I am authoring a new book about pfSense written from scratch.
I found various bugs or issues as I read lots of code and used the
many interfaces.
I will work on adding these to the bug tracker.
As I add the bugs to redmine I will link to them with the redmine
issue numbers.
Also, I noticed a few were already fixed, so I mention that
here but don't report them.
A list of my reported issues is
here.
For more details about my new book see
http://www.reedmedia.net/books/pfsense/ .
The icon for Related log entries for the DHCPv6 Server is
for logfile=dhcp, but that doesn't match anything specific and shows
everything under "General".
https://redmine.pfsense.org/issues/6700
The diag_authentication "Related status" icon links to the same page :)
https://redmine.pfsense.org/issues/6701
THIS WAS RESOLVED BUT ONLY ONE PART WAS FIXED. SHOULD I OPEN NEW TICKET?
A syntax error in the PHP execution in the Command Prompt menu
should not cause crash detection to suggest reporting to pfSense.
https://redmine.pfsense.org/issues/6702
Suggestion for Edit File: give the input box some
description or label like "Path name" or "File name or directory".
https://redmine.pfsense.org/issues/6703
The Edit File "Go to Line" selection box allows negative numbers and
line numbers larger than the number of lines the file contains.
https://redmine.pfsense.org/issues/6704
The diag_routes "Rows to display" count is off by one, as it includes
the header line too. If you choose 10, you would want ten lines of result
data to display.
https://redmine.pfsense.org/issues/6705
The diag_routes "Use a regular expression to filter IP address or hostnames" option actually matches any field, like flags, mtu, netif; I suggest keeping the behavior as it is and fixing the description so it is not limited to just the address or hostname.
https://redmine.pfsense.org/issues/6706
It appears that diag_smart is broken.
For example, it has
$start_script = "/usr/local/etc/rc.d/smartd.sh";
and it is used once for a stop and start. But that script
doesn't exist. It is at /usr/local/etc/rc.d/smartd (no ".sh" at the end).
Anyway, I now see the code there is marked with //FIXME.
The smartd -M test is used to test the configuration.
Also in diag_smart, it tries to put the email address into
/usr/local/etc/smartd.conf, but that file doesn't exist.
Then it does an attempted HUP of smartd, but that daemon is not running.
Also, the user interface is not intuitive. I'd suggest it
have options to enable the service,
and that the "Send test email" button be available even
if the email address is not saved; I didn't test, but I think
it can be done like:
echo /dev/sda -m foo@host -M test | smartd -c - -q onecheck
(By the way, it is interesting to have such a detailed
disk monitoring service, so it would be just as important
to have a network device and general network monitoring service;
I understand sending email may not work, but it could check
for some "predictive" failures and send a warning before the network is down.)
https://redmine.pfsense.org/issues/6707
The diag_sockets.php info says sockstat uses -L
when it actually uses -l.
It does not use -L, and it does show the
loopback addresses (::1 or 127.0.0.0/8).
Also, why not use the man page details there verbatim, excluding
the unnecessary ADDRESS and other UNIX socket documentation?
FIXED https://redmine.pfsense.org/issues/6708
In diag_dump_states.php, clicking the Packets or Bytes
header for sorting is neither intelligent nor intuitive.
It doesn't really sort packet counts or bytes, considering
they may be formatted using unit abbreviations. Also, the sort is for just
one part, but each has two counts, in/out.
THIS APPEARS TO BE FIXED.
The diag_resetstate.php header says "Select States to Reset",
but the text there says it "will remove all entries from the
corresponding tables".
There is nothing to select in this view.
https://redmine.pfsense.org/issues/6709
In diag_resetstate.php, if the checkbox is UNchecked,
clicking "Reset" still prompts "Are you sure you wish to Reset?"
and Okay does nothing. This is not intuitive.
Get rid of the checkbox. The pop-up window is good enough.
https://redmine.pfsense.org/issues/6710
diag_states_summary is not intuitive, as each table has two columns
with the same "# States" header.
The first is for $ipinfo['seen'];
and the second is for $protoinfo['seen'];
Maybe have the header say "Protocol counts" over the last three fields,
or add a documentation line at the top (or bottom) to explain that.
FIXED https://redmine.pfsense.org/issues/6711
services_unbound.php
I cannot get any Host Override to be configured with unbound.
/var/unbound/host_entries.conf lists my /etc/hosts entries but
not my override entries.
My config.xml has my details for but I don't see it
at all in my /var/unbound settings.
I don't see any /etc/inc/unbound.inc code to use it, but I may be overlooking it.
https://redmine.pfsense.org/issues/6712
Be consistent in naming, or add more doc details
to the diag_tables page, as custom tables are called "aliases" elsewhere.
It also uses the word "database" in some places for
tables or aliases.
https://redmine.pfsense.org/issues/6713
diag_tables often says "Date of last update of table is unknown."
but the table comments at the same time show the date:
last updated 1463027701 (Thu May 12 04:35:01 2016 GMT)
(that was for bogons)
I assume one is for the local timestamp while the other
is the timestamp as provided in the remote's original file,
but either way using the same terminology may be confusing,
so maybe it should be explained there.
MAYBE FIXED AS I CANNOT SEE THIS ANYMORE
diag_tables has a "Related status" shortcut for "aliases" that
goes to the same diag_tables page.
diag_routes and maybe other pages have this too. It was a little
misleading to click through it only to realize it was not a
related page. I suggest comparing the target with the link, as
is done for Related settings in shortcuts.inc:
if (!empty($link) && ($_SERVER['REQUEST_URI'] != "/{$link}")) {
(that worked for me)
But maybe there was already a reason this wasn't used?
Also see that diag_limiter_info.php links to itself.
I didn't notice the problem for Related logs, but maybe it is there too.
Just added to my existing ticket:
https://redmine.pfsense.org/issues/6701
diag_testport
1) It can output the error "Cannot connect to an IPv6
address using IPv4." (and vice versa). But that
is_ipaddrv4 / is_ipaddrv6 check is for IP addresses. The "host" field
may be a hostname, so a hostname like ipv6.test-ipv6.com, which
returns only AAAA, doesn't give that "Cannot connect" error.
This is misleading. I do understand that the hostname is passed
directly to netcat.
2) In addition, diag_testport has confusing documentation about
a mix of IPv4 and AAAA, but I can set IP Protocol to IPv6
when I have NO IPv6, and a test will return "successful."
Also, it uses the word "forced", but IPv4 and IPv6 are the only options,
so one must be selected.
3) Since the IP Protocol list only has two choices, maybe
just display it as radio buttons instead of a drop-down menu.
4) The diag_testport code suggests that -4 or -6 should be used,
but that is only done if the host is an IP number and not a hostname.
It is interesting that the code has many checks for setting
-4 or -6, but the IP Protocol selection is not even used unless
the host is an IP number. If -6 is used on an IPv4-only network, even
getaddrinfo() will fail and netcat will indicate that (but
diag_testport won't do that).
5) Actually, the IP Protocol selection as a choice makes no
sense: diag_testport is smart enough to detect that it is
mismatched and smart enough to see an optional sourceip's protocol,
so it is smart enough to select the protocol on its own.
But if it would honor the ipprotocol for hostnames (not IP numbers),
then maybe there is value in having that IP Protocol selection.
diag_testport
It may be useful to run netcat with -v
and provide that output, like "No route to host" or "Succeeded!".
https://redmine.pfsense.org/issues/6714
diag_traceroute.php misspelling for "number":
'Maximum nuber of hops',
ALREADY FIXED
In diag_traceroute.php, the IPv4 traceroute, when
resolving IPs to hostnames, outputs both,
but the IPv6 traceroute6 only shows the hostnames and not the
address. My suggestion is to use -l for IPv6 when not using -n.
The max hops for FreeBSD IPv6 traceroute6 is
255, which is the maximum IPv6 hop limit. Maybe it should
allow that? Then again, nginx may time out beyond 64?
https://redmine.pfsense.org/issues/6715
diag_dns.php
Pressing Enter when adding a hostname, with "Add alias" as the first
button, will cause the entry to be added as a Firewall Alias
even if you just wanted to look it up. In addition, it will
add the alias even if it "could not be resolved." My recommendation would
be to have the "Lookup" button be the first button.
SUGGESTION: the DNS Stuff links in diag_dns could also
add links for DNS research, and not just for the IP.
The /etc/inc/dyndns.class comment has "dyns.org", but I think that
is dyns.net.
The services_dyndns_edit "Verify SSL peer" checkbox
doesn't show its corresponding form label. It is set to "null".
(So when the checkbox is displayed, it may appear to be in the
"Verbose logging" section.)
I suggest it be set to "HTTP API options".
By the way, maybe the curl_ipresolve_v4 form should also be
called "HTTP API options", as pfSense users shouldn't have to
know what "CURL" is.
https://redmine.pfsense.org/issues/7588
services_unbound has a system_domain_local_zone_type type
of redirect but does not have a corresponding (second) "local-zone:" line
for it that has the different address record.
And related, when the "Redirect" choice is set, unbound crashed with:
Aug 11 08:37:20 unbound 27341:0 error: local-data in redirect zone must reside at top of zone, not at Wireless_Broadband_Router.office IN A 172.16.1.4
Aug 11 08:37:20 unbound 27341:0 fatal error: Could not set up local zones
Aug 11 08:38:01 unbound 58991:0 error: local-data in redirect zone must reside at top of zone, not at Wireless_Broadband_Router.office IN A 172.16.1.4
Aug 11 08:38:01 unbound 58991:0 fatal error: Could not set up local zones
BUT no Notices indicated it and no input errors were detected.
When I set System Domain Local Zone Type to Deny or to the default Transparent,
I get input errors detected:
The generated config file cannot be parsed by unbound. Please correct the following errors:
[1470922977] unbound-checkconf[77900:0] error: local-data in redirect zone must reside at top of zone, not at pfSense.office AAAA fde4:8dba:82e1::
[1470922977] unbound-checkconf[77900:0] fatal error: failed local-zone, local-data configuration
NOTE: it still says "redirect" zone even though I am using transparent now.
config.xml still had:
redirect
meaning I couldn't change it.
I made it so the test subdirectory wasn't removed.
I removed my Host Override entry and applied the change, and it was
successful. The unbound process was still not running, so I clicked the
Start Service action icon.
The status_services page said "unbound had been started" but then showed
"Stopped" status for it below.
I used viconfig to remove the bogus system_domain_local_zone_type entry.
Then the Start Service action worked.
I recommend that the "redirect" choice be removed until
it can be configured with additional details.
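To make the failure above concrete, here are three unbound.conf fragments written for this page (added illustration, not pfSense-generated configuration; "office" and the host name are taken from the log lines above, 172.16.1.4 is the address from those same lines). They are mutually exclusive alternatives for the same zone, so only one of them belongs in a real config. The first is the shape that produced the "must reside at top of zone" error: a redirect zone with local-data below the apex. The second is what a redirect zone actually requires, a single record at the apex that answers for every name under it. The third is the transparent form, where per-host overrides below the apex are fine.

```conf
# Alternative 1 (rejected at startup): redirect zone with local-data
# below the zone apex. This is the combination from the error log above.
local-zone: "office" redirect
local-data: "Wireless_Broadband_Router.office IN A 172.16.1.4"

# Alternative 2 (accepted): in a redirect zone the only local-data is the
# apex record, and every name under "office" is answered with it.
local-zone: "office" redirect
local-data: "office IN A 172.16.1.4"

# Alternative 3 (accepted): transparent zone, where host overrides below
# the apex are allowed and anything not listed is resolved normally.
local-zone: "office" transparent
local-data: "Wireless_Broadband_Router.office IN A 172.16.1.4"
```

Before applying any generated file, unbound-checkconf on it reports the same "local-data in redirect zone must reside at top of zone" error that only the Deny/Transparent path surfaced in the GUI, which is the check the Redirect path was missing.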
services_unbound.php has "Register DHCP leases in the DNS Resolver"
unchecked by default, but unbound.conf includes dhcpleases_entries.conf,
which has them by default.
I played with dnsmasq earlier and it started the
dhcpleases watcher daemon, and since unbound was enabled
it included the unbound configuration setup.
When I stopped dnsmasq, even though unbound didn't have it enabled,
it still kept running.
The bugs: 1) /etc/inc/system.inc should not configure dhcpleases for unbound
if unbound's regdhcp is not enabled.
2) Stop the dhcpleases daemon when not used.
3) Remove the hostnames from DHCP leases in /dhcpleases_entries.conf
(see the comment "dhcpleases automatically entered") when dhcpleases / regdhcp
for unbound is no longer used.
Maybe I am overlooking it, but I don't see any code
honoring unbound's regdhcpstatic setting. I do see it for dnsmasq.
Move services_unbound.php custom_options to
services_unbound_advanced.php.
This is certainly a dangerous feature, so move it to "Advanced Settings".
It also makes it more obvious that some features are already
available via the webConfigurator.
services_unbound_advanced.php
This is a trivial bug here and elsewhere,
but checkbox and other form input names inconsistently
end with or without trailing periods.
Also, some statements begin with a capitalized letter and some don't.
Be consistent.
While in services_unbound_advanced.php, change "0x-20" to "0x20".
services_unbound_advanced.php has
Number of Queries per Thread and a few other tunable descriptions
that mention "thread", but the number of threads
isn't displayed. Consider showing the value here.
In some cases the default is only "1" (disabled),
so using this terminology doesn't make sense.
services_unbound_advanced.php shows
Number of Queries per Thread as 512 even though I have:
/var/unbound/unbound.conf:num-queries-per-thread: 4096
which is the default in ./etc/inc/unbound.inc,
so if you save that page it will reset it to 512.
Probably 512 is okay, but it shouldn't reset its default.
services_unbound_acls.php
allows an access list rule that doesn't have any name.
So if you have no name and no description,
then the table view will just show the action with
blank fields next to it. So you have edit and delete icons
with zero reference to what they are for.
This is not intuitive.
I recommend that the address/net be listed in the table view
to be more obvious.
Then you don't need the Access List Name plus a description.
I suggest this be simplified.
If you don't show the address/net in the table, then require
some name or description.
In fact, maybe simplify more to just have the
description per network and not per rule.
services_unbound_acls.php and /var/unbound/access_lists.conf
access-control:.
I don't know if this is a bug in pfSense or in unbound,
but from various checks it appears that allow and allow_snoop
behave the same.
I am able to see the same cached entries with allow and
am also able to see the local-data: authoritative (aa) entries from
host_entries.conf with allow. According to the docs, allow_snoop
is for nonrecursive too, but I see the authoritative data
without sending the recursion-desired bit with "allow" too.
I cannot get the authoritative data when the DNS Resolver access list
is empty, so I can confirm that opens it.
If I am checking this wrong, please improve the docs to make it more
clear.
services_unbound_acls.php?act=new has
a Delete button for the Networks even with a single entry.
But if you click on it, it has the popup "You may not delete the last row!"
It should not offer a Delete button if it cannot be used.
"row" is the wrong word for this anyway and is out of context.
If you click "Add network" and then on either "Delete" button,
both "Delete" buttons will disappear. So that is correct,
as it shouldn't have a Delete button for a single required entry.
Another bug there is that when you Delete the entry, it will show the text
"Network/mask Network/mask" (twice) even though there is only one set
of fields for that.
The unbound Domain Override versus the dnsmasq
Domain Override have different behavior. It is a different
feature with the same name.
Unbound uses forward-zone/forward-addr (it used to use stub-zone),
which queries the defined
auth server and then returns the record from then on from
the resolver cache. This means the unbound answer is not "aa"
and the TTL counts down.
But for the dnsmasq feature, it is always "aa" authoritative
and the TTL never counts down (since dnsmasq re-looks-up the
answer in real time each time).
Unbound requires the RD (recursion desired) bit to be set to see
it, or it is REFUSED. dnsmasq doesn't refuse it if RD is not set.
These are two very different implementations, but they have the
same "Domain Override" name.
Either clearly document this, or optionally also change the names
of these pfSense features.
By the way, the code in /etc/inc/unbound.inc
still has a comment about stub-addr; maybe the comment should say forward-addr
instead.
services_unbound_domainoverride_edit.php
"e.g.: testormycompany.localdomainor1.168.192.in-addr.arpa"
I assume spaces were meant for the three examples
in that Form_Input description, like
"e.g.: test or mycompany.localdomain or 1.168.192.in-addr.arpa"
dnsmasq - does it make any sense to use --strict-order
(the strict_order option) with pfSense's default --all-servers?
Maybe the /etc/inc/services.inc conditional should have an
"else" to set --all-servers.
services_dnsmasq says "Entries in this section override
individual results from the forwarders. Use these for changing DNS
results", but the forwarders aren't queried for these overrides,
nor does it change DNS results. In the case of Host Overrides,
it is simply an authoritative server. I verified this with tcpdump :)
services_dnsmasq doesn't have a delete icon
for a Host Override alias entry; please add that.
Another related issue: in services_dnsmasq_edit, clicking
Delete on a single alias (additional name) causes a pop-up
"You may not delete the last row!". Please allow removing it.
And third, if you delete the parent Host Override entry
via the delete icon in the table, it will also remove its
aliases (additional names); I suggest that it keep them, since
this is not obvious.
services_dnsmasq_edit.php is overly strict.
It uses is_unqualified_hostname(), which doesn't allow a period,
so you cannot use hostname "foo.bar" and domain "tld"; it will error with
"A valid hostname is specified, but the domain name part should be omitted".
Same thing with the "Additional Names" alias.
In services_dnsmasq_edit.php, if you click "Add Host Name"
under "Additional Names for this Host" and save, it will error
about the empty field: "The field Alias Domain is required."
The workaround is to click the "Delete" button for that new empty field.
It should just ignore the entry if all of its fields are empty.
The services_dnsmasq Host Overrides are misleading,
since they have different fields for Host and Domain,
so someone may configure "www" with "apple.com" and
"www" with "ibm.com", and then "www" will be resolved
in DNS as a round-robin with both addresses returned.
Also, the first match, based on alphabetical order, will be
returned for gethostbyname-type lookups using the /etc/hosts
database. In other words, an admin adding an entirely
different DNS label to the Host Overrides that has the same first "Host"
part will break the other entry.
My recommendation is to get rid of the "Host" part and just have
a single "DNS name" field; if someone wants the old behaviour
they can still add additional entries for it.
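The collision described above is easy to reproduce offline. The following Python is an added example written for this page, not pfSense code: it renders Host Override entries into hosts-file lines, does a first-match lookup the way a hosts-file resolver does, collects every address the way a DNS answer would, and flags bare "Host" labels that map to more than one address. The line format ("ip fqdn host") and the alphabetical ordering are assumptions made for the illustration; the entries and 192.0.2.x addresses are constructed sample data.

```python
import ipaddress

# Constructed sample Host Override entries in the shape the page describes
# (separate Host and Domain fields plus an address). Not real pfSense data.
SAMPLE_OVERRIDES = [
    {"host": "www", "domain": "ibm.com", "ip": "192.0.2.20"},
    {"host": "www", "domain": "apple.com", "ip": "192.0.2.10"},
    {"host": "printer", "domain": "office.example", "ip": "192.0.2.30"},
]


def render_hosts_lines(overrides):
    """Render hosts-file lines as '<ip> <host>.<domain> <host>', sorted by
    (host, domain). Both the format and the alphabetical order are assumed
    for this illustration; they are not a claim about pfSense's exact output."""
    lines = []
    for o in sorted(overrides, key=lambda o: (o["host"], o["domain"])):
        ipaddress.ip_address(o["ip"])  # refuse garbage before it lands in the file
        fqdn = f"{o['host']}.{o['domain']}".lower()
        lines.append(f"{o['ip']} {fqdn} {o['host'].lower()}")
    return lines


def parse_hosts(lines):
    """Parse hosts-file lines into (ip, [names]) pairs; drop comments and blanks."""
    entries = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.append((ip, [n.lower() for n in names]))
    return entries


def hosts_lookup(lines, name):
    """gethostbyname-style lookup against the hosts file: first matching line wins."""
    name = name.lower().rstrip(".")
    for ip, names in parse_hosts(lines):
        if name in names:
            return ip
    return None


def hosts_lookup_all(lines, name):
    """What a DNS query over the same data returns: every address for the name."""
    name = name.lower().rstrip(".")
    return [ip for ip, names in parse_hosts(lines) if name in names]


def short_name_conflicts(overrides):
    """Map each bare Host label that resolves to more than one address to its
    sorted address list; an empty dict means no override breaks another."""
    by_host = {}
    for o in overrides:
        by_host.setdefault(o["host"].lower(), set()).add(o["ip"])
    return {h: sorted(ips) for h, ips in by_host.items() if len(ips) > 1}


if __name__ == "__main__":
    lines = render_hosts_lines(SAMPLE_OVERRIDES)
    print("\n".join(lines))
    print("www (hosts file, first match) ->", hosts_lookup(lines, "www"))
    print("www (DNS, all answers)        ->", hosts_lookup_all(lines, "www"))
    print("conflicts:", short_name_conflicts(SAMPLE_OVERRIDES))
```

Running it shows the two behaviours the text describes side by side: the hosts-file lookup for "www" silently returns only the apple.com address because it sorts first, while the DNS-style lookup returns both, and short_name_conflicts() is the check a validation hook could run before saving an override.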
services_dnsmasq_domainoverride_edit mentions "#" (pound sign)
for the dnsmasq special server address to forward as usual.
But the GUI won't accept it and says "Please
match the requested format." I assume it is because it is
using Form_IpAddress.
Same thing for "!" to not forward.
It won't let it Save.
services_dnsmasq_domainoverride_edit
Maybe Source IP should use a Form_Select of interfaces,
such as is done in services_dnsmasq. If not, then better explain this here.
services_dnsmasq_domainoverride_edit.php
Domain Override doesn't require the "Apply Changes" button to be used when Saved,
and automatically restarts dnsmasq with the --server and
--rebind-domain-ok switches.
This is different behavior versus the Host Overrides and other
Forwarder options which, when Saved, indicate changes must be
applied to take effect.
services_dnsmasq.php or related ...
The DNS overrides will not be placed into /etc/hosts
until "Enable DNS forwarder" is set.
But if "Enable DNS forwarder" is unchecked, saved and applied,
the entries will stay in the /etc/hosts file - no dnsmasq will
be running, but local programs like ping will still have access
to them. This is inconsistent - either put them
into /etc/hosts regardless, or remove them from /etc/hosts if
dnsmasq is not enabled.
I saw multiple sentences and paragraphs
in the interface
that were verbatim from the pf.conf manual;
the license.php page should list the copyright and license.
Document why pfsense_default_state_size()
assumes each state is 10 kB in size?
Nowhere else in the code; dead code?
$ipseccfg['dns-interval']
see dns-interval for similar config
Just for the code in /etc/inc/filter.inc:
s/ftp_proxy_entry/tftp_proxy_entry/
because it is TFTP, not FTP.
No behavior change.
By the way, why does xinetd listen on port 6969 and fork tftp-proxy
by default, even if not used?
xinetd logs about "readjusting" this every 15 minutes even if not used.
There are no choices for video font, screenmap, or keymap, so just
continue by selecting "Accept these Settings" using the down arrow
a few times and pressing Enter.
The "Are you sure?" menu says to choose Custom Installation from the
Main Menu. But if you come here from Recovery, then neither that Main Menu nor
Custom Installation has been seen before.
Pressing F10 in the Custom Install menus didn't "Refresh
Display" as shown in the top line, but went to the previous menu.
Pressing it repeatedly keeps going to the previous menu until out of the
Custom Install.
Also, F1 for help in some menus simply goes back to the previous step too.
The capacity for swap by default may have so many
decimal places after the fractional megabyte that you cannot see the size
all at once; the cursor confusingly scrolls through it. I recommend
just displaying it with no fractional amount.
Why untar the kernel from the CD if it was already copied to the /mnt disk?
tar xzpf /kernels/kernel_*SMP*.gz -C /mnt/boot/
Why not just untar it from /mnt:
tar xzpf /mnt/kernels/kernel_*SMP*.gz -C /mnt/boot/
Why does /etc/rmt link to the non-existent /usr/sbin/rmt?
Using exec sh causes exit from the shell to also close the ssh session:
Enter an option: read: read error: Input/output error
Ctrl-C in the Developer Shell shouldn't exit the ssh session.
/usr/local/sbin/pfSsh.php contains
$tccommands[] = "master";
$tccommands[] = "RELENG_1_2";
but this code is unused.
Also, what uses tccommands?
In pfSsh, = does nothing, as the current line is replaced.
All exclamation marks are escaped if the first character has one.
listpkg
Warning: Invalid argument supplied for foreach() in /usr/local/sbin/pfSsh.php(345) : eval()'d code on line 11
The name is inconsistent: why disabled vs disable?
This config name and script name are used primarily for a different
purpose than they are named for.
Why does it do this twice:
unset($config["interfaces"]["wan"]["blockbogons"]);
unlink_if_exists("/tmp/config.cache");
...
unlink_if_exists("/tmp/config.cache");
unset($config['interfaces']['wan']['blockbogons']);
It cannot run twice, since
Cannot redeclare get_boot_disk()
via the include of /etc/ecl.php.
Can this even work?
$locations_to_check = array("/", "/config");
foreach ($locations_to_check as $ltc) {
$tocheck = "/tmp/mnt/cf{$ltc}config.xml";
This checks for /tmp/mnt/cf/config.xml and /tmp/mnt/cf/configconfig.xml,
but the file would be at /tmp/mnt/cf/conf/config.xml.
Also, get_boot_disk and get_swap_disks don't work,
since modern systems use ufsid labels but the code later tries to compare
with device names.
This does not work; it references an array that doesn't exist.
Playback of file listpkg started.
Installed packages:
Warning: Invalid argument supplied for foreach() in /usr/local/sbin/pfSsh.php(345) : eval()'d code on line 11
I checked with:
if (!is_array($config['installedpackages']['package'])) {
echo "not an array\n";
return;
}
It cannot run twice in the developer shell, since
Cannot redeclare usage()
The traffic_shaper_wizard_dedicated.xml scheduler type
drop-downs are marked as "Local interface" and "WAN interface".
Change them to also say "Schedule Type".
While there, note that "interface" starts with lowercase "i"
in some uses and uppercase "I" in others.
Also maybe add "speed" or "rate" and maybe "measurement" or "units"
for the upload and download parameters.
Minor bug: the traffic_shaper_wizard_dedicated.xml
page has both Penalty Box and PenaltyBox (no space); be consistent?
traffic_shaper_wizard_dedicated.xml doesn't have a check
to make sure at least the P2P catchall or a specific protocol is selected.
Minor bug: the traffic_shaper_wizard_dedicated.xml
P2P page has a mix of "Peer to Peer" (no dashes), "Peer-to-Peer",
"p2p" (lowercase) and "P2P"; be consistent?
The traffic_shaper_wizard_dedicated.xml "Other Applications" page
says "raise or lower ... higher than most". That grammar of "lower ...
higher" doesn't read well. Maybe just end the sentence at "protocols."
The Traffic Shaper / Limiters page has
the "By Interface" info help that is about the tree, queues, and
buttons. But there is no "tree" by default. Also, maybe "queues" should
be called "Limiters". Maybe from /etc/inc/shaper.inc.
Click "here" was broken for me on the installation wizard screen,
since it didn't have my port number,
but I can click on the logo to get to the default Dashboard display.
The config is called DNS Forwarder, but it is not a
DNS Forwarder; tcpdump showed it doing recursive resolution starting at the
gtld-servers and not using any forwarder.
The firewall_shaper_vinterface.php
action item should link to diag_limiter_info.php for Related Status.
And diag_limiter_info.php should NOT have a Related status
action item pointing to itself.
vpn_l2tp_configure in /etc/inc/vpn.inc
has killbypid and sleep(8) even if starting it for the first time.
I suggest it should check file_exists() first.
Note that killbypid via sigkillbypid does check for that,
but wrap both with it, since the sleep(8) is done regardless.
https://redmine.pfsense.org/issues/7558
vpn_l2tp_configure in /etc/inc/vpn.inc
can use $l2tpcfg['wins'] for NetBIOS name server (NBNS) information,
but that "wins" is not configured anywhere.
If it is not desired, then remove that stale code?
(I do see similar for vpn_pptp.php, but this bug is about l2tp.)
https://redmine.pfsense.org/issues/7559
vpn_l2tp.php
I recommend confirming that the DNS servers l2tp_dns1 and l2tp_dns2
are IP addresses. Check this right in vpn_l2tp.php,
since vpn_l2tp_configure silently checks it.
Also, while there, complain if l2tp_dns2 is set but l2tp_dns1
is not, since vpn_l2tp_configure won't use it if the first is not set.
https://redmine.pfsense.org/issues/7560
vpn_l2tp.php says when RADIUS is set "The local user database will
not be used."
and vpn_l2tp_users.php also shows:
"RADIUS is enabled. The local user database will not be used."
I don't see any configuration to turn "internal" off
(like "set auth disable internal").
It is not clear if this is about what type of users,
like L2TP mpd.secrets, or what?
But if it is about mpd.secrets, then that is used after RADIUS
and is enabled by default.
(see http://mpd.sourceforge.net/doc/mpd31.html#31)
https://redmine.pfsense.org/issues/7561
In vpn_l2tp.php,
the Remote address range remoteip is required even if
RADIUS issued IPs radiusissueips is set.
Per vpn_l2tp_configure, remoteip is not used if radiusissueips is set
(as it sets the undocumented 0.0.0.0/0 peer).
Is remoteip really required?
While there, only set clientip if not radiusissueips.
https://redmine.pfsense.org/issues/7562
vpn_l2tp_users.php
Suggestion: consider allowing IP/Subnet for the user.
mpd supports this for restricting to a range
instead of a specific IP.
https://redmine.pfsense.org/issues/7563
The logging shortcuts for vpn_l2tp.php and vpn_l2tp_users.php
and vpn_l2tp_users_edit.php all go to the same:
status_logs_vpn.php?vpntype=l2tp, which does not exist
and takes you to the default PPPoE Logins view (instead of, ideally, L2TP).
The fix in shortcuts.inc is:
-$shortcuts['l2tps']['log'] = "status_logs_vpn.php?vpntype=l2tp";
+$shortcuts['l2tps']['log'] = "status_logs_vpn.php?logfile=l2tps&vpntype=l2tp";
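Review bot: the old value relies on vpntype=l2tp alone, which the text above says does not select a log and falls through to the PPPoE view; the new value adds logfile=l2tps so the log is named explicitly. Worth checking that status_logs_vpn.php still reads vpntype (otherwise it can be dropped) and that the other VPN log shortcuts in shortcuts.inc pass both parameters the same way, so they do not fail in the same manner.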
You could have a new shortcut configuration for the users vs. the config,
but I think it is fine as is.
https://redmine.pfsense.org/issues/7564
openvpn_validate_port() has:
if (empty($value ...
so when passing zero to it, it complains
(because empty("0") is TRUE in PHP):
"The field 'Local port' must contain a valid port, ranging from 0 to 65535"
While I would want it to check for not 0,
the above message says zero is okay, and the
vpn_openvpn_server.php addInput form for it allows it.
Make the fix in both places.
https://redmine.pfsense.org/issues/7565
/etc/inc/openvpn.inc
I used vpn_openvpn_server.php to set dh_length,
but only three /etc/dh-parameters.NUM files are available,
while the drop-down allows others, resulting in:
openvpn[34890]: Options error: --dh fails with '/etc/dh-parameters.3072': No such file or directory
Note that the code for other dh-parameters is commented out.
https://redmine.pfsense.org/issues/7566
vpn_openvpn_server.php
Address Pool
sets pool_enable.
I don't see any code that uses it, e.g. not in /etc/inc/openvpn.inc.
What uses this?
Also, this is addrpool in the wizard. What uses it?
https://redmine.pfsense.org/issues/7567
vpn_openvpn_server.php
configures client_mgmt_port,
but as far as I can tell this number is not used,
and the management is using a Unix domain socket and not a TCP port.
https://redmine.pfsense.org/issues/7568
wizards/openvpn_wizard.xml
This is a wizard behavior which can cause confusion or mistakes.
A wizard saves its settings to config.xml,
and if you use the wizard again it may prepopulate fields.
So if you use the wizard once to set up an LDAP server
and then later set up a RADIUS server, it may have the 389 port number
(for LDAP) for the RADIUS port setup. Even though it has
the correct number in the note below, the common usage for pfSense is
to prepopulate with defaults. In this case, the field is wrong.
https://redmine.pfsense.org/issues/7569
openvpn_wizard.xml
I skipped creating a cert, and when finished it took me back to
select or add a certificate. After creating one,
it took me to the next wizard screen but still had the error message
"Please choose a Certificate." at the top.
https://redmine.pfsense.org/issues/7570
vpn_openvpn_client.php has a Related settings shortcut to
vpn_openvpn_server.php,
but that is misleading, and for normal pfSense use it is not
"Related".
As an example, the server's page doesn't have a related settings
shortcut pointing to clients (as it should not).
https://redmine.pfsense.org/issues/7571
vpn_openvpn_client.php and /etc/inc/openvpn.inc
Has a checkbox to enable "Infinitely resolve server",
but the resolv-retry infinite config is also used if it is a client.
This is a client. In addition, OpenVPN 2.3 has this enabled
by default. I don't see anything here to set it to 0 (zero) to
disable. To explain a different way, the config.xml has:
while the openvpn$NUM.conf still has:
"resolv-retry infinite".
I suggest getting rid of the feature, since it is the default behavior
and is always set here.
Or if you keep it, make it so unchecked means "0" and don't set it by
default for the client too.
https://redmine.pfsense.org/issues/7572
vpn_openvpn_client.php
shows the Peer Certificate Revocation list option
when non-TLS shared key server mode is selected, but not when TLS
mode is selected.
See the hideLabel definitions for it. Is this reversed?
See vpn_openvpn_server.php for the (correct) opposite approach.
If this is already as desired, add some hint why it is useful that way.
While there, consider having this option displayed after the certref option.
ALREADY FIXED in be4acfd167788719d16b795d5491646fd88bd23f ticket #7331
vpn_openvpn_client.php
The text for Tunnel Networks says "The second network address will be assigned".
It uses openvpn_get_interface_ip(), which uses gen_subnetv4()
and then ip_after(). This is misleading, as it could be considered
that the first address is the address returned by gen_subnetv4(),
so really the "third" network address will be assigned by some
understandings.
Some say the first is the "network address", but that is the
terminology used here, and the second is the "first IP".
My recommendation is simply to clarify the help text.
This may be needed for IPv6 and the other openvpn pages too.
https://redmine.pfsense.org/issues/7573
vpn_openvpn_client.php
Compression defaults to No Preference, so "comp-lzo" is not
set in the configuration.
But the openvpn manual says "make sure the client-side config file
enables selective compression by having at least one --comp-lzo
directive ... this will ... allow a future directive push from the
server to dynamically change the on/off/adaptive setting."
The manpage is confusing, as it also hints that adaptive is the default.
I recommend you change the user interface default to
"adaptive" so it sets "comp-lzo adaptive" to make sure.
"No Preference" seems to imply there is a preference,
so maybe reword or fix this (in /etc/inc/openvpn.inc and for
vpn_openvpn_server.php too).
PROBABLY FIXED IN a4b3624650 bug #7064
/etc/inc/openvpn.inc
The openvpn manual says:
Note: Using --topology subnet changes the interpretation of the
arguments of --ifconfig to mean "address netmask", no longer "local
remote".
And also says:
TUN devices in --topology subnet mode (which create virtual
"multipoint networks"), --ifconfig is used to set an IP address
and subnet mask ...
(The manual example also shows it.)
But openvpn.inc when using tun still sets ifconfig (conf option)
using $ip1 for client and $ip2 for server instead of the $mask.
I didn't test this, but it doesn't follow the docs.
This may need to be fixed so the second argument is the mask.
I did read
https://forum.pfsense.org/index.php?topic=103331.0
https://redmine.pfsense.org/issues/7574
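To make the two OpenVPN notes above concrete (which address "second network address" refers to, and what the --ifconfig arguments should be under --topology subnet), here is an added Python example. It is not pfSense code: the function names are mine, 10.0.8.0/24 is a sample tunnel network I chose, and ifconfig_as_described() is my model of the behaviour the note attributes to openvpn.inc, not code copied from it. tunnel_addresses() also accepts IPv6 networks, which goes slightly beyond the IPv4 case discussed.

```python
import ipaddress

def tunnel_addresses(tunnel_network):
    """Walk a tunnel network the way the note describes the code doing it:
    gen_subnetv4() yields the network address, ip_after() the next one.
    Returns (network address, next address, the one after that) as strings
    so the reader can see which of them "second" refers to.
    Works for IPv4 and IPv6 networks."""
    net = ipaddress.ip_network(tunnel_network, strict=False)
    base = net.network_address
    return str(base), str(base + 1), str(base + 2)

def ifconfig_documented(tunnel_network, topology, role):
    """Render the --ifconfig line as the OpenVPN manual documents it:
    'address netmask' under --topology subnet,
    'local remote' under the point-to-point (net30) topology.
    role is 'server' or 'client'."""
    net = ipaddress.ip_network(tunnel_network, strict=False)
    ip1 = net.network_address + 1   # server side, $ip1 in the note
    ip2 = net.network_address + 2   # client side, $ip2 in the note
    if topology == "subnet":
        local = ip1 if role == "server" else ip2
        return f"ifconfig {local} {net.netmask}"
    if topology == "net30":
        local, remote = (ip1, ip2) if role == "server" else (ip2, ip1)
        return f"ifconfig {local} {remote}"
    raise ValueError(f"unsupported topology: {topology!r}")

def ifconfig_as_described(tunnel_network, role):
    """Model of what the note says openvpn.inc does for tun: the second
    argument is always the peer address, whatever the topology.
    This is my reading of the note, not code from openvpn.inc."""
    return ifconfig_documented(tunnel_network, "net30", role)

def ifconfig_mismatch(tunnel_network, topology, role):
    """True when the described line differs from the documented one,
    i.e. under 'subnet' where the netmask should be the second argument."""
    return (ifconfig_as_described(tunnel_network, role)
            != ifconfig_documented(tunnel_network, topology, role))

if __name__ == "__main__":
    print(tunnel_addresses("10.0.8.0/24"))
    for role in ("server", "client"):
        print(role, "subnet:", ifconfig_documented("10.0.8.0/24", "subnet", role))
        print(role, "net30: ", ifconfig_documented("10.0.8.0/24", "net30", role))
```

Running it shows that for 10.0.8.0/24 the "second" address after the network address is 10.0.8.2, and that only the net30 form carries the peer address as the second argument; under subnet topology that slot is the netmask.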
vpn_openvpn_client.php
Does the route_no_exec feature for "Don't add/remove routes"
even work? I don't see any use of route-up script.
Also while here see the setHelp text shows "--route-upscript"
which should have a space between up and script.
This text is just verbatim from the man page (which has the space).
(I also see missing space in the locale files.)
https://redmine.pfsense.org/issues/7575
system_advanced_sysctl.php allows adding a tunable with
a bogus name (like one with a space in it, or one that doesn't exist) or a bogus value.
Maybe report sysctl output?
https://redmine.pfsense.org/issues/7576
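The kind of input check the note above asks for, as an added Python example (not pfSense code): the tunable name is checked against the sysctl MIB name syntax, then against the set of OIDs the box actually has, and the value against the OID's type where that is known. KNOWN_TUNABLES is a constructed stand-in for `sysctl -aN` output on the box, not captured data, and the function and constant names are my own.

```python
import re

# Constructed sample standing in for the box's own `sysctl -aN` list plus a
# type per OID. Not output captured from a pfSense system.
KNOWN_TUNABLES = {
    "net.inet.ip.forwarding": "integer",
    "net.inet.tcp.blackhole": "integer",
    "kern.ipc.somaxconn": "integer",
    "kern.hostname": "string",
}

# sysctl MIB names: dot-separated components of letters, digits, '_', '-'
# (and '%' in some device nodes), with at least one dot. Whitespace and
# shell metacharacters are rejected before anything is handed to sysctl(8).
TUNABLE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+(\.[A-Za-z0-9_%-]+)+$")

def validate_tunable(name, value, known=KNOWN_TUNABLES):
    """Return a list of human-readable problems; an empty list means accept.
    Checks, in order: the name's syntax, whether the OID exists on this
    system, and whether the value fits the OID's type where that is known."""
    problems = []
    if not TUNABLE_NAME_RE.match(name):
        problems.append(f"tunable name {name!r} is not a valid sysctl MIB name")
        return problems
    kind = known.get(name)
    if kind is None:
        problems.append(f"tunable {name!r} does not exist on this system")
        return problems
    if value == "" or any(c in value for c in "\r\n\0"):
        problems.append("value is empty or contains a control character")
    elif kind == "integer" and not re.fullmatch(r"-?\d+", value):
        problems.append(f"tunable {name!r} takes an integer, got {value!r}")
    return problems

if __name__ == "__main__":
    for n, v in [("net.inet.ip.forwarding", "1"),
                 ("net inet.ip.forwarding", "1"),
                 ("net.inet.ip.nosuch", "1"),
                 ("kern.ipc.somaxconn", "lots")]:
        print(n, v, "->", validate_tunable(n, v) or "ok")
```

On a live system the `known` mapping would be built from the box's own sysctl listing; rejecting names that fail the syntax check first means whatever later runs sysctl(8) and reports its output, as the note suggests, only ever receives a well-formed name.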
system_advanced_notifications.php has a button to test
growl, but no indication locally (in the GUI) if used or not. In
particular shouldn't it warn if the IP address and password are blank?
In addition, there is no indication locally (in the GUI) if the
Test SMTP Settings button did anything.
Since it says it uses the currently stored configuration,
it should show what that is here just in case it was changed above,
or when the test is done it could display what settings were used.
Or it could use multiple submit buttons and call this one
Save and Test SMTP Settings?
https://redmine.pfsense.org/issues/7577
diag_edit.php will give warning "Loading a directory is not supported."
but after clicking Browse and getting a directory listing, that
warning is not cleared; it still displays the same warning even though it is now
irrelevant. Maybe update print_info_box after successes.
https://redmine.pfsense.org/issues/7589
diag_edit.php
if you are browsing the directory hierarchy, and enter a filename
and click save, it will write a zero byte file to that filename.
Note there was no data to write but the edit display was showing
the directory layout.
I suggest if a browse directory view is displayed then
the Save button should be disabled
or the save should indicate no data to save while in directory
browsing view and to not do anything.
https://redmine.pfsense.org/issues/7590
diag_packet_capture.php
links to a different version of the tcpdump manpage than the FreeBSD version.
I did a quick look with wdiff and the manuals are about 6% different.
diag_pftop.php has "Size" for sorttype which is not an order type
known by pftop. (sort_size_callback in pftop is "Bytes".)
Size is not a sort option and is same as "none".
https://redmine.pfsense.org/issues/7579
diag_pftop.php should not have sort option choices of Peak
and Rate since those are only useful
with cached information, as is available
in interactive mode (see the text console version),
to calculate the instantaneous speed and peak speed.
https://redmine.pfsense.org/issues/7580
/etc/pfSense.obsoletedfiles
has wrong path for diag_system_pftop.php
(missing www)
see 1af5edbf04e0e3bbbc55981f6fc404b60ff33f2b
(note different php file now)
https://redmine.pfsense.org/issues/7581
diag_dump_states.php
enter a non-existent but valid IP address and will get a Kill States
button but no states listed. This is not intuitive to remove
states that don't exist.
https://redmine.pfsense.org/issues/7582
top is missing the CPU: header like
CPU: 3.9% user, 0.0% nice, 2.4% system, 0.4% interrupt, 93.3% idle
This is a limitation in the top implementation on FreeBSD
(seen outside of pfsense).
It is filled in in interactive mode after the rest of the display
is drawn, but in batch mode the line is blank.
I filed a bug report against it in FreeBSD:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218889
pkg_mgr.php
The table shows Version for the package then
the dependencies show same package name with different version.
This is confusing.
For example shows: arping 1.2.2_1 depends on arping-2.15_1
To clarify, I recommend the Version column be renamed to
"pfSense pkg Version"
and the "Package Dependencies:" be changed to "FreeBSD Package Dependencies:"
(I assume all are from FreeBSD packages.)
https://redmine.pfsense.org/issues/7583
My user has the
page-diagnostics-dns privilege which provides DNS lookups
but also allowed the user to create an alias
"Created from Diagnostics-> DNS Lookup".
But now the user cannot see this alias nor has any way to remove it
(because that needs the page-firewall-aliases privilege).
I'd suggest that capability to do DNS lookups diagnostics shouldn't
also allow addition of aliases.
https://redmine.pfsense.org/issues/7584
I entered an ampersand & in the Full name
and it got expanded in master.passwd and /etc/passwd to
&
note this is HTML entity encoding, done twice.
This is also shown in the Users table.
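How the double encoding described above arises, and the pattern that avoids it, as an added Python example (not pfSense code): store the value raw and escape exactly once, at the point where it is placed into HTML. The function names are mine; the GECOS check is an added caveat of this example (the Full name ends up in the master.passwd record, whose fields are colon-separated), not something the note above discusses.

```python
import html
import re

def validate_gecos(fullname):
    """The Full name lands in the GECOS field of master.passwd, whose record
    format uses ':' and newline as separators; refuse those so a name can
    never alter the file's structure. (Assumption of this example.)"""
    if any(c in fullname for c in ":\n\r\0"):
        raise ValueError("full name may not contain ':' or control characters")
    return fullname

def store_fullname(raw):
    """Store the value as typed (after structural validation). No HTML
    escaping belongs here: the stored value is not HTML."""
    return validate_gecos(raw)

def render_fullname(stored):
    """Escape once, at render time, where the value is placed into HTML."""
    return html.escape(stored, quote=True)

def store_fullname_escaped(raw):
    """The pattern the note describes: HTML-escaping before saving.
    Kept only to show how '&' becomes '&amp;amp;' once rendered."""
    return html.escape(validate_gecos(raw), quote=True)

# An entity whose body is itself an entity, e.g. '&amp;amp;' or '&amp;lt;'.
DOUBLE_ENCODED_RE = re.compile(r"&amp;(amp|lt|gt|quot|#39|#x27|#\d+|#x[0-9A-Fa-f]+);")

def is_double_encoded(rendered):
    """Heuristic check usable on rendered output or on stored values that
    should never contain entities at all."""
    return DOUBLE_ENCODED_RE.search(rendered) is not None

if __name__ == "__main__":
    name = "Smith & Jones"
    print("escape once :", render_fullname(store_fullname(name)))
    print("escape twice:", render_fullname(store_fullname_escaped(name)))
```

Run against the sample name, the first line shows `Smith &amp; Jones`, which a browser displays as the ampersand the user typed, while the second shows `Smith &amp;amp; Jones`, which displays the literal text `&amp;`, the symptom described above.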
system_usermanager.php
The checkbox for showcert "Click to create a user certificate"
when adding a new user does nothing, the cert-options class is not displayed.
Or what is that checkbox supposed to do?
https://redmine.pfsense.org/issues/7585
feature request: system_usermanager_addprivs.php
should say which user (name and full name) is having the privileges added
for the given userid (like system_groupmanager_addprivs.php does)
easy fix:
$section = new Form_Section('User Privileges for '. $a_user['name']);
https://redmine.pfsense.org/issues/7586
system_usermanager.php
User Certificates view is missing the "Action" table header.
Also as a feature request have link to the
certificate management page to actually see the cert details
(and maybe remove the certificate).
feature request
system_certmanager.php?act=new&userid=n
when adding a certificate specifically assigned to a user,
have the system_certmanager.php page say the username at the top.
(Especially since it is different than when the page is not
for a userid.)
system_certmanager.php?act=new&userid=n
when selecting the "existing" method,
the descr field is not used (it is ignored, which is confusing since that form is different).
Maybe only display the descr input box for the forms that need it.
feature request
system_groupmanager.php
allow configuring the Assigned Privileges for a new "Add" group
and not just when editing an existing group
feature request
system_groupmanager.php in its ?act=edit view
when deleting a single privilege, go back to the edit view
so you can see the change.
Currently it takes you back to the all groups view where you have to
click edit again to see the privilege changed.
system_groupmanager.php in its ?act=edit view
when removing a privilege uses a local privid
which gets reassigned each time a list of privileges for a group
changes.
So if a pfSense admin mistakenly presses the back button in the browser
or otherwise reloads the same delpriv action webpage, it may have the
consequence of removing an unrelated privilege (because it now has a new privid).
(If the privid is the last number then it wouldn't matter.)
This simple mistake could lock out some pfsense user
or make them lose some capability that is not noticed for some time.
(I didn't check if this problem exists in the user view too.)
My suggestion is to use the unique identifiers that
already exist (like "page-xmlrpclibrary") instead of an arbitrary
number that changes.
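The failure mode described above and the suggested fix, as an added Python example (not pfSense code): a delete keyed on a positional privid that is renumbered after each change removes a different privilege when the same request is replayed, while a delete keyed on the stable privilege identifier is idempotent. The function names are mine; the sample group is constructed from privilege names that appear in these notes.

```python
def delete_priv_by_index(privs, privid):
    """Positional deletion as the note describes: privid is an index into the
    current list, which is renumbered after every change. Out-of-range ids
    (the 'last number' case in the note) are ignored."""
    if 0 <= privid < len(privs):
        del privs[privid]
    return privs

def delete_priv_by_name(privs, privname):
    """Deletion keyed on the stable identifier (e.g. 'page-xmlrpclibrary').
    Replaying the same request is a no-op, so a back-button resubmit of the
    delpriv page is harmless."""
    if privname in privs:
        privs.remove(privname)
    return privs

def replay(delete_fn, privs, key, times=2):
    """Apply the same delete request `times` times to a copy of privs,
    modelling a browser reload of the delpriv action page."""
    current = list(privs)
    for _ in range(times):
        delete_fn(current, key)
    return current

def collateral_removals(before, after, intended):
    """Privileges lost beyond the one the admin meant to remove."""
    return sorted(set(before) - set(after) - {intended})

# Constructed sample group; these privilege names appear elsewhere in these notes.
SAMPLE_PRIVS = ["page-xmlrpclibrary", "page-diagnostics-dns", "page-firewall-aliases"]

if __name__ == "__main__":
    intended = "page-diagnostics-dns"
    by_index = replay(delete_priv_by_index, SAMPLE_PRIVS, SAMPLE_PRIVS.index(intended))
    by_name = replay(delete_priv_by_name, SAMPLE_PRIVS, intended)
    print("by index, replayed:", by_index,
          "collateral:", collateral_removals(SAMPLE_PRIVS, by_index, intended))
    print("by name, replayed: ", by_name,
          "collateral:", collateral_removals(SAMPLE_PRIVS, by_name, intended))
```

Replaying the index-based delete of privid 1 twice removes page-diagnostics-dns and then page-firewall-aliases, which had moved into slot 1; the name-based delete removes only the intended privilege however many times the request arrives.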
feature request
system_authservers.php
the text-danger feedback from "Select a container"
such as "Could not connect ..."
will go to the bottom of the page and may be overlooked.
Suggest having that output go next to the button.
The pagenamefirst option (Display page name first in browser tab)
is available for user's customization
(system_usermanager.php or
system_user_settings.php) but is not included
with the same customizations done by admins on system.php.
Instead it is at system_advanced_admin.php.
This is inconsistent. This is a general setting and should be
on the system.php page (and not system_advanced_admin.php).
See gen_pagenamefirst_field.
SUGGESTION: status_captiveportal.php
show the username in the disconnect popup?
services_captiveportal.php
If you don't select a radio button for "Authentication method"
it stays empty
so no authentication is the default. (auth_method is none.)
Show the radio for it -- that is, show the default selection.
Then clicking Continue should just work.
Or if you really want this to be selected make sure setHelp text says so.
While there the docs links to services_captiveportal_mac.php
but that redirects to services_captiveportal_zones.php
(What is _mac page?) Fix links?
https://redmine.pfsense.org/issues/7591
Login for some users with limited privileges takes me to just
/.widget.php
which is 404 not found
system_groupmanager_addprivs.php
feature request.
Please sort the list of privileges in the form
as is done in the system_usermanager_addprivs.php form using
uasort and its admusercmp function.
There is a comment saying "sort it" but does not appear to be done.
https://redmine.pfsense.org/issues/7587
feature request:
add the username to the Are you sure you wish to delete user? prompt
feature request
system_authservers.php
change order of LDAP Server Settings
so Transport
is before
Port value
since it changes the Port value.
Note that selecting the transport resets any custom port also.
system_advanced_admin.php
maybe suggest as feature request to have the settings for admin
and user match up and then have a different section
for the admin only settings
openvpn tunnel network.
ipv4 tunnel_network is still required even when tunnel_networkv6 is set.