsense.org/issues/15306, 2024-03-03T01:25:28Z, Kris Phillips)
<p>Per customer statement and request, gateway statuses of "Pending" are confusing as a state for gateways that do not exist yet due to dynamic allocation. Something like a state of "Unavailable" may be more appropriate wording.</p>

pfSense Plus - Feature #15305 (New): Gateway Status Changes to Pending Do Not Trigger Gateway Log... (https://redmine.pfsense.org/issues/15305, 2024-03-03T01:22:28Z, Kris Phillips)
<p>When a gateway transitions from an Online state to a Pending state, there is no logged event in the Gateway monitoring logs currently to state that the gateway has become unavailable.</p>
<p>Additionally, Email/System Notifications will send a notification for Gateway Up/Down events, but will not send a notification for changes to and from a Pending state. This would be useful for things like ISP equipment power loss or failures where the physical link is lost.</p>

pfSense Plus - Bug #15303 (New): dpinger service does not always switch from Pending to Online (https://redmine.pfsense.org/issues/15303, 2024-03-02T17:07:07Z, Kris Phillips)
<p>There are several situations where dpinger will not detect a gateway that is available when it should, forcing a restart of the dpinger service to "trigger" it to recheck.</p>
<p>Known situations, but there may be more:</p>
<p>1. Adding a new VTI tunnel as an interface<br />2. A release/renew of an IPv6 gateway (IPv4 gateway will show up, but IPv6 will not until a dpinger restart)<br />3. Adding an OpenVPN client/server as an interface</p>
<p>Related documentation redmine: <a class="external" href="https://redmine.pfsense.org/issues/15230">https://redmine.pfsense.org/issues/15230</a></p>

pfSense Plus - Feature #15295 (New): State Filter Rule ID needs clarification (https://redmine.pfsense.org/issues/15295, 2024-02-28T23:38:28Z, Mike Moore)
<p>Not sure if this is a feature request but this isn't a bug.</p>
<p>See the forum post for details - <a class="external" href="https://forum.netgate.com/topic/186429/no-states-show-up-when-filtering-by-trackerid/5?_=1709161373761">https://forum.netgate.com/topic/186429/no-states-show-up-when-filtering-by-trackerid/5?_=1709161373761</a></p>
<p>When searching for states under Diagnostics/States/States and filtering by Rule ID, I mistakenly thought this meant TrackerID. The RuleID shows up if you hover over the state's entry of the firewall rule in the GUI and look at the bottom of the WebUI URL; it will show what the corresponding ruleID is.</p>
<p>This doesn't make much sense, considering that if I search the firewall log in the WebUI and filter by "Rule Tracker ID", I can submit the TrackerID there and narrow down my search, whereas if I filter in the states screen nothing matches Rule ID, because it's specifically looking for a number that the system generates for the rule, and there is no place in the UI to even know what that rule number could or would be.</p>
<p>The solution would be to either:<br />1. Fix the State filter so that it can filter by tracker ID instead of Rule ID<br />2. OR update documentation to inform users of the best place to find the rule ID.</p>

pfSense Plus - Feature #15284 (New): Specify a Device parameter for Pushover Notifications (https://redmine.pfsense.org/issues/15284, 2024-02-22T03:14:10Z, Michael Klein)
<p>Hello,</p>
<p>Can you please add the ability to specify a DEVICE parameter for Pushover notifications so that a notification is sent to a specific device under that user account instead of ALL DEVICES under that user account? The menu is located at: System, Advanced, Notifications, Pushover.</p>
<p>Thank you!</p>

pfSense Plus - Feature #15280 (New): Boot Environments 2.0 (https://redmine.pfsense.org/issues/15280, 2024-02-21T19:59:52Z, Christian McDonald (cmcdonald@netgate.com))
<p>Changes:</p>
<ul>
<li>Configuration History is now a separate page and is no longer part of Backup & Restore.</li>
<li>Configuration History is now aware of Boot Environments. Supports downloading, deleting and restoring across boot environment boundaries.</li>
<li>System updates are now installed in an offline clone of the running system and booted "temporarily" to facilitate automatic fallback to previous working environment.</li>
<li>Boot Verification is performed when booting temporary Boot Environments. System will automatically reboot into prior boot environment upon boot failure.</li>
</ul>
<p><img src="https://redmine.pfsense.org/attachments/download/5936/clipboard-202402211456-bdjnl.png" alt="" /><br /><img src="https://redmine.pfsense.org/attachments/download/5937/clipboard-202402211457-fegcy.png" alt="" /><br /><img src="https://redmine.pfsense.org/attachments/download/5938/clipboard-202402211457-rbjkq.png" alt="" /><br /><img src="https://redmine.pfsense.org/attachments/download/5939/clipboard-202402211457-fcvqv.png" alt="" /><br /><img src="https://redmine.pfsense.org/attachments/download/5940/clipboard-202402211458-ydyne.png" alt="" /></p>

pfSense Plus - Bug #15262 (New): Captive Portal Has High CPU Interrupts With Large Number of Users (https://redmine.pfsense.org/issues/15262, 2024-02-15T19:33:29Z, Kris Phillips)
<p>When 700+ Captive Portal users are in use, CPU interrupts will cause high load averages to occur. This can lead to connectivity problems, such as packet loss on WAN uplinks, webConfigurator responsiveness issues, etc.</p>
<p>Tested with a customer who had load averages of 14-16 with Captive Portal on with 1400+ users. Once Captive Portal was turned off, load averages dropped to 0.5.</p>
<p>Load seems higher for Captive Portal when there is a significant number of users since the transition from ipfw to pf.</p>

pfSense Plus - Bug #15202 (New): Add Option for Network Portion of Subnet "Wildcard" for IPv6 Rules (https://redmine.pfsense.org/issues/15202, 2024-01-27T22:28:27Z, Kris Phillips)
<p>Filtering hosts with IPv6 is extremely difficult when utilizing an upstream provider that is providing a Prefix Delegation via DHCPv6 because the Prefix Delegation can change, which invalidates existing rules.</p>
<p>If there was a way to detect the interface PD for firewall rules, similar to how the DHCPv6 server currently detects the delegated prefix, users could assign rules based on only the host portion of the subnet and have the firewall filter rule automatically fill in the delegated prefix network ID portion before feeding it to pf.</p>
<p>This solves the following two scenarios:</p>
<p>1. A static DHCPv6 lease is assigned, but the delegated prefix changes<br />2. Clients configured via SLAAC typically will have the same host portion of an address, regardless of the network portion discovered by RAs, unless they are utilizing privacy extensions.</p>
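As an added illustration of the host-portion substitution proposed in this report (example code written for this page, not pfSense's own): the network bits come from whatever prefix is currently delegated, the host bits come from the rule, and the rule set is regenerated when the delegation changes. The EUI-64 derivation covers scenario 2 (SLAAC without privacy extensions); the pf rule syntax, the MAC and the addresses are constructed for the example, and a host suffix with bits inside the network portion is rejected rather than silently merged.

```python
"""Added example, not pfSense code: fill the delegated prefix into IPv6 rules
that only store the host portion of an address.

Assumptions: the rule keeps the host part as a full IPv6 literal with all
network bits zero (e.g. ::1234), and the delegation's own prefix length
decides where network bits end and host bits begin."""
import ipaddress
from typing import Iterable, List, Tuple


def eui64_suffix(mac: str) -> str:
    """Host portion a SLAAC client without privacy extensions derives from its
    MAC (modified EUI-64, RFC 4291 appendix A): flip the U/L bit, insert ff:fe."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return str(ipaddress.IPv6Address(int.from_bytes(eui, "big")))


def host_suffix_of(addr: str, prefix_len: int) -> str:
    """Strip the network portion from an observed address (e.g. a static
    DHCPv6 lease) and keep only the host bits."""
    host_mask = (1 << (128 - prefix_len)) - 1
    return str(ipaddress.IPv6Address(int(ipaddress.IPv6Address(addr)) & host_mask))


def apply_prefix(host_suffix: str, delegated: str) -> str:
    """Merge the host suffix into the currently delegated prefix.
    Refuses suffixes that carry bits inside the network portion, because
    OR-ing them in would silently produce an address in a different subnet."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    suffix = int(ipaddress.IPv6Address(host_suffix))
    if suffix & int(net.netmask):
        raise ValueError(f"{host_suffix} has bits inside the /{net.prefixlen} network portion")
    return str(ipaddress.IPv6Address(int(net.network_address) | suffix))


def render_rules(rules: Iterable[Tuple[str, str]], delegated: str) -> List[str]:
    """Expand (host_suffix, description) pairs into rule lines for the current
    delegation. The pf syntax here is illustrative, not what pfSense emits."""
    return [
        f"pass in quick inet6 proto tcp from {apply_prefix(suffix, delegated)} to any port 22  # {descr}"
        for suffix, descr in rules
    ]


if __name__ == "__main__":
    # Constructed sample: one SLAAC host identified by its MAC, one static lease.
    rules = [
        (eui64_suffix("00:11:22:33:44:55"), "nas (SLAAC, EUI-64)"),
        (host_suffix_of("2001:db8:abcd:1::1234", 64), "printer (static DHCPv6 lease)"),
    ]
    # The ISP renumbers the delegation; the host portions stay the same.
    for pd in ("2001:db8:abcd:1::/64", "2001:db8:ffff:1::/64"):
        print(f"# delegation {pd}")
        print("\n".join(render_rules(rules, pd)))
```

With a larger delegation (say a /56) the same merge lets the suffix carry the subnet ID as well, e.g. `::1:0:0:0:1` under `2001:db8:ab00::/56` becomes `2001:db8:ab00:1::1`, which is the same arithmetic the DHCPv6 server uses when it tracks the delegated prefix.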
<p>Obviously, this won't help in cases where SLAAC is used with RFC4941, but in many cases when creating rules like this it's possible to disable privacy extensions in most operating systems.</p>

pfSense Plus - Feature #15186 (New): Test DNS over TLS (https://redmine.pfsense.org/issues/15186, 2024-01-24T23:57:32Z, Jeff Kuehl)
<p>The ability to readily confirm TLS DNS would be established once saved.</p>

pfSense Plus - Bug #15126 (New): SG-1100 pfSense+ recovery results in non aligned disk slices (https://redmine.pfsense.org/issues/15126, 2023-12-29T03:11:42Z, David Burns (david.burns@dugeem.net))
<p>Currently preparing for an upgrade of SG-1100 remote worker fleet.</p>
<p>However after installing the latest SG-1100 recovery image (pfSense-plus-compat-recovery-23.09.1-RELEASE-aarch64.img.gz) it appears that the resulting image restore to SG-1100 eMMC is not aligned:<br />(reference <a class="external" href="https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/reinstall-pfsense.html">https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/reinstall-pfsense.html</a>)</p>
<pre>
gpart show mmcsd0
=> 1 15273599 mmcsd0 MBR (7.3G)
1 409600 1 efi (200M)
409601 131072 2 fat32 (64M)
540673 14732927 3 freebsd [active] (7.0G)
</pre>
<p>This is a UFS build. Clearly the FreeBSD slice (starting at sector 540673) is not aligned to a 4k / 32k / 1M boundary. Non-aligned writes may have an impact on eMMC life (depending on the write workload, of course).</p>
<p>Within the slice the actual UFS partition is at least 8k aligned (although suboptimal given that the UFS2 default block size is 32kB):</p>
<pre>
gpart show mmcsd0s3
=> 0 14732927 mmcsd0s3 BSD (7.0G)
0 16 - free - (8.0K)
16 14732911 1 freebsd-ufs (7.0G)
</pre>
<p>Compare this to a Netgate 7100 (with ZFS):</p>
<pre>
gpart show mmcsd0
40 61071280 mmcsd0 GPT (29G)
40 1024 1 freebsd-boot (512K)
1064 984 - free - (492K)
2048 4194304 2 freebsd-swap (2.0G)
4196352 56872960 3 freebsd-zfs (27G)
61069312 2008 - free - (1.0M)
</pre>
<p>Hopefully image build can be corrected using appropriate <strong><code>gpart add -t freebsd -a 1M ... /dev/mmcsd0</code></strong> argument parameters.</p>
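An added alignment checker for the three gpart tables quoted in this report (written for this page; it is not Netgate's or FreeBSD's code). It assumes 512-byte sectors, which is the unit the sizes in the listings correspond to, and it can add a slice's own start to a BSD label's offsets so that a partition nested inside an MBR slice is checked against the device rather than against the slice. The three listings are embedded verbatim as sample input.

```python
"""Added example, not pfSense or FreeBSD code: check partition start offsets
from `gpart show` output against flash-friendly boundaries.
Assumption: all offsets are 512-byte sectors (the usual gpart unit for mmcsd)."""
import re
from typing import Dict, List

SECTOR = 512
BOUNDARIES = {"4K": 4096, "32K": 32768, "1M": 1 << 20}

# Row layout: start size index type (human-size); an optional leading "=>"
# marks the table header, whose "index" column is the provider name.
ROW = re.compile(r"^\s*(?:=>\s*)?(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s+\(([^)]+)\)\s*$")

# Listings copied from the report above.
SG1100_MMCSD0 = """
=> 1 15273599 mmcsd0 MBR (7.3G)
1 409600 1 efi (200M)
409601 131072 2 fat32 (64M)
540673 14732927 3 freebsd [active] (7.0G)
"""
SG1100_MMCSD0S3 = """
=> 0 14732927 mmcsd0s3 BSD (7.0G)
0 16 - free - (8.0K)
16 14732911 1 freebsd-ufs (7.0G)
"""
NETGATE_7100 = """
40 61071280 mmcsd0 GPT (29G)
40 1024 1 freebsd-boot (512K)
1064 984 - free - (492K)
2048 4194304 2 freebsd-swap (2.0G)
4196352 56872960 3 freebsd-zfs (27G)
61069312 2008 - free - (1.0M)
"""


def parse_gpart(text: str) -> List[Dict]:
    """Rows as dicts. The first row is the header (provider + scheme);
    rows whose index is '-' are free space."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            start, size, index, kind, human = m.groups()
            rows.append({"start": int(start), "size": int(size), "index": index,
                         "type": kind.strip(), "human": human})
    return rows


def check_alignment(text: str, base_sector: int = 0) -> List[Dict]:
    """For every real partition, report whether (base + start) * SECTOR lands on
    each boundary. Pass the enclosing slice's start as base_sector when the
    listing is a BSD label inside an MBR slice, so offsets are device-relative."""
    rows = parse_gpart(text)
    if not rows:
        raise ValueError("no gpart rows found")
    header, parts = rows[0], rows[1:]
    results = []
    for p in parts:
        if p["index"] == "-":
            continue  # free space has nothing to align
        offset = (base_sector + p["start"]) * SECTOR
        results.append({"provider": header["index"], "scheme": header["type"],
                        "index": p["index"], "type": p["type"], "start": p["start"],
                        "offset_bytes": offset,
                        **{name: offset % size == 0 for name, size in BOUNDARIES.items()}})
    return results


def unaligned(results: List[Dict], boundary: str = "4K") -> List[str]:
    """Indices of partitions whose start misses the given boundary."""
    return [r["index"] for r in results if not r[boundary]]


if __name__ == "__main__":
    for label, text, base in (("SG-1100 mmcsd0", SG1100_MMCSD0, 0),
                              ("SG-1100 mmcsd0s3 (device-relative)", SG1100_MMCSD0S3, 540673),
                              ("Netgate 7100 mmcsd0", NETGATE_7100, 0)):
        print(label)
        for r in check_alignment(text, base):
            flags = " ".join(f"{k}={'ok' if r[k] else 'NO'}" for k in BOUNDARIES)
            print(f"  {r['index']:>2} {r['type']:<18} start={r['start']:<10} {flags}")
```

Run against the listings above, every SG-1100 slice (including the EFI slice, which starts at sector 1) misses even the 4K boundary, the UFS partition is 8K-aligned relative to its slice but not relative to the device once the odd slice start is added, and on the 7100 the swap and ZFS partitions sit on 1M boundaries while only the 512K boot partition at sector 40 does not.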
<p>Lastly, is the SG-1100 (aarch64) recovery image also used for the SG-2100? If so, this issue may also impact the SG-2100.</p>

pfSense Plus - Bug #15104 (New): Layer 2 experimental Firewall/Rules/Ethernet: new broadcast doma... (https://redmine.pfsense.org/issues/15104, 2023-12-18T22:48:09Z, Jonathan Lee)
<p>The layer 2 broadcast domain in 23.05.01 would separate the Compex card from the LAN RJ45 ports. It no longer separates the layer 2 broadcast domains in 23.09.01.</p>
<p>Ref: <a class="external" href="https://forum.netgate.com/topic/184894/ethernet-rules-on-two-networks">https://forum.netgate.com/topic/184894/ethernet-rules-on-two-networks</a></p>
<p>23.09.01 requires intra-interface communication for layer 2, and in 23.05.01 it did not. I run guest wifi on the Compex card (OPT1), so the secure side, or LAN (WLAN), is now prone to ARP broadcast storms as it no longer has separate broadcast domains.</p>
<p>Both interfaces have NAT access outbound without talking to each other, but in 23.09.01 it is now required for layer 2 to have interface-to-interface traffic.</p>