pfSense bugtracker: Issues https://redmine.pfsense.org/ 2024-01-29T11:58:34Z
pfSense - Feature #15211 (New): tcpdump run with BIOS hardware clock set, but no on environment s... https://redmine.pfsense.org/issues/15211 2024-01-29T11:58:34Z Sergei Shablovsky
<p>Brilliant pfSense Stuff!</p>
<p><strong>Please fix</strong> : <br />tcpdump could be run with TZ (Time Zone) set in the whole system environment.</p>
<p><strong>Description and how to replicate</strong>:<br />I have a wrong timestamp in “Packet Capture Output” (pcap auto scroll view, the “Diagnostic / Packet Capture” main menu): exactly a 2-hour shift back from system time.</p>
<p>How to fix this?</p>
<p>P.S.<br />pfSense 2.7.2-RELEASE on a bare metal server. System time is correct, timestamps in ALL other logs (syslogd) are correct, NTP is correct, no NTP servers are specified in DHCP per interface, and a reboot does not help… ;)</p>
<p>Wrong timestamp in Packet Capture Output<br /><a class="external" href="https://forum.netgate.com/topic/185772/wrong-timestamp-in-packet-capture-output">https://forum.netgate.com/topic/185772/wrong-timestamp-in-packet-capture-output</a></p>
pfSense - Bug #14479 (New): unbound doing qname-minimisation when enabled in unbound gui. https://redmine.pfsense.org/issues/14479 2023-06-16T18:46:14Z JohnPoz _
<p>I have not checked 2.7 or 23.05 yet but this came up in a discussion here</p>
<p><a class="external" href="https://forum.netgate.com/post/1110945">https://forum.netgate.com/post/1110945</a></p>
<p>Seems unbound is now doing qname by default.. So if there is no setting in the conf for qname-minimisation it does it. By default this option in 2.6 is not enabled, but since no entry in the .conf file it is being done. With no way to turn it off without placing an entry in the custom box to set it to no.</p>
<p>Logic should be changed to allow for enable/disable qname from the gui. What it defaults doesn't matter really, but with current logic there is no way to actually turn it off.. And gui reads that it is off by default, but it really isn't since unbound defaults to doing it.</p>
pfSense - Feature #14177 (New): tcprtt Measures the TCP handshake RTT using the stats(9) statisti... https://redmine.pfsense.org/issues/14177 2023-03-24T17:54:42Z Ryan Whitlock
<p>My coworker thought using 8.8.8.8 for the gateway monitor would suffice for an “is the internet up” monitor. Well, Google rate limited us and I spent hours looking for the right approach.</p>
<ul>
<li><a class="external" href="https://redmine.pfsense.org/issues/7671">https://redmine.pfsense.org/issues/7671</a></li>
<li><a class="external" href="https://redmine.pfsense.org/issues/4354">https://redmine.pfsense.org/issues/4354</a></li>
<li><a class="external" href="https://www.reddit.com/r/PFSENSE/comments/xjlsdo/psa_88888844_9202022/">https://www.reddit.com/r/PFSENSE/comments/xjlsdo/psa_88888844_9202022/</a></li>
<li><a class="external" href="https://www.reddit.com/r/networking/comments/6ujvxo/has_l3_dns_4222_become_unreliable_for_anyone_else/">https://www.reddit.com/r/networking/comments/6ujvxo/has_l3_dns_4222_become_unreliable_for_anyone_else/</a></li>
<li><a class="external" href="https://forum.netgate.com/topic/110056/dpinger-multiple-targets-aka-gwmond-2-500">https://forum.netgate.com/topic/110056/dpinger-multiple-targets-aka-gwmond-2-500</a></li>
</ul>
<p>Ultimately, it seems using ICMP for monitoring against public DNS, NTP, etc. servers is the wrong approach for some use-cases. Cisco’s IP SLA has the ability to perform a number of health checks from many protocols, so I set out to find something comparable for FreeBSD. Tcprtt looks like it could be a good solution for internet uptime monitoring that does not rely on ICMP.</p>
<ul>
<li><a class="external" href="https://www.freshports.org/net/tcprtt">https://www.freshports.org/net/tcprtt</a></li>
<li><a class="external" href="https://reviews.freebsd.org/D20656">https://reviews.freebsd.org/D20656</a></li>
</ul>
<p>Does this seem like a viable solution?</p>
pfSense - Bug #13486 (New): strongswan attributes should be comma-separated instead of whitespace-... https://redmine.pfsense.org/issues/13486 2022-09-12T09:30:48Z Andreas W
<p>The strongswan docs mention that attribute lists need to be "specified as a comma-separated list": <a class="external" href="https://docs.strongswan.org/docs/5.9/plugins/attr.html#_attribute_types">https://docs.strongswan.org/docs/5.9/plugins/attr.html#_attribute_types</a><br />The pfSense UI is using whitespace-separated values and is using them as-is.</p>
<p>This leads to a broken IPSec configuration and is especially relevant since <a class="issue tracker-1 status-3 priority-4 priority-default closed" title="Bug: IKEv2 Mobile IPsec clients do not receive ``INTERNAL_DNS_DOMAIN`` (value ``25``) attribute (Resolved)" href="https://redmine.pfsense.org/issues/12975">#12975</a> - which led to a broken DNS resolution on 22.05 for my setup.</p>
<p>This applies to all fields that support multiple values - I noticed the issue with <code>dns_split</code> and attribute 25 specifically.</p>
pfSense - Bug #13386 (New): service is work: MRT_DEL_MFC; Errno(49): Can't assign requested address https://redmine.pfsense.org/issues/13386 2022-07-31T09:45:54Z Torstein Eide
<p>The service looks to be unable to work properly.</p>
<p><code><br />Jul 31 15:17:37 igmpproxy 80356 MRT_DEL_MFC; Errno(49): Can't assign requested address<br />Jul 31 15:17:37 igmpproxy 80356 Removing MFC: 84.214.120.18 -> 224.0.54.178, InpVIf: 0<br />Jul 31 15:17:31 igmpproxy 80356 MRT_DEL_MFC; Errno(49): Can't assign requested address<br />Jul 31 15:17:31 igmpproxy 80356 Removing MFC: 84.214.120.10 -> 224.0.54.91, InpVIf: 0<br />Jul 31 15:17:31 igmpproxy 80356 MRT_DEL_MFC; Errno(49): Can't assign requested address<br />Jul 31 15:17:31 igmpproxy 80356 Removing MFC: 84.214.120.10 -> 224.0.54.87, InpVIf: 0<br />Jul 31 15:17:26 igmpproxy 80356 The IGMP message was local multicast. Ignoring.<br />Jul 31 15:17:26 igmpproxy 80356 Inserted route table entry for 224.0.54.178 on VIF #-1<br />Jul 31 15:17:22 igmpproxy 80356 MRT_DEL_MFC; Errno(49): Can't assign requested address<br />Jul 31 15:17:22 igmpproxy 80356 Removing MFC: 84.214.120.26 -> 224.0.54.106, InpVIf: 0<br />Jul 31 15:17:22 igmpproxy 80356 MRT_DEL_MFC; Errno(49): Can't assign requested address<br />Jul 31 15:17:22 igmpproxy 80356 Removing MFC: 84.214.120.26 -> 224.0.54.58, InpVIf: 0<br />Jul 31 15:17:15 igmpproxy 80356 Inserted route table entry for 224.0.54.91 on VIF #-1<br />Jul 31 15:17:12 igmpproxy 80356 Inserted route table entry for 224.0.54.87 on VIF #-1<br />Jul 31 15:17:08 igmpproxy 80356 Inserted route table entry for 224.0.54.106 on VIF #-1<br />Jul 31 15:17:04 igmpproxy 80356 Inserted route table entry for 224.0.54.58 on VIF #-1<br />Jul 31 15:16:52 igmpproxy 80356 MRT_DEL_MFC; Errno(49): Can't assign requested address<br />Jul 31 15:16:52 igmpproxy 80356 Removing MFC: 84.214.120.18 -> 224.0.54.194, InpVIf: 0<br />Jul 31 15:16:46 igmpproxy 80356 The IGMP message was local multicast. 
Ignoring.<br />Jul 31 15:16:43 igmpproxy 80356 Inserted route table entry for 224.0.54.194 on VIF #-1<br />Jul 31 15:16:32 igmpproxy 80356 MRT_DEL_MFC; Errno(49): Can't assign requested address<br />Jul 31 15:16:32 igmpproxy 80356 Removing MFC: 84.214.120.10 -> 224.0.57.38, InpVIf: 0<br />Jul 31 15:16:26 igmpproxy 80356 The IGMP message was local multicast. Ignoring.<br />Jul 31 15:16:19 igmpproxy 80356 Inserted route table entry for 224.0.57.38 on VIF #-1<br />Jul 31 15:15:45 igmpproxy 80356 The IGMP message was local multicast. Ignoring.<br />Jul 31 15:15:26 igmpproxy 80356 The IGMP message was local multicast. Ignoring.<br />Jul 31 15:15:00 igmpproxy 80224 Joining group 224.0.0.22 on interface igc1<br />Jul 31 15:15:00 igmpproxy 80224 Joining group 224.0.0.2 on interface igc1<br />Jul 31 15:15:00 igmpproxy 80224 adding VIF, Ix 1 Fl 0x0 IP 0x0102a8c0 igc1, Threshold: 1, Ratelimit: 0<br />Jul 31 15:15:00 igmpproxy 80224 adding VIF, Ix 0 Fl 0x0 IP 0xc735d354 igc0, Threshold: 1, Ratelimit: 0<br /></code></p>
pfSense - Bug #13252 (New): reduce frequency of php-fpm socket connection attempts from check_rel... https://redmine.pfsense.org/issues/13252 2022-06-06T13:06:48Z Royce Williams royce@tycho.org
<p>When troubleshooting an issue, I discovered that my system logs were rotating every couple of minutes, due to many of these log entries being generated per second:</p>
<pre>
May 31 12:56:34 zeb check_reload_status[576]: Could not connect to /var/run/php-fpm.socket
[64 messages in the same second omitted]
May 31 12:56:34 zeb check_reload_status[576]: Could not connect to /var/run/php-fpm.socket
</pre>
<p>I am not sure what the root cause of this is, but it appears to be within the Upgrade category.</p>
<p>If it's possible to reduce the frequency of this, that could help some users in the future.</p>
pfSense - Bug #11093 (New): ral(4) driver non-functional in arm64 https://redmine.pfsense.org/issues/11093 2020-11-21T10:45:54Z Steve Wheeler
<p>Devices using the ral(4) driver do not function in arm64 images.</p>
<p>The driver attaches correctly and the interface is available to assign and bring up, but you cannot actually connect to it. In hostap mode the advertised SSID comes and goes and disappears if you try to connect a client to it.</p>
<p>The console shows the following errors:<br /><pre>
ral0: need multicast update callback
ral0: can't map mbuf (error 27)
ral0: can't map mbuf (error 27)
ral0: can't map mbuf (error 27)
ral0: device timeout
</pre></p>
<p>Tested in:<br /><pre>
2.5.0-DEVELOPMENT (arm64)
built on Sat Nov 21 06:54:36 EST 2020
FreeBSD 12.2-STABLE
</pre></p>
pfSense - Bug #10833 (New): unbound exits on configuration error when link status flaps on LAN in... https://redmine.pfsense.org/issues/10833 2020-08-13T23:53:30Z John Hood
<p>I have pfSense installed at home on a small, old, core2duo-based machine. It does pretty typical home-router duty; the most obvious-to-me unusual parts of the configuration are that the internal IPv4 network is 198.206.215.0/24 instead of an RFC1918 network address, and I have an IPv6 tunnel to Hurricane Electric.</p>
<p>This week, the 11-year-old unmanaged GbE switch attached to the LAN port got flaky, and started to fail in some way that caused it to blink all lights on the front and stop passing traffic. Logs show link status flapping on the LAN interface. On power-cycling the switch, it would start working again. But DNS service was gone, though restartable at Status/Services/unbound. I found this in resolver.log:</p>
<pre>
Aug 13 20:28:22 router unbound: [27434:0] fatal error: Could not read config file: /unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf
</pre>
<p>I wrote a little monitoring script that does 'pgrep unbound' and 'ifconfig em1' every 10 seconds. That seems to show link flapping between normal:</p>
<pre>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
</pre><br />and no link:<br /><pre>
media: Ethernet autoselect
status: no carrier
</pre>
<p>It also showed two copies of dhcpleases running after the link starts flapping.</p>
<p>Edited/excerpted logs and the monitoring script are attached, the switch starts flapping at Aug 13 20:27:57 in the logs, and I power-cycled the switch about 20:28:45. I restarted unbound at 20:30:36.</p>
<p>I tried reproducing the problem by manually plugging/unplugging the patch cable involved, and was not able to reproduce the problem. Alas, I destroyed the switch by plugging the wrong power supply in, so it's no longer helpful either. So I have no repro. I suspect connecting a FreeBSD box and running a little script that did things with 'ifconfig down' and 'ifconfig up' and 'ifconfig mediaopt <blah>' combined with some randomized short delays would eventually knock unbound over.</p>
<p>I haven't investigated the code at all, but it smells like some kind of race condition in the link-configuration scripts to me.</p>
pfSense - Bug #9737 (New): traffic-graphs.js shows incorrect units inside the chart https://redmine.pfsense.org/issues/9737 2019-09-09T06:35:19Z Alex Kolesnik pfsenseorg3@temp.spb.ru
<p><a class="external" href="https://github.com/pfsense/pfsense/blob/42839d824d51cad3a8a55fccb2dc96368568ce8e/src/usr/local/www/js/traffic-graphs.js#L204">https://github.com/pfsense/pfsense/blob/42839d824d51cad3a8a55fccb2dc96368568ce8e/src/usr/local/www/js/traffic-graphs.js#L204</a></p>
<p>that condition doesn't work (at least) in Chrome - window.size returns a string literal instead of a number.</p>
pfSense - Feature #9226 (New): zfs GUI functionality - alerts https://redmine.pfsense.org/issues/9226 2018-12-27T03:28:32Z gavin penney
<p><strong>some</strong> way of seeing the status in GUI, and most importantly, <strong>alerts</strong> for degraded<br />it looks like the dashboard already detects and displays zfs filesystem usage. a line that just shows "online" or "degraded" would be awesome. essentially: zpool status -x )</p>
<p>i'm using mailreport + zpoolstatus -v to send myself an email and then my damn mailbox filters to archive the ones with no error. this is horrid, and mailreport can only do daily, not when a failure occurs.<br />geom detects errors but geom remirrors my disks <strong>constantly</strong>, generating hundreds of alerts in the process</p>
<p>as nice as it would be to have attach/detach/scrub, snapshots and boot environments in the GUI, status/alerts are far more important</p>
<p>if i had the vaguest clue how to actually do so, I'd happily try making a package to add a page like for geom, but i don't even know where to start</p>
<p>I have email alerts set up, but I can't figure out a way to actually use the thing to send outputs from custom scripts, which is crippling to trying to make a cron to do monitoring</p>
pfSense - Bug #8419 (New): webgui, when menubar is fixed to the top of the screen, the last items... https://redmine.pfsense.org/issues/8419 2018-04-02T17:36:14Z Pi Ba
<p>webgui, when menubar is fixed to the top of the screen, the last items of long menus cannot be seen/used.</p>
<p>fix: <a class="external" href="https://github.com/pfsense/pfsense/pull/3930">https://github.com/pfsense/pfsense/pull/3930</a></p>
pfSense - Feature #8168 (New): strongswan dhcp option https://redmine.pfsense.org/issues/8168 2017-12-05T15:17:08Z Lars Pedersen thacaleb@gmail.com
<p>Would be nice to have the dhcp plugin for strongswan in pfsense. This feature could be useful for a simple way to assign IPs using a dhcp server for IPSec mobile clients.</p>
<p>It needs to be configured as a compile option</p>
<p><a class="external" href="https://wiki.strongswan.org/projects/strongswan/wiki/Dhcpplugin">https://wiki.strongswan.org/projects/strongswan/wiki/Dhcpplugin</a></p>
<p>Afterwards a GUI option in strongswan.conf needs to be created to use a DHCP broadcast or a specific IP address.</p>
pfSense - Bug #6026 (New): webinterface, firewall rules, wrapping of columns or visible (horizont... https://redmine.pfsense.org/issues/6026 2016-03-24T16:39:33Z Pi Ba
<p>with some rulesets the 'action buttons' don't show on the screen, so first need to scroll down, then right, then back up again to delete, or move a rule using the anchors.. which isn't convenient when ruleset is several screens long..</p>
<p>Screenshot attached shows this happening on even the widest possible screen/layout..</p>
<p>The screenshot is made of specific testrules, but I first noticed in a production system where it happens to that action buttons are outside the visible area. And horizontal scroll-bar is at the bottom of the ruleset..</p>
pfSense - Bug #5306 (New): textarea fields should have linebreaks sanitized automatically on save https://redmine.pfsense.org/issues/5306 2015-10-14T04:13:34Z Kill Bill
<p>To avoid nonsense like this: <a class="external" href="https://github.com/doktornotor/pfsense-packages/blob/patch-2/config/squid3/34/squid.inc#L85">https://github.com/doktornotor/pfsense-packages/blob/patch-2/config/squid3/34/squid.inc#L85</a></p>
pfSense - Feature #2593 (New): sync NTPD, SNMP config between HA members https://redmine.pfsense.org/issues/2593 2012-08-14T21:33:52Z Adam Thompson athompso@athompso.net
<p>Since it's a part of the base system, it seems reasonable to add Services->NTP and Services->SNMP config syncing to the list of things that are sync'able.</p>