pfSense bugtracker: Issues https://redmine.pfsense.org/ 2024-03-27T15:47:47Z pfSense bugtracker Redmine
pfSense Packages - Bug #15365 (New): pfBlockerNG PHP error when editing a list https://redmine.pfsense.org/issues/15365 2024-03-27T15:47:47Z Steve Wheeler
<p>When editing an IPv4 list item I hit:<br /><pre>
PHP Errors:
[27-Mar-2024 15:22:03 Europe/London] PHP Fatal error: Uncaught ValueError: range(): Argument #3 ($step) must be greater than 0 for increasing ranges in /usr/local/www/pfblockerng/pfblockerng_category_edit.php:391
Stack trace:
#0 /usr/local/www/pfblockerng/pfblockerng_category_edit.php(391): range(1, 17, -1)
#1 {main}
thrown in /usr/local/www/pfblockerng/pfblockerng_category_edit.php on line 391
</pre></p>
<p>Looks like others have hit it editing other lists.</p>
<p>Tested:<br />pfSense-24.03.b.20240322.1708<br />pfSense-pkg-pfBlockerNG-3.2.0_9</p>
pfSense - Bug #15363 (Confirmed): Reply traffic on a secondary WAN is dropped when it's delayed v... https://redmine.pfsense.org/issues/15363 2024-03-26T19:15:17Z Marcos M
<p>When a dummynet pipe with a delay is applied to traffic on a secondary WAN, reply traffic is dropped. It seems that the fix in <a class="issue tracker-4 status-3 priority-4 priority-default closed" title="Todo: Handle ``route-to`` and ``reply-to`` states when using the ``if-bound`` state policy (Resolved)" href="https://redmine.pfsense.org/issues/15220">#15220</a> does not take effect in this scenario.</p>
<p>Test setup:<br /><code>vmx1</code> is WAN1, <code>vmx2</code> is WAN2<br /><pre>
# match rule -- pfctl -vvsr
@296 match in on vmx2 inet all label "USER_RULE: QoS queue default (outside) IPv4" label "id:1686509600" ridentifier 1686509600 dnqueue(12, 9) ! tagged blocklist
[ Evaluations: 151142 Packets: 284 Bytes: 78078 States: 0 ]
[ Inserted: uid 0 pid 0 State Creations: 0 ]
[ Last Active Time: N/A ]
# pass rule -- pfctl -vvsr
@799 pass in quick on vmx2 reply-to (vmx2 192.168.1.254) inet proto udp from any to 127.0.0.1 port = rsf-1 keep state (if-bound) label "USER_RULE: OpenVPN" label "id:1679170153" ridentifier 1679170153 ! tagged blocklist
[ Evaluations: 438 Packets: 301 Bytes: 106093 States: 0 ]
[ Inserted: uid 0 pid 0 State Creations: 2 ]
[ Last Active Time: Tue Mar 26 12:24:48 2024 ]
</pre></p>
<p>The following works: limiter queue without a delay on the pipe:<br /><pre>
# pipe without delay -- dnctl pipe show
00004: 80.000 Mbit/s 0 ms burst 0
q131076 50 sl. 0 flows (1 buckets) sched 65540 weight 0 lmax 0 pri 0 droptail
sched 65540 type FIFO flags 0x0 0 buckets 0 active
# state info -- pfctl -vvss
vmx2 udp 127.0.0.1:1195 (192.168.1.253:1195) <- 172.58.109.152:61712 MULTIPLE:MULTIPLE
age 00:00:11, expires in 00:00:51, 10:8 pkts, 3632:3280 bytes, rule 799
id: dd6b0a6600000000 creatorid: af6c8b55 reply-to: 192.168.1.254@vmx2
origif: vmx1
</pre></p>
<p>The following does not work: limiter queue with a 1ms delay on the pipe:<br /><pre>
# pipe with 1ms delay -- dnctl pipe show
00004: 80.000 Mbit/s 1 ms burst 0
q131076 50 sl. 0 flows (1 buckets) sched 65540 weight 0 lmax 0 pri 0 droptail
sched 65540 type FIFO flags 0x0 0 buckets 0 active
# state info -- pfctl -vvss
all udp 127.0.0.1:1195 (192.168.1.253:1195) <- 172.58.109.152:64462 NO_TRAFFIC:SINGLE
age 00:00:40, expires in 00:00:20, 5:0 pkts, 410:0 bytes, rule 799
id: 7fe5096600000000 creatorid: af6c8b55 reply-to: 192.168.1.254@vmx2
origif: vmx2
</pre></p>
pfSense - Bug #15362 (New): Config upgrade error with empty gateway interval tags. https://redmine.pfsense.org/issues/15362 2024-03-26T19:12:31Z Steve Wheeler
<p>Upgrading an old config that has set but empty gateway interval tags throws a php error.<br />For example a config containing:<br /><pre>
<gateway_item>
<interface>wan</interface>
<gateway>1.2.3.4</gateway>
<name>wan_gateway</name>
<weight/>
<interval/>
<descr><![CDATA[gw1]]></descr>
<defaultgw/>
</gateway_item>
</pre></p>
<p>Will hit:<br /><pre>
Fatal error: Uncaught TypeError: Unsupported operand types: string * int in /etc/inc/upgrade_config.inc:4169
Stack trace:
#0 /etc/inc/config.lib.inc(519): upgrade_130_to_131()
#1 /etc/rc.bootup(140): convert_config()
#2 {main}
thrown in /etc/inc/upgrade_config.inc on line 4169
PHP ERROR: Type: 1, File: /etc/inc/upgrade_config.inc, Line: 4169, Message: Uncaught TypeError: Unsupported operand types: string * int in /etc/inc/upgrade_config.inc:4169
Stack trace:
#0 /etc/inc/config.lib.inc(519): upgrade_130_to_131()
#1 /etc/rc.bootup(140): convert_config()
#2 {main}
</pre></p>
pfSense Plus - Bug #15361 (New): Error in virtual IP aliases when using IPv6 "network" / "broadca... https://redmine.pfsense.org/issues/15361 2024-03-25T09:20:00Z Mathis Cavalli
<p>There is no network address in IPv6, nor broadcasts like IPv4.<br />When adding / editing an IP alias and putting there an address like fd00::/64 it shows the following error: "The network address cannot be used for this VIP"<br />It happened on my pfSense+ box but it seems the CE 2.7.2 is also affected.</p>
pfSense Packages - Feature #15355 (New): Logging Verbosity Change via patch for miniupnpd https://redmine.pfsense.org/issues/15355 2024-03-21T18:00:34Z Jeff Lewis
<p>Please see <a class="external" href="https://forum.netgate.com/post/1158297">https://forum.netgate.com/post/1158297</a></p>
<p>For those that wish to ingest miniupnpd (UPNP) firewall and nat manipulation logs into a logger or SIEM on a permanent basis, a change to the way miniupnpd is started is required. It needs the -v argument. I created my own patch to do this for now, but one of the admins suggested I open a feature request to make it available to others who wish to either a) apply the patch for debugging purposes on a temporary basis, or b) leave it applied across all restarts/upgrades so the logs are always generated. The miniupnpd service must be restarted after patch application/removal.</p>
<pre><code class="diff syntaxhl"><span class="gd">--- a/etc/inc/services.inc 2024-03-19 14:22:36.023371000 -0400
</span><span class="gi">+++ b/etc/inc/services.inc 2024-03-19 14:22:02.406017000 -0400
</span><span class="p">@@ -5006,1 +5006,1 @@</span>
<span class="gd">- mwexec_bg("/usr/local/sbin/miniupnpd -f /var/etc/miniupnpd.conf -P {$g['varrun_path']}/miniupnpd.pid");
</span><span class="gi">+ mwexec_bg("/usr/local/sbin/miniupnpd -v -f /var/etc/miniupnpd.conf -P {$g['varrun_path']}/miniupnpd.pid");
</span></code></pre>
pfSense - Bug #15353 (New): Crashes Every ~8-12 Hours in New 2.7.2 Install with Unbound, Suricata... https://redmine.pfsense.org/issues/15353 2024-03-21T06:41:37Z Devin Dawson
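Review bot: in the etc/inc/services.inc hunk from #15355 above, -v is added unconditionally to the miniupnpd command line, so every system carrying the patch logs verbosely until the patch is reverted; gating the flag on a configuration setting would cover both the temporary-debugging and the always-on case the request describes. The hunk header @@ -5006,1 +5006,1 @@ also carries no context lines, so the patch only applies while the mwexec_bg() call sits at exactly line 5006; regenerating it with surrounding context would make it survive unrelated changes to the file.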
<p>After reading some FreeBSD posts, it appears that this bug is potentially triggered by high CPU load. This occurs for me particularly during reloading or updating pfblockerNG, even though it's not consistently reproducible. I've attempted some mitigations such as disabling promiscuous mode in Suricata and restricting its use to the WAN interface, which seems to reduce the frequency of the issue but does not eliminate it entirely. Previously, running pfblockerNG in python mode alongside Suricata on both LAN and WAN interfaces resulted in the bug occurring more frequently.</p>
<p>The crash tends to happen approximately every 8 hours or so and appears to be related to two other FreeBSD issues:</p>
<pre><code>FreeBSD Commit "vm: Fix racy checks for swap objects" - <a class="external" href="https://cgit.freebsd.org/src/commit/?id=e123264e4dc394602f9fed2f0376204b5998d815">https://cgit.freebsd.org/src/commit/?id=e123264e4dc394602f9fed2f0376204b5998d815</a><br />FreeBSD Bug Report "panic: vm_page_free_prep: freeing mapped page" - <a class="external" href="https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=261707">https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=261707</a></code></pre>
<p>Further investigation and possible collaboration with the FreeBSD community may be necessary to address this issue effectively.</p>
<pre><code class="shell syntaxhl">Intel(R) Pentium(R) CPU G3250 @ 3.20GHz
2 CPUs: 1 package(s) x 2 core(s)
AES-NI CPU Crypto: No
QAT Crypto: No
Kernel PTI Enabled
MDS Mitigation VERW
</code></pre>
<pre><code class="shell syntaxhl">amd64
14.0-CURRENT
FreeBSD 14.0-CURRENT amd64 1400094 #1 RELENG_2_7_2-n255948-8d2b56da39c: Wed Dec 6 20:45:47 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/obj/amd64/StdASW5b/var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/sources/F
Filename: /var/crash/textdump.tar.0
ddb.txt
db:0:kdb.enter.default> run lockinfo
db:1:lockinfo> show locks
No such command; use "help" to list available commands
db:1:lockinfo> show alllocks
No such command; use "help" to list available commands
db:1:lockinfo> show lockedvnods
Locked vnodes
db:0:kdb.enter.default> show pcpu
cpuid = 1
dynamic pcpu = 0xfffffe009af25f80
curthread = 0xfffffe00f54e6e40: pid 27610 tid 100715 critnest 1 "unbound-control"
curpcb = 0xfffffe00f54e7360
fpcurthread = 0xfffffe00f54e6e40: pid 27610 "unbound-control"
idlethread = 0xfffffe001de1ec80: tid 100004 "idle: cpu1"
self = 0xffffffff84011000
curpmap = 0xfffff803a5a05ad0
tssp = 0xffffffff84011384
rsp0 = 0xfffffe00f5273000
kcr3 = 0x800000008aefd67f
ucr3 = 0x8000000271748e7f
scr3 = 0x271748e7f
gs32p = 0xffffffff84011404
ldt = 0xffffffff84011444
tss = 0xffffffff84011434
curvnet = 0
db:0:kdb.enter.default> bt
Tracing pid 27610 tid 100715 td 0xfffffe00f54e6e40
kdb_enter() at kdb_enter+0x32/frame 0xfffffe00f5272780
vpanic() at vpanic+0x163/frame 0xfffffe00f52728b0
panic() at panic+0x43/frame 0xfffffe00f5272910
trap_fatal() at trap_fatal+0x40c/frame 0xfffffe00f5272970
trap_pfault() at trap_pfault+0x4f/frame 0xfffffe00f52729d0
calltrap() at calltrap+0x8/frame 0xfffffe00f52729d0
--- trap 0xc, rip = 0xffffffff8127ee47, rsp = 0xfffffe00f5272aa0, rbp = 0xfffffe00f5272ac0 ---
free_pv_entry() at free_pv_entry+0x47/frame 0xfffffe00f5272ac0
pmap_pv_promote_pde() at pmap_pv_promote_pde+0x14e/frame 0xfffffe00f5272b00
pmap_promote_pde() at pmap_promote_pde+0x2fa/frame 0xfffffe00f5272b80
pmap_enter() at pmap_enter+0xe8f/frame 0xfffffe00f5272c50
vm_fault() at vm_fault+0xbf4/frame 0xfffffe00f5272d60
vm_fault_trap() at vm_fault_trap+0x6b/frame 0xfffffe00f5272db0
trap_pfault() at trap_pfault+0x1d9/frame 0xfffffe00f5272e10
trap() at trap+0x442/frame 0xfffffe00f5272f30
calltrap() at calltrap+0x8/frame 0xfffffe00f5272f30
--- trap 0xc, rip = 0x82784d8d0, rsp = 0x820a9f758, rbp = 0x820a9f940 ---
</code></pre>
pfSense Docs - New Content #15352 (New): Mobile IPsec Group Virtual Address Pools https://redmine.pfsense.org/issues/15352 2024-03-20T20:52:08Z Marcos M
<p>Document the feature introduced with:<br /><a class="external" href="https://redmine.pfsense.org/issues/13227">https://redmine.pfsense.org/issues/13227</a></p>
<p>Note that strongswan's <code>eap-radius</code> plugin only supports specifying a single group for a user in the RADIUS reply (e.g. <code>Class := "vpnusers"</code>).</p>
<p>Related:<br /><a class="external" href="https://docs.netgate.com/pfsense/en/latest/usermanager/radius.html#radius-groups">https://docs.netgate.com/pfsense/en/latest/usermanager/radius.html#radius-groups</a><br /><a class="external" href="https://docs.strongswan.org/docs/5.9/plugins/eap-radius.html#_group_selection">https://docs.strongswan.org/docs/5.9/plugins/eap-radius.html#_group_selection</a></p>
pfSense - Feature #15348 (New): Block out PSK when viewing Phase 1 IPsec configuration https://redmine.pfsense.org/issues/15348 2024-03-18T14:31:12Z Mike Moore
<p>When filling out a PSK in the phase 1 proposal section, the PSK really should be entered in obfuscated with the option in the WebUI to show the password.<br />Entering a password in clear text so anyone shoulder surfing can see it is a security issue.</p>
pfSense - Bug #15346 (Confirmed): Port Forward Add Unassociated Filter Rule Not Working https://redmine.pfsense.org/issues/15346 2024-03-16T21:51:40Z Timo M
<p>Upon creating a port forward entry on pfSense Plus 23.09.1 and choosing the "Add unassociated filter rule" option under Filter Rule Association, no firewall rule was actually created. Next time I checked the port forward Filter Rule Association setting on the rule that was created, it had been automatically set to "None". The documentation seems to indicate that a rule should still be created even when the unassociated option is chosen.</p>
<p><a class="external" href="https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html#port-forward-settings">https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html#port-forward-settings</a></p>
pfSense Docs - Todo #15342 (Feedback): Document differences due to password security changes https://redmine.pfsense.org/issues/15342 2024-03-15T16:21:48Z Jim Pingle
<p>In <a class="issue tracker-4 status-4 priority-5 priority-high4" title="Todo: Prevent usage of the default password in User Manager accounts (Feedback)" href="https://redmine.pfsense.org/issues/15266">#15266</a> significant changes were made in how passwords are handled. These changes need to be documented.</p>
<p>There is a summary of changes in <a class="issue tracker-4 status-4 priority-5 priority-high4" title="Todo: Prevent usage of the default password in User Manager accounts (Feedback)" href="https://redmine.pfsense.org/issues/15266#note-10">#15266#note-10</a></p>
pfSense Packages - Feature #15340 (New): provide the ability to deactivate actions in Gui https://redmine.pfsense.org/issues/15340 2024-03-15T14:52:21Z Mike Moore
<p>When using the webUI to push changes there are times when I need to deactivate a portion of the config. For example, I create an ACL that has header restrictions (visit /login.php) but for testing purposes, I need to permit access to a URL I would need to delete the configuration under 'Actions' in the GUI Frontend configuration. Add it back later when testing is done. So I would take a screenshot of the config to add it later.</p>
<p>If possible similar to firewall rules, provide the ability to 'deactivate' ACLs Actions. Otherwise, the workaround is to delete the action and re-add it later.<br />Of course the other workaround would be to add the configuration through 'Advanced Passthru' but that defeats the purpose of using the GUI to build the rules.</p>
pfSense Plus - Regression #15337 (Feedback): pfSense-boot pkg fails install in UFS https://redmine.pfsense.org/issues/15337 2024-03-13T22:05:02Z Steve Wheeler
<p>Upgrading UFS installs to the current 24.03 snapshot fails when running the POST-INSTALL script in the pfSense upgrade pkg:<br /><pre>
Installed packages to be UPGRADED:
pfSense-boot: 24.03.b.20240312.0600 -> 24.03.b.20240313.0600 [pfSense-core]
Number of packages to be upgraded: 1
[1/1] Upgrading pfSense-boot from 24.03.b.20240312.0600 to 24.03.b.20240313.0600...
[1/1] Extracting pfSense-boot-24.03.b.20240313.0600: .......... done
/bin/sh: Syntax error: end of file unexpected (expecting "fi")
pkg-static: POST-INSTALL script failed
failed.
Failed
</pre></p>
<p>This appears to be caused by the script truncating the UFS ID:<br /><pre>
+ mount -p
+ awk '$2 ~ /^\/$/ { match($1, "[[:alpha:]/]+[[:digit:]]+"); print substr($1, RSTART, RLENGTH); }'
+ bootdevs=/dev/ufsid/6023315
+ mount -p
+ awk '$2 ~/\/boot\/efi/'
+ [ -n '' ]
+ gpart show -p /dev/ufsid/6023315
+ awk '$4 ~ /efi/ {print $3}'
gpart: No such geom: /dev/ufsid/6023315.
</pre></p>
pfSense Plus - Bug #15332 (New): Kea doesn't start without any logs when upload config with addit... https://redmine.pfsense.org/issues/15332 2024-03-12T13:17:13Z aleksei prokofiev
<p>If the config has an additional DHCP pool with extra parameters configured, such as default-lease-time or max-lease-time, then KEA won't start without any logs. To fix that need delete from config those extra options. Or just resave affected pool without any changes, it will lead rewrite config without extra options. <br />For example <br /><pool><br /> <range><br /> <from>192.168.6.2</from><br /> <to>192.168.6.48</to><br /> </range><br /> <descr><![CDATA[NTP Server]]></descr><br /> <defaultleasetime>600</defaultleasetime><br /> <maxleasetime>3600</maxleasetime><br />After resave it will be deleted<br /><pool><br /> <range><br /> <from>192.168.6.2</from><br /> <to>192.168.6.48</to><br /> </range><br /> <descr><![CDATA[NTP Server]]></descr><br /> <defaultleasetime></defaultleasetime><br /> <maxleasetime></maxleasetime></p>
pfSense - Feature #15331 (New): Client (service) for CloudFlare WARP/WAR+ https://redmine.pfsense.org/issues/15331 2024-03-11T16:52:27Z Sergei Shablovsky
<p><strong>On now CloudFlare in fact for a couple of years are fastest and reliable proxy and SDN for most users.</strong><br />(Sometimes magistrale and core borders routing problems that hit Akamai, make a not big touch on CF.)<br />Most of “child problems” as newly and fast growing company HAS GONE AWAY.</p>
<p>And <strong>NUMBER OF POINT OF PERSISTENCE (data centers, servers on colocation) ARE CONSTANTLY GROW!</strong></p>
<p><strong>All this make WARP/WARP+ CloudFlare service more and more wanted not only by most of ordinary users, advanced users, but small and middle private business and government organization.</strong></p>
<p>And as a result, from 2022 more and more coders try to realize CloudFlare WARP/WARP+ client code for various OSs, especially on which routers/firewalls are based.</p>
<p>Please take a look on <br />thread on pfSense CE<br /><a class="external" href="https://forum.netgate.com/topic/177267/connecting-to-cloudflare-surely-its-possible">https://forum.netgate.com/topic/177267/connecting-to-cloudflare-surely-its-possible</a></p>
<p>thread on CloudFlare</p>
<p><a class="external" href="https://community.cloudflare.com/t/warp-client-for-freebsd-based-firewalls-eg-pfsense-opnsense/426717/1">https://community.cloudflare.com/t/warp-client-for-freebsd-based-firewalls-eg-pfsense-opnsense/426717/1</a></p>
<p>So, the downline of all of this:<br />making CloudFlare WARP/WARP+ client as separate package for pfSense is not so much time and efforts.</p>
<p>If DevTeam make it right now, testing and feedbacks from users within summer (when not so much business workload and negative impact would be minimal) for the next upcoming release (2.7.3-REL) this *adding more value to pfSense” and growing distance from concurrent OPNsense.</p>
pfSense Docs - Correction #15329 (New): Poor description of VLAN basics https://redmine.pfsense.org/issues/15329 2024-03-10T23:40:08Z Tom Lane
<p>The definition of Parent Interface on page <a class="external" href="https://docs.netgate.com/pfsense/en/latest/vlan/terminology.html">https://docs.netgate.com/pfsense/en/latest/vlan/terminology.html</a> has a Note saying</p>
<p>"The sole function of the parent interface is, ideally, to be the parent for the defined VLANs and not used directly. In some situations this will work, but can cause difficulties with switch configuration, and it requires use of the default VLAN on the trunk port, which is best to avoid as discussed further in VLANs and Security."</p>
<p>As a relative newbie, I found this exceedingly confusing: it seems to mean that the parent interface is not to be used at all. That's reinforced by the configuration example a couple of pages later at <a class="external" href="https://docs.netgate.com/pfsense/en/latest/vlan/configuration.html#console-vlan-configuration">https://docs.netgate.com/pfsense/en/latest/vlan/configuration.html#console-vlan-configuration</a>, which actually shows VLANs being attached to an interface that's down (ie no cable attached). Of course, this reading is complete nonsense, but there's nothing in the definition of Parent Interface that would clarify it. I suggest adding a sentence to the Parent Interface definition along the lines of "The VLAN interface represents all packets tagged with its VLAN ID that are sent or received on the physical connection identified by the parent interface". The first sentence of the Note would be much better stated along the lines of "Ideally, all traffic sent or received on a physical interface used for VLANs should be tagged with one or another VLAN ID, so that no traffic flows through the parent interface as such." The rest of the Note is equally desperately in need of a rewrite, but I have no concrete suggestions there. After that, you should fix the configuration example so that it shows an actually-usable configuration, rather than VLANs attached to an unconnected interface.</p>