pfSense bugtracker: Issues https://redmine.pfsense.org/ https://redmine.pfsense.org/favicon.ico?1678052116 2024-02-26T09:35:21Z pfSense bugtracker
Redmine pfSense - Bug #15291 (New): Error on Traffic Shaper 0% Bandwidth https://redmine.pfsense.org/issues/15291 2024-02-26T09:35:21Z Pavan K
<p>Link to post on pfSense Forum: <br /><a class="external" href="https://forum.netgate.com/topic/186137/error-on-traffic-shaper-0-bandwidth?_=1708915183963">https://forum.netgate.com/topic/186137/error-on-traffic-shaper-0-bandwidth?_=1708915183963</a></p>
<p>Backstory:<br />Recently we migrated from pfSense 2.4.x to 2.7.2, which was a direct update. Everything worked fine except the traffic shaping feature.</p>
<p>Following is the error:<br />There were error(s) loading the rules: pfctl: the sum of the child<br />bandwidth (1200000000) higher than parent "root_igc4" (1000000000) -<br />The line in question reads [0]: @ 2024-01-31 16:45:05</p>
<p>Following is our configuration:<br />Name → FAIRQ_7<br />Priority→ 7<br />Scheduler Option → Random Early detection in and out<br />Bandwidth → None</p>
<p>Add new Queue(Default)<br />Enable<br />Name → qFAIRQ_2(Default)<br />Priority→ 2<br />Scheduler Option → Default<br />Bandwidth → None</p>
<p>Add new Queue(ACK)<br />Enable<br />Name → qACK_6<br />Priority→ 6<br />Scheduler Option → Random Early detection in and out<br />Bandwidth → None</p>
<p>According to the configuration the Bandwidth on Queue(ACK) should be 0% which was migrated off from 2.4.x but on 2.7.2 it's not letting us save 0% bandwidth for some reason.</p>
<p>And due to this new rules which are created are not taking effect it's only after we disable and enable the Traffic Shaper completely the rule is effective.</p>
pfSense - Feature #14558 (New): Feature Request: GUI options to Unbound Resolver's new DoH abili... https://redmine.pfsense.org/issues/14558 2023-07-07T15:51:47Z Jonathan Lee
<p>Hello fellow pfSense Redmine community members,</p>
<p>I was wondering if the DNS resolver could have GUI abilities to configure DoH with the Unbound resolver, as Unbound is now able to resolve DoH. This would be an amazing addition to the pfSense software.</p>
<p>Please see url:</p>
<p><a class="external" href="https://unbound.docs.nlnetlabs.nl/en/latest/topics/privacy/dns-over-https.html">https://unbound.docs.nlnetlabs.nl/en/latest/topics/privacy/dns-over-https.html</a></p>
<p><a class="external" href="https://forum.netgate.com/topic/181338/feature-request-gui-options-to-unbound-resolver-s-new-doh-abilities/2">https://forum.netgate.com/topic/181338/feature-request-gui-options-to-unbound-resolver-s-new-doh-abilities/2</a></p>
pfSense - Bug #12552 (New): "Pull DNS" option within OpenVPN client does not cause pfSense to use... https://redmine.pfsense.org/issues/12552 2021-12-01T11:19:15Z John Williams
<p>I have an OpenVPN client setup to connect to ExpressVPN. ExpressVPN does not provide static DNS servers for use with their VPN traffic; DNS servers are assigned dynamically. If the "Pull DNS" checkbox is checked within the OpenVPN client settings, I'd expect my DNS Resolver to use the ExpressVPN assigned DNS servers.</p>
<p>Instead, the DNS Resolver still uses the DNS servers that are configured via System -> General Setup. I have my DNS Resolver in forwarding mode ("Enable Forwarding Mode" is checked). If I put the DNS Resolver in resolver mode, then DNS queries are forwarded to my ISP (Comcast).</p>
pfSense - Feature #11956 (New): "add" button in the top of pages with many user-added items https://redmine.pfsense.org/issues/11956 2021-05-24T17:03:48Z Guillaume LUCAS
<p>In Interfaces > Assignments | VLANs, Firewall > Aliases | NAT | Rules | Virtual IPs, is it possible to add the "Add" button at the top of the page?<br />I have many items so I need to scroll before "Add". It's tiring when I add several items at once.<br />I have given some examples of pages, but my request applies to all pages where there may be many items added by the user.</p>
<p>Yes, I know the "end" key of my keyboard, but its location on some laptop keyboards is unpleasant.<br />In addition, team leaders don't care about this tech detail, they just want to click, click, and click again (user-friendly). How do you convince them to use pfSense when other firewalls' interfaces have these kinds of little details they like?</p>
<p>This feature request enlarges feature <a class="issue tracker-2 status-1 priority-10 priority-lowest" title="Feature: Firewall Aliases Add button on top of list (New)" href="https://redmine.pfsense.org/issues/10290">#10290</a> / <a class="external" href="https://redmine.pfsense.org/issues/10290">https://redmine.pfsense.org/issues/10290</a> .</p>
pfSense - Bug #10712 (New): "default allow LAN IPv6 to any" rule does not work right after boot w... https://redmine.pfsense.org/issues/10712 2020-06-29T04:54:35Z Viktor Gurov
<p><a class="external" href="https://forum.netgate.com/topic/154856/multiple-ipv6-bugs-quirks-in-pfsense">https://forum.netgate.com/topic/154856/multiple-ipv6-bugs-quirks-in-pfsense</a>:<br />Quite simply, you boot, you get an IPv6 PD and give it out through SLAAC on your LAN interface, machines get an IP but aren't able to connect to the internet over IPv6. If you check the firewall logs, you'll see the traffic gets dropped due to the default drop all rule.</p>
<p>Workaround : disable and enable any firewall rule to force a reload of the rules. After that, connectivity works.</p>
<p>My assumption for the root cause: the "LAN net" source does not get updated correctly when the PD gets assigned, since it does take a while to get the PD and assign it to all the needed interfaces. Because of this, the traffic from the PDd IPs is not recognised and dropped. Reloading the rules forced a reload of the "LAN net" source and thus makes it work.</p>
pfSense - Bug #8963 (New): 2.4.4 Limiters don't work after CARP fail-over https://redmine.pfsense.org/issues/8963 2018-09-27T01:12:17Z James Cornett
<p>Limiters are not applied when using HA, states are being synced with pfsync, and a CARP fail over occurs.</p>
<p>When Firewall A has a limiter applied (like on a WAN interface) and a CARP fail-over event occurs, bandwidth becomes unrestricted for existing download sessions on Firewall B until either CARP fails back to Firewall A or the NAT session state expires on Firewall B.</p>
To replicate:<br />Setup pfSense:
<ul>
<li>Enable HA (pfsync)</li>
<li>Enable CARP and setup as default gateway for a LAN interface</li>
<li>Update NAT rules for HA and CARP (Manual NAT and modify gateway)</li>
<li>Create WAN_IN and WAN_OUT Limiters with defaults and a small bandwidth limit</li>
<li>Create Floating Rules for In and Out and assign Limiters</li>
</ul>
Test Scenario:
<ul>
<li>Start a large download. </li>
<li>Note download speed and observe traffic chart on primary firewall. Download follows expected limiter behavior.</li>
<li>Go to Status, "CARP (failover)", and click "Enter Persistent CARP Maintenance Mode" </li>
<li>Download speed becomes unlimited and immediately increases speed. Observe traffic chart on failover firewall.</li>
<li>Simultaneously, without stopping first download, start another download from a different server. Note the download speed follows expected limiter behavior.</li>
<li>Go to Status, "CARP (failover)" on Primary firewall and click "Leave Persistent CARP Maintenance Mode" </li>
<li>The original download will throttle back down to the expected speed, whereas the second download will become unlimited.</li>
</ul>
pfSense - Bug #8207 (New): 2.4 cannot boot as a Xen VM with more than 7 NICs https://redmine.pfsense.org/issues/8207 2017-12-13T10:47:48Z Michael Reardon
<p>2.4 does not seem to be able to boot when running as a VM under Xen when the guest is assigned more than 7 NICs. Boot log attached. Selecting Safe Mode from the boot options does not resolve it and the system still hangs.</p>
<p>I've installed 2.3(.5) to it without any issue, but I would like to eventually move it along to 2.4 with the rest of our firewalls. I've attached the boot log, with the interesting lines from it being:</p>
<blockquote>
<p><em>xn7: failed to allocate tx grant refs<br />...<br />run_interrupt_driven_hooks: still waiting after 60 seconds for xenbusb_nop_confighook_cb<br />run_interrupt_driven_hooks: still waiting after 120 seconds for xenbusb_nop_confighook_cb<br />...</em></p>
</blockquote>
pfSense - Bug #8177 (New): "../xsl/package.xsl" is referenced in package XML files but not on the... https://redmine.pfsense.org/issues/8177 2017-12-09T18:58:49Z Harry Coin hcoin@quietfountain.com
pfSense - Bug #8176 (New): ../schema/packages.dtd -- referenced in *xml, but missing? https://redmine.pfsense.org/issues/8176 2017-12-09T18:52:43Z Harry Coin hcoin@quietfountain.com
<p>Nearly every xml file in the packages collection includes<br />&lt;!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"&gt;</p>
<p>However, I can not find that file on an installed system, even one that includes one of those packages, e.g. routed.</p>
pfSense - Bug #7730 (New): 2.3.4_1 greX: loop detected when hit save on filter rules or interfaces https://redmine.pfsense.org/issues/7730 2017-07-27T07:16:59Z Richie M
<p>Upgraded from 2.2.6.<br />Anytime we hit save in the GUI for interface or filter rules, even if no change was made, we start getting "Jul 25 14:50:02 &lt;hostname&gt; kernel: greX: loop detected" spam in dmesg/system.log. Our GRE tunnel goes down.</p>
<p>Any cluster sync activity from the Primary to Secondary also causes this issue.</p>
<p>We have to do a save on the GRE interface in the web GUI (this downs/ups the interface) and the tunnel starts working again.</p>
<p><code><br />Jul 25 14:50:01 hostname kernel: gre0: loop detected<br />Jul 25 14:50:02 hostname kernel: gre1: loop detected<br />Jul 25 14:50:02 hostname kernel: gre0: loop detected<br />Jul 25 14:50:02 hostname kernel: gre1: loop detected<br />Jul 25 14:50:02 hostname kernel: gre0: loop detected<br />Jul 25 14:50:03 hostname kernel: gre1: loop detected<br />Jul 25 14:50:03 hostname kernel: gre0: loop detected<br />Jul 25 14:50:03 hostname kernel: gre1: loop detected<br /></code></p>
<p>Original Forum Thread: <a class="external" href="https://forum.pfsense.org/index.php?topic=134258.0">https://forum.pfsense.org/index.php?topic=134258.0</a></p>
pfSense - Feature #7459 (New): "Refresh" button for Diagnostics/Tables display https://redmine.pfsense.org/issues/7459 2017-04-09T02:32:18Z Phil Biggs
<p>When viewing a table, using the browser refresh produces a resend/resubmit dialog.<br />The only other way to refresh the displayed table is to navigate to another table then back to the original.<br />A Refresh button (perhaps next to the "Empty table" button) or a Refresh icon would be very useful.</p>
pfSense - Todo #6727 (New): Missing file apple-touch-icon-precomposed.png ? https://redmine.pfsense.org/issues/6727 2016-08-18T14:10:11Z Andy Kniveton
<p>I notice this occasionally in my log files after logging in via the web browser :-</p>
<p>Aug 18 19:50:38 pfsense.localdomain nginx: 2016/08/18 19:50:38 [error] 36942#100114: *10595 open() "/usr/local/www/apple-touch-icon-precomposed.png" failed (2: No such file or directory), client: 172.16.1.20, server: , request: "GET /apple-touch-icon-precomposed.png HTTP/1.1", host: "172.16.1.1"</p>
<p>[2.3.2-RELEASE][<a class="email" href="mailto:admin@pfsense.localdomain">admin@pfsense.localdomain</a>]/root: ls /usr/local/www/apple-touch-icon-precomposed.png<br />ls: /usr/local/www/apple-touch-icon-precomposed.png: No such file or directory</p>
<p>[2.3.2-RELEASE][<a class="email" href="mailto:admin@pfsense.localdomain">admin@pfsense.localdomain</a>]/root: ls /usr/local/www/*.png<br />/usr/local/www/apple-touch-icon.png /usr/local/www/logo.png<br />/usr/local/www/logo-black.png /usr/local/www/pfs-mini.png<br />[2.3.2-RELEASE][<a class="email" href="mailto:admin@pfsense.localdomain">admin@pfsense.localdomain</a>]/root:</p>
<p>Maybe it's just worth doing a symbolic link in the next pfSense build.</p>
pfSense - Feature #5850 (New): Limit "WebCfg - System: User Manager page" privilege to non-admin... https://redmine.pfsense.org/issues/5850 2016-02-07T12:35:35Z Timon Esser me@timonster.com
<p>A user with the "WebCfg - System: User Manager page" privileges can assign himself and others to the admin group and gain admin rights this way. It would be nice to limit the "WebCfg - System: User Manager page" privilege to managing only non-admins and certain groups. While having the ability to add himself to the admin group this privilege makes no sense, if I'm not wrong.</p>
pfSense - Feature #2358 (New): NAT64 Support https://redmine.pfsense.org/issues/2358 2012-04-08T16:48:12Z Seth Mos seth.mos@dds.nl
<p>example <a class="external" href="http://ecdysis.viagenie.ca/">http://ecdysis.viagenie.ca/</a></p>
pfSense - Feature #1388 (New): 3G outbound failover connection with auto dial-up and hang-up https://redmine.pfsense.org/issues/1388 2011-03-28T11:06:20Z Pio Pii
<p>I would like to see implemented a feature to use a USB 3G modem as a failover (not balancing) dial-up connection (<strong><b>connected only for the time strictly needed</b></strong>) to be used as in a Gateway Group.<br />A 3G failover connection <strong>always on</strong> is completely useless if you have a contract charged on a time basis (almost all 3G contracts in Italy are charged according to the time you stay connected).<br />Actually it is not possible due to the way gateways are monitored in the "Gateway Groups".</p>
<p>In other words, using this feature you should be able to configure your box with a primary ADSL connection and a 3G failover working in this way:<br />shutting down the primary Wan (ADSL), the 3G modem should become active (dial up) and the traffic should be routed through the 3G connection.<br />When the primary ADSL connection comes up again, the 3G modem should <strong><b>disconnect</b></strong> and the traffic should be routed again through the ADSL connection.</p>