pfSense bugtracker: Issueshttps://redmine.pfsense.org/https://redmine.pfsense.org/favicon.ico?16780521162024-03-11T16:52:27ZpfSense bugtracker
Redmine pfSense - Feature #15331 (New): Client (service) for CloudFlare WARP/WAR+https://redmine.pfsense.org/issues/153312024-03-11T16:52:27ZSergei Shablovsky
<p><strong>On now CloudFlare in fact for a couple of years are fastest and reliable proxy and SDN for most users.</strong><br />(Sometimes magistrale and core borders routing problems that hit Akamai, make a not big touch on CF.)<br />Most of “child problems” as newly and fast growing company HAS GONE AWAY.</p>
<p>And <strong>NUMBER OF POINT OF PERSISTENCE (data centers, servers on colocation) ARE CONSTANTLY GROW!</strong></p>
<p><strong>All this make WARP/WARP+ CloudFlare service more and more wanted not only by most of ordinary users, advanced users, but small and middle private business and government organization.</strong></p>
<p>And as a result, from 2022 more and more ciders try to realize CloudFlare WARP/WARP+ client code for various OSs, especially on which routers/firewalls are based.</p>
<p>Please take a look on <br />thread on pfSense CE<br /><a class="external" href="https://forum.netgate.com/topic/177267/connecting-to-cloudflare-surely-its-possible">https://forum.netgate.com/topic/177267/connecting-to-cloudflare-surely-its-possible</a></p>
<p>thread on CloudFlare</p>
<p><a class="external" href="https://community.cloudflare.com/t/warp-client-for-freebsd-based-firewalls-eg-pfsense-opnsense/426717/1">https://community.cloudflare.com/t/warp-client-for-freebsd-based-firewalls-eg-pfsense-opnsense/426717/1</a></p>
<p>So, the downline of all of this:<br />making CloudFlare WARP/WARP+ client as separate package for pfSense is not so much time and efforts.</p>
<p>If DevTeam make it right now, testing and feedbacks from users within summer (when not so much business workload and negative impact would be minimal) for the next upcoming release (2.7.3-REL) this *adding more value to pfSense” and growing distance from concurrent OPNsense.</p> pfSense - Feature #15221 (New): Make System Tunables table sortablehttps://redmine.pfsense.org/issues/152212024-01-31T19:43:54ZRonald Antonyrcfa+pfsense.org@cubiculum.com
<p>On the System > Advanced page's System Tunables tab, it's really hard to <br />a) find/check values, since they are in no particular order<br />b) compare the settings of two machines, because, again, the values are in no particular order.</p>
<p>Being able to sort them by the Tunable Name is particularly important as it seems the Description of these fields has been changed over the years, so two systems originally set up at different times with different versions of pfSense have different descriptions for the same field, making it even harder to find/compare the values.</p> pfSense - Bug #15083 (New): Installing to ZFS mirror does not format or populate EFI partition on...https://redmine.pfsense.org/issues/150832023-12-11T16:28:54ZJim Pingle
<p>Installing Plus 23.09.1 or CE 2.7.2 to a ZFS mirror does not format or populate the EFI partition on the additional disks of the mirror. Only the first disk in the mirror has a populated EFI filesystem with the expected loader files.</p>
<p>The EFI Partition for the second disk (or later) is created and labeled as <code>/dev/gpt/efiboot1</code> (and so on) but there is no filesystem on that partition (and thus, no files).</p>
<p>Should the first disk in the mirror fail, this would leave the system unbootable.</p>
<p>Can be worked around by manually creating and populating the additional EFI partition(s) post-install</p>
<p>For example, to format and populate the EFI filesystem on the second disk of the mirror:</p>
<pre><code class="shell syntaxhl"><span class="c"># newfs_msdos -F 32 -c 1 -L EFISYS1 /dev/gpt/efiboot1</span>
<span class="c"># mount_msdosfs /dev/gpt/efiboot1 /mnt</span>
<span class="c"># cp -R /boot/efi/ /mnt</span>
<span class="c"># umount /mnt</span>
</code></pre> pfSense Packages - Feature #15056 (New): Feature Request: Donate to Package Maintainer Button https://redmine.pfsense.org/issues/150562023-12-01T20:31:37ZJonathan Lee
<p>Maybe the packages, should have a button so donate button to send some money to maintainers. I recently learned that Snort was built with donated time. I was really confused about this. It kind of confused me.</p> pfSense - Bug #15015 (New): Static routes not workinghttps://redmine.pfsense.org/issues/150152023-11-20T17:53:07ZSilviu Bajenaru
<p>Hello,</p>
<p>This morning I updated to PFSense 2.7.1 from 2.7.0. Now, I just tried to add a dynamic gateway and a static route. Unfortunately, the static route is not being added to the routing table. I restored the VM backup from this morning, before I updated, added the same gateway and static route and it was added to the routing table, and everything works fine.<br />I've set the priority to Urgent since this is quite bad for a router...?</p>
More info about my setup: I've got three sites, let's call them A, B and C. There is an IPSec tunnel between A and B, and one between B and C. Both tunnels are set with Mode VTI. I've assigned the ipsec interfaces and set the gateways and routes:<br />Site A has a gateway set on the IPSec interface and a route for site C that uses that gateway.<br />Site B has two gateways (one for each IPSec tunnel) and the following routes:
<ul>
<li>route to site A via the IPSec interface - gateway - going to site A</li>
<li>route to site B via the IPSec interface - gateway - going to site B<br />Site C has a gateway set on the IPSec interface and a route for site A that uses that gateway.<br />Site A was updated this morning to PFSense 2.7.1, while Site C is running 2.7.0.<br />Site A DOES NOT have the static routes added to the routing table.<br />Site C does have the static routes added to the routing table.</li>
</ul>
<p>Once I reverted Site A to 2.7.0, I did the same config again and the routes were added to the routing table.</p>
<p>Thank you.</p> pfSense Packages - Feature #14941 (New): add directdomains list in GUIhttps://redmine.pfsense.org/issues/149412023-11-03T09:46:08ZClaude-Axel Piller
<p>Is it possible to add directly in the GUI a directdomains category like whitelist or blacklist ...<br />this directdomains won't use the proxy and can access directly to internet.<br />Some apps like vrchat don't work with proxy.<br />thanks</p> pfSense - Feature #14923 (New): Feature request - Backup encryption using a public keyhttps://redmine.pfsense.org/issues/149232023-10-26T20:52:53ZWolfgang Thegreat
<p>This feature request is following a community post at <a class="external" href="https://forum.netgate.com/topic/183662/backup-encryption-using-a-public-key">https://forum.netgate.com/topic/183662/backup-encryption-using-a-public-key</a></p>
<p>Hello,</p>
<p>Currently the manual backup encryption is using a password the user needs to submit to the device, which is not so friendly and somewhat less secure, since browsers are multi-purpose and has plugins/addons that at times discovered as malicious.</p>
<p>So, I thought - why not do this encryption using a public key?<br />It can use the current users mechanism, as a user object can store a public key value, currently for SSH access authentication, but it can also be used to encrypt and sign the backup. One can even create a special user just for the goal of backup.</p>
<p>I guess this method can also be applied to the scheduled backups to the pfSense cloud, the "Auto Config Backup" feature.</p>
<p>This way the risk of password leak/exposure or even folks fear that pfSense will "steal" this password, will be gone.<br />Also, it should be easier for users to verify the authenticity and integrity of the output file and to decrypt it offline when needed, to read the plain text configuration XML file.</p>
<p>Thank you!</p> pfSense - Bug #14906 (New): DHCPv4 server self-assigning address to own DHCP client-enabled inter...https://redmine.pfsense.org/issues/149062023-10-22T15:24:26ZLuca Piccirillo
<p>Assume three NICs: igc0, igc1, igc2<br />Assume a single bridge: bridge0 (OPT2, OPT3)<br />And a VLAN: igc0.1036</p>
<p>Interfaces assignment as follows:<br />WAN -> igc0.1036 -> IPv4 (DHCP): 1.2.3.4/30<br />LAN -> bridge0 -> IPv4 (static): 192.168.1.1/24<br />OPT1 -> igc0 -> IPv4 (static): 192.168.100.2/24<br />OPT2 -> igc1<br />OPT3 -> igc2</p>
<p>DHCP & RA enabled for LAN only.</p>
<p>The problem: switching OPT1 IPv4 settings from static to DHCP makes pfSense to assign itself an address from the LAN pool, also creating a wrong on-link route for its LAN subnet over the igc0 port, which is the underlying IF of WAN.</p>
<p>Of course this is easily noticeable when no other DHCP serve is active on that igc0 port broadcast domain.</p> pfSense - Bug #14891 (New): High CPU usage when interface get down and up due to proces check_rel...https://redmine.pfsense.org/issues/148912023-10-18T10:40:27ZThijs K
<p>Today I noticed that the cpu usage was high on my pfSense appliance (N5105, I226). <br />After looking in top I see that check_reload_status is fully taxing one core. <br />This process seems to be triggered when the wan interface comes down and up. <br />The process keeps running and taxing the CPU until it is manually stopped.</p> pfSense Packages - Feature #14838 (New): Full support for AdBlock-style listshttps://redmine.pfsense.org/issues/148382023-10-04T21:57:19ZAndre Braitandrebrait@gmail.com
<p>The AdBlock syntax allows for both blacklisting and whitelisting, as well as using wildcards and sometimes plain regular expressions. Many popular lists make use of such features. Currently, pfBlockerNG only supports parsing simple non-wildcard blacklist entries, as long as they obey the format `^[|]{2}.*[^]$`.</p>
<p>Support can be improved, especially for the Python mode.</p>
<ul>
<li>Unbound mode:
<ul>
<li>Whitelist entries with wildcards (limited)
<ul>
<li>Using grep with regexes to rule out entries from the blacklists</li>
</ul>
</li>
</ul>
</li>
<li>Python mode
<ul>
<li>Blacklist entries with wildcard support
<ul>
<li>Requires filtering 100% inside Python</li>
</ul>
</li>
<li>Whitelist entries with wildcard support
<ul>
<li>Probably better and easier if done 100% inside Python</li>
<li>Default "re" engine might be too slow, better to import "regex"</li>
</ul></li>
</ul></li>
</ul>
<p>References: <br />1. <a class="external" href="https://help.adblockplus.org/hc/en-us/articles/360062733293-How-to-write-filters">https://help.adblockplus.org/hc/en-us/articles/360062733293-How-to-write-filters</a><br />2. <a class="external" href="https://adguard.com/kb/general/ad-filtering/create-own-filters/">https://adguard.com/kb/general/ad-filtering/create-own-filters/</a></p>
<p>Some of it is already implemented in this PR: <a class="external" href="https://github.com/pfsense/FreeBSD-ports/pull/1302">https://github.com/pfsense/FreeBSD-ports/pull/1302</a></p> pfSense Packages - Regression #14764 (New): HAProxy local syslog not workinghttps://redmine.pfsense.org/issues/147642023-09-09T19:08:28ZMichael Vincent
<p>HAProxy package v0.63_1</p>
<p>Setting the syslog host to <code>/var/run/log</code> in the HAProxy settings doesn't produce any entries in the pfSense system logs.</p>
<p>Following the suggestion in <a href="https://serverfault.com/a/1141223" class="external">this post</a> fixes the issue by making syslogd listen to a UDP socket:</p>
<ol>
<li>Edit <code>/etc/defaults/rc.conf</code> (Diagnostics -> Edit File).</li>
<li>Change <code>syslogd_flags="-s"</code> to <code>syslogd_flags="-s -b localhost -C"</code></li>
<li>Restart the syslogd service (Status -> Services).</li>
</ol>
<p>They also reference this forum post with more details:<br /><a class="external" href="https://forums.freebsd.org/threads/haproxy-not-logging.76876/#post-477067">https://forums.freebsd.org/threads/haproxy-not-logging.76876/#post-477067</a></p> pfSense - Bug #14741 (New): PHP error in DNS Forwarder host overrides when the language is set to...https://redmine.pfsense.org/issues/147412023-09-02T10:26:29ZNicolas PISTER
<p>A PHP error occur when a user try to add or modify Host Override in DNS Forwarder module</p>
<pre>
amd64
14.0-CURRENT
FreeBSD 14.0-CURRENT #1 RELENG_2_7_0-n255866-686c8d3c1f0: Wed Jun 28 04:21:19 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_0-main/obj/amd64/LwYAddCr/var/jenkins/workspace/pfSense-CE-snapshots-2_7_0-main/sources/FreeBSD-src-REL
Crash report details:
PHP Errors:
[02-Sep-2023 11:55:24 Europe/Paris] PHP Fatal error: Uncaught ValueError: Unknown format specifier "p" in /usr/local/www/classes/Form/Input.class.php:127
Stack trace:
#0 /usr/local/www/classes/Form/Input.class.php(127): sprintf('Nom de domaine ...', '<br />')
#1 /usr/local/www/services_dnsmasq_edit.php(85): Form_Input->setHelp('Domain of the h...', '<br />')
#2 {main}
thrown in /usr/local/www/classes/Form/Input.class.php on line 127
[02-Sep-2023 11:58:37 Europe/Paris] PHP Fatal error: Uncaught ValueError: Unknown format specifier "p" in /usr/local/www/classes/Form/Input.class.php:127
Stack trace:
#0 /usr/local/www/classes/Form/Input.class.php(127): sprintf('Nom de domaine ...', '<br />')
#1 /usr/local/www/services_dnsmasq_edit.php(85): Form_Input->setHelp('Domain of the h...', '<br />')
#2 {main}
thrown in /usr/local/www/classes/Form/Input.class.php on line 127
[02-Sep-2023 11:58:46 Europe/Paris] PHP Fatal error: Uncaught ValueError: Unknown format specifier "p" in /usr/local/www/classes/Form/Input.class.php:127
Stack trace:
#0 /usr/local/www/classes/Form/Input.class.php(127): sprintf('Nom de domaine ...', '<br />')
#1 /usr/local/www/services_dnsmasq_edit.php(85): Form_Input->setHelp('Domain of the h...', '<br />')
#2 {main}
thrown in /usr/local/www/classes/Form/Input.class.php on line 127
</pre>
<p>I think it come from a french translation file because when i use original language, everithing works.</p> pfSense - Bug #14397 (New): DHCPv4 client (dhclient) does not use 802.1p Priority tagging on DHCP...https://redmine.pfsense.org/issues/143972023-05-19T14:52:52ZTue Madsen
<p>Some ISPs using VLANs for service, require DHCPv4/v6 Frames to be 802.1p priority tagged. <br />pfSense has the option to do this by either:<br />- Setting VLAN priority tagging in the Interface DHCP options (if you are not using Advanced configuration or a predefined configuration file)<br />- If using advanced configuration: By adding “vlan-pcp x” in the advanced modifier options.</p>
<p>BUG:<br />This priority setting in only used in DISCOVER and RELEASE frames sent by dhclient - NOT in RENEW or REBIND.</p>
<p>This is now causing major problems in France where Orange (Major ISP) has upgraded to also requiring the RENEW frames to be properly VLAN Priority tagged.<br />This causes the uplink to stop working when a renew is due. (About once a day)</p>
<p>I don’t know if the issue is the same in DHCPv6</p>
<p>The issue was patched in OPNsense about a month ago, and they decided to drop the advanced options overwrite of the VLAN priority setting in interface DHCP options. <br />Instead they let the user choose if VLAN priority should be used via the interface DHCP VLAN Priority setting already available. <br />If selected it would - apart from adding “vlan-pcp x” to the dhclient config - also set the priority tag in the builtin pffilter rule that passes Interface DHCP client traffic. This adds the tag to RENEW and REBIND frames.</p>
<p>The issue occurs because dhclient uses a bfg interface for DISCOVER and RELEASE - thus respecting the vlan-pcp settings. But for RENEW it uses a simple socket, and that causes it not to be tagged correctly. In pfSense you cannot create a floating match rule to manually tag the traffic that has higher priority than the builtin pass quick rule for the interface DHCP client.</p> pfSense Packages - Bug #13544 (New): SquidGuard either denying everything or proxying everythinghttps://redmine.pfsense.org/issues/135442022-10-05T01:40:03ZJimmy Michaelson
<p>Hey,</p>
<p>I truly doubt this is a configuration issue as I've tried all the possible combinations.</p>
<p>Relevant images and config:</p>
<p><a class="external" href="https://forum.netgate.com/topic/175057/10-btc-bounty-squid-proxy-whitelist-per-source-ip/6">https://forum.netgate.com/topic/175057/10-btc-bounty-squid-proxy-whitelist-per-source-ip/6</a></p>
<p>FYI: The bounty has been bumped to $20 and is also valid here.</p> pfSense - Bug #9295 (New): IPv6 PD does not work with PPPOE (Server & Client)https://redmine.pfsense.org/issues/92952019-01-29T11:51:01ZDirk Steingäßer
<p>Hi,</p>
<p>as encountering DHCPv6 with Prefix delegation does not work together with PPPOE Server vice versa it is not possible to get a prefix with an interface where the IPv4 Uplink is PPPOE.</p>