pfSense bugtracker: Issues | https://redmine.pfsense.org/ | 2024-02-28T23:38:28Z
pfSense Plus - Feature #15295 (New): State Filter Rule ID needs clarification | https://redmine.pfsense.org/issues/15295 | 2024-02-28T23:38:28Z | Mike Moore
<p>Not sure if this is a feature request but this isn't a bug.</p>
<p>See the forum post for details - <a class="external" href="https://forum.netgate.com/topic/186429/no-states-show-up-when-filtering-by-trackerid/5?_=1709161373761">https://forum.netgate.com/topic/186429/no-states-show-up-when-filtering-by-trackerid/5?_=1709161373761</a></p>
<p>Searching for states under Diagnostics/States/States and if you filter by Rule ID I mistakenly thought this meant TrackerID. The RuleID shows up if you hover over the state's entry of the firewall rule in the GUI and look at the bottom of the WebUI URL and it will show what the corresponding ruleID is.</p>
<p>This doesn't make much sense considering if I search the firewall log in the WebUI and if I filter by "Rule Tracker ID" I can submit the TrackerID there and I'm able to narrow down my search whereas if I filter in the states screen nothing matches Rule ID because it's specifically looking for a number that the system generates for the Rule but there is no place in the UI to even know what that rule number could or would be.</p>
<p>The solution would be to either:<br />1. Fix the State filter so that it can filter by tracker ID instead of Rule ID<br />2. OR update documentation to inform users of the best place to find the rule ID.</p>
pfSense Plus - Feature #15284 (New): Specify a Device parameter for Pushover Notifications | https://redmine.pfsense.org/issues/15284 | 2024-02-22T03:14:10Z | Michael Klein
<p>Hello,</p>
<p>Can you please add the ability to specify a DEVICE parameter for Pushover notifications so that a notification is sent to a specific device under that user account instead of ALL DEVICES under that user account? The menu is located at: System, Advanced, Notifications, Pushover.</p>
<p>Thank you!</p>
pfSense Plus - Todo #15266 (Feedback): Prevent usage of the default password in User Manager acco... | https://redmine.pfsense.org/issues/15266 | 2024-02-16T18:53:24Z | Jim Pingle
<p>Currently we detect in the GUI when the admin account is using the default password (<code>"pfsense"</code>) and print a warning message: source:src/usr/local/www/head.inc#L564</p>
<p>We should change that to check any account (not just <code>admin</code>) and force a password change during one or more of the user's initial interactions, for example:</p>
<ul>
<li>During the setup wizard</li>
<li>GUI login any time the password matches the default password</li>
<li>Shell (console or SSH) login any time the password matches the default password</li>
<li>Possibly during the installation process</li>
</ul>
<p>We should also not allow the user to change their password to any variation of "pfsense" in upper/lower/mixed case.</p>
pfSense Plus - Feature #15186 (New): Test DNS over TLS | https://redmine.pfsense.org/issues/15186 | 2024-01-24T23:57:32Z | Jeff Kuehl
<p>The ability to readily confirm TLS DNS would be established once saved.</p>
pfSense Plus - Feature #15070 (New): Script to fix: ld-elf.so.1: Shared object "libssl.so.30" not... | https://redmine.pfsense.org/issues/15070 | 2023-12-06T05:14:20Z | Jonathan Lee
<p>When using boot environments to move system back a version to last stable version users can no longer check for updates. This version is displayed under GUI as a version to still use. Thus a boot environment should not contain this error for standard users it should default back also.</p>
<p>Error is:<br /><code>ld-elf.so.1: Shared object "libssl.so.30" not found, required by "pfSense-repoc"</code></p>
<p>stephenw10 fixed my issue with the linked library Boot Environment issue for plus</p>
<p><code>pkg-static upgrade -f pfSense-repoc</code></p>
<p>Can we add a simple script that will auto run this command when users change to an older boot environment, and have a try/catch error condition for this?</p>
<p>That way previous stable version boot environments do not see this error.</p>
pfSense Plus - Feature #15022 (New): Package install/reinstall feature request. | https://redmine.pfsense.org/issues/15022 | 2023-11-22T01:23:31Z | Jonathan Lee
<p>Hello fellow Redmine community members. I have noticed time and time again I have the ability to scroll during package installs to see what package dependencies are installing and to check version numbers but I can't get it to stay still for longer than a split second before it auto scrolls back to the bottom. Can we make this stay where users are when they scroll and remove the auto scroll function?</p>
<p>We currently have no way to see the dependency information after it scrolls past because auto scroll takes us back to the bottom again.</p>
<p>See attached photo, I wanted to check what dependency versions were installed. Every time you scroll it defaults to bottom again.</p>
pfSense Plus - Feature #15013 (New): Speed Shift - Add Field to control lowest C-State | https://redmine.pfsense.org/issues/15013 | 2023-11-19T14:56:54Z | Dieter Kreuz
<p>Dear pfSense-team,</p>
<p>After updating to 2.7.1 I was curious how well the new speed shift GUI entries work.<br />In fact after adjusting it to per core and a value of 90, I can see my i3-7100U is able to clock somewhat lower and park the cores more often.</p>
<p>One thing I noticed with the command:<br /><code>sysctl dev.cpu | grep cx_</code></p>
<p>is that my CPU supports C1 and C2, but the lowest c-state setting was set to C1 by default:<br /><code>dev.cpu.0.cx_method: C1/mwait/hwc C2/mwait/hwc</code><br /><code>dev.cpu.0.cx_lowest: C1</code></p>
<p>By adding the following command to the tunables:<br /><code>hw.acpi.cpu.cx_lowest = C2</code></p>
<p>I was able to get the CPU to use its C2-states too. Another XEON-pfsense setup was able to use its C3 states as well, by using the commands stated.<br />One is able to see the usage of c-states with the following command:<br /><code>sysctl dev.cpu | grep cx_usage</code></p>
<p><code>dev.cpu.0.cx_usage_counters: 3717721 111658492</code><br /><code>dev.cpu.0.cx_usage: 3.22% 96.77% last 294us</code></p>
<p>Would it be possible to add a new selection-field to the now existing speedshift-gui in order to be able to select the lowest c-state?<br />Maybe the selectable values can be parsed from the CPU's capability, which is represented by the values of "dev.cpu.0.cx_method".</p>
<p>Thanks in advance.<br />Best regards<br />Dieter</p>
pfSense Plus - Feature #14810 (New): add Packet Too Big icmp type in firewall | https://redmine.pfsense.org/issues/14810 | 2023-09-25T21:58:26Z | yon Liu (info@ipv6china.com)
<p>I hope more ICMP type refinements can be added to the firewall options.<br />For example, add Type 2 - Packet Too Big and 4 Fragmentation Needed and Don't Fragment was Set</p>
<p>Because I have security blocking most ICMP and only allowing necessary ICMP.</p>
pfSense Plus - Feature #14594 (New): VDOM on pfsense | https://redmine.pfsense.org/issues/14594 | 2023-07-20T00:58:58Z | Conor Dang
<p>I do not see this feature in any of the open requests but having a similar functionality to VDOM (virtual domain) on Fortinet devices in pfsense would open many more use cases for it. For those who don't know what a VDOM is, it allows a single firewall to be split up virtually, including having separate webconfigs per each VDOM. I found this post from 9 years ago that had no replies but brought the idea that it could be done on pfsense: <a class="external" href="https://list.pfsense.narkive.com/VCNLiGjK/pfsense-something-like-fortigate-s-vdom-feature">https://list.pfsense.narkive.com/VCNLiGjK/pfsense-something-like-fortigate-s-vdom-feature</a><br />If you want to learn more about VDOM as it works in Fortinet, visit their page describing it: <a class="external" href="https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/597696/vdom-overview">https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/597696/vdom-overview</a></p>
pfSense Plus - Feature #14387 (New): Offline config mode | https://redmine.pfsense.org/issues/14387 | 2023-05-15T23:25:14Z | Mike Leone
<p>From a forum discussion. Steve deserves credit.<br /><a class="external" href="https://forum.netgate.com/topic/180107">https://forum.netgate.com/topic/180107</a></p>
<h1>Offline Config Mode</h1>
<ul>
<li>Provide ability to set configurations while no internet or DNS is available. This is pursuant to bug <a class="issue tracker-1 status-3 priority-4 priority-default closed" title="Bug: Lack of DNS or Internet connectivity causes GUI to be slow (Resolved)" href="https://redmine.pfsense.org/issues/12141">#12141</a></li>
<li>23.01 seems to have reverted a little when no WAN is present, while certainly better than 2.6.0 is still quite frustrating</li>
<li>There are use-cases where not having any internet but wanting to even generate a config to load on another firewall with say a static WAN IP to make onsite install easier</li>
<li>When diagnosing a firewall where possibly the internet is down, and even the resolved issue is a bit too much wait especially under a stressful condition</li>
<li>Have an option that shows in the wizard as a checkbox</li>
<li>Have an option in the CLI, like hit "15 for Offline Config mode" before you log in. (Steve W notes "a simple php shell script in the CLI")</li>
<li>Have an option under the Diagnostic tab, to allow you to fix a WAN or other routing issue without the web interface tripping all over itself</li>
</ul>
pfSense Plus - Feature #14252 (New): Optimization for 10GB-Connection/Throughput | https://redmine.pfsense.org/issues/14252 | 2023-04-09T02:50:12Z | Dieter Kreuz
<p>Tuning a 10GB Connection, I've spent many days to get the most performance out of pfSense.</p>
<p>I've found the following commands, which drastically improved the throughput - peak-wise and providing a consistent throughput without dips:</p>
<p>This binds one core/Thread to a queue - I've found this is also present in the pfSense-documentation, but as a non professional I had to search quite long to find how to set it up - maybe a more concrete example with what it means would be helpful:<br /><code>net.isr.maxthreads="-1"</code><br /><code>net.isr.bindthreads="1"</code></p>
<p>Allow interrupts on hyperthreaded cores:<br /><code>machdep.hyperthreading_intr_allowed="1"</code></p>
<p>These can be added to the loader.conf.local.<br />Maybe this helps if someone can't get consistent and good 10GB performance.<br />Would it be possible to extend the pfSense-documentation or even add these options as checkboxes<br />e.g. under the Tab "Networking" Section "Network Interfaces" - like "Optimize Thread-/Queue usage" and "Make logical cores available for interrupt handling" - both with a little explanation?</p>
<p>Thanks in advance.<br />Puni</p>
pfSense Plus - Feature #14012 (New): ZFS memory usage graphs | https://redmine.pfsense.org/issues/14012 | 2023-02-22T09:50:05Z | Jim Pingle
<p>It's becoming increasingly relevant for users to monitor ZFS memory usage, especially ARC usage. This is ideal as a separate RRD graph under <strong>Status > Monitoring</strong> but might also be a nice addition to the ZFS widget or a separate ZFS Memory widget.</p>
<p>Currently users have to look at the output of <code>top</code> to see it:</p>
<pre>
ARC: 1202M Total, 743M MFU, 384M MRU, 916K Anon, 14M Header, 59M Other
1041M Compressed, 3148M Uncompressed, 3.02:1 Ratio
</pre>
<p>Or dig through sysctl OIDs:</p>
<pre>
kstat.zfs.misc.arcstats.mfu_ghost_size: 0
kstat.zfs.misc.arcstats.mfu_size: 778736128
kstat.zfs.misc.arcstats.mru_ghost_size: 0
kstat.zfs.misc.arcstats.mru_size: 402139648
kstat.zfs.misc.arcstats.anon_size: 989184
kstat.zfs.misc.arcstats.other_size: 62153984
kstat.zfs.misc.arcstats.bonus_size: 13352960
kstat.zfs.misc.arcstats.dnode_size: 35653000
kstat.zfs.misc.arcstats.dbuf_size: 13148024
kstat.zfs.misc.arcstats.metadata_size: 138728448
kstat.zfs.misc.arcstats.data_size: 1043136512
kstat.zfs.misc.arcstats.hdr_size: 14482464
kstat.zfs.misc.arcstats.overhead_size: 90355200
kstat.zfs.misc.arcstats.uncompressed_size: 3300402688
kstat.zfs.misc.arcstats.compressed_size: 1091509760
kstat.zfs.misc.arcstats.size: 1260264224
kstat.zfs.misc.abdstats.linear_data_size: 114316288
kstat.zfs.misc.abdstats.scatter_data_size: 977197568
kstat.zfs.misc.abdstats.struct_size: 6681872
</pre>
<p>The exact set of data to graph is open for debate here, but we should at least go with the equivalent values to those shown in <code>top</code> output.</p>
pfSense Plus - Feature #13786 (New): ldap intergration for firewall rules | https://redmine.pfsense.org/issues/13786 | 2022-12-20T15:54:09Z | Mike Moore
<p>Seeing as there are LDAP connectors in the software already for authentication, would it be possible to leverage that for firewall rules?<br />Creating a permit/deny rule based on source 'LDAP\User1'. This feature alone would be "nextgen" for pf.</p>
<p>On other vendors, this does require an agent being installed on an AD server to get that updated directory list to map IP addr to username. But I think that would only be helpful for reporting/analytics. If we need to just validate the username and that's it, then I think this is possible. Other packages such as Squid can be leveraged if reporting is needed to see what sites were visited and when.</p>
pfSense Plus - Feature #12524 (New): OpenSSL QAT Engine | https://redmine.pfsense.org/issues/12524 | 2021-11-15T05:07:22Z | Luca De Andreis
<p>Hi all,</p>
<p>Is it possible to compile OpenSSL to use QAT on pfSense Plus, then accelerate OpenVPN?</p>
<p>Thanks</p>
<p>Luca</p>
pfSense Plus - Feature #11920 (New): SAML Authentication for pfSense (VPN and webConfigurator) | https://redmine.pfsense.org/issues/11920 | 2021-05-13T14:27:23Z | Kris Phillips
<p>A customer has requested SAML authentication support for things like Azure as an alternative to LDAP and RADIUS. Please reference internal ticket number 84890 for more details.</p>
<p>There are some projects that exist for making the webConfigurator work with SAML for authentication. See here:<br /><a class="external" href="https://github.com/jaredhendrickson13/pfsense-saml2-auth">https://github.com/jaredhendrickson13/pfsense-saml2-auth</a></p>
<p>Additionally, it seems that OpenVPN has support for this as an authentication method.</p>