pfSense bugtracker: Issues (https://redmine.pfsense.org/, feed updated 2024-03-18T14:31:12Z)

pfSense - Feature #15348 (New): Block out PSK when viewing Phase 1 IPsec configuration
https://redmine.pfsense.org/issues/15348 (2024-03-18T14:31:12Z, Mike Moore)
<p>When filling out a PSK in the phase 1 proposal section, the PSK really should be entered obfuscated, with an option in the WebUI to show the password.<br />Entering a password in clear text so anyone shoulder surfing can see it is a security issue.</p>

pfSense - Bug #15347 (New): OpenVPN Multiple WAN Asymmetric Routing
https://redmine.pfsense.org/issues/15347 (2024-03-16T22:12:32Z, Timo M)
<p>Using OpenVPN in a multi-wan / failover environment (an OpenVPN interface has been created and is used by the OpenVPN server). WAN1 is Tier 1 and WAN2 is Tier 2. To be able to access the OpenVPN server through both WAN1 and WAN2, I used the port forward method to bind the OpenVPN server to localhost and forward traffic from both WAN1 and WAN2 to it as described in the documentation:</p>
<p><a class="external" href="https://docs.netgate.com/pfsense/en/latest/multiwan/openvpn.html#bind-to-localhost-and-setup-port-forwards">https://docs.netgate.com/pfsense/en/latest/multiwan/openvpn.html#bind-to-localhost-and-setup-port-forwards</a></p>
<p>FreeRADIUS is used as the authentication backend for OpenVPN (to be able to use 2FA). When connecting through WAN2 (which is on Tier 2) traffic appears to exit back out WAN1 after the RADIUS authentication completes leading to asymmetric routing. I see the following in the logs from FreeRADIUS:</p>
<p><code>(0) Login OK: [user_id] (from client pfsenseclient port 1194 cli *WAN1_IP* :1194)</code></p>
<p>I can confirm that the connection to the OpenVPN server was indeed made through WAN2 by looking at firewall states / traffic. Is this a bug, or is this configuration (OpenVPN server with FreeRADIUS authentication) not supported (e.g. the <code>reply-to</code> functionality does not work properly)? Thanks in advance.</p>

pfSense Docs - Correction #15345 (New): Advanced options -- fix typo
https://redmine.pfsense.org/issues/15345 (2024-03-16T19:46:36Z, Craig Coonrad)
<p>URL: <a class="external" href="https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#advanced-options">https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#advanced-options</a></p>
<blockquote>
<p>Tip: While this option control the global default</p>
</blockquote>
<p>to</p>
<blockquote>
<p>Tip: While this option controls the global default</p>
</blockquote>

pfSense Docs - Correction #15344 (New): Interface Bound States -- fix typo
https://redmine.pfsense.org/issues/15344 (2024-03-16T19:40:53Z, Craig Coonrad)
<p>URL: <a class="external" href="https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#interface-bound-states">https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#interface-bound-states</a></p>
<blockquote>
<p>If a packet attempts to takes an path</p>
</blockquote>
<p>Think that should be:</p>
<blockquote>
<p>If a packet attempts to takes a path</p>
</blockquote>

pfSense - Bug #15343 (New): DHCP host names for Windows 10/11 hosts have "." at the end
https://redmine.pfsense.org/issues/15343 (2024-03-15T16:50:34Z, Daryl Morse)
<p>Since changing to Kea DHCP, DHCP host names for Windows 10 and Windows 11 hosts are being created with a "." at the end.</p>
<p>This does not happen for other types of hosts.</p>
<p>This does not affect DHCPv6.</p>

pfSense - Bug #15341 (New): PHP errors in ``xmlrpc.php`` during configuration synchronization con...
https://redmine.pfsense.org/issues/15341 (2024-03-15T15:35:41Z, Christopher Cope)
<pre>
[15-Mar-2024 09:50:55 America/Chicago] PHP Fatal error: Uncaught TypeError: Cannot access offset of type string on string in /usr/local/www/xmlrpc.php:718
Stack trace:
#0 /usr/local/www/xmlrpc.php(638): pfsense_xmlrpc_server->filter_configure(false, false)
#1 /usr/local/share/pear/XML/RPC2/Server/CallHandler/Instance.php(141): pfsense_xmlrpc_server->restore_config_section(Array, 900)
#2 /usr/local/share/pear/XML/RPC2/Backend/Php/Server.php(135): XML_RPC2_Server_Callhandler_Instance->__call('pfsense.restore...', Array)
#3 /usr/local/share/pear/XML/RPC2/Backend/Php/Server.php(99): XML_RPC2_Backend_Php_Server->getResponse()
#4 /usr/local/www/xmlrpc.php(987): XML_RPC2_Backend_Php_Server->handleCall()
</pre>
<p>The error is being hit on:</p>
<pre>
23.09.1-RELEASE (amd64)
built on Wed Dec 20 13:27:00 EST 2023
FreeBSD 14.0-CURRENT
</pre>
<p>This seems to be a similar issue to <a class="external" href="https://redmine.pfsense.org/issues/14034">https://redmine.pfsense.org/issues/14034</a>, but this one has to do with OpenVPN tags. I'll get a merge request together this week.</p>

pfSense Packages - Feature #15340 (New): provide the ability to deactivate actions in Gui
https://redmine.pfsense.org/issues/15340 (2024-03-15T14:52:21Z, Mike Moore)
<p>When using the webUI to push changes there are times when I need to deactivate a portion of the config. For example, I create an ACL that has header restrictions (visit /login.php), but for testing purposes I need to permit access to a URL, so I would need to delete the configuration under 'Actions' in the GUI Frontend configuration and add it back later when testing is done. So I would take a screenshot of the config to add it back later.</p>
<p>If possible, similar to firewall rules, provide the ability to 'deactivate' ACL Actions. Otherwise, the workaround is to delete the action and re-add it later.<br />Of course the other workaround would be to add the configuration through 'Advanced Passthru', but that defeats the purpose of using the GUI to build the rules.</p>

pfSense Plus - Regression #15337 (New): pfSense-boot pkg fails install in UFS
https://redmine.pfsense.org/issues/15337 (2024-03-13T22:05:02Z, Steve Wheeler)
<p>Upgrading UFS installs to the current 24.03 snapshot fails when running the POST-INSTALL script in the pfSense upgrade pkg:</p>
<pre>
Installed packages to be UPGRADED:
pfSense-boot: 24.03.b.20240312.0600 -> 24.03.b.20240313.0600 [pfSense-core]
Number of packages to be upgraded: 1
[1/1] Upgrading pfSense-boot from 24.03.b.20240312.0600 to 24.03.b.20240313.0600...
[1/1] Extracting pfSense-boot-24.03.b.20240313.0600: .......... done
/bin/sh: Syntax error: end of file unexpected (expecting "fi")
pkg-static: POST-INSTALL script failed
failed.
Failed
</pre>
<p>This appears to be caused by the script truncating the UFS ID:</p>
<pre>
+ mount -p
+ awk '$2 ~ /^\/$/ { match($1, "[[:alpha:]/]+[[:digit:]]+"); print substr($1, RSTART, RLENGTH); }'
+ bootdevs=/dev/ufsid/6023315
+ mount -p
+ awk '$2 ~/\/boot\/efi/'
+ [ -n '' ]
+ gpart show -p /dev/ufsid/6023315
+ awk '$4 ~ /efi/ {print $3}'
gpart: No such geom: /dev/ufsid/6023315.
</pre>

pfSense Plus - Bug #15332 (New): Kea doesn't start without any logs when upload config with addit...
https://redmine.pfsense.org/issues/15332 (2024-03-12T13:17:13Z, aleksei prokofiev)
<p>If the config has an additional DHCP pool with extra parameters configured, such as default-lease-time or max-lease-time, then KEA won't start, without any logs. To fix that, delete those extra options from the config, or just resave the affected pool without any changes; that will rewrite the config without the extra options.</p>
<p>For example:</p>
<pre>
<pool>
 <range>
 <from>192.168.6.2</from>
 <to>192.168.6.48</to>
 </range>
 <descr><![CDATA[NTP Server]]></descr>
 <defaultleasetime>600</defaultleasetime>
 <maxleasetime>3600</maxleasetime>
</pre>
<p>After resaving it will be deleted:</p>
<pre>
<pool>
 <range>
 <from>192.168.6.2</from>
 <to>192.168.6.48</to>
 </range>
 <descr><![CDATA[NTP Server]]></descr>
 <defaultleasetime></defaultleasetime>
 <maxleasetime></maxleasetime>
</pre>

pfSense - Feature #15331 (New): Client (service) for CloudFlare WARP/WARP+
https://redmine.pfsense.org/issues/15331 (2024-03-11T16:52:27Z, Sergei Shablovsky)
<p><strong>For a couple of years now, CloudFlare has in fact been the fastest and most reliable proxy and SDN for most users.</strong><br />(Sometimes backbone and core border routing problems that hit Akamai have only a small impact on CF.)<br />Most of the “childhood problems” of a new and fast-growing company HAVE GONE AWAY.</p>
<p>And the <strong>NUMBER OF POINTS OF PRESENCE (data centers, colocated servers) IS CONSTANTLY GROWING!</strong></p>
<p><strong>All this makes the CloudFlare WARP/WARP+ service more and more wanted not only by most ordinary users and advanced users, but also by small and medium private businesses and government organizations.</strong></p>
<p>And as a result, since 2022 more and more coders have tried to implement CloudFlare WARP/WARP+ client code for various OSs, especially those on which routers/firewalls are based.</p>
<p>Please take a look at the<br />thread on pfSense CE:<br /><a class="external" href="https://forum.netgate.com/topic/177267/connecting-to-cloudflare-surely-its-possible">https://forum.netgate.com/topic/177267/connecting-to-cloudflare-surely-its-possible</a></p>
<p>thread on CloudFlare:</p>
<p><a class="external" href="https://community.cloudflare.com/t/warp-client-for-freebsd-based-firewalls-eg-pfsense-opnsense/426717/1">https://community.cloudflare.com/t/warp-client-for-freebsd-based-firewalls-eg-pfsense-opnsense/426717/1</a></p>
<p>So, the bottom line of all of this:<br />making a CloudFlare WARP/WARP+ client as a separate package for pfSense is not so much time and effort.</p>
<p>If the DevTeam makes it right now, with testing and feedback from users over the summer (when there is not so much business workload and any negative impact would be minimal) for the next upcoming release (2.7.3-REL), this is “adding more value to pfSense” and growing the distance from the competitor OPNsense.</p>

pfSense Docs - Correction #15329 (New): Poor description of VLAN basics
https://redmine.pfsense.org/issues/15329 (2024-03-10T23:40:08Z, Tom Lane)
<p>The definition of Parent Interface on page <a class="external" href="https://docs.netgate.com/pfsense/en/latest/vlan/terminology.html">https://docs.netgate.com/pfsense/en/latest/vlan/terminology.html</a> has a Note saying</p>
<p>"The sole function of the parent interface is, ideally, to be the parent for the defined VLANs and not used directly. In some situations this will work, but can cause difficulties with switch configuration, and it requires use of the default VLAN on the trunk port, which is best to avoid as discussed further in VLANs and Security."</p>
<p>As a relative newbie, I found this exceedingly confusing: it seems to mean that the parent interface is not to be used at all. That's reinforced by the configuration example a couple of pages later at <a class="external" href="https://docs.netgate.com/pfsense/en/latest/vlan/configuration.html#console-vlan-configuration">https://docs.netgate.com/pfsense/en/latest/vlan/configuration.html#console-vlan-configuration</a>, which actually shows VLANs being attached to an interface that's down (i.e. no cable attached). Of course, this reading is complete nonsense, but there's nothing in the definition of Parent Interface that would clarify it. I suggest adding a sentence to the Parent Interface definition along the lines of "The VLAN interface represents all packets tagged with its VLAN ID that are sent or received on the physical connection identified by the parent interface". The first sentence of the Note would be much better stated along the lines of "Ideally, all traffic sent or received on a physical interface used for VLANs should be tagged with one or another VLAN ID, so that no traffic flows through the parent interface as such." The rest of the Note is equally desperately in need of a rewrite, but I have no concrete suggestions there. After that, you should fix the configuration example so that it shows an actually-usable configuration, rather than VLANs attached to an unconnected interface.</p>

pfSense - Bug #15328 (New): Kea DHCP corrupts existing leases when a new DHCP pool is added
https://redmine.pfsense.org/issues/15328 (2024-03-10T23:09:39Z, Tom Lane)
<p>I set up a couple of DHCP pools for VLANs on a new Netgate 4200 (running pfsense+ 23.09.1), which is replacing an EdgeRouter-X that had been serving DHCP to the same clients. That went fine, and I watched several of the existing VLAN clients re-acquire their existing addresses from the new server. Then I added another DHCP pool attached directly to the PORT2LAN interface. That completely confused matters for existing leases: the server actively rejected attempts to renew those leases and gave out addresses of its own choosing. Now I am seeing two different entries in the DHCP Leases status page for the same MAC address, which surely should not happen. Digging in the DHCP log entries, it looks like when the server was restarted because of the pool addition, all the lease reloads failed with complaints like</p>
<p><code>Mar 10 16:09:18 kea-dhcp4 39285 WARN [kea-dhcp4.dhcpsrv.0x401b3c12000] DHCPSRV_LEASE_SANITY_FAIL The lease 10.0.20.41 with subnet-id 2 failed subnet-id checks (the lease should have subnet-id 3).</code></p>
<p>10.0.20.41 is still shown (though as "down") in the Leases page, but there's also an entry for that client with its forcibly-assigned new IP address.</p>
<p>This isn't a fatal problem, assuming that the server manages to keep re-issuing these newly-chosen addresses, but it's mildly annoying. I'm not sure if there will be any outright conflicts as the remaining clients try to renew their leases.</p>

pfSense - Feature #15326 (New): Use alias to define 1:1 NAT mapping
https://redmine.pfsense.org/issues/15326 (2024-03-10T01:52:20Z, Tom Lane)
<p>I made some single-entry host aliases, which I find I can use in most firewall rules, but not in creating 1:1 NAT mappings (as either external or internal address). It'd be nice if that could work.</p>
<p>Previous discussion: <a class="external" href="https://forum.netgate.com/topic/186618/using-firewall-aliases-outside-of-firewall-rules?_=1710034514306">https://forum.netgate.com/topic/186618/using-firewall-aliases-outside-of-firewall-rules?_=1710034514306</a></p>

pfSense Docs - New Content #15325 (New): Tailscale documents
https://redmine.pfsense.org/issues/15325 (2024-03-09T03:08:14Z, Alhusein Zawi)
<p>Adding documents to explain how to set up Tailscale.</p>

pfSense - Feature #15324 (New): Allow specifying cloudflare host id for dyndns
https://redmine.pfsense.org/issues/15324 (2024-03-08T21:41:23Z, Flole Systems)
<p>This can save an HTTP request when updating the entry, and may be used to update multiple entries with the same name but different IPs for round-robin based load-balancing.</p>