pfSense bugtracker: Issues
https://redmine.pfsense.org/
Updated: 2024-03-18T20:37:19Z

pfSense - Bug #15349 (New): 1:1 NAT rule for subnet always uses full subnet range
https://redmine.pfsense.org/issues/15349
2024-03-18T20:37:19Z, Yehuda Katz
<p>Creating a 1:1 NAT rule for something like <code>10.0.0.5/28 -> 10.1.0.7/28</code> will actually create the proper rules for the entire <code>/24</code> subnet.</p>
<p>Output from <code>pfctl -s nat</code>:</p>
<pre>
[2.7.2-RELEASE][admin@pfSense.home.arpa]/root: pfctl -s nat | grep 10.0
binat on vtnet0 inet from 10.1.0.0/28 to any -> 10.0.0.0/28
</pre>
<p>This is probably the correct behavior, but may not be what people expect and does not appear to be documented.<br />It would probably make sense for the web interface to reject this kind of rule and require the subnet be specified properly by the first IP in the range.</p>

pfSense - Feature #15348 (New): Block out PSK when viewing Phase 1 IPsec configuration
https://redmine.pfsense.org/issues/15348
2024-03-18T14:31:12Z, Mike Moore
<p>When filling out a PSK in the phase 1 proposal section, the PSK really should be entered obfuscated, with an option in the WebUI to show the password.<br />Entering a password in clear text so anyone shoulder surfing can see it is a security issue.</p>

pfSense - Bug #15347 (New): OpenVPN Multiple WAN Asymmetric Routing
https://redmine.pfsense.org/issues/15347
2024-03-16T22:12:32Z, Timo M
<p>Using OpenVPN in a multi-WAN / failover environment (an OpenVPN interface has been created and is used by the OpenVPN server). WAN1 is Tier 1 and WAN2 is Tier 2. To be able to access the OpenVPN server through both WAN1 and WAN2, I used the port forward method to bind the OpenVPN server to localhost and forward traffic from both WAN1 and WAN2 to it, as described in the documentation:</p>
<p><a class="external" href="https://docs.netgate.com/pfsense/en/latest/multiwan/openvpn.html#bind-to-localhost-and-setup-port-forwards">https://docs.netgate.com/pfsense/en/latest/multiwan/openvpn.html#bind-to-localhost-and-setup-port-forwards</a></p>
<p>FreeRADIUS is used as the authentication backend for OpenVPN (to be able to use 2FA). When connecting through WAN2 (which is on Tier 2) traffic appears to exit back out WAN1 after the RADIUS authentication completes leading to asymmetric routing. I see the following in the logs from FreeRADIUS:</p>
<p><code>(0) Login OK: [user_id] (from client pfsenseclient port 1194 cli *WAN1_IP* :1194)</code></p>
<p>I can confirm that the connection to the OpenVPN server was indeed made through WAN2 by looking at firewall states / traffic. Is this a bug, or is this configuration (OpenVPN server with FreeRADIUS authentication) not supported (e.g. the <code>reply-to</code> functionality does not work properly)? Thanks in advance.</p>

pfSense - Bug #15346 (Confirmed): Port Forward Add Unassociated Filter Rule Not Working
https://redmine.pfsense.org/issues/15346
2024-03-16T21:51:40Z, Timo M
<p>Upon creating a port forward entry on pfSense Plus 23.09.1 and choosing the "Add unassociated filter rule" option under Filter Rule Association, no firewall rule was actually created. Next time I checked the port forward Filter Rule Association setting on the rule that was created, it had been automatically set to "None". The documentation seems to indicate that a rule should still be created even when the unassociated option is chosen.</p>
<p><a class="external" href="https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html#port-forward-settings">https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html#port-forward-settings</a></p>

pfSense Docs - Correction #15345 (New): Advanced options -- fix typo
https://redmine.pfsense.org/issues/15345
2024-03-16T19:46:36Z, Craig Coonrad
<p>URL: <a class="external" href="https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#advanced-options">https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#advanced-options</a></p>
<blockquote>
<p>Tip: While this option control the global default</p>
</blockquote>
<p>to</p>
<blockquote>
<p>Tip: While this option controls the global default</p>
</blockquote>

pfSense Docs - Correction #15344 (New): Interface Bound States -- fix typo
https://redmine.pfsense.org/issues/15344
2024-03-16T19:40:53Z, Craig Coonrad
<p>URL: <a class="external" href="https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#interface-bound-states">https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#interface-bound-states</a></p>
<blockquote>
<p>If a packet attempts to takes an path</p>
</blockquote>
<p>Think that should be:</p>
<blockquote>
<p>If a packet attempts to takes a path</p>
</blockquote>

pfSense - Bug #15343 (New): DHCP host names for Windows 10/11 hosts have "." at the end
https://redmine.pfsense.org/issues/15343
2024-03-15T16:50:34Z, Daryl Morse
<p>Since changing to Kea DHCP, DHCP host names for Windows 10 and Windows 11 hosts are being created with a "." at the end.</p>
<p>This does not happen for other types of hosts.</p>
<p>This does not affect DHCPv6.</p>

pfSense Packages - Bug #15333 (Confirmed): Interface Description not updated properly when add/cr...
https://redmine.pfsense.org/issues/15333
2024-03-12T15:30:46Z, Sergei Shablovsky
<p><strong>Brilliant pfSense DevTeam!</strong></p>
<p><strong>WHERE</strong><br />in <strong>Services / Suricata</strong> package<br />on <strong>Interfaces</strong></p>
<p><strong>ISSUE</strong><br />Interface <strong>Description</strong> not updated properly in <strong>General Settings / Description</strong> when adding/creating a new interface in Suricata (by pressing the “+” button at the right):</p>
<p>When the page is first loaded, the Description field is pre-filled with the Interface name (taken from the Description field on the Interfaces / General Configuration page).</p>
<p><strong>AFTER ANOTHER INTERFACE</strong> from the drop-down list is <strong>SELECTED</strong>, the <strong>DESCRIPTION IS PRE-FILLED WITH THE BSD INTERFACE NAME (LAN, WAN, OPT1, OPT2,…)</strong> and not the Interface name (taken from the Description field on the Interfaces / General Configuration page).</p>
<p>P.S.<br />It would also be good, after the first page load, to AUTOMATICALLY take focus and select all text in the Description field.</p>

pfSense Packages - Bug #15296 (New): WAN Interface cannot added to ntopng if offline-packet loss
https://redmine.pfsense.org/issues/15296
2024-02-29T06:58:23Z, Sergei Shablovsky
<p>Brilliant pfSense DevTeam !</p>
<p>In a multi-WAN pfSense configuration, WAN interfaces that pfSense decides are in the “Offline, Packet loss” state CANNOT BE ADDED into the ntopng config.</p>
<p>(To add a certain WAN connection (for example if a WAN interface comes from the “Offline, packet loss” state to the “Online” state), ntopng needs to be disabled, the service stopped, the ntopng pkg uninstalled (with all data and configs deleted), then the hardware rebooted and the ntopng pkg installed again; only after that does the new WAN with “Online” status become visible as an Interface in ntopng.)</p>
<p>But LAN interfaces would ALL be ADDED as well, even if some of them are not connected physically. So this bug is related only to WAN interfaces.</p>
<p>P.S.<br />This is related to WAN DHCP; I do not know about WAN STATIC.</p>

pfSense Plus - Todo #15266 (Feedback): Prevent usage of the default password in User Manager acco...
https://redmine.pfsense.org/issues/15266
2024-02-16T18:53:24Z, Jim Pingle
<p>Currently we detect in the GUI when the admin account is using the default password (<code>"pfsense"</code>) and print a warning message: source:src/usr/local/www/head.inc#L564</p>
<p>We should change that to check any account (not just <code>admin</code>) and force a password change during one or more of the user's initial interactions, for example:</p>
<ul>
<li>During the setup wizard</li>
<li>GUI login any time the password matches the default password</li>
<li>Shell (console or SSH) login any time the password matches the default password</li>
<li>Possibly during the installation process</li>
</ul>
<p>We should also not allow the user to change their password to any variation of "pfsense" in upper/lower/mixed case.</p>

pfSense - Bug #15181 (Feedback): PHP error in ``interfaces_qinq_edit.php`` when creating a QinQ i...
https://redmine.pfsense.org/issues/15181
2024-01-21T22:30:06Z, Jens Becker
<p>When creating a new QinQ interface on /interfaces_qinq_edit.php it throws this error:</p>
<pre>
[21-Jan-2024 22:59:34 Europe/Berlin] PHP Fatal error: Uncaught TypeError: Cannot access offset of type string on string in /usr/local/www/interfaces_qinq_edit.php:206
Stack trace:
#0 {main}
thrown in /usr/local/www/interfaces_qinq_edit.php on line 206
</pre>
<p>After this the Interfaces QinQs view is still empty but the new interfaces show up on Interface Assignments. After a reboot they are gone again.</p>
<p>This to me looks similar to <a class="issue tracker-1 status-3 priority-4 priority-default closed" title="Bug: interfaces_qinq_edit.php: PHP error when editing QinQ entries (Resolved)" href="https://redmine.pfsense.org/issues/9109">#9109</a></p>

pfSense - Bug #15110 (New): pfSense hangs when rebooting
https://redmine.pfsense.org/issues/15110
2023-12-21T16:09:41Z, Danilo Zrenjanin
<p>Start the reboot from the GUI:</p>
<pre>
Enter an option: pflog0: promiscuous mode disabled
Waiting (max 60 seconds) for system process `vnlru' to stop... done
Waiting (max 60 seconds) for system process `syncer' to stop...
Syncing disks, vnodes remaining... 0 0 0 0 0 0 done
All buffers synced.
Uptime: 3m20s
Khelp module "ertt" can't unload until its refcount drops from 1 to 0.
uhub0: detached
</pre>
<p>At this point, it hangs. Noticed on a Netgate 6100 with 23.09.1.</p>

pfSense - Feature #14208 (Pull Request Review): Automatic Split-DNS for 1:1 NAT
https://redmine.pfsense.org/issues/14208
2023-03-30T22:26:32Z, Yehuda Katz
<p>There is a well-known challenge of dealing with accessing public IP addresses from inside the network. The two existing solutions are NAT reflection and split DNS, each of which has its own challenges. Unbound and dnsmasq both support rewriting IP addresses in returned results.</p>
<p>In unbound, this is done using the <code>respip</code> module.</p>
<p>In dnsmasq, this is done using the <code>alias</code> option.</p>
<p>The pull request I am working on will allow automatically building the unbound respip configuration using the 1:1 NAT configuration.</p>
<p>I tested this code on a firewall running 2.6.0-RELEASE and I believe I made all the necessary changes to make it work in the <code>master</code> branch, but I haven't tested that.</p>

pfSense Packages - Todo #14073 (Confirmed): Shalla block list is offline but still available in p...
https://redmine.pfsense.org/issues/14073
2023-03-04T20:17:30Z, Chris W
<p>The Shalla Services blocklist went offline permanently in January 2022. It's still available as a list option in the pfSense GUI (Firewall > PfBlockerNG > DNSBL > DNSBL Category) but of course pfBlocker can't download it.<br /><a class="external" href="https://forum.netgate.com/topic/169241/shalla-list-off">https://forum.netgate.com/topic/169241/shalla-list-off</a><br /><a class="external" href="https://www.shallalist.de/">https://www.shallalist.de/</a></p>
<pre>
UPDATE PROCESS START [ v3.2.0_3 ] [ 03/4/23 19:17:01 ]
===[ DNSBL Process ]================================================
Loading DNSBL Statistics... completed
Loading DNSBL SafeSearch... disabled
Loading DNSBL Whitelist... completed
Downloading Blacklist Database(s) [ shallalist (~10MB) ] ... Please wait ...
Failed Shallalist ... Failed
[ StevenBlack_ADs ] exists. [ 03/4/23 19:17:03 ]
</pre>

pfSense - Feature #13227 (New): Enable IPSec Virtual IP Pool assignment by Radius for Mobile User...
https://redmine.pfsense.org/issues/13227
2022-05-27T10:09:22Z, Tue Madsen
<p>Currently you cannot create additional Virtual IP Pools to assign mobile users IP addresses from, if you are using EAP-Radius as the authentication source.<br />This prohibits using different firewall rules for different groups of users.<br />Everyone is treated the same, unless you specifically assign a static IP to a specific user from Radius via framed-ip-address - which is NOT scalable.</p>
<p>But all the logic is enabled in strongswan, and the GUI-settings-to-swanctl.conf scripts have already enabled the groups feature in strongswan, so it will accept the "Class" attribute from Radius as a groups identifier.</p>
<p>There just needs to be a way to create a groups identifier in the GUI with an attached IP Pool that is written correctly to the config files.</p>
<p>By hacking /etc/inc/ipsec.inc I have enabled this by asking the "preshared secrets" GUI part to write an EAP Shared secret as a "groups" in the remote section instead of an "id".<br />All I did is the following edit in /etc/inc/ipsec.inc:<br />Locate the major section called <code>/***f ipsec/ipsec_setup_userpools</code> about halfway into the file.<br />Locate the line: <code>$scconf['connections'][$upconn]['remote']['id'] = $clientid;</code><br />Change it to <code>$scconf['connections'][$upconn]['remote']['groups'] = $clientid;</code></p>
<p>Once that is done, if you enable "group authentication" in your mobile clients settings, groups identifiers returned with the "Class" attribute are respected, and the user is assigned an IP from the custom pool. Default users are still assigned IPs from the default mobile warrior pool if the Radius returns the group(s) name selected in the mobile clients setup.</p>
<p>A very quick fix to this issue would be to add a new "Groups" tab in IPsec where you can add a group identifier and the IP Pool to use for that group. It can use most of the same script parts from "/***f ipsec/ipsec_setup_userpools" in ipsec.inc - it just needs to create the line in the remote part of swanctl.conf with 'groups' instead of 'id'.</p>