I am authoring a new book about pfSense written from scratch. I found various bugs or issues as I read lots of code and used the many interfaces. I will work on adding these to the bug tracker. As I add the bugs to redmine I will link to them with the redmine issue numbers. Also I noticed a few were already fixed, so I mention those here but don't report them.

A list of my reported issues is here.

For more details about my new book see http://www.reedmedia.net/books/pfsense/ .

icon for Related log entries for the DHCPv6 Server uses logfile=dhcp, but that doesn't match anything specific and shows everything under "General".
the diag_authentication "related status" icon links to the same page :)
a syntax error in the PHP executed from the Command Prompt menu should not trigger crash detection suggesting a report to pfSense
suggestion for Edit File: give the input box a description or label like "Path name" or "File name or directory"
Edit File "Go to Line" selection box allows negative numbers and line numbers longer than the file contains
the diag_routes "Rows to display" is off by one as it includes the header line too. If you choose 10, you would expect ten lines of result data to be displayed
diag_routes "Use a regular expression to filter IP address or hostnames" actually matches any field, like flags, mtu, netif; I suggest keeping it the way it works and fixing the description so it is not limited to just the address or hostname
it appears the diag_smart is broken. For example, it has $start_script = "/usr/local/etc/rc.d/smartd.sh"; and it is used once for a stop and start. But that script doesn't exist. It is at /usr/local/etc/rc.d/smartd (no ".sh" at end). Anyways, I now see the code there is marked with //FIXME. The smartd -M test is used to test configuration. Also in diag_smart, it tries to put an email address into /usr/local/etc/smartd.conf but that file doesn't exist. Then it does an attempted HUP of smartd but that daemon is not running. Also the user interface is not intuitive. I'd suggest it have options to enable the service, and that the "Send test email" button should be available even if the email address is not saved; I didn't test it but I think it can be done like: echo /dev/sda -m foo@host -M test | smartd -c - -q onecheck (By the way, it is interesting to have such a detailed disk monitoring service, so it would be just as important to have a network device and general network monitoring service; I understand sending email may not work, but it could check for some "predictive" failures and send a warning before the network is down.)
the diag_sockets.php info says sockstat uses -L when using -l. It does not use -L and it does show the loopback addresses (::1 or Also, why not use the man page details verbatim there, excluding the unnecessary ADDRESS and other UNIX sockets documentation.
FIXED https://redmine.pfsense.org/issues/6708
in diag_dump_states.php clicking the Packets or Bytes header for sorting is neither intelligent nor intuitive. It doesn't really sort packet counts or bytes, considering they may be formatted using acronyms. Also the sort is for just one part, but each has two counts, in/out.
diag_resetstate.php header says "Select States to Reset" but the text there says "will remove all entries from the corresponding tables". There is nothing to select in this view.
diag_resetstate.php if the checkbox is UNchecked, clicking "Reset" still prompts "Are you sure you wish to Reset?" and Okay does nothing. This is not intuitive. Get rid of the checkbox. The pop-up window is good enough.
diag_states_summary is not intuitive as each table has two columns with the same "# States" header. The first is for $ipinfo['seen']; and the second is for $protoinfo['seen']; Maybe have the header say "Protocol counts" over the last three fields or add a documentation line at the top (or bottom) to explain that.
FIXED https://redmine.pfsense.org/issues/6711
services_unbound.php I cannot get any Host Override to be configured with unbound. /var/unbound/host_entries.conf lists my /etc/hosts entries but not my override entries. My config.xml has my details for but I don't see it at all in my /var/unbound settings. I don't see any /etc/inc/unbound.inc code to use it but I may be overlooking it.
be consistent in naming or add more doc details to the diag_tables page, as custom tables are called "aliases" elsewhere; it also uses the word "database" in some places for table or aliases.
diag_tables often says "Date of last update of table is unknown." but the table comments at the same time show the date: last updated 1463027701 (Thu May 12 04:35:01 2016 GMT) (that was for bogons). I assume one is for the local timestamp while the other is the timestamp as provided in the remote's original file, but either way using the same terminology may be confusing, so maybe it should be explained there.
diag_tables has a "Related status" shortcut for "aliases" that goes to the same diag_tables page. diag_routes and maybe other pages have this too. It was a little misleading to click through it to realize it was not a related page. Suggest comparing the target with the link, as is done for Related settings in shortcuts.inc: if (!empty($link) && ($_SERVER['REQUEST_URI'] != "/{$link}")) { (that worked for me) But maybe there was a reason this wasn't already used? Also see diag_limiter_info.php links to itself. I didn't notice the problem for Related logs, but maybe there too.
Just added to my existing ticket: https://redmine.pfsense.org/issues/6701
diag_testport 1) it can output the error "Cannot connect to an IPv6 address using IPv4." (and vice-versa). But that is_ipaddrv4 / is_ipaddrv6 check is for IP addresses. The "host" field may be a hostname, so a hostname like ipv6.test-ipv6.com returns only AAAA, and doesn't give that "Cannot connect" error. This is misleading. I do understand that the hostname is passed directly to netcat. 2) In addition, diag_testport has confusing documentation about the mix of IPv4 and AAAA, but I can set IP Protocol to IPv6 when I have NO IPv6 and a test will return "successful." Also it uses the word "forced" but IPv4 and IPv6 are the only options so one must be selected. 3) since the IP Protocol list only has two choices, maybe just display it as radio buttons instead of a drop-down menu 4) the diag_testport code suggests that -4 or -6 should be used, but that is only done if the host is an IP number and not a hostname. It is interesting that the code has many checks for setting this -4 or -6, but the IP Protocol selection is not even used unless the host is an IP number. If -6 is used on an IPv4 network, even the getaddrinfo() will fail and netcat will indicate that (but diag_testport won't do that). 5) Actually the IP Protocol selection as a choice makes no sense: diag_testport is smart enough to detect that it is mismatched and smart enough to see an optional sourceip's protocol, so it is smart enough to select the protocol on its own. But if it would honor the ipprotocol for hostnames (no IP number), then maybe having that IP Protocol selection is valid.
diag_testport It may be useful to run netcat with -v and provide that output, like "No route to host" or "Succeeded!".
diag_traceroute.php misspelling for "number": 'Maximum nuber of hops',
diag_traceroute.php the IPv4 traceroute, when resolving IPs to hostnames, outputs both, but the IPv6 traceroute6 only shows the hostnames and not the address. My suggestion is to use -l for IPv6 when not using -n.
the max hops for FreeBSD IPv6 traceroute6 is 255, which is the max allowed IPv6 "hop limit". Maybe it should allow that? Then again, nginx may time out beyond 64?
diag_dns.php pressing enter when adding a hostname when "add alias" is the first button will cause the entry to be added as a Firewall Alias even if you just wanted to look it up. In addition, it will add the alias even if it "could not be resolved." My recommendation would be to have the "Lookup" button be the first button.

SUGGESTION: for the DNS Stuff links in diag_dns could also add links to DNS research and not just the IP

/etc/inc/dyndns.class comment has "dyns.org" but I think that is dyns.net.

services_dyndns_edit "Verify SSL peer" checkbox doesn't show its corresponding form label. It is set to "null". (So when the checkbox is displayed it may appear to be in the "Verbose logging" section.) I suggest it be set to "HTTP API options". By the way, maybe the curl_ipresolve_v4 form should also be called "HTTP API options" as pfsense users shouldn't have to know what "CURL" is.
services_unbound has system_domain_local_zone_type type of redirect but does not have a corresponding (second) "local-zone:" line for it that has the different address record. And related, when the "Redirect" choice is set unbound crashed with:
Aug 11 08:37:20 unbound 27341:0 error: local-data in redirect zone must reside at top of zone, not at Wireless_Broadband_Router.office IN A
Aug 11 08:37:20 unbound 27341:0 fatal error: Could not set up local zones
Aug 11 08:38:01 unbound 58991:0 error: local-data in redirect zone must reside at top of zone, not at Wireless_Broadband_Router.office IN A
Aug 11 08:38:01 unbound 58991:0 fatal error: Could not set up local zones
BUT no Notices indicated it and no input errors were detected. When I set System Domain Local Zone Type to Deny or to the default Transparent I get input errors detected: The generated config file cannot be parsed by unbound. Please correct the following errors:
[1470922977] unbound-checkconf[77900:0] error: local-data in redirect zone must reside at top of zone, not at pfSense.office AAAA fde4:8dba:82e1::
[1470922977] unbound-checkconf[77900:0] fatal error: failed local-zone, local-data configuration
NOTE: it still says "redirect" zone even though using transparent now. config.xml still had: redirect meaning I couldn't change it. I made it so the test subdirectory wasn't removed. I removed my Host Override entry and applied the change and it was successful. The unbound process was still not running so I clicked the Start Service action icon. The status_services page said "unbound had been started" but then showed a "Stopped" status for it below. I used viconfig to remove the bogus system_domain_local_zone_type entry. Then the Start service action worked. I recommend that the "redirect" choice be removed until it can be configured with additional details.
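As an added illustration (not configuration written by pfSense), here are the two local-zone types the errors above are about, side by side; zone names and addresses are constructed:

```conf
server:
    # transparent (the pfSense default): host overrides may sit anywhere
    # below the zone apex, and names with no local-data fall through to
    # normal resolution.
    local-zone: "office." transparent
    local-data: "router.office. IN A 192.0.2.1"
    local-data: "pfsense.office. IN A 192.0.2.2"

    # redirect: every name in the zone is answered with the record at the
    # apex, so that apex record is the ONLY local-data unbound accepts here.
    # A host override below the apex, such as
    #     local-data: "host.lab. IN A 192.0.2.60"
    # fails the config check with "local-data in redirect zone must reside
    # at top of zone", which is the error quoted above.
    local-zone: "lab." redirect
    local-data: "lab. IN A 192.0.2.50"
```

Running unbound-checkconf on this file with the commented host override line uncommented reproduces the quoted error.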

services_unbound.php has "Register DHCP leases in the DNS Resolver" unchecked by default but unbound.conf includes dhcpleases_entries.conf, which has them by default. I played with dnsmasq earlier and it started the dhcpleases watcher daemon and, since unbound was enabled, it included the unbound configuration setup. When I stopped dnsmasq, even though unbound didn't have it enabled, it still kept running. The bugs: 1) /etc/inc/system.inc: don't configure dhcpleases for unbound if unbound's regdhcp is not enabled. 2) stop the dhcpleases daemon when not used. 3) remove the hostnames from dhcp leases in /dhcpleases_entries.conf (see comment "dhcpleases automatically entered") when dhcpleases / regdhcp for unbound is no longer used.

maybe I am overlooking it, but I don't see any code honoring unbound's regdhcpstatic setting. I do see it for dnsmasq.

move services_unbound.php custom_options to services_unbound_advanced.php. This is certainly a dangerous feature, so move it to "Advanced Settings". Also it makes it more obvious that some features are already available via the webConfigurator.

services_unbound_advanced.php this is a trivial bug here and elsewhere, but checkbox and other form input names inconsistently end with or without trailing periods. Also some statements begin with a capitalized letter and some don't. Be consistent. While in services_unbound_advanced.php change "0x-20" to "0x20".

services_unbound_advanced.php has Number of Queries per Thread and a few other tunable descriptions that mention "thread" but the number of threads isn't displayed. Consider showing the value here. In some cases the default is only "1" (disabled) so using this terminology doesn't make sense.

services_unbound_advanced.php shows Number of Queries per Thread as 512 even though I have: /var/unbound/unbound.conf:num-queries-per-thread: 4096 which is the default in ./etc/inc/unbound.inc, so if you save that page it will reset it to 512. Probably 512 is okay, but it shouldn't reset its default.

services_unbound_acls.php allows an access list rule that doesn't have any name. So if you have no name and no description, the table view will just show the action with blank fields next to it. So you have edit and delete icons with zero reference to what they are for. This is not intuitive. I recommend that the address/net is listed in the table view to be more obvious. Then you don't need the Access List Name plus a description. I suggest this be simplified. If you don't show the address/net in the table, then require some name or description. In fact, maybe simplify more to just have the description per network and not per rule.

services_unbound_acls.php and /var/unbound/access_lists.conf access-control:. I don't know if this is a bug in pfsense or in unbound, but from various checks it appears that allow and allow_snoop behave the same. I am able to see the same cached entries with allow and am also able to see the local-data: authoritative (aa) entries from host_entries.conf with allow. According to the docs, allow_snoop is for nonrecursive too, but I see the authoritative data without sending the recursion-desired bit with "allow" too. I cannot get the authoritative data when the DNS Resolver access list is empty, so I can confirm that it opens it. If I am checking this wrong, please improve the docs to make it more clear.

services_unbound_acls.php?act=new has a Delete button for the Networks even if there is a single entry. But if you click on it, it has the popup "You may not delete the last row!" It should not offer a Delete button if it cannot be used. "row" is the wrong word for this anyway and is out of context. If you click "Add network" and then on either "Delete" button, both "Delete" buttons will disappear. So that is correct as it shouldn't have a Delete button for a single required entry. Another bug there is that when you Delete the entry, it will show the text "Network/mask Network/mask" (twice) even though there is only one set of fields for that.

the unbound Domain Override versus the dnsmasq Domain Override have different behavior. It is a different feature with the same name. Unbound uses forward-zone/forward-addr (it used to use stub-zone) which queries the defined auth server and then returns the record from then on from the resolver cache. This means the unbound answer is not "aa" and the TTL counts down. But for the dnsmasq feature, it is always "aa" authoritative and the TTL never counts down (since dnsmasq re-looks-up the answer in real time each time). Unbound requires the RD (recursion desired) bit to be set to see it or it is REFUSED. dnsmasq doesn't refuse it if RD is not set. These are two very different implementations, but they have the same "Domain Override" name. Clearly document this; optionally also change the names of these pfSense features. By the way, the code in /etc/inc/unbound.inc still has a comment about stub-addr and maybe the comment should say forward-addr instead.

services_unbound_domainoverride_edit.php "e.g.: testormycompany.localdomainor1.168.192.in-addr.arpa" I assume spaces were meant for the three examples in that Form_Input description, like "e.g.: test or mycompany.localdomain or 1.168.192.in-addr.arpa"

dnsmasq - does it make any sense to use --strict-order (strict_order option) with pfsense's default --all-servers ? maybe the /etc/inc/services.inc conditional should have an "else" to set --all-servers

services_dnsmasq says "Entries in this section override individual results from the forwarders. Use these for changing DNS results", but the forwarders aren't queried for these overrides nor does it change DNS results. In the case of Host Overrides, it is simply an authoritative server. I verified this with tcpdump :)

services_dnsmasq doesn't have a delete icon for a Hosts Override alias entry, please add that. And another related one: in services_dnsmasq_edit, clicking Delete on a single alias (additional name) causes a pop-up "You may not delete the last row!". Please allow removing it. And third, if you delete the parent Hosts Override entry via the delete icon in the table, it will also remove its aliases (additional names); I suggest that it keep them since this is not obvious.

services_dnsmasq_edit.php is overly strict. It uses is_unqualified_hostname() which doesn't allow a period, so you cannot use hostname "foo.bar" with domain "tld"; it will error with "A valid hostname is specified, but the domain name part should be omitted". Same thing with the "Additional Names" alias.

in services_dnsmasq_edit.php if you click "Add Host Name" under "Additional Names for this Host" and save, it will error about the empty field: "The field Alias Domain is required." The workaround is to click the "Delete" button for that new empty field. It should just ignore the entry if all its fields are empty.

the services_dnsmasq Host Overrides are misleading since it has different fields for Host and Domain, so someone may configure "www" with "apple.com" and "www" with "ibm.com" and then the "www" will be resolved in DNS as a round-robin with both addresses returned. Also the first match, based on alphabetical order, will be returned for gethostbyname-type lookups using the /etc/hosts database. In other words, an admin adding an entirely different DNS label to the Host Overrides that has the same first "Host" part will break the other entry. My recommendation is to get rid of the "Host" part and just have a single "DNS name" field; if someone wants the old behaviour they can still add additional entries for it.
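To make the collision concrete, here is an added example (not pfSense's own code) that models how Host Override entries land in /etc/hosts and flags short labels shared across domains. The "ip fqdn shortname" line layout and the alphabetical ordering are assumptions taken from the behaviour described above; the entries are constructed.

```php
<?php
// Added example, not pfSense's own code: model how services_dnsmasq Host
// Override entries end up in /etc/hosts and flag entries whose short "Host"
// label is shared across different domains.  Line layout ("ip fqdn shortname")
// and the alphabetical ordering are assumptions; all entries are constructed.

function hosts_lines(array $overrides): array
{
    $lines = [];
    foreach ($overrides as $o) {
        $fqdn = strtolower($o['host'] . '.' . $o['domain']);
        // Both the FQDN and the bare short name become aliases of the address.
        $lines[$fqdn] = sprintf("%s\t%s %s", $o['ip'], $fqdn, strtolower($o['host']));
    }
    ksort($lines);                    // assumption: alphabetical by FQDN
    return array_values($lines);
}

// Short labels that map to more than one distinct FQDN: the later entry can
// never win a first-match lookup on the bare name.
function short_label_collisions(array $overrides): array
{
    $by_label = [];
    foreach ($overrides as $o) {
        $by_label[strtolower($o['host'])][] = strtolower($o['host'] . '.' . $o['domain']);
    }
    return array_filter($by_label, function (array $fqdns) {
        return count(array_unique($fqdns)) > 1;
    });
}

// Emulate a gethostbyname-style scan of /etc/hosts: the first line carrying
// the name as one of its aliases wins, later lines are ignored.
function first_match(array $lines, string $name): ?string
{
    foreach ($lines as $line) {
        $fields = preg_split('/\s+/', trim($line));
        $ip = array_shift($fields);
        if (in_array(strtolower($name), $fields, true)) {
            return $ip;
        }
    }
    return null;
}

$overrides = [   // constructed sample: two unrelated zones share the label "www"
    ['host' => 'www',  'domain' => 'ibm.com',   'ip' => '192.0.2.20'],
    ['host' => 'www',  'domain' => 'apple.com', 'ip' => '192.0.2.10'],
    ['host' => 'mail', 'domain' => 'ibm.com',   'ip' => '192.0.2.30'],
];
$lines = hosts_lines($overrides);
echo implode("\n", $lines), "\n\n";
foreach (short_label_collisions($overrides) as $label => $fqdns) {
    printf("WARNING: short name \"%s\" is shared by %s; a lookup of \"%s\" only ever returns %s\n",
        $label, implode(' and ', $fqdns), $label, first_match($lines, $label));
}
```

With the sample above the warning names www.apple.com and www.ibm.com and reports 192.0.2.10, because the apple.com line sorts first and is the only one a first-match lookup of "www" ever reaches.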

services_dnsmasq_domainoverride_edit mentions "#" (pound sign) for the dnsmasq special server address to forward as usual. But the GUI won't accept it and says "Please match the requested format." I assume it is because it is using Form_IpAddress. Same thing for "!" to not forward. It won't let it Save.

services_dnsmasq_domainoverride_edit maybe Source IP should use a Form_Select of interfaces as is done in services_dnsmasq. If not, then better explain this here.

services_dnsmasq_domainoverride_edit.php Domain Override doesn't require the "Apply Changes" button to be used when Saved and automatically restarts dnsmasq with the --server and --rebind-domain-ok switches. This is different behavior versus the Host Overrides and other Forwarder options which, when Saved, indicate that changes must be applied to take effect.

services_dnsmasq.php or related ... the DNS overrides will not be placed into /etc/hosts until "Enable DNS forwarder" is set. But if "Enable DNS forwarder" is unchecked, saved and applied, the entries will stay in the /etc/hosts file: no dnsmasq will be running but local programs like ping will still have access to them. This is inconsistent; either put them into /etc/hosts regardless, or remove them from /etc/hosts if dnsmasq is not enabled.

I saw multiple sentences and paragraphs in the interface that were verbatim from the pf.conf manual; the license.php page should list the copyright and license

document why pfsense_default_state_size() assumes each state is 10 kB in size?

nowhere else in the code; dead code? $ipseccfg['dns-interval'] see dns-interval for similar config

just for code /etc/inc/filter.inc s/ftp_proxy_entry/tftp_proxy_entry/ because it is TFTP not FTP; no behavior change. By the way, why does xinetd listen on port 6969 and fork tftp-proxy by default, even if not used? xinetd logs about "readjusting" this every 15 minutes even if not used.

no choices for video font, screenmap, or keymap, so just continue by selecting "Accept these Settings" by using the down arrow a few times and pressing Enter.

the "Are you sure?" menu says to choose Custom Installation from the Main Menu. But if you come here from Recovery, neither that main menu nor Custom Installation has been seen before

pressing F10 in the Custom Install menus didn't "Refresh Display" as shown in the top line, but went to the previous menu. Pressing it repeatedly keeps going to the previous menu until out of the Custom Install. Also F1 for help in some menus simply goes back to the previous step too.

the capacity for swap by default may have so many places after the fractional megabyte decimal that you cannot see the size all at once; the cursor confusingly scrolls through it. I recommend just displaying it with no fractional amount.

why untar the kernel from the CD if it was already copied to the /mnt disk: tar xzpf /kernels/kernel_*SMP*.gz -C /mnt/boot/ why not just untar it from /mnt: tar xzpf /mnt/kernels/kernel_*SMP*.gz -C /mnt/boot/

why does /etc/rmt link to the non-existent /usr/sbin/rmt ?

using exec sh causes exit from the shell to also close the ssh session: Enter an option: read: read error: Input/output error

ctrl-c in the Developer Shell shouldn't exit ssh session

/usr/local/sbin/pfSsh.php contains $tccommands[] = "master"; $tccommands[] = "RELENG_1_2"; but this code is unused; also, what uses tccommands?

in pfSsh = does nothing as the currentline is replaced

all exclamation marks are escaped if first character has it

listpkg Warning: Invalid argument supplied for foreach() in /usr/local/sbin/pfSsh.php(345) : eval()'d code on line 11

name is inconsistent: why disabled vs disable?

this config name and script name are used primarily for a different purpose than they are named for

why does it do this twice: unset($config["interfaces"]["wan"]["blockbogons"]); unlink_if_exists("/tmp/config.cache"); ... unlink_if_exists("/tmp/config.cache"); unset($config['interfaces']['wan']['blockbogons']);

cannot run it twice since Cannot redeclare get_boot_disk() via the include of /etc/ecl.php

can this even work? $locations_to_check = array("/", "/config"); foreach ($locations_to_check as $ltc) { $tocheck = "/tmp/mnt/cf{$ltc}config.xml"; This checks for /tmp/mnt/cf/config.xml and /tmp/mnt/cf/configconfig.xml but the file would be at /tmp/mnt/cf/conf/config.xml

also get_boot_disk and get_swap_disks don't work since modern systems use ufsid labels but they later try to compare with device names

does not work; it references an array that doesn't exist: Playback of file listpkg started. Installed packages: Warning: Invalid argument supplied for foreach() in /usr/local/sbin/pfSsh.php(345) : eval()'d code on line 11 I checked with: if (!is_array($config['installedpackages']['package'])) { echo "not an array\n"; return; }

cannot run it twice in the developer shell since Cannot redeclare usage()

the traffic_shaper_wizard_dedicated.xml scheduler type drop-downs are marked as "Local interface" and "WAN interface". Change them to also say "Schedule Type". While there, note that "interface" starts with a lowercase "i" in some uses and an uppercase "I" in others. Also maybe add "speed" or "rate" and maybe "measurement" or "units" for the upload and download parameters.

minor bug; the traffic_shaper_wizard_dedicated.xml page has both Penalty Box and PenaltyBox (no space); be consistent?

the traffic_shaper_wizard_dedicated.xml doesn't have a check to make sure at least the P2P catchall or a specific protocol is selected

minor bug, the traffic_shaper_wizard_dedicated.xml P2P page has a mix of "Peer to Peer" (no dashes), "Peer-to-Peer", "p2p" (lowercase) and "P2P"; be consistent?

the traffic_shaper_wizard_dedicated.xml "other Applications" says "raise or lower ... higher than most". That grammar of "lower... higher" doesn't read well. Maybe just end the sentence at "protocols."

the Traffic Shaper / Limiters page has the "By Interface" info help that is about tree, queues, buttons. But there is no "tree" by default. Also maybe "queues" should be called "Limiters". Maybe from /etc/inc/shaper.inc

Click "here" was broken for me on the installation wizard screen since it didn't have my port number, but I can click on the logo to get to the default Dashboard display.

the config is called DNS Forwarder but it is not a DNS Forwarder; tcpdump showed it doing recursive resolution starting at the gtld-servers and not using any forwarder

firewall_shaper_vinterface.php action item should link to diag_limiter_info.php for Related Status. And the diag_limiter_info.php should NOT have a Related status action item pointing to itself.
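Both the diag_tables/diag_routes self-links noted earlier and the diag_limiter_info.php one here come down to the same check, so one added example (not pfSense's shortcuts.inc) covers them: a helper that decides whether a Related status/settings icon should be rendered. The function name is hypothetical, and it generalises the REQUEST_URI comparison quoted above by comparing path components only, so a request carrying a query string still matches its own shortcut target.

```php
<?php
// Added example, not pfSense's shortcuts.inc: decide whether a "Related status"
// or "Related settings" shortcut icon should be rendered at all.  The function
// name is hypothetical.  Paths are compared without their query strings, so
// /services_unbound_acls.php?act=new still matches a shortcut back to itself.

function shortcut_target(string $link, string $request_uri): ?string
{
    if ($link === '') {
        return null;                       // nothing configured for this page
    }
    $target  = '/' . ltrim($link, '/');
    $current = parse_url($request_uri, PHP_URL_PATH) ?? '/';
    if ($current === parse_url($target, PHP_URL_PATH)) {
        return null;                       // self-link: caller skips the icon
    }
    return $target;
}

// Constructed cases from the post: a shortcut that points back at the page
// being viewed is suppressed, a genuinely related page is kept.
$cases = [
    ['diag_tables.php',                   '/diag_tables.php'],
    ['diag_limiter_info.php',             '/diag_limiter_info.php?mode=x'],
    ['diag_limiter_info.php',             '/firewall_shaper_vinterface.php'],
    ['status_logs_vpn.php?logfile=l2tps', '/vpn_l2tp.php'],
];
foreach ($cases as [$link, $uri]) {
    $shown = shortcut_target($link, $uri);
    printf("%-36s from %-34s -> %s\n", $link, $uri, $shown ?? '(icon hidden)');
}
```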

vpn_l2tp_configure in /etc/inc/vpn.inc has killbypid and sleep(8) even if starting it for the first time. I suggest it should check file_exists() first. Note that killbypid via sigkillbypid does check for that, but wrap both with it since the sleep(8) is done regardless.
vpn_l2tp_configure in /etc/inc/vpn.inc can use $l2tpcfg['wins'] for NetBIOS name server (NBNS) information but that "wins" is not configured anywhere. If it is not desired, then remove that stale code? (I did see similar for vpn_pptp.php but this bug is about l2tp.)
vpn_l2tp.php recommend confirming that the DNS servers l2tp_dns1 and l2tp_dns2 are IP addresses. Check this right in vpn_l2tp.php since vpn_l2tp_configure silently checks it. Also while there, complain if l2tp_dns2 is set but l2tp_dns1 is not, since vpn_l2tp_configure won't use it if the first is not set.
vpn_l2tp.php says when RADIUS is set "The local user database will not be used." and vpn_l2tp_users.php also shows: "RADIUS is enabled. The local user database will not be used." I don't see any configuration to turn "internal" off (like "set auth disable internal"). It is not clear what type of users this is about, like L2TP mpd.secrets, or what? But if it is about mpd.secrets then that is used after RADIUS and is enabled by default. (see http://mpd.sourceforge.net/doc/mpd31.html#31)
in vpn_l2tp.php Remote address range remoteip is required even if RADIUS issued IPs radiusissueips is set. Per vpn_l2tp_configure remoteip is not used if radiusissueips is set (as it sets it to the undocumented peer). Is remoteip really required? While there, only set clientip if not radiusissueips
vpn_l2tp_users.php Suggestion: consider allowing IP/Subnet for the user. mpd supports this for restricting to a range instead of a specific IP.
the logging shortcuts for vpn_l2tp.php and vpn_l2tp_users.php and vpn_l2tp_users_edit.php all go to the same: status_logs_vpn.php?vpntype=l2tp, which does not exist, and takes you to the default PPPoE Logins view (instead of the better L2TP one). the fix in shortcuts.inc is: -$shortcuts['l2tps']['log'] = "status_logs_vpn.php?vpntype=l2tp"; +$shortcuts['l2tps']['log'] = "status_logs_vpn.php?logfile=l2tps&vpntype=l2tp"; You could have a new shortcut configuration for the users vs. config but I think it is fine as is.
openvpn_validate_port() has: if (empty($value ... so when passing zero to it, it complains (because empty(0) is FALSE): "The field 'Local port' must contain a valid port, ranging from 0 to 65535" While I would want it to check for not 0, the above says zero is okay and the vpn_openvpn_server.php addInput form for it allows it. Make the fix in both places.
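As an added example (not pfSense's openvpn_validate_port()), the empty()-based guard described above sits beside a stricter check so the difference on "0" and on non-integer input is visible; both function names are hypothetical and the input list is constructed.

```php
<?php
// Added example, not pfSense's openvpn_validate_port(): the empty() guard
// described above beside a stricter check.  Both function names are
// hypothetical and the input list is constructed.

// Weak form.  PHP's empty() is true for "" AND for the string "0", so a
// port of 0 is rejected by a message that claims 0 is valid, while values
// such as "80.5" or "1e3" pass is_numeric() and are accepted.
function validate_port_weak($value): ?string
{
    if (empty($value) || !is_numeric($value) || $value < 0 || $value > 65535) {
        return "must contain a valid port, ranging from 0 to 65535";
    }
    return null;   // accepted
}

// Strict form: accept only a plain run of ASCII digits within range.  The
// string cast matters because ctype_digit() on an integer argument tests the
// character with that ASCII code instead of the number itself.
function validate_port_strict($value, bool $allow_zero = false): ?string
{
    $min = $allow_zero ? 0 : 1;
    $s = (string)$value;
    if (!ctype_digit($s) || (int)$s < $min || (int)$s > 65535) {
        return "must contain a valid port, ranging from {$min} to 65535";
    }
    return null;
}

// Constructed inputs as a form field would deliver them (strings).
foreach (['0', '80', '', 'abc', '80.5', '1e3', '-1', '65536'] as $in) {
    printf("%-6s weak: %-9s strict: %-9s strict(0 ok): %s\n",
        var_export($in, true),
        validate_port_weak($in) === null ? 'accepted' : 'rejected',
        validate_port_strict($in) === null ? 'accepted' : 'rejected',
        validate_port_strict($in, true) === null ? 'accepted' : 'rejected');
}
```

The weak form rejects "0" yet accepts "80.5" and "1e3"; the strict form rejects all three unless zero is explicitly allowed, which is the decision the form and the validator need to make together.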
/etc/inc/openvpn.inc uses what vpn_openvpn_server.php sets for dh_length, but only three /etc/dh-parameters.NUM files are available while the drop-down allows others, resulting in: openvpn[34890]: Options error: --dh fails with '/etc/dh-parameters.3072': No such file or directory Note that the code for other dh-parameters is commented out.
vpn_openvpn_server.php Address Pool sets pool_enable. I don't see any code that uses it, e.g. not in /etc/inc/openvpn.inc. What uses this? Also this is addrpool in the wizard. What uses it?
vpn_openvpn_server.php configures client_mgmt_port but as far as I can tell this number is not used and the management is using a Unix domain socket and not a TCP port.
wizards/openvpn_wizard.xml This is a wizard behavior which can cause confusion or mistakes. A wizard saves its settings to config.xml and if you use the wizard again it may prepopulate fields. So if you use the wizard once to set up an LDAP server and later set up a RADIUS server, it may have the 389 port number (for LDAP) for the RADIUS port setup. Even though it has the correct number in the note below, the common usage for pfSense is to prepopulate with defaults. In this case, the field is wrong.
openvpn_wizard.xml I skipped creating a cert and when finished it took me back to select or add a certificate. After creating one, it took me to the next wizard screen but still had the error message "Please choose a Certificate." at the top.
vpn_openvpn_client.php has Related settings shortcut to vpn_openvpn_server.php but that is misleading and for normal pfSense use it is not "Related". As an example, the server's page doesn't have a related settings shortcut pointing to clients (as it should not).
vpn_openvpn_client.php and /etc/inc/openvpn.inc Has a checkbox to enable "Infinitely resolve server" but the resolv-retry infinite config is also used if it is a client. This is a client. In addition, OpenVPN 2.3 has this enabled by default. I don't see anything here to set it to 0 (zero) to disable. To explain a different way, the config.xml has: while the openvpn$NUM.conf still has: "resolv-retry infinite". I suggest getting rid of the feature since it is default behavior and is always set here. Or if you keep it, make it so unchecked means "0" and don't set it by default for the client too.
vpn_openvpn_client.php shows the Peer Certificate Revocation list option when non-TLS shared key server mode is selected but not when TLS mode is selected. See the hideLabel definitions for it. Is this reversed? See vpn_openvpn_server.php as the (correct) opposite approach. If this is already as desired, add some hint why it is useful that way. While there consider having this option displayed after the certref option.
ALREADY FIXED in be4acfd167788719d16b795d5491646fd88bd23f ticket #7331
vpn_openvpn_client.php text for Tunnel Networks says "The second network address will be assigned". It uses openvpn_get_interface_ip() which uses gen_subnetv4() and then ip_after(). This is misleading as it could be considered that the first address is the address returned by gen_subnetv4(), so really the "third" network address will be assigned by some understandings. Some say the first is the "network address" but that is the terminology used here and the second is the "first IP". My recommendation is simply to clarify the help text. This may be needed for IPv6 and the other openvpn pages too.
vpn_openvpn_client.php compression defaults to No Preference so "comp-lzo" is not set in configuration. But the openvpn manual says "make sure the client-side config file enables selective compression by having at least one --comp-lzo directive ... this will ... allow a future directive push from the server to dynamically change the on/off/adaptive setting." The manpage is confusing as also hints that adaptive is the default. I recommend you change the user interface default to "adaptive" so it sets "comp-lzo adaptive" to make sure. "No Preference" seems to imply there is a preference so maybe reword or fix this (in /etc/inc/openvpn.inc and for vpn_openvpn_server.php too).
PROBABLY FIXED IN a4b3624650 bug #7064
/etc/inc/openvpn.inc The openvpn manual says: Note: Using --topology subnet changes the interpretation of the arguments of --ifconfig to mean "address netmask", no longer "local remote". And also says: TUN devices in --topology subnet mode (which create virtual "multipoint networks"), --ifconfig is used to set an IP address and subnet mask ... (The manual example also shows it.) But openvpn.inc when using tun still sets ifconfig (conf option) using $ip1 for client and $ip2 for server instead of the $mask. I didn't test this but it doesn't follow the docs. This may need to be fixed so the second argument is the mask. I did read https://forum.pfsense.org/index.php?topic=103331.0
vpn_openvpn_client.php Does the route_no_exec feature for "Don't add/remove routes" even work? I don't see any use of a route-up script. Also while here, the setHelp text shows "--route-upscript" which should have a space between up and script. This text is just verbatim from the man page (which has the space). (I also see the missing space in the locale files.)
system_advanced_sysctl.php allows adding a tunable with a bogus name (like a space in it or doesn't exist) or bogus value. Maybe report sysctl output?
system_advanced_notifications.php has a button to test growl, but no indication locally (in the GUI) if used or not. In particular shouldn't it warn if the IP address and password is blank? In addition, there is no indication locally (in the GUI) if the Test SMTP Settings button did anything. Since it says uses the currently stored configurations, it should show what they are here just in case changed above, or when the test is done it could display what settings were used. or could use multiple submit buttons and call this one Save and Test SMTP Settings?
diag_edit.php will give warning "Loading a directory is not supported." but after clicking Browse and getting a directory listing, that warning is not cleared; it still displays same warning even though is now irrelevant. Maybe update print_info_box after successes.
diag_edit.php if you are browsing directory hiererchy, and enter a filename and click save, it will write a zero byte file to that filename. Note there was no data to write but the edit display was showing the directory layout. I suggest if a browse directory view is displayed then the Save button should be disabled or the save should indicate no data to save while in directory browsing view and to not do anything.
diag_packet_capture.php link to tcpdump manpage is different version than FreeBSD version. I did a quick look with wdiff and the manuals are about 6% different.

diag_pftop.php has "Size" as a sorttype, which is not an order type known by pftop. (sort_size_callback in pftop is "Bytes".) "Size" is not a sort option, so it behaves the same as "none".
diag_pftop.php should not offer the sort choices Peak and Rate, since they are only useful with the cached information available in interactive mode (see the text console version) to calculate the instantaneous and peak speeds.
/etc/pfSense.obsoletedfiles has the wrong path for diag_system_pftop.php (missing www); see 1af5edbf04e0e3bbbc55981f6fc404b60ff33f2b (note it is a different PHP file now).
diag_dump_states.php: enter a non-existent but valid IP address and you will get a Kill States button but no states listed. It is not intuitive to be offered removal of states that don't exist.
top is missing the CPU: header, like: CPU: 3.9% user, 0.0% nice, 2.4% system, 0.4% interrupt, 93.3% idle. This is a limitation in the top implementation on FreeBSD (seen outside of pfSense). In interactive mode it is filled in after the rest of the display is drawn, but in batch mode the line is blank. I filed a bug report against it in FreeBSD: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218889

pkg_mgr.php: The table shows a Version for the package, then the dependencies show the same package name with a different version. This is confusing. For example it shows: arping 1.2.2_1 depends on arping-2.15_1. To clarify, I recommend the Version column be renamed to "pfSense pkg Version" and "Package Dependencies:" be changed to "FreeBSD Package Dependencies:" (I assume all are FreeBSD packages.)
My user has the page-diagnostics-dns privilege, which provides DNS lookups but also allowed the user to create an alias "Created from Diagnostics-> DNS Lookup". But now the user cannot see this alias nor has any way to remove it (because that needs the page-firewall-aliases privilege). I'd suggest that the capability to do DNS lookup diagnostics shouldn't also allow adding aliases.
I entered an ampersand (&) in the Full name and it was written to master.passwd and /etc/passwd in HTML-entity-encoded form, and encoded twice at that (a double-encoded ampersand). This is also shown in the Users table.

system_usermanager.php: The showcert checkbox "Click to create a user certificate" when adding a new user does nothing; the cert-options class is not displayed. Or what is that checkbox supposed to do?
Feature request: system_usermanager_addprivs.php should say which user (name and full name) is having privileges added, like system_groupmanager_addprivs.php does. Easy fix: $section = new Form_Section('User Privileges for '. $a_user['name']);
system_usermanager.php: the User Certificates view is missing the "Action" table header. Also, as a feature request, have a link to the certificate management page to actually see the certificate details (and maybe remove the certificate).

Feature request: system_certmanager.php?act=new&userid=n, when adding a certificate specifically assigned to a user, should state the username at the top of the page (especially since it is different from when the page is not for a userid).

system_certmanager.php?act=new&userid=n: when selecting the method "existing", the descr field is not used (it is ignored, and confusing since it is different). Maybe only display the descr input box for the forms that need it.

Feature request: system_groupmanager.php should allow configuring the Assigned Privileges for a new group on "Add", and not just when editing an existing group.

Feature request: system_groupmanager.php in the ?act=edit view, when deleting a single privilege, should go back to the edit view so you can see the change. Currently it takes you back to the all-groups view, where you have to click edit again to see that the privilege changed.

system_groupmanager.php in the ?act=edit view, when removing a privilege, uses a local privid which gets reassigned each time the list of privileges for a group changes. So if a pfSense admin mistakenly presses the back button in the browser, or otherwise reloads the same delpriv action web page, it may have the consequence of removing an unrelated privilege (because that number now refers to a different one). (If the privid is the last number then it wouldn't matter.) This simple mistake could lock out some pfSense user or make them lose some capability that is not noticed for some time. (I didn't check whether this problem exists in the user view too.) My suggestion is to use the unique identifiers that already exist (like "page-xmlrpclibrary") instead of an arbitrary number that changes.
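To make the replayed-delete hazard above concrete, here is an added illustration. It is a stand-in model written for this page, not pfSense's system_groupmanager.php code, and the privilege names are constructed sample data (the ?act=delpriv&privid= URL shape is likewise an assumption for the sake of the example). It applies the same delete request twice, as a browser reload or back button would, first with a positional privid and then with the stable privilege name, and reports whether the second submission changed anything.

```python
# Added illustration of deleting by position versus by stable identifier.
# Not pfSense code; SAMPLE_PRIVS is constructed data.

SAMPLE_PRIVS = ["page-all", "page-dashboard-all", "page-xmlrpclibrary"]


def delpriv_by_position(privs, privid):
    """Delete whatever privilege currently sits at list position privid.

    This models a request like ?act=delpriv&privid=1 where privid is just
    the index into the group's current privilege list, renumbered after
    every change. Out-of-range indexes are ignored.
    """
    privs = list(privs)
    if 0 <= privid < len(privs):
        del privs[privid]
    return privs


def delpriv_by_name(privs, name):
    """Delete the privilege by its stable identifier (e.g. "page-xmlrpclibrary").

    A repeated request finds nothing left to delete and changes nothing.
    """
    return [p for p in privs if p != name]


def replay(delete, privs, key):
    """Submit the same delete request twice (reload or back button).

    Returns the privilege list after the first and after the second submission.
    """
    after_first = delete(privs, key)
    after_second = delete(after_first, key)
    return after_first, after_second


def is_idempotent(delete, privs, key):
    """True if submitting the delete twice yields the same result as once."""
    after_first, after_second = replay(delete, privs, key)
    return after_first == after_second


if __name__ == "__main__":
    print("by position:", replay(delpriv_by_position, SAMPLE_PRIVS, 1))
    print("by name:    ", replay(delpriv_by_name, SAMPLE_PRIVS, "page-dashboard-all"))
```

With the positional form, the first request removes page-dashboard-all and the replayed request then removes page-xmlrpclibrary, a privilege the admin never asked to delete. With the name form, the second request is a no-op, which is the property a destructive action reachable by a plain reload should have.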

Feature request: system_authservers.php: the text-danger feedback from "Select a container", such as "Could not connect ...", goes to the bottom of the page and may be overlooked. I suggest having that output appear next to the button.

The pagenamefirst option (Display page name first in browser tab) is available for the user's customization (system_usermanager.php or system_user_settings.php) but is not included with the same customizations done by admins on system.php. Instead it is at system_advanced_admin.php. This is inconsistent: it is a general setting and should be on the system.php page (and not system_advanced_admin.php). See gen_pagenamefirst_field.

SUGGESTION: status_captiveportal.php should show the username in the disconnect popup.

services_captiveportal.php: If you don't select a radio button for "Authentication method" it stays empty, so no authentication is the default (auth_method is none). Show the radio for it, that is, show the default selection; then clicking Continue should just work. Or, if you really want this to be selected, make sure the setHelp text says so. While there, the docs link to services_captiveportal_mac.php, but that redirects to services_captiveportal_zones.php (what is the _mac page?). Fix the links?
Login for some users with limited privileges takes me to just /.widget.php, which is 404 Not Found.

system_groupmanager_addprivs.php feature request: please sort the list of privileges in the form as is done in the system_usermanager_addprivs.php form, using uasort and its admusercmp function. There is a comment saying "sort it", but it does not appear to be done.
Feature request: add the username to the "Are you sure you wish to delete user?" prompt.

Feature request: system_authservers.php: change the order of the LDAP Server Settings so Transport comes before Port, since changing the transport changes the Port value. Note that selecting the transport also resets any custom port.

system_advanced_admin.php: maybe, as a feature request, have the settings for admin and user match up, and then have a separate section for the admin-only settings.

OpenVPN tunnel network: the IPv4 tunnel_network is still required even when tunnel_networkv6 is set.