pfSense bugtracker: Issues | https://redmine.pfsense.org/ | 2024-02-20T21:51:14Z
pfSense Packages - Bug #15274 (Incomplete): HAProxy Configuration Changes Require pfSense Reboot ... | https://redmine.pfsense.org/issues/15274 | 2024-02-20T21:51:14Z | Zachary Cohen
<p>As originally reported here (<a class="external" href="https://forum.netgate.com/topic/172972/haproxy-config-changes-not-loaded-pfsense-restart-needed">https://forum.netgate.com/topic/172972/haproxy-config-changes-not-loaded-pfsense-restart-needed</a>), changes made to the HAProxy configuration require a reboot to take effect.</p>
<p>I'm consistently able to reproduce this issue when adding new backends.</p>
<p>When browsing to the new backend, I receive a 503 - "no server is available to handle this request". After rebooting, it works as expected.</p>
<p>Other users have been able to validate that this issue was present starting with pfSense 2.6.0 and HAProxy version haproxy-devel 0.62.10.</p>
<p>While I was able to replicate that issue starting on that version, I'm currently replicating it in pfSense 2.7.2-RELEASE (amd64) and haproxy-devel 0.63_2.</p>
pfSense - Bug #15194 (Incomplete): PHP Fatal error in easyrule CLI | https://redmine.pfsense.org/issues/15194 | 2024-01-26T14:31:35Z | David Johnston
<p>Running "easyrule block wan 1.0.152.114" via ssh caused an error.<br />It looks like it's a problem in backup_config().<br />It's actually a permissions error; easyrule needs to be run as root.</p>
<p>Possible fixes:<br />1. chmod 700 /usr/local/bin/easyrule<br />2. Add a check to the PHP to report permissions errors.</p>
pfSense Packages - Bug #15131 (Incomplete): OpenVPN client export issues with iPhone and IPV6 con... | https://redmine.pfsense.org/issues/15131 | 2024-01-02T18:38:40Z | Jonathan Lee
<p>I have researched and found an issue within the OpenVPN's client export config file for iPhones (OpenVPN Connect (iOS/Android)).</p>
<p>It exports with udp4 listed, and this does not work with iPhones because of IPv6 in the config (.ovpn) file; it must be changed to udp for iOS iPhones to work with OpenVPN and pfSense.</p>
<p>That is the only adaption needed to fix this issue.</p>
pfSense Plus - Bug #15017 (Incomplete): DHCP relay CARP status VIP function is not working in pfs... | https://redmine.pfsense.org/issues/15017 | 2023-11-20T19:51:25Z | Robert Karsai
<p>Hello,<br />It seems that after the 23.05.1->23.09 upgrade the DHCP relay CARP status VIP function is not working properly. The DHCP relay agent stays active at all times (dhcrelay stays green on the dashboard widget, and pgrep dhcrelay<br />returns running processes in the CLI); it will not be stopped when the chosen VIP is in BACKUP status. Not a big deal, there can be two active relay agents in the same network, but this is not how it is supposed to work. Strangely, this only affects our pfSense+ 23.09 clusters; in pfSense CE 2.7.1 this is not an issue.<br />--<br />BR<br />Robert</p>
pfSense - Bug #14840 (Incomplete): OpenVPN Uncaught Exception log error: Uncaught Exception: Can'... | https://redmine.pfsense.org/issues/14840 | 2023-10-05T12:29:00Z | Phil Wardt
<p>I received the below notification about an error when pfsense was booted:</p>
<pre><code class="shell syntaxhl">7:51:21 PHP ERROR: Type: 1, File: /usr/local/share/openssl_x509_crl/ASN1_GENERALTIME.php, Line: 73, Message: Uncaught Exception: Can't parse time from string '211029094223Z' in /usr/local/share/openssl_x509_crl/ASN1_GENERALTIME.php:73
Stack trace:
#0 /usr/local/share/openssl_x509_crl/ASN1.php(136): Ukrbublik\openssl_x509_crl\ASN1_GENERALTIME->decodeSimple('0\x82\x06e0\x82\x04M\xA0\x03\x02\x01\x02\x02\x08...', 167, 13)
#1 /usr/local/share/openssl_x509_crl/ASN1.php(314): Ukrbublik\openssl_x509_crl\ASN1->decode('0\x82\x06e0\x82\x04M\xA0\x03\x02\x01\x02\x02\x08...', 167, 13)
#2 /usr/local/share/openssl_x509_crl/ASN1.php(138): Ukrbublik\openssl_x509_crl\ASN1->decodeConstructed('0\x82\x06e0\x82\x04M\xA0\x03\x02\x01\x02\x02\x08...', 165, 30)
#3 /usr/local/share/openssl_x509_crl/ASN1.php(314): Ukrbublik\openssl_x509_crl\ASN1->decode('0\x82\x06e0\x82\x04M\xA0\x03\x02\x01\x02\x02\x08...', 165, 30)
#4 /usr/local/share/openssl_x509_crl/ASN1.php(138): Ukrbublik\openssl_x509_crl\ASN1->decodeConstructed('0\x82\x06e0\x82\x04M\xA0\x03\x02\x01\x02\x02\x08...', 8, 1101)
#5 /usr/local/share/openssl_x509_crl/ASN1.php(314): Ukrbublik\openssl_x509_crl\ASN1->decode('0\x82\x06e0\x82\x04M\xA0\x03\x02\x01\x02\x02\x08...', 8, 1101)
#6 /usr/local/share/openssl_x509_crl/ASN1.php(138): Ukrbublik\openssl_x509_crl\ASN1->decodeConstructed('0\x82\x06e0\x82\x04M\xA0\x03\x02\x01\x02\x02\x08...', 4, 1637)
#7 /usr/local/share/openssl_x509_crl/ASN1.php(314): Ukrbublik\openssl_x509_crl\ASN1->decode('0\x82\x06e0\x82\x04M\xA0\x03\x02\x01\x02\x02\x08...', 4, 1637)
#8 /usr/local/share/openssl_x509_crl/ASN1.php(138): Ukrbublik\openssl_x509_crl\ASN1->decodeConstructed('0\x82\x06e0\x82\x04M\xA0\x03\x02\x01\x02\x02\x08...', 0, 1641)
#9 /usr/local/share/openssl_x509_crl/X509_CERT.php(44): Ukrbublik\openssl_x509_crl\ASN1->decode('0\x82\x06e0\x82\x04M\xA0\x03\x02\x01\x02\x02\x08...', 0, 1641)
#10 /usr/local/share/openssl_x509_crl/X509_CRL.php(60): Ukrbublik\openssl_x509_crl\X509_CERT::decode('0\x82\x06e0\x82\x04M\xA0\x03\x02\x01\x02\x02\x08...')
#11 /etc/inc/certs.inc(1071): Ukrbublik\openssl_x509_crl\X509_CRL::create(Array, Object(OpenSSLAsymmetricKey), '0\x82\x06e0\x82\x04M\xA0\x03\x02\x01\x02\x02\x08...')
#12 /etc/inc/openvpn.inc(1353): crl_update(Array)
#13 /etc/inc/openvpn.inc(1576): openvpn_reconfigure('server', Array)
#14 /etc/inc/openvpn.inc(1865): openvpn_restart('server', Array)
#15 /etc/inc/openvpn.inc(1907): openvpn_resync('server', Array)
#16 /etc/rc.newwanip(261): openvpn_resync_all('wan', 'inet')
#17 {main}
thrown
</code></pre>
<p>It is the first time and never sent again!</p>
pfSense - Bug #14839 (Incomplete): PHP Parse error: syntax error | https://redmine.pfsense.org/issues/14839 | 2023-10-05T09:43:54Z | Sam Vanchanna
<p>[05-Oct-2023 12:18:36 Asia/Phnom_Penh] PHP Parse error: syntax error, unexpected end of file in /usr/local/sbin/pfSsh.php(374) : eval()'d code on line 6</p>
pfSense Plus - Bug #14778 (Incomplete): /usr/local/www/csrf/csrf-magic.php on line 161 PH... | https://redmine.pfsense.org/issues/14778 | 2023-09-13T16:04:10Z | Andrew Rojek
<p>Got this error message when trying to view a small list of CIDR addresses in Firewall->Aliases.<br />It was followed by a white blank screen and I had to reload the console page to reveal the error message below...</p>
<p>Crash report begins. Anonymous machine information:</p>
<p>arm64<br />14.0-CURRENT<br />FreeBSD 14.0-CURRENT #1 plus-RELENG_23_05_1-n256108-459fc493a87: Wed Jun 28 04:25:15 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-23_05_1-main/obj/aarch64/0P4W6joa/var/jenkins/workspace/pfSense-Plus-snapshots-23_05_1-main/source</p>
<p>Crash report details:</p>
<p>PHP Errors:<br />[13-Sep-2023 10:08:16 Europe/London] PHP Fatal error: str_ireplace(): Cannot use output buffering in output buffering display handlers in /usr/local/www/csrf/csrf-magic.php on line 161<br />[13-Sep-2023 10:08:53 Europe/London] PHP Fatal error: str_ireplace(): Cannot use output buffering in output buffering display handlers in /usr/local/www/csrf/csrf-magic.php on line 161</p>
<p>No FreeBSD crash data found.</p>
<p>Thank you.</p>
pfSense Packages - Bug #14504 (Incomplete): FTP_Client_Proxy package doesn't create firewall rule | https://redmine.pfsense.org/issues/14504 | 2023-06-23T08:23:53Z | Stefano Ceccherini
<p>I've installed FTP_Client_Proxy 0.3_8 on pfSense plus 23.05. I enabled the FTP client proxy services, but it doesn't create a firewall rule.</p>
<p>I had tested on pfSense plus 23.01 and it didn't work there, either.</p>
<p>When connecting from client, I got this in the firewall log:</p>
<p>#1 client command too long or not clean<br />#2 client command too long or not clean</p>
pfSense Packages - Bug #13886 (Incomplete): NUT Server Package | https://redmine.pfsense.org/issues/13886 | 2023-01-19T06:02:26Z | Anonymous
<p>NUT server package (2.8.0_2) won't load in 23.01 Beta</p>
pfSense - Bug #13215 (Incomplete): Allowed MAC/IP/Hostname traffic counts for authorized users | https://redmine.pfsense.org/issues/13215 | 2022-05-25T03:03:52Z | Viktor Gurov
<p>This is due to rewriting pf tags.<br />CP rules must check <code>tagged</code> value on all steps.</p>
pfSense - Bug #12927 (Incomplete): OpenVPN with OCSP enabled allows connections with revoked cert... | https://redmine.pfsense.org/issues/12927 | 2022-03-10T04:20:17Z | Danilo Zrenjanin
<p>OpenVPN doesn't honor certificate validity status against the site listed in the OCSP URL field.</p>
<p>See:<br /><a class="external" href="https://redmine.pfsense.org/issues/11830">https://redmine.pfsense.org/issues/11830</a></p>
<pre>
Konstantin Panchenko wrote in #note-11:
This is still an issue in 2.5.2, validation code still checking only for the last line returned from "openssl", documentation for exec command states that output parameter must be used to get the full output and that would be array. Last line analysed in current code would look only "Next Update: May 11 11:29:54 2021 GMT", see above.
https://www.php.net/manual/en/function.exec.php
I see the issue was closed by adding "-resp_text" option, however without analysing the whole output of the EXEC / Openssl function this won't work. I've attached my edit for review.
</pre>
pfSense - Bug #12734 (Incomplete): Long hostname breaks DHCP leases layout | https://redmine.pfsense.org/issues/12734 | 2022-01-26T13:11:38Z | Juri Oo
<p>It appears that long hostnames will kind of break the dhcp leases status page. <br />With Nmap package and MAC vendors, the right part is cut off almost completely and a horizontal scrollbar is added at the bottom. <br />Is this normal? I can see long MAC vendors are being cut to 3 rows. Shouldn't the hostname line also be cut at some point (in such rare cases)?</p>
<p>Tested with 2.5.2-RELEASE (amd64). Hostname is 40 characters long.</p>
pfSense Packages - Bug #11936 (Incomplete): FRR does not connect BGP when using password | https://redmine.pfsense.org/issues/11936 | 2021-05-19T08:09:21Z | Clint Guillot
<p>Unsecured BGP sessions work fine, however password protected BGP sessions which previously worked fine no longer work in FRR.</p>
<p>Neighbor remains in "Active" state, never reaches "Established."</p>
pfSense - Bug #8882 (Incomplete): Interface assignments lost on reboot | https://redmine.pfsense.org/issues/8882 | 2018-09-10T20:31:24Z | Jaime Geiger
<p>I'm running pfsense in AWS and I'm trying to route out of xn1 (second interface) instead of xn0 (using it as a sync interface). <br />LAN is xn0, WAN is xn1 in the interface assignment page. <br />Both interface assignments (LAN and WAN) get set to xn0 after a reboot, which causes everything to break.</p>
<p>This should not happen. If I set xn0 to WAN and xn1 to LAN then it does not lose the configuration on reboot. <br />Is WAN required to be the first interface (xn0)?</p>
<p>Let me know if you need other details.</p>
pfSense - Bug #7286 (Incomplete): OpenVPN client is unreliable when you have multiple tunnels | https://redmine.pfsense.org/issues/7286 | 2017-02-20T17:58:20Z | Viktor Petersson
<p>I've installed a new pfSense router to route my (Gigabit) WAN connection. My goal was to have it set up such that it both bridges two networks (site-to-site w/ two pfSense boxes) as well as routes all outbound traffic over a VPN to anonymize the traffic. To accomplish this, I use two independent VPN providers to avoid SPoF in a gateway group.</p>
<p>I was able to establish the connections just fine and was able to establish the VPN connections to all three VPN end-points and have traffic flowing through the two public VPN providers.</p>
<p>For a few days, things work fine, but later the connections randomly die. The WAN works fine and there's nothing wrong with the VPN end-points.</p>
<p>My expectation is that pfSense would automatically respawn the connections, which it appears to be doing to some degree. At some point, however, it appears to stop retrying and you end up as the attached screenshot shows.</p>
<p>The strange thing is that even if the system indicates that the link is down, I can still see the ovpncX interface being up and running.</p>
<p>However, since all outbound traffic from the LAN is routed over the VPN(s), the connection for the clients goes down.</p>
<p>My theory is that it is some internal health checker inside pfSense that is failing, which makes the system think the VPN links are down.</p>
<p>What's also worth noting is that even if I have two VPN links in the gateway group, if one VPN connection goes down, so does the full internet connectivity for the entire LAN (unless the VPN link is manually disabled).</p>
<p>I'm happy to provide logs, but I haven't spotted anything of significant interest.</p>