<p>pfSense bugtracker: Issues (<a class="external" href="https://redmine.pfsense.org/">https://redmine.pfsense.org/</a>, updated 2023-08-07T21:24:06Z)</p>
<p>pfSense Packages - Bug #14659 (New): vlan (add/modify/delete) with pfblockerNG installed - all in... (<a class="external" href="https://redmine.pfsense.org/issues/14659">https://redmine.pfsense.org/issues/14659</a>, 2023-08-07T21:24:06Z, Mike Moore)</p>
<p>Hard to say if this is a bug per se, but it's a reproducible problem.</p>
<p>1. create a LAGG with assigned VLANs and those VLANs are assigned interfaces.<br />2. install pfBlockerNG and assign your incoming and outgoing interfaces per usual. Incoming will be WAN and outgoing will be the VLAN interfaces<br />3. If you modify any part of the vlan configuration - change the description or change the vlan.id, this triggers a complete flap of all interfaces. If you have FRR routing neighbors, those neighbors will flap as well.</p>
<p>The workaround is to modify the LAGG during a maintenance window. <br />Changing a VLAN description shouldn't trigger this system-wide outage behavior.</p>
<p>I have found that if you disable the pfBlocker package then the LAGG doesn't bounce and the system operates normally. I traced this issue to pfblocker by removing all packages and installing them one by one and going through the process of vlan modifications. pfBlocker is the only package that triggers this.</p>
<p>system.log file shown when vlan description changed</p>
<pre>
Aug 7 16:51:17 GAFW kernel: vlan5: changing name to 'lagg0.3'
Aug 7 16:51:17 GAFW php-fpm[9054]: /interfaces_vlan_edit.php: Gateway, NONE AVAILABLE
Aug 7 16:51:17 GAFW check_reload_status[441]: Restarting IPsec tunnels
Aug 7 16:51:17 GAFW check_reload_status[441]: updating dyndns opt4
Aug 7 16:51:17 GAFW php-fpm[9054]: /interfaces_vlan_edit.php: Configuration Change: admin@192.168.50.241 (Local Database Fallback): VLAN interface added
Aug 7 16:51:17 GAFW check_reload_status[441]: Syncing firewall
Aug 7 16:51:17 GAFW php-fpm[9054]: /interfaces_vlan_edit.php: Beginning configuration backup to https://acb.netgate.com/save
Aug 7 16:51:21 GAFW arpwatch[39747]: bogon 0.0.0.0 da:e2:d7:9b:a5:bc
Aug 7 16:51:21 GAFW arpwatch[39747]: bogon 0.0.0.0 da:e2:d7:9b:a5:bc
Aug 7 16:51:21 GAFW arpwatch[39747]: bogon 0.0.0.0 da:e2:d7:9b:a5:bc
Aug 7 16:51:33 GAFW php-fpm[1682]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Aug 7 16:51:33 GAFW check_reload_status[441]: Reloading filter
Aug 7 16:51:33 GAFW php-fpm[1682]: /rc.newipsecdns: Gateway, NONE AVAILABLE
Aug 7 16:51:33 GAFW php-fpm[1682]: /rc.newipsecdns: Gateway, NONE AVAILABLE
Aug 7 16:51:34 GAFW php-fpm[1682]: /rc.newipsecdns: Gateway, NONE AVAILABLE
Aug 7 16:51:34 GAFW php-fpm[86524]: /rc.filter_configure_sync: New alert found: Unresolvable source alias 'pfB_AllowedCountries_v4' for rule 'Allowed countries to VPN'
Aug 7 16:51:34 GAFW php-fpm[86524]: /rc.filter_configure_sync: New alert found: Unresolvable source alias 'pfB_AllowedCountries_v4' for rule 'NAT Redirct to Jitsi VCB'
Aug 7 16:51:34 GAFW php-fpm[86524]: /rc.filter_configure_sync: New alert found: Unresolvable destination alias 'pfB_DNS_4_v4' for rule 'Block DoH and External'
Aug 7 16:51:34 GAFW php-fpm[86524]: /rc.filter_configure_sync: New alert found: Unresolvable destination alias 'pfB_DNS_4_v4' for rule 'Block DoH and External'
Aug 7 16:51:40 GAFW vnstatd[49111]: Traffic rate for "ipsec4" higher than set maximum 1000 Mbit (20s->2673868800, r4294889635 t4294888716, 64bit:0), syncing.
Aug 7 16:51:40 GAFW vnstatd[49111]: Traffic rate for "ipsec3" higher than set maximum 1000 Mbit (20s->2673868800, r4294889368 t4294888849, 64bit:0), syncing.
Aug 7 16:51:40 GAFW vnstatd[49111]: Traffic rate for "ipsec2" higher than set maximum 1000 Mbit (20s->2673868800, r4294894185 t4294821515, 64bit:0), syncing.
Aug 7 16:51:49 GAFW php-cgi[99958]: notify_monitor.php: Message sent to admin@networkingtitan.com,michmoor@gmail.com OK
Aug 7 16:52:00 GAFW newsyslog[18417]: logfile turned over due to size>500K
</pre>
<p>pfSense - Bug #14479 (New): unbound doing qname-minimisation when enabled in unbound gui. (<a class="external" href="https://redmine.pfsense.org/issues/14479">https://redmine.pfsense.org/issues/14479</a>, 2023-06-16T18:46:14Z, JohnPoz _)</p>
<p>I have not checked 2.7 or 23.05 yet but this came up in a discussion here</p>
<p><a class="external" href="https://forum.netgate.com/post/1110945">https://forum.netgate.com/post/1110945</a></p>
<p>Seems unbound is now doing qname by default.. So if there is no setting in the conf for qname-minimisation it does it. By default this option in 2.6 is not enabled, but since no entry in the .conf file it is being done. With no way to turn it off without placing an entry in the custom box to set it to no.</p>
<p>Logic should be changed to allow for enable/disable qname from the gui. What it defaults to doesn't matter really, but with current logic there is no way to actually turn it off.. And the gui reads that it is off by default, but it really isn't, since unbound defaults to doing it.</p>
<p>pfSense - Bug #13486 (New): strongswan attributes should be comma-separated instead of whitespace-... (<a class="external" href="https://redmine.pfsense.org/issues/13486">https://redmine.pfsense.org/issues/13486</a>, 2022-09-12T09:30:48Z, Andreas W)</p>
<p>The strongswan docs mention that attribute lists need to be "specified as a comma-separated list": <a class="external" href="https://docs.strongswan.org/docs/5.9/plugins/attr.html#_attribute_types">https://docs.strongswan.org/docs/5.9/plugins/attr.html#_attribute_types</a><br />The pfSense UI is using whitespace-separated values and is using them as-is.</p>
<p>This leads to a broken IPsec configuration and is especially relevant since <a class="issue tracker-1 status-3 priority-4 priority-default closed" title="Bug: IKEv2 Mobile IPsec clients do not receive ``INTERNAL_DNS_DOMAIN`` (value ``25``) attribute (Resolved)" href="https://redmine.pfsense.org/issues/12975">#12975</a> - which led to broken DNS resolution on 22.05 for my setup.</p>
<p>This applies to all fields that support multiple values - I noticed the issue with <code>dns_split</code> and attribute 25 specifically.</p>
<p>pfSense Packages - Bug #13141 (New): wrong page squidguard block (<a class="external" href="https://redmine.pfsense.org/issues/13141">https://redmine.pfsense.org/issues/13141</a>, 2022-05-09T17:33:52Z, Robson Ferreira)</p>
<p>When I was using squid+squidguard a few versions before, I could use the redirect mode "external url move".<br />So there I was putting in the page to redirect to and it worked.<br />But now when I put in the page, if I check the squidguard file there is a redirect 302, but before there wasn't.<br />Look at the picture.</p>
<p>pfSense Packages - Bug #12655 (New): telegraf, wireguard plugin failing (<a class="external" href="https://redmine.pfsense.org/issues/12655">https://redmine.pfsense.org/issues/12655</a>, 2021-12-30T17:51:20Z, Russell Morris (pfsense@rkmorris.us))</p>
<p>Hi,</p>
<p>I'm trying to use the Wireguard plugin for telegraf, more info on the plugin here,<br /><a class="external" href="https://github.com/influxdata/telegraf/tree/master/plugins/inputs/wireguard">https://github.com/influxdata/telegraf/tree/master/plugins/inputs/wireguard</a></p>
<p>So, I added to my telegraf "Additional configuration for Telegraf"</p>
<pre>
[[inputs.wireguard]]
</pre>
<p>But, if I then run a test (output to shell),</p>
<pre>
telegraf --test --config /usr/local/etc/telegraf.conf | grep -i wireguard
</pre>
<p>No output (just the Telegraf "header"). So, I checked the Wireguard interface, with <code>wg show</code>, and get,</p>
<pre>
interface: tun_wg0
</pre>
<p>Adding this interface specifically to the pfSense telegraf config, it's now,</p>
<pre>
[[inputs.wireguard]]
devices = ["tun_wg0"]
</pre>
<p>Telegraf (test) does report an output at this point, but it's not happy :-(,</p>
<pre>
2021-12-30T23:44:48Z W! [inputs.wireguard] No Wireguard device found with name tun_wg0
</pre>
<p>So something isn't quite right. I saw a similar thing before in Linux, thinking this may be related? It was tied there to user vs. kernel space implementation and access ... some links that may help here.<br /><a class="external" href="https://github.com/influxdata/telegraf/issues/7307">https://github.com/influxdata/telegraf/issues/7307</a><br /><a class="external" href="https://www.freshports.org/net/wireguard">https://www.freshports.org/net/wireguard</a></p>
<p>Thoughts?</p>
<p>Thanks!</p>
<p>pfSense - Bug #10833 (New): unbound exits on configuration error when link status flaps on LAN in... (<a class="external" href="https://redmine.pfsense.org/issues/10833">https://redmine.pfsense.org/issues/10833</a>, 2020-08-13T23:53:30Z, John Hood)</p>
<p>I have pfSense installed at home on a small, old, core2duo-based machine. It does pretty typical home-router duty; the most obvious-to-me unusual parts of the configuration are that the internal IPv4 network is 198.206.215.0/24 instead of an RFC1918 network address, and I have an IPv6 tunnel to Hurricane Electric.</p>
<p>This week, the 11-year-old unmanaged GbE switch attached to the LAN port got flaky, and started to fail in some way that caused it to blink all lights on the front and stop passing traffic. Logs show link status flapping on the LAN interface. On power-cycling the switch, it would start working again. But DNS service was gone, though restartable at Status/Services/unbound. I found this in resolver.log:</p>
<pre>
Aug 13 20:28:22 router unbound: [27434:0] fatal error: Could not read config file: /unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf
</pre>
<p>I wrote a little monitoring script that does 'pgrep unbound' and 'ifconfig em1' every 10 seconds. That seems to show link flapping between normal:</p>
<pre>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
</pre>
<p>and no link:</p>
<pre>
media: Ethernet autoselect
status: no carrier
</pre>
<p>It also showed two copies of dhcpleases running after the link starts flapping.</p>
<p>Edited/excerpted logs and the monitoring script are attached, the switch starts flapping at Aug 13 20:27:57 in the logs, and I power-cycled the switch about 20:28:45. I restarted unbound at 20:30:36.</p>
<p>I tried reproducing the problem by manually plugging/unplugging the patch cable involved, and was not able to reproduce the problem. Alas, I destroyed the switch by plugging the wrong power supply in, so it's no longer helpful either. So I have no repro. I suspect connecting a FreeBSD box and running a little script that did things with 'ifconfig down' and 'ifconfig up' and 'ifconfig mediaopt <blah>' combined with some randomized short delays would eventually knock unbound over.</p>
<p>I haven't investigated the code at all, but it smells like some kind of race condition in the link-configuration scripts to me.</p>
<p>pfSense Packages - Bug #9999 (New): unbound fatal error if System Domain in DNSBL and System Doma... (<a class="external" href="https://redmine.pfsense.org/issues/9999">https://redmine.pfsense.org/issues/9999</a>, 2019-12-25T00:22:36Z, Viktor Gurov)</p>
<p>On System / General Setup I have configured <MYHOST> as hostname and mywire.org (dynu.com dyndns provider) as domain,<br />and System Domain Local Zone Type is Redirect on the Services \ DNS Resolver page.</p>
<p>At the same time, I got another host from this domain during the last DNSBL feeds update:</p>
<pre>
[2.4.4-RELEASE][root@<MYHOST>.mywire.org]/var/db/pfblockerng: grep -r servici-android-postali *
dnsbl/OpenPhish.txt:local-data: "servici-android-postali.mywire.org 60 IN A 10.10.10.1"
dnsblalias/DNSBL_Phishing:local-data: "servici-android-postali.mywire.org 60 IN A 10.10.10.1"
dnsblorig/OpenPhish.orig:http://servici-android-postali.mywire.org/B.P.O.L/solo.android/securelogin-html2019postepay
[2.4.4-RELEASE][root@<MYHOST>.mywire.org]/var/db/pfblockerng: grep mywire /var/unbound/*
/var/unbound/pfb_dnsbl.conf:local-data: "servici-android-postali.mywire.org 60 IN A 10.10.10.1"
</pre>
<p>After that, unbound does not start:</p>
<pre>
unbound: [1232:0] warning: duplicate local-zone <MYHOST>.mywire.org.
unbound: [1232:0] warning: duplicate local-zone localhost.mywire.org.
unbound: [1232:0] error: local-data in redirect zone must reside at top of zone, not at servici-android-postali.mywire.org 60 IN A 10.10.10.1
unbound: [1232:0] fatal error: Could not set up local zones
</pre>
<p>pfSense 2.4.4-p3, pfBlockerNG-devel 2.2.5_27</p>
<p>pfSense - Bug #9737 (New): traffic-graphs.js shows incorrect units inside the chart (<a class="external" href="https://redmine.pfsense.org/issues/9737">https://redmine.pfsense.org/issues/9737</a>, 2019-09-09T06:35:19Z, Alex Kolesnik (pfsenseorg3@temp.spb.ru))</p>
<p><a class="external" href="https://github.com/pfsense/pfsense/blob/42839d824d51cad3a8a55fccb2dc96368568ce8e/src/usr/local/www/js/traffic-graphs.js#L204">https://github.com/pfsense/pfsense/blob/42839d824d51cad3a8a55fccb2dc96368568ce8e/src/usr/local/www/js/traffic-graphs.js#L204</a></p>
<p>That condition doesn't work (at least) in Chrome - window.size returns a string literal instead of a number.</p>
<p>pfSense Packages - Bug #9286 (New): squidGuard - Unable to change IP for sgerror.php URL in confi... (<a class="external" href="https://redmine.pfsense.org/issues/9286">https://redmine.pfsense.org/issues/9286</a>, 2019-01-22T12:13:21Z, Kris Douglas)</p>
<p>There is an issue with squidGuard where a user is not able to specify the address that squidGuard provides the client machine on the event that a page has been blocked. If said address differs from the LAN IP on port 80, you are not able to serve errors to users.</p>
<p>(For example, in the situation where there is a network being filtered with users on it that differs from the LAN, and you do not wish to have a route through, the error pages do not work.) This can be fixed by editing the config file, but these edits are reset on reboot.</p>
<p>pfSense Packages - Bug #9139 (New): telegraf: add ping for default gateway(s) (<a class="external" href="https://redmine.pfsense.org/issues/9139">https://redmine.pfsense.org/issues/9139</a>, 2018-11-20T02:27:31Z, Torben Hørup (torben@t-hoerup.dk))</p>
<p>It would be nice if telegraf plugin could generate config lines for pinging default gateway.</p>
<p>There's a minor issue of finding a ping implementation that works with telegraf:<br /><a class="external" href="https://github.com/influxdata/telegraf/tree/release-1.8/plugins/inputs/ping">https://github.com/influxdata/telegraf/tree/release-1.8/plugins/inputs/ping</a></p>
<p>pfSense Packages - Bug #9138 (New): telegraf: add section for custom config lines (<a class="external" href="https://redmine.pfsense.org/issues/9138">https://redmine.pfsense.org/issues/9138</a>, 2018-11-20T02:22:55Z, Torben Hørup (torben@t-hoerup.dk))</p>
<p>There should be a textarea input for adding extra config lines to the telegraf config.</p>
<p>pfSense Packages - Bug #8909 (New): tinc package makes /rc.newwanip looping forever (<a class="external" href="https://redmine.pfsense.org/issues/8909">https://redmine.pfsense.org/issues/8909</a>, 2018-09-18T05:51:51Z, Andrew Hotlab)</p>
<p>I just realized that each time the tincd(8) daemon is started, pfSense detects the new IP address on its dedicated interface (in my case /dev/tap0), thus it recalls the script /rc.newwanip, which in turn calls the script /rc.start_packages, generating an infinite loop: in fact restarting the tinc service makes the tap0 interface have its IP reassigned, and again and again... :S</p>
<p>I attached the first two occurrences of the loop, which I'm not able to stop except by manually killing tincd(8).</p>
<p>I guess that this is a show-stopper issue affecting everyone who wants to run tinc on pfSense.</p>
<p>Maybe there is a way to tell the /rc.start_packages script not to act upon the tinc service?</p>
<p>pfSense - Bug #8419 (New): webgui, when menubar is fixed to the top of the screen, the last items... (<a class="external" href="https://redmine.pfsense.org/issues/8419">https://redmine.pfsense.org/issues/8419</a>, 2018-04-02T17:36:14Z, Pi Ba)</p>
<p>webgui, when menubar is fixed to the top of the screen, the last items of long menus cannot be seen/used.</p>
<p>fix: <a class="external" href="https://github.com/pfsense/pfsense/pull/3930">https://github.com/pfsense/pfsense/pull/3930</a></p>
<p>pfSense - Bug #6026 (New): webinterface, firewall rules, wrapping of columns or visible (horizont... (<a class="external" href="https://redmine.pfsense.org/issues/6026">https://redmine.pfsense.org/issues/6026</a>, 2016-03-24T16:39:33Z, Pi Ba)</p>
<p>With some rulesets the 'action buttons' don't show on the screen, so you first need to scroll down, then right, then back up again to delete or move rules using the anchors.. which isn't convenient when the ruleset is several screens long..</p>
<p>Screenshot attached shows this happening on even the widest possible screen/layout..</p>
<p>The screenshot is made with specific test rules, but I first noticed it on a production system, where it happens that the action buttons are outside the visible area. And the horizontal scroll-bar is at the bottom of the ruleset..</p>
<p>pfSense - Bug #5306 (New): textarea fields should have linebreaks sanitized automatically on save (<a class="external" href="https://redmine.pfsense.org/issues/5306">https://redmine.pfsense.org/issues/5306</a>, 2015-10-14T04:13:34Z, Kill Bill)</p>
<p>To avoid nonsense like this: <a class="external" href="https://github.com/doktornotor/pfsense-packages/blob/patch-2/config/squid3/34/squid.inc#L85">https://github.com/doktornotor/pfsense-packages/blob/patch-2/config/squid3/34/squid.inc#L85</a></p>