I authored a new book about pfSense written from scratch. I found various bugs or issues as I read lots of code and used the many interfaces. I may work on adding these to the bug tracker. As I add the bugs to redmine I will link to them with the redmine issue numbers. Also I noticed a few were already fixed so mention that here but don't report them.

A list of my reported issues is here.

For more details about my new book see http://www.reedmedia.net/books/pfsense/ .

How much time does it take to fix a software bug? A common average estimate is 1.5 days. Even a minor bug takes communication time, code checkout, verification, code test, fix, run tests, peer-review, changelog, back-and-forth feedback to reporter, etc. Sadly, I don't have the time to report let alone fix all these 350+ pfSense bugs:

May 2019 Version: 2.4.4-p1 /etc/inc/acb.inc The config upload service to https://acb.netgate.com/save has curl_setopt($curl_session, CURLOPT_SSL_VERIFYPEER, 0); hardcoded. That zero means that curl doesn't care about the authenticity of acb.netgate.com's certificate. Maybe a bad precendent for uploads. The services_acb.php routines do verify. (The test_connection code does verify the peer. This is inconsistent. No user interface for testconnection and acb_custom_php_validation_command so I assume those are for dev use only.)

May 2019 Version: 2.4.4-p1 /etc/inc/acb.inc If upload results in HTTP 500, it links to /pkg_edit.php?xml=autoconfigbackup.xml&id=0 but this is not a package anymore but in official pfSense.

May 2019 Version: 2.4.4-p1 /etc/inc/acb.inc comment says firewall identifier is MD5 has (sic). but code below shows it is sha256. Fix the code or fix the comment. I suspect sha256 is what you want. Also change "has" to "hash".

May 2019 Version: 2.4.4-p1 services_acb.php says "the encryption key is neither transmitted, nor known outside of the firewall" but this is misleading. It may be part of the configuration itself. No security issue with that since the encryption key is encrypted.

May 2019 Version: 2.4.4-p1 services_acb.php deadcode for "myhostname" (see "my")

May 2019 Version: 2.4.4-p1 services_acb_backup.php My settings have enabled unchecked but I do have a encryption_password. Backup now: Backup button results in "Backup completed successfully." displayed. But the upload_config() code checks for it to be enabled. ("Do noting ... when not enabled".) It was not successful. Nothing happened. The logs show that it didn't happen. And the "Restore" tab shows there is no new backup. Also when the encryption_password is not set, the acb.inc code to mention that didn't result in anything as the log_error and file_notice are commented out. Again Backup Now says "successful" but I have no encryption_password in config.xml. Also maybe consider having a frequency Form_MultiCheckboxGroup option for manual only. I see code is commented out.

Jan 2018 Version: 2.3.3 /etc/inc//captiveportal.inc the line <tr><td colspan="2"><center>{$translated_text2}</td></tr> is missing the closing </center> tag and firefox may not display it centered and its view source indicates this error.

Jan 2019 Version: 2.4.3 /etc/inc/captiveportal.inc portal_allow() uses $_POST['replacemacpassthru'] but I don't see any form that provides that "replacemacpassthru"

FIXED: Jan 2018 Version: 2.3.3 captive portal passthrumacaddusername doesn't auto-add without passthrumacadd also checked. If passthrumacadd is not checked but passthrumacaddusername is checked, the captive portal doesn't load. While it is documented, maybe the passthrumacaddusername checkbox should not even be allowed to be checked by itself. NOT FIXED. BUT this was removed in version 2.4.4.

Jan 2019 Version: 2.4.3 services_captiveportal_mac.php has: if ($_POST['username']) { but I cannot find any captive portal related code that submits a name called "username"

Jan 2019 Version: 2.4.3 captive portal MAC-based pass-through visitors aren't listed on the Status - Captive Portal page as logged in nor in the number of users counter on the zone's page even if they have working captive portal connectivity.

Jan 2019 Version: 2.4.3 /etc/inc/captiveportal.inc in captiveportal_configure_zone() $errtext = str_replace("\$PORTAL_REDIRURL\$", "#PORTAL_REDIRURL#", $errtext); is followed by if ($cpcfg['preauthurl']) { $errtext = str_replace("\$PORTAL_REDIRURL\$", "{$cpcfg['preauthurl']}", $errtext); How can that $PORTAL_REDIRURL$ exist if just replaced?

Jan 2019 Version: 2.4.3 /etc/inc/captiveportal.inc depending on the context portal_reply_page is called with different values, so some error / reply pages don't have all the values for macros. For example some have clientip and some don't.

Jan 2019 Version: 2.4.3 captive portal have a checkbox option to just use the same template for login and error reply page. It does work to use the same template.

Jan 2019 Version: 2.4.3 /etc/inc/captiveportal.inc Use of portal_reply_page() function with type set to "redir" which also have a message won't use the message. portal_reply_page($my_redirurl, "redir", "Just redirect the user."); That message is not used. This is misleading to the developer. If it is a comment to the developer then just use a comment. There are other cases where type is set to redir but it is not hardcoded so maybe okay.

May 2019 Version: 2.4.4-p1 2.2.4 services_captiveportal.php The grammar for the includeidletime description has mistakes in multiple places.. "This setting change the stop time that will be send in the Accounting Stop request, when a user get disconnected after exceeding the idle timeout." This may cause the meaning to be confused. All the help should be double-checked on this page.

Jan 2018 Version: 2.3.3 using captive portal max rules set upload bandwidth to 1 and the I was locked out even from webconfigurator. Couldn't ping system, but could use console to revert. I didn't troubleshoot further.

Jan 2018 Version: 2.3.3 captive portal mac blocking. Why have captive portal login page fields when it says "This MAC address has been blocked"? Suggest no welcome line, no input fields, and no submit (Continue) button.

Jan 2018 Version: 2.3.3 csptive portal allowed hostnames Directions both, from, and to all have same behavior. Allowing access "to" destination also opens up access "from" it, and vice-versa. See the ipfw tables shows them in both tables (3 and 4) regardless. and the rules allow for both seen in /etc/inc/captiveportal.inc.

Jan 2018 Version: 2.3.3 status_captiveportal_test.php if an invalid token or an expired token is entered on the captive portal test with valid tokens it won't show the "Access granted for ... minutes in total." line but will show the "Access denied!" line at bottom of the output instead. I suggest if has valid tokens it should still show the total minutes and put the access denied message only with the bad or expired tokens.

Jan 2018 Version: 2.3.3 /status_captiveportal_expire.php says "Voucher(s) successfully marked." for bogus or unknown entered vouchers.

Aug 2016 Version: 2.3 status_captiveportal.php SUGGESTION: show the username in the disconnect popup?

Jan 2018 Version: 2.3.3 captiveportal_disconnect_all() I used Disconnect All Users from status_captiveportal.php and the table changed to show 0 (zero) users logged in. Then the users could use the network without authentication. To restart I unchecked enable captive portal checkbox, saved, re-checked and saved. This Disconnect All Users doesn't do what I would expect as it opens up full usage. I thought it would make them authenticate again.

Jan 2018 Version: 2.3.3 various php pages The ##|*NAME= value doesn't match up to the page's real link naming. Maybe an audit should be done.

Jan 2018 Version: 2.3.3 captive portal suggestion: log with captiveportal_syslog when a zone is disabled. There are several log lines when enabled, but none when a captive portal zone is turned off.

Aug 2016 Version: 2.3 services_captiveportal.php docs link to but that redirects to /services_captiveportal_zones.php what is _mac page?

Aug 2016 Version: 2.3 FIXED services_captiveportal.php If don't select radio button for Authentication method it stays empty so no authentication is default. (auth_method is none.) Show the radio for it -- that is show the default selection. Then click Continue should just work then. Or if you really want this to be selected make sure setHelp text says so. While there the docs links to services_captiveportal_mac.php but that redirects to services_captiveportal_zones.php (What is _mac page?) Fix links? https://redmine.pfsense.org/issues/7591

Jan 2018 Version: 2.3.3 /usr/local/libexec/pfSense-upgrade saw at boot up twice: gnid: not found (something like that)

Jan 2018 Version: 2.3.3 system_crlmanager.php Suggest that the "Add or Import CRL" button only be "Import CA" for non-internal CA (see that it is importonly already).

Mar 2019 Version: 2.4.3 services_dhcp.php SUGGEST: add "ip6-address" as a "type" custom option definition.

Mar 2019 Version: 2.4.3 services_dhcp_edit.php and services_dhcp.php SUGGESTION: these have lots of duplicated code and forms. This should be simplified to use a single php script or put the shared code into a single include file.

Sep 2017 Version: 2.3.3 status_dhcp_leases.php Leases in Use summary # of leases in use changes based if "Show all configured leases" button is enabled. This may be misleading since the column header explanation doesn't change. I suggest having two columns (that do not change based on the button at the bottom): # of online leases and total # of leases

Sep 2017 Version: 2.3.3 services_dhcp_relay.php for Destination server each line has duplicate buttons: Delete Add Delete Add (and all appear to work the same) I didn't see on the ipv6 page too, maybe caused by overriding if I had dhcp enabled already. Also related the delete button when only have one field will remove the only field and nothing to bring it back there, so need to reopen same webpage and enable again.

Apr 2019 Version: 2.4.3 services_dhcpv6.php suggestion like services_dhcp.php has icons to restart and stop the server, do the same thing for the DHCPv6 page.

Apr 2019 Version: 2.4.3 services_router_advertisements.php add icons to start, restart radvd and to the logs (router)

Sep 2017 Version: 2.3.3 services_router_advertisements.php?if=lan should have the warning displayed if interface does not have an IPv6 static address. It is just a blank page. This could happen if changes made and then you have a link direct to this page. Also if go to the same page without GET argument ?if= on URI, it says "Only interfaces configured with a static IP will be shown." But nothing is shown, so maybe it should have a warning to be more clear.

Apr 2019 Version: 2.4.3 services_router_advertisements.php rapreferredlifetime suggest using "number" Form_Input method like the previous field and following field. Also the setHelp starts with "Seconds." which is repeated a moment later. See previous field as a comparison.

Apr 2019 Version: 2.4.3 services_router_advertisements.php uses Form_IpAddress with 'V6' for the RA Subnets address. but when saved it is checked with is_alias() for the name (to know to add the bits or not). It cannot be an alias if is an IP address.

Apr 2019 Version: 2.4.3 /etc/inc/services.inc "Use same settings as DHCPv6 server" rasamednsasdhcp6 setup is incomplete. When checked it also doesn't define the DNSSL search list string. If rasamednsasdhcp6 is checked, it should also use $dhcpv6ifconf['domain'] and $dhcpv6ifconf['dnsserverdomainsearchlist']

Jun 2016 Version: 2.3 FIXED services_dhcpv6.php icon for Related log entries for the DHCPv6 Server is for logfile=dhcp but that doesn't match anything specific and shows everything "General". https://redmine.pfsense.org/issues/6700

Mar 2019 Version: 2.4.3 services_dhcpv6.php it allows a dhcpv6 server configuration without any interface selected and enabled. Says "The changes have been applied successfully." but nothing changed in config.xml. It did end up in /conf/config.xml.bad Mar 23 18:19:28 pfSense php-fpm[23877]: /services_dhcpv6.php: XML error: XML_ERR_NAME_REQUIRED at line 243 in /conf/config.xml See this broken xml: <dhcpdv6> ... <> <range> ... </> </dhcpdv6> Plus it had a <lan> config even though the user interface doesn't show it.

Mar 2019 Version: 2.4.3 services_dhcpv6.php allowed saving and attempt enabling a dhcpv6 configuration without even an interface. "Enable DHCPv6 server on interface" checkbox didn't even list the interface name. Available range was not shown. I am not using IPv6 but was just experimenting with it I happened to have a PPPOE setup for IPv4 but the DHCPv6 listed it but was not selected. No message about needing a static IPv6. The generated config.xml had empty tag for the interface <> and </>. This resulted in XML_ERR_NAME_REQUIRE and config.xml.bad.

FIXED Mar 2019 Version: 2.4.3 /etc/inc/services.inc and ./services_dhcpv6.php netmask can be defined if OSLRD but no code uses it for DHCPv6 I see forms removed in 2.4.4-p2.

Mar 2019 Version: 2.4.3 services_dhcpv6.php the zone primary address for DDNS for DHCPv6 should not require IPv4 address. If this is a IPv6 only network, please don't force IPv4 only.

Mar 2019 Version: 2.4.3 services_dhcpv6.php FIXED bootfile doesn't get into the dhcpd.conf. And it doesn't look like "Enable Network Booting" checkbox does anything useful. Maybe it was from some old code prior to "Display Advanced" for the same? Notice that /etc/inc/services.inc uses "netboot" while services_dhcpv6.php doesn't have a knob for netboot. Looks like the fix is to change shownetboot to netboot.

Mar 2019 Version: 2.4.3 services_dhcpv6.php code has references to tftp, winsserver, and wins but there is no form for it for dhcpv6 server like there is for dhcp (v4) Stale code? Missing feature?

Sep 2017 Version: 2.3.3 services_dhcpv6_relay.php has agentoption configuration, but the services_dhcrelay6_configure() function in /etc/inc/services.inc does not use it. (That is fine, because -a and -m are v4 options.) Renove this setting from the v6 page.

Apr 2019 Version: 2.4.3 services_dhcpv6_relay.php if no interfaces have IPv6 then DHCPv6 relay makes no sense and cannot be configured since there will be no choices and The field Interface is required. Suggestion: don't allow it to be configured or warn up front that IPv6 is required.

Apr 2019 Version: 2.4.3 services_dhcpv6_relay.php has form to set agentoption but services_dhcrelay6_configure doesn't use agentoption maybe copy and paste from the old dhcrelay code missed it? Note this is not the historical dhcrelay with FreeBSD. That was removed. This is the newer dhcrelay that supports DHCPv6. That version's -a -m flags are only the DHCPv4 mode.

Jun 2016 Version: 2.3 diag_smart FIXED it appears the diag_smart is broken. For example, its has $start_script = "/usr/local/etc/rc.d/smartd.sh"; and it is used once for a stop and start. But that script doesn't exist. It is at /usr/local/etc/rc.d/smartd (no ".sh" at end). Anyways, I now see the code there is marked with //FIXME. The smartd -M test is used to test configuration. Also in diag_smart, it tries to put email address into /usr/local/etc/smartd.conf but that file doesn't exist. Then it does an attempted HUP of smartd but that daemon is not running. Also the user interface is not intuitive. I'd suggest it have options to enable the service, and that the "Send test email" button should be available even if email address is not saved; I didn't test but I think can be done like: echo /dev/sda -m foo@host -M test | smartd -c - -q onecheck (By the way, it is interesting to have such a detailed disk monitoring service, so it would be just as important to have a network device and network in general monitoring service; I understand sending email may not work, but it could check for some "predictive" failures and send warning before network is down.) *** It may be fixed as this code is now gone. *** See #6393 https://redmine.pfsense.org/issues/6707

Jun 2019 Version: 2.4.4-p3 diag_smart.php commit ad477ffafc4491ccc7a9c69686cfdb404e6a7bca was incomplete as it still had Information and Tests subpage link even though Config is removed. See it still has unused code: pgtitle[] = gettext('Config');

Jun 2019 Version: 2.4.4-p3 diag_smart.php SUGGESTION: have the Abort, SMART View Logs, Test Results, and Information pages show the device name on the page. (The device name is currently selected on previous page so show it on these output results pages too.)

May 2019 Version: 2.4.4-p1 system_advanced_misc.php harddiskstandby says "minutes" but the form shows numbers that look like seconds. camcontrol standby -t uses seconds. The opts/vals doesn't seem right at all for camcontrol standby -t. For example, I set to 90 which resulted in 7.5 and I have standby state within 10 seconds. Also I don't see how to revert a change (disable it) as "Always on" is not numeric, so camcontrol standby not called. Value 0 disables timer. But I don't see how that is set. Even after I put back to "Always on" it was in standby state. So I chose 90 and saved. Then chose Always on and saved. But have: # while : ; do camcontrol cmd ada0 -a "E5 00 00 00 00 00 00 00 00 00 00 00" -r - ; sleep 1 ; done 50 00 00 00 00 00 00 00 00 FF 00 50 00 00 00 00 00 00 00 00 FF 00 50 00 00 00 00 00 00 00 00 FF 00 50 00 00 00 00 00 00 00 00 FF 00 50 00 00 00 00 00 00 00 00 FF 00 50 00 00 00 00 00 00 00 00 FF 00 50 00 00 00 00 00 00 00 00 FF 00 50 00 00 00 00 00 00 00 00 FF 00 50 00 00 00 00 00 00 00 00 FF 00 50 00 00 00 00 00 00 00 00 FF 00 50 00 00 00 00 00 00 00 00 FF 00 50 00 00 00 00 00 00 00 00 FF 00 50 00 00 00 00 00 00 00 00 00 00 50 00 00 00 00 00 00 00 00 00 00 50 00 00 00 00 00 00 00 00 00 00 50 00 00 00 00 00 00 00 00 00 00 ^C See the field #10 changed from running FF to standby 00. I manually turned off with: camcontrol standby ada0 -t 0

Jun 2016 Version: 2.3 diag_dns.php press enter when adding a hostname when "add alias" is first button will cause the entry to be added as a Firewall Alias even if just wanted to look it up. IN addition, it will add the alias even if "could not be resolved." My recommendation would be to have "Lookup" button be first button.

FIXED: Jun 2016 Version: 2.3 diag_dns SUGGESTION: for the DNS Stuff links in diag_dns could also add links to DNS research and not just the IP. Ignore this since those links were removed so no need to link to anything outside.

Aug 2016 Version: 2.3 services_unbound has system_domain_local_zone_type type of redirect but does not have corresponding (second) "local-zone:" line for it that has the different address record. And related, when "Redirect" choice is set unbound crashed with: Aug 11 08:37:20 unbound 27341:0 error: local-data in redirect zone must reside at top of zone, not at Wireless_Broadband_Router.office IN A Aug 11 08:37:20 unbound 27341:0 fatal error: Could not set up local zones Aug 11 08:38:01 unbound 58991:0 error: local-data in redirect zone must reside at top of zone, not at Wireless_Broadband_Router.office IN A Aug 11 08:38:01 unbound 58991:0 fatal error: Could not set up local zones BUT no Notices indicated it and no input errors were detected. When I set System Domain Local Zone Type to Deny or to default Transparent I get input errors detected: The generated config file cannot be parsed by unbound. Please correct the following errors: [1470922977] unbound-checkconf[77900:0] error: local-data in redirect zone must reside at top of zone, not at pfSense.office AAAA fde4:8dba:82e1:: [1470922977] unbound-checkconf[77900:0] fatal error: failed local-zone, local-data configuration NOTE: it still says "redirect" zone even though using transparent now. config.xml still had: <system_domain_local_zone_type>redirect</system_domain_local_zone_type> meaning I couldn't change it. I made it so the test subdirectory wasn't removed. I removed my Host Override entry and applied the change and it was successful. unbound process still not running so I clicked the Start Service action icon. The status_services page said "unbound had been started" but then showed below "Stopped" status for it. I used viconfig to remove the bogus system_domain_local_zone_type entry. Then the Start service action worked. I recommend that the "redirect" choice be removed until it can be configured with additional details.

Aug 2016 Version: 2.3 services_unbound.php has "Register DHCP leases in the DNS Resolver" unchecked by default but unbound.conf includes dhcpleases_entries.conf which has them by default. I played with dnsmasq earlier and it started the dhcpleases watcher daemon and since unbound was enabled it included unbound configuration setup. When I stopped dnsmasq and even though unbound didn't have it enabled, it still kept running. The bugs: 1) /etc/inc/system.inc don't configure dhcpleases for unbound if unbound's regdhcp is not enabled. 2) stop dhcpleases daemon when not used. 3) remove the hostnames from dhcp leases in /dhcpleases_entries.conf (see comment "dhcpleases automatically entered") when dhcpleases / regdhcp for unbound is no longer used.

Aug 2016 Version: 2.3 FIXED maybe I am overlooking it, but I don't see any code honoring unbound's regdhcpstatic setting. I do see it for dnsmasq.

Aug 2016 Version: 2.3 move services_unbound.php custom_options to services_unbound_advanced.php. This is certainly a dangerous feature so move to "Advanced Settings". Also it makes it more obvious that some features are already available via the webConfigurator.

Aug 2016 Version: 2.3 services_unbound_advanced.php this is a trivial bug here and elsewhere, but checkbox and other form input names are inconsistently ending with or without trailing periods. Also some statements begin with capitalized letter and some don't. Be consistent. While in services_unbound_advanced.php change "0x-20" to "0x20".

Aug 2016 Version: 2.3 services_unbound_advanced.php has Number of Queries per Thread and a few other tunable descriptions that mention "thread" but the number of threads isn't displayed. Consider showing the value here. In some cases the default is only "1" (disabled) so using this terminology doesn't make sense.

Aug 2016 Version: 2.3 services_unbound_advanced.php shows Number of Queries per Thread has 512 even though I have: /var/unbound/unbound.conf:num-queries-per-thread: 4096 which is the default in ./etc/inc/unbound.inc so if you save that page it will reset it to 512. Probably 512 is okay, but it shouldn't reset its default.

Aug 2016 Version: 2.3 services_unbound_acls.php allows an access list rule that doesn't have any name. So if you have no name, and no description then the table view will just show the action with blank fields next to it. So you have edit and delete icons with zero reference to what they are for. This is not intuitive. I recommend that the address/net is listed in the table view to be more obvious. Then you don't need the Access List Name plus a description. I suggest this be simplified. If don't show the address/net in the table, then require some name or description. In fact, maybe simplify more to just have the description per network and not per rule.

Aug 2016 Version: 2.3 services_unbound_acls.php and /var/unbound/access_lists.conf access-control:. I don't know if this is a bug in pfsense or in unbound, but from various checks it appears that allow and allow_snoop behave the same. I am able to see the same cached entries with allow and also am able to see the local-data: authoritative (aa) entries from host_entries.conf with allow. According to docs, allow_snoop is for nonrecursive too, but I see the authoritative data with out sending recursion-desired bit with "allow" too. I cannot get the authoritative data when the DNS Resolver access list is empty so can confirm that opens it. If I am checking this wrong, please improve the docs to make it more clear.

Aug 2016 Version: 2.3 services_unbound_acls.php?act=new has a Delete button for the Networks even if a single entry. But if you click on it, it has popup "You may not delete the last row!" It should not offer a Delete button if it cannot be used. "row" is wrong word for this anyways and is out of context. If you click "Add network" and then on either "Delete" button, both "Delete" buttons will disappear. So that is correct as it shouldn't have a Delete button for a single required entry. Another BUG there is that when you Delete the entry, it will show the text "Network/mask Network/mask" (twice) even though there is only one set of fields for that.

Aug 2016 Version: 2.3 services_unbound.php FIXED I cannot get any Host Override to be configured with unbound. /var/unbound/host_entries.conf lists my /etc/hosts entries but not my override entries. My config.xml has my <hosts> details for <unbound> but I don't see it at all in my /var/unbound settings. I don't see any /etc/inc/unbound.inc code to use it but may be overlooking. https://redmine.pfsense.org/issues/6712 Maybe this bug no longer exists. Seems to work now as they are in /var/unbound/host_entries.conf and it works. I now see code in system_hosts_override_entries in system.inc and unbound_add_host_entries in unbound.inc.

Apr 2019 Version: 2.4.3 /etc/inc/unbound.inc domain overrides is not documented that it will do domain-insecure: by default. This seems like a wrong hidden option that could have a choice. While there see comment about "stub-addr:" which has no corresponding code.

Aug 2016 Version: 2.3 the unbound Domain Override versus the dnsmasq Domain Override have different behavior. It is a different feature with same name. Unbound uses stub-zone which queries the defined auth server and then returns the record from then on from the resolver cache. This means the unbound answer is not "aa" and the TTL counts down. But for the dnsmasq feature, it is always "aa" authoritative and the TTL never counts down (since dnsmasq re-looks-up answer in real time each time). Unbound requires that RD recursion desired bit to set to see it or it is REFUSED. dnsmasq doesn't refuse it if RD is not set. This is two very different implementations, but have same "Domain Override" name. Either clearly document this. Optionally also change the names of these pfSense features.

Aug 2016 Version: 2.3 services_unbound_domainoverride_edit.php "e.g.: testormycompany.localdomainor1.168.192.in-addr.arpa" I assume spaces were meant for the three examples in that Form_Input description, like "e.g.: test or mycompany.localdomain or 1.168.192.in-addr.arpa"

Jul 2016 Version: 2.3 dnsmasq does it make any sense to use -\-strict-order (strict_order option) with pfsense's default -\-all-servers ? maybe the /etc/inc/services.inc conditional should have an "else" to set -\-all-servers

Aug 2016 Version: 2.3 services_dnsmasq says "Entries in this section override individual results from the forwarders. Use these for changing DNS results" , but the forwarders aren't queried for these overrides nor does it change DNS results. In the case with Host Overrides, it is simply an authoritative server. I verified this with tcpdump :)

Aug 2016 Version: 2.3 services_dnsmasq doesn't have a delete icon for an Hosts Override alias entry , please add that. And another related in services_dnsmasq_edit when clicking Delete on a single alias (additional name) causes a pop-up "You may not delete the last row!". Please allow removing it. And third if you delete the parent Hosts Override entry via the delete icon in the table, it will also remove its aliases (additional names); I suggest that it keep them since not obvious.

Jul 2016 Version: 2.3 services_dnsmasq_edit.php is overly strict. It uses is_unqualified_hostname() which doesn't allow a period, so cannot use hostname "foo.bar" and domain "tld" and will error with "A valid hostname is specified, but the domain name part should be omitted". Same thing with the "Additional Names" alias.

Jul 2016 Version: 2.3 in services_dnsmasq_edit.php if click "Add Host Name" under "Additional Names for this Host" and save, it will error abou the empty field: "The field Alias Domain is required." The workaround is to click "Delete" button for that new empty field. It should just ignore the empty entry if all empty.

Jul 2016 Version: 2.3 services_dnsmasq the services_dnsmasq Host Overrides are misleading since it has different fields for Host and Domain, so someone may configure "www" with "apple.com" and "www" with "ibm.com" and then the "www" will be resolved in DNS as a round-robin with both addresses returned. Also the first match, based on alphabetical order, will be returned for gethostbyname-type lookups using the /etc/hosts database. In other words, an admin adding an entirely different DNS label to the Host Overrides but has same first "Host" part will break other entry. My recommendation is to get rid of the "Host" part and just have a single "DNS name" field; if someone wants the old behavior they can still add additional entries for it.

Aug 2016 Version: 2.3 services_dnsmasq_domainoverride_edit mentions "#" (pound sign) for the dnsmasq special server address to forward as usual. But the gui interface won't accept it and says "Please match the requested format." I assume it is because it is using Form_IpAddress. Same thing for "!" to not forward. It won't let it Save.

Aug 2016 Version: 2.3 services_dnsmasq_domainoverride_edit maybe Source IP should use a Form_Select of interfaces such as done in services_dnsmasq. If not, then better explain this here.

Jul 2016 Version: 2.3 services_dnsmasq_domainoverride_edit.php Domain Override doesn't require "Apply Changes" button to be used when Saved and automatically restarts dnsmasq with the -\-server and -\-rebind-domain-ok switches. This is different behavior versus the Host Overrides and other Forwarder options which, when Saved, indicates changes must be applied to take effect.

Jul 2016 Version: 2.3 services_dnsmasq.php or related ... the DNS overrides will not be placed into /etc/hosts until the "Enable DNS forwarder" is set. But if the "Enable DNS forwarder" is unchecked, saved and applied, the entries will stay in the /etc/hosts file - no dnsmasq will be running but local programs like ping will still have access to them. This is inconsistent - either put them into /etc/hosts regardless, or remove from /etc/hosts if dnsmasq is not enabled.

Jan 2018 Version: 2.3.3 /etc/inc/dyndns.class comment has "dyns.org" but I think that is dyns.net.

Jan 2018 Version: 2.3.3 FIXED services_dyndns_edit "Verify SSL peer" checkbox doesn't show its corresponding form label. It is set to "null". I suggest it be set to "HTTP API options". By the way, maybe curl_ssl_verifypeer form should be also called "HTTP API options" as pfsense users shouldn't have to know what "CURL" is. https://redmine.pfsense.org/issues/7588

FIXED Jan 2018 Version: 2.3.3 services_rfc2136_edit.php and services_dnsupdate_process() suggest allow HMAC-SHA256 too as that is default for newer BIND key generation tools.

FIXED Jan 2018 Version: 2.3.3 services_rfc2136_edit.php and services_dnsupdate_process() The Key Type choices don't matter. It is used in services_dnsupdate_process() to set the flags and protocol for the KEY resource record. But nsupdate code does not use the key flag nor key protocol.

Jan 2018 Version: 2.3.3 services_checkip.php more information tip says "... will be used to check IP addresses for Dynamic DNS services, and RFC 2136 entries that ...". This is misleading as an admin may think that the Dynamic DNS Clients feature uses it. Suggestion: "... will be used to retrieve real IP addresses for RFC 2136 Clients services that ..." Also suggest that the services_rfc2136_edit.php "Use public IP" link to it or mention it.

Sep 2017 Version: 2.3.3 suggestion for firewall_rules.php if isset($filterent['log'] consider also adding a hyperlink to the status_logs_filter.php page

Sep 2017 Version: 2.3.3 FIXED firewall_rules.php?if=lan bytes is negative in states detail I see this is already reported: https://redmine.pfsense.org/issues/7075 and fixed six months ago.

Sep 2017 Version: 2.3.3 firewall_rules.php for printing the gateway, if no description it will use guiconfig.inc's pprint_port() which will provide an asterisk if no value or if a number may match a well known port name. I don't think this is what is meant for the gateway. If this is meant so it can use the first part of name delimited with a dash (-) I think there is a more sane way to do it and this existing way may break in the case of gateway names with a dash in it.

Jul 2018 Version: 2.4.3 firewall_rules_edit.php code comment says "if user enters an alias and selects "network" then disallow." and uses is_alias but error message implies "alias" is okay: $input_errors[] = gettext("Alias entries must be a single host or alias."); And why not allow a "network" alias with the source or destination "network"? Note the first time it will complain about missing bit count but then will auto-define it (like /32) so won't complain the second time. If it could use the network alias then should get bit count from it?

Aug 2018 Version: 2.4.3 firewall_rules_edit.php Suggestion: Add "unknown" as a choice for the Source OS

Aug 2018 Version: 2.4.3 dscp For dscp in advanced firewall options, I chose chose various codepoints but pfctl -sr didn't show the same numbers as in filter.inc. For example from /tmp/rules.debug: pass in quick on $WAN reply-to ( re0 ) inet proto tcp from any to any dscp "8" tracker 1533130107 flags S/SA keep state label "USER_RULE: testing" and from pfctl -sr: pass in quick on re0 reply-to (re0 inet proto tcp all flags S/SA dscp 0x20 keep state label "USER_RULE: testing" DON"T REPORT THIS. ALREADY REPORTED? https://forum.netgate.com/topic/24423/pfctl-sr-results-from-the-diffserv-code-point-wrong/3

Aug 2018 Version: 2.4.3 /etc/inc/filter.inc should "EF" dscp code be replaces with value 46 (like VA becomes 44)?

Aug 2018 Version: 2.4.3 firewall_rules_edit.php suggestion: reorder advanced options to put State types before state options and put "Max. src. states" immediately after corresponding "Max. src nodes" (and before "Max. connections").

Aug 2018 Version: 2.4.3 firewall_rules_edit.php SUGGESTION: mobve tha advanced options nopfsync and nosync form fields next to each other since their use is similar.

Mar 2018 Version: 2.3.3 firewall_aliases_edit.php?tab=port Mistakenly used dash instead of colon. entered "55-1255" in the Port field and clicked save and a popup said "Please match the requested format: IPv4 address like ..." This is a "port" but error is about IP address.

May 2016 Version: 2.3 system_advanced_firewall.php I saw multiple sentences and paragraphs in the interface that were verbatim from the pf.conf manual; the license.php page should list the copyright and license. (I report this multiple times and have not listed all places.)

May 2016 Version: 2.3 system_advanced_firewall.php document why pfsense_default_state_size() assumes each state is 10 kB in size?

May 2016 Version: 2.3 system_advanced_firewall.php no where else in the code, dead code? $ipseccfg['dns-interval'] see dns-interval for similar config

Aug 2018 Version: 2.4.3 firewall_schedule.php Trashcan is available for rules in use and popup is displayed to delete it. It doesn't delete it. I suggest that the trash can icon be disabled myybe saying it is in use, and if possible have link to rule. Also real problem, says "Cannot delete schedule. Currently in use by ." But the $referenced_by is empty. so sentence is incomplete. This happened with no descr. I made mine also show the $rule['tracker'] but would be nice to link to it too.

Aug 2018 Version: 2.4.3 system_advanced_misc.php Schedule States checkbox is only about custom pfctl -y. Schedules at this time is only used by packet filter. This is on the Miscellaneous page, but makes more sense to be on the Firewall & NAT page.

Sep 2017 Version: 2.3.3 firewall_virtual_ip_edit.php setting the CARP password but not the confirm password complains. <input class="form-control" name="password_confirm" id="password_confirm" type="password" placeholder="Virtual IP Password"> (no value) But you can immediately save with the bogus unseen password and confirm there. See source then has "value" defined. <input class="form-control" name="password_confirm" id="password_confirm" type="password" value="********" placeholder="Virtual IP Password"> And resulting conf will be: <password></password> even though a CARP password is required.

Oct 2017 Version: 2.3.3 status_carp.php related status shortcut goes to the same page! Don't have links to oage you are already on.

May 2017 Version: 2.3.3 FIXED diag_pftop.php has "Size" for sorttype which is not an order type known by pftop. (sort_size_callback in pftop is "Bytes".) Size is not a sort option and is same as "none". https://redmine.pfsense.org/issues/7579

May 2017 Version: 2.3.3 FIXED diag_pftop.php should not have sort options choices of Peak and Rate since only useful if have cached information as available in interactive mode (see text console version) to calculate the instantaneous speed and peak speed. https://redmine.pfsense.org/issues/7580

Apr 2017 Version: 2.3.3 FIXED /etc/pfSense.obsoletedfiles has wrong path for diag_system_pftop.php see 1af5edbf04e0e3bbbc55981f6fc404b60ff33f2b (note different php file now) https://redmine.pfsense.org/issues/7581

Jun 2016 Version: 2.3 FIXED diag_dump_states.php clicking the Packets or Bytes header for sorting is no intelligent nor intuitive. It doesn't really sort packet counts or bytes considering they may be formatted using acronyms. Also the sort is for just one part, but each has two counts in/out. THIS APPEARS TO BE FIXED.

Apr 2017 Version: 2.3.3 diag_dump_states.php enter a non-existent but valid IP address and will get a Kill States button but no states listed. This is not intuitive to remove states that don't exist. https://redmine.pfsense.org/issues/7582

Jun 2016 Version: 2.3 diag_resetstate.php header says "Select States to Reset" but the docs there says "will remove all entries from the corresponding tables". There is nothing to select in this view. https://redmine.pfsense.org/issues/6709

Jun 2016 Version: 2.3 diag_resetstate.php if the checkbox is UNchecked, clicking "Reset" still prompts "Are you sure you wish to Reset?" and Okay does nothing. This is not intuitive. Get rid of the checkbox. The pop-up window is good enough. https://redmine.pfsense.org/issues/6710

Jun 2016 Version: 2.3 FIXED diag_states_summary is not intuitive as each table has two columns with same "# States" header. first is for $ipinfo['seen']; and second is for $protoinfo['seen']; Maybe have the header say "Protcol counts" over the last three fields or add a documentation line at top (or bottom) to explain that. FIXED https://redmine.pfsense.org/issues/6711

Jun 2016 Version: 2.3 diag_tables be consistent in naming or add more doc details to the diag_tables page as custom tables are called "aliases" elsewhere also it uses the word "database" in some places for table or aliases too. https://redmine.pfsense.org/issues/6713

Jun 2016 Version: 2.3 diag_tables often says "Date of last update of table is unknown." but table comments at same time shows the date: last updated 1463027701 (Thu May 12 04:35:01 2016 GMT) (that was for bogons) I assume one is for the locate timestamp while the other is the timestamp as provided in the remote's original file, but either way using same terminilogy may be confusing, so maybe should be explained there. MAYBE FIXED AS I CANNOT SEE THIS ANYMORE

Jun 2016 Version: 2.3 diag_tables has "Related status" shortcut for "aliases" that goes to same diag_tables page. diag_routes and maybe other pages have this too. It was a little misleading to click through it to realize it was not a related page. Suggest comparing the target with the link, like is done for Related settings in shortcuts.inc: if (!empty($link) && ($_SERVER['REQUEST_URI'] != "/{$link}")) { (that worked for me) But maybe there was a reason already this wasn't used? I didn't notice problem for Related logs, but maybe there too. Just added to my existing ticket: https://redmine.pfsense.org/issues/6701

Feb 2018 Version: 2.3.3 status_logs_settings.php SUGGESTION: put all the packet filter related settings (like filterdescriptions) together in a section with a header for it.

Feb 2018 Version: 2.3.3 status_logs_filter.php when using the "Display as second row" setting, then clicking on a column header for the status_logs_filter logs, it will separate the second rows with the description/labels from the log entries. Clicking again to reverse any sort doesn't fix it. The sorting should keep the description/labels with its corresponding log. (I know "Display as column" is a workaround.)

Feb 2018 Version: 2.3.3 status_logs_filter_summary.php The code is there and the output in the HTML source shows it but with my firefox browser I don't see the pie charts for the source and destination ports. The data points are there. The other pie charts work fine.

May 2016 Version: 2.3 system.php config is called DNS Forwarder but it is not a DNS Forwarder; tcpdump showed it doing recursive resolution starting at the gtld-servers and not using any forwarder

Mar 2017 Version: 2.3.3 The pagenamefirst option (Display page name first in browser tab) is available for user's customization (system_usermanager.php or system_user_settings.php) but is not included with the same customizations done by admins on system.php. Instead it is at system_advanced_admin.php. This is inconsistent. This is a general setting and should be on the system.php page (and not system_advanced_admin.php). See gen_pagenamefirst_field.

Apr 2019 Version: 2.4.3 system_advanced_admin.php althostnames says "to bypass DNS Rebinding Attack checks". This is for pfSense webpage only, as the two DNS services use their own "domainoverrides" instead. This here is misleading, so mention this is for the pfsense interface only.

May 2019 Version: 2.4.4-p1 system_advanced_admin.php the sshdkeyonly form checkbox became a form. That is fine, but the field title changed from Authentication Method to SSHd Key Only. Please change it back to Authentication Method, since the "key only" is only one of the three Authentication Method choices.

2090516 system_advanced_misc.php do_not_send_uniqueid is misleading Even when checked, your pfSense version is still reported. This is an information disclosure and will happen for alias URL downloads too. For security best practices, disclosing that the IP address is running pfSense and disclosing a specific pfSense version is wrong. Maybe it is okay for HTTPS downloads direct from pfsense, but not for alias URL or URL table downloads and other non-pfsense URIs.

Aug 2016 Version: 2.3 system_advanced_sysctl.php allows adding a tunable with a bogus name or bogus value. Maybe report sysctl output? https://redmine.pfsense.org/issues/7576

Aug 2016 Version: 2.3 system_advanced_sysctl.php SUGGESTION: I'd put the system_advanced_sysctl.php settings on the corresponding pages instead of several unrelated on a single form.

Jun 2019 Version: 2.4.4-p3 notices.inc misspelled: smptcount I don't see any other use of it, so nothing failing due to misspelling.

FIXED Sep 2018 Version: 2.4.3 system_advanced_notifications.php notifications had Enable STARTTLS checkbox, but I didn't see smtptls in 2.4.3. This option was removed in c8c46e5a8e9551db0172b79aae1fee4553b3bf7d in 2016.

Aug 2016 Version: 2.3 system_advanced_notifications.php has a button to test growl, but no indication locally if used or not. In particular shouldn't it warn if the IP address and password is blank? In addition, there is no indication locally if the Test SMTP Settings button did anything. Since it says uses the currently stored configurations, it should show what they are here just in case changed above, or when the test is done it could display what settings were used. or could use multiple submit buttons and call this one Save and Test SMTP Settings? https://redmine.pfsense.org/issues/7577

Sep 2018 Version: 2.4.3 /etc/inc/notices.inc As far as I can tell nothing uses "notification_name". It is configurable but not used. I assume it was meant to be used for the growl "title".

Oct 2018 Version: 2.4.3 /etc/rc.filter_synchronize has code for exclusions for ['aliases']['alias'][$x]['nosync'] ['dnsmasq']['hosts'][$x]['nosync'] ['ipsec']['tunnel'][$x]['nosync'] but I don't see how nosync can be set for aliases, dnsmasq, nor ipsec.

Aug 2018 Version: 2.4.3 Recover config.xml: If it cannot find the file or there is some error, the messages will display too fast to read and will take you back to the main welcome menu.

Aug 2018 Version: 2.4.3 text installer prompts twice at end about using the shell. Once a yes/no and other as reboot/shell choices. This is redundant.

Aug 2018 Version: 2.4.3 After did Revert & Exit from the bsdinstall partedit back to the shell, I couldn't type in lowercase. So "exit" became "sh: EXIT: not found". and Ctrl-D just showed a "D". I had to reboot to install again.

Aug 2018 Version: 2.4.3 bsdinstaller NO SEE my bug details above *** Needs 2g disk for geli even if encrypt disks and encrypt swap are both set to NO.

Aug 2018 Version: 2.4.3 bsdinstaller zfs disk info curses window in installer showed 30% but couldn't scroll in the output using normal up and down arrow keys. Page up/down and home/end did work. I recommend that up and down arrow keys should work as some may not notice additional content.

Jan 2016 Version: 2.3 install why untar kernel from cd if already was copied to /mnt disk tar xzpf /kernels/kernel_*SMP*.gz -C /mnt/boot/ why not just untar it from /mnt tar xzpf /mnt/kernels/kernel_*SMP*.gz -C /mnt/boot/

Feb 2016 Version: 2.3 custom install why /etc/rmt link to non-existent /usr/sbin/rmt ?

May 2019 Version: 2.4.4-p1 2.4.4-p1 installer says there is not enough free space to install "1.0 GB free, 1.0 GB required"

Jul 2017 Version: 2.3.3 status_ipsec.php print_ipsec_body() suggestion: instead of printing value of esn (1) maybe show "ESN"?

Feb 2018 Version: 2.3.3 /etc/inc/ipsec.inc why both $ipsec_log_cats and $ipsec_loglevels arrays that are the same? I don't see $ipsec_loglevels used.

Nov 2018 Version: 2.4.3 /etc/inc/ipsec.inc $ipsec_loglevels list is redundant and not needed. See $ipsec_log_cats which is used.

Apr 2018 Version: 2.3.3 vpn_ipsec_mobile.php I don't see any code in /etc/inc/vpn.inc that uses group_source what is it for? maybe group_source setting is no longer used?

Dec 2018 Version: 2.4.3 vpn_ipsec_settings.php this uses verbatim content from strongSwan without any copyright mention or attribution.

Dec 2018 Version: 2.4.3 vpn_ipsec_settings.php add a space: "Enable IPCompression" checkbox or reword to "Enable IPComp compression"

Jun 2017 Version: 2.3.3 vpn_ipsec_phase1.php selected Internet Protocol: IPv6 and the Remote Gateway had an IPv4 address ( This mismatch caused the following input error: "A valid remote gateway IPv4 address must be specified or protocol needs to be changed to IPv6" This error message is reversed. Selecting IPv4 and entering an IPv6 address results in the wrong "A valid remote gateway IPv6 address must be specified or protocol needs to be changed to IPv4". The error messages doesn't make sense as it implies an invalid address is okay as long as the protocol is changed. Note that the input allows entering a hostname. I suggest that the checks be removed.

Jun 2017 Version: 2.3.3 vpn_ipsec_phase1.php has 'rekey_enable', 'Disable rekey', and 'reauth_enable', 'Disable Reauth' This is not a bug but a coding style issue or a user interface oddity. Note they both have variable called "enable" but the corresponding checkbox is disabled. Use a variable name like "_disable" that implies what it is really means. Or make it more user friendly by rewording and using existing variable names with checkboxes are checked by default.

Jun 2017 Version: 2.3.3 vpn_ipsec_phase1.php I think the whole configuration for this specific Phase 1 disappears when this splitconn is checked when there is no corresponding Phase2.

Jun 2017 Version: 2.3.3 vpn_ipsec_phase1.php editing an exiting phase1 key exchange version from IKEv2 to Auto or IKEv1 (and applying changes) makes no changes under /var/etc/ipsec/ (even though changes make it to config.xml)

May 2019 Version: 2.4.4-p1 vpn_ipsec_phase2.php choose "Routed (VTI)" mode after a tunnel mode default was selected shows the Remote Network Address field. But if you first look at Tunnel mode then Routed mode, the Remote Network fields are not displayed. I think "vti" it is missing a hideClass('opt_remoteid', false);

Jun 2017 Version: 2.3.3 ipsec what is purpose of pre-shared key in the phase 1 if no file is touched, but use Pre-Shared Keys page it is added and used?

Dec 2018 Version: 2.4.3 interfaces.php has Scripts as plural for the DHCPv6 advanced options. It is just a single script so be singular?

Dec 2018 Version: 2.4.3 /etc/inc/interfaces.inc The check for adv_dhcp6_key_info_statement_expire has "/((([0-9]{4}-)?[0-9]{2}[0-9]{2} )?[0-9]{2}:[0-9]{2})||(foreever)/" I think this is missing a required dash (-) between the month and day (mm-dd) per the manual https://www.freebsd.org/cgi/man.cgi?query=dhcp6c.conf

Apr 2019 Version: 2.4.3 interfaces.php check for a valid IPv6 prefix for prefix-6rd before using it. For example this was "ab:cd" as prefix-6rd: Apr 4 15:21:35 pfSense php-fpm[23877]: /interfaces.php: The command '/sbin/ifconfig opt1_stf inet6 2921:2120::/' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Invalid argument'

Apr 2019 Version: 2.4.3 /etc/inc/interfaces.inc interface_6rd_configure() log_error has "address ... is not public" but doesn't use is_private_ip() I assume this was a copy and paste from other sections in same code, but check for private IP wasn't needed but forgot to change the log output.

Apr 2019 Version: 2.4.3 /etc/inc/interfaces.inc interface_6to4_configure() twice uses the deprecated See https://tools.ietf.org/html/rfc7526 "Deprecating the Anycast Prefix for 6to4 Relay Routers"

Apr 2019 Version: 2.4.3 interfaces.php Track IPv6: IPv6 Prefix ID setHelp has: from 0 to %3$s) but the %3$s argument is '<span id="track6-prefix-id-range"></span>' resulting in: from 0 to ) Something is missing there. Other times it has a number like 3: (hexadecimal from 0 to 3) Make sure the output is clear.

Apr 2019 Version: 2.4.3 system_advanced_network.php Allow IPv6 has a note which is wrong. Multiple IPV6 features are disabled by not setting ipv6allow beyond just PF rules, like NTP status, IPv6 gateways, Unbound DNS resolver.

Apr 2019 Version: 2.4.3 ./system_advanced_network.php for ipv6duiden_id says "variable length" but RFC3315 says is eight octets and /etc/inc/util.inc is_duid() checks for a specific byte count and length (which includes the two-byte vendor number and the DUID type).

Apr 2019 Version: 2.4.3 /etc/inc/util.inc is_duid() checks for duid type 3 to be a specific size and length, but RFC3315 says the DUID-LL is a "variable length" for the link-layer address.

Apr 2019 Version: 2.4.3 interfaces.php when applying changes to save for an interface, unbound is started even though already running: Apr 5 00:11:46 pfSense php-fpm[23877]: /interfaces.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1554423106] unbound[71846:0] warning: too many file descriptors requested. The builtinmini-event cannot handle more than 1024. Config for less fds or compile with libevent [1554423106] unbound[71846:0] warning: continuing with less udp ports: 465 [1554423106] unbound[71846:0] error: bind: address already in use [1554423106] unbound[71846:0] fatal error: could not open ports' It didn't use the "reload" option or stop it first.

Oct 2017 Version: 2.3.3 load balancer relay layer 7 is for DNS over UDP only! it is broken as cannot even do DNSSEC even if over UDP. It is limited to ancient DNS, non-EDDNS0.

Oct 2017 Version: 2.3.3 load_balancer_pool.php it sets TCP options for dns proto which listens on UDP these "tcp" are not even used!

Oct 2017 Version: 2.3.3 load_balancer_virtual_server_edit.php has code for mode but it cannot change so maybe this is old and not removed yet? (It is a hidden value.) also ./load_balancer_virtual_server.php references mode but unused also /etc/inc/vslb.inc has a check for that mode == 'relay" which doesn't exist and even the old was called "relay_mode" but no way to set that either. I think code for relay_mode is old. Looks like old code or incomplete? If is old, then add a comment to these places in code to explain that.

Oct 2017 Version: 2.3.3 load_balancer_pool_edit.php A couple times I have created different pools with the same name. So two lbpool entries in config.xml with same name. This happens with the first pool (0). The code checks with: ($i != $id) which is 0 != "" which are equivalent empty values in PHP loose comparison. Using a strict comparison !== is not right because later checks for number $i versus string $id would make it so can't edit then save. Please check this differently.

Oct 2017 Version: 2.3.3 load_balancer_pool_edit.php The Monitor drop down is in the "Add Item to the Pool" section. Move it two places up, so is right before its corresponding Retry value.

Oct 2017 Version: 2.3.3 load_balancer_pool_edit.php input error says "The field Server List is required." but there is no field described as "Server List". Maybe change $reqdfieldsn to have instead: gettext("Enabled Pool Member") or something like that.

Oct 2017 Version: 2.3.3 load_balancer_pool_edit.php a blank entry got into the enabled server list, resulting in vague " is not a valid IP address or IPv4 subnet (in "enabled" list)." I could see and remove the blank line and continue successfully.

Oct 2017 Version: 2.3.3 load_balancer_virtual_server_edit.php input error says "is not a valid IP address, IPv4 subnet, or alias." but doesn't give the name of the field. See it starts with lowercase and usually these input errors are complete sentences starting with a subject.

Oct 2017 Version: 2.3.3 load_balancer_virtual_server_edit.php Port says an alias may be specified, but the port's Form_Input is for a 'number' so no text may be entered. The /etc/inc/vslb.inc code indicates this virtual server port can be an alias so change this to 'text'.

Oct 2017 Version: 2.3.3 load balancer I have lots of relayd logging of "unused protocol: dnsproto". At one time I did have that relay type configured but now using TCP but relayd.conf still has it defined but unused.

Oct 2017 Version: 2.3.3 load_balancer_virtual_server_edit.php changing an existing and working virtual server with relay protocol from TCP to use DNS may continue to have the pf rdr rule in place as seen with "pfctl -a relayd/FOO -vvsn" even though the relayd.conf has relay (instead of redirect) now (implying the apply happened). Restarting the service fixes it by removing the rdr translation rule. I didn't see the problem changing from DNS to TCP though.

Oct 2017 Version: 2.3.3 suggest more clear descriptions for default monitor ICMP ping and Generic SMTP service ready greeting check But where are these defined? are they even in a new install? I only see in an upgrade at /etc/inc/upgrade_config.inc

Oct 2017 Version: 2.3.3 load_balancer_setting.php doesn't show what is set by default. And even after defining all three values and saving (which end up in relayd.conf (timeout, interval, prefork) the Relayd Global Settings page has three blank fields. So if you click save again there it will lose your settings.

Apr 2019 Version: 2.4.3 load_balancer_setting.php prefork says default is 5 processes but manpage documents as 3 processes. If there is a custom code change for 5, maybe document that in the php script. The startup starts one "parent", three "ca", one "pfe", one "hce", and three "relay" processes for relayd. (On that note, maybe the "ca" processes aren't needed?)

Dec 2018 Version: 2.4.3 status_lb_pool.php The Reset button prompts if okay to reset and then reloads page to the previous enabled checkboxes. It makes no changes to system so no reason to have the btn-danger popup. If it did make changes to system it would next have the Apply Changes button to activate.

Oct 2017 Version: 2.3.3 status_lb_pool.php and /etc/inc/vslb.inc Enabled. Member Pool may contain a subnet. This is converted to a relayd.conf table of multiple IP addresses. The status page shows the subnet as a single entry and indicates all are down (red). The relayctl show hosts shows one of the hosts is up like "11 host 100.00% up" The get_lb_summary() function would see it, but status_lb_pool.php uses the server value from lbpool configuration. They won't match. is not The redirection works. relayd is working. It is just that the status_lb_pool.php doesn't indicate individual parts of subnets, so shows is all down (red color). It also doesn't show the percentage.

Feb 2018 Version: 2.3.3 status_logs_settings.php nginx errors can be seen in /var/log/nginx/error.log The log setting checkbox for "Web Server Log" is checked. It says "will appear in the main system log." This is confusing since is not in the main system log which would be the pfSense "General" default log. nginx configuration when checked logs to local5 which is /var/log/nginx.log and there is no way to view that with the status_logs.php logfile view. Whether or not it is checked I see errors in /var/log/nginx/error.log and also in /var/log/system.log. 404 error pages are in /var/log/nginx.log. I suggest fixing the explanation on where is it supposed to log when checked and when not checked. I suggest adding a way to view too. Also check if this /var/log/nginx/error.log is correct.

Feb 2018 Version: 2.3.3 status_logs_settings.php SUGGESTION: move the setHelp about port 514 earlier to the "Remote log servers" group.

Feb 2018 Version: 2.3.3 /etc/inc/rrd.inc cellular (ppp 3g) rrd data is for comma-delimited fields 2, 8, and 9. Which I assume is: rssi, upstream (bwupstream), downstream (bwdownstream) But the /usr/local/bin/3gstats.php comment and header indicates that mode has a comma so has a submode. Either that is wrong or the rrd.inc should use fields 2 and 9 and 10 instead.

Feb 2018 Version: 2.3.3 status_monitoring.php When selecting None for the graph category (left axis), and clicking Update Graphs, the graph disappears (as expected) but the Data Summary is still shown for an undefined graph. It shows the Data Summary for the previous category. If none, it shouldn't have a Data Summary especially since it has no explanation of the view it is for.

Oct 2017 Version: 2.3.3 ./js/pfSenseHelpers.js and ./firewall_nat.php and ./firewall_rules.php the separator save button should be renamed to "Add" as it is not saved! fa-save change to fa-plus and rename svtxt to addtxt and set to <?=gettext("Add")?>

Oct 2017 Version: 2.3.3 firewall_nat.php Delete button shouldn't prompt to remove if nothing is selected

Oct 2017 Version: 2.3.3 firewall_nat_edit.php SUGGESTION: top headers and title say Add instead of Edit if new, but this may be true for many forms.

Oct 2017 Version: 2.3.3 firewall_nat_1to1_edit.php If not set, error shows: The field External subnet is required. but that should say "External subnet IP" as the subnet part is from other setting. Also error: The field Source address is required. is invalid as the page doesn't say "Source". but on the page it is Internal IP Address/mask.

May 2016 Version: 2.3 just for code /etc/inc/filter.inc s/ftp_proxy_entry/tftp_proxy_entry/ because it is TFTP not FTP no behavior change By the way, why does xinetd listen on port 6969 and fork tftp-proxy by default, even if not used? xinetd logs about "readjusting" this every 15 minutes even if not used.

Oct 2017 Version: 2.3.3 firewall_nat_npt_edit.php error has: The field Source prefix is required. but the page doesn't have "Source". as it is the Internal IPv6 Prefix Address. Also the error: The field Destination prefix is required. is wrong too as it is the Destination IPv6 Prefix Address. Also it allows IPv4 addresses. Consider checking and restricting this to IPv6 only.

Jul 2018 Version: 2.4.3 firewall_nat_npt_edit.php The "srcnot" checkbox is confusingly labeled as "Internal IPv6 prefix". That is for this section, but maybe this should be worded more clearly or identified better. Same as the "Destination".

Jul 2018 Version: 2.4.3 firewall_nat_npt_edit.php allows IPv4 addresses with IPv6 /128 style prefixes. Maybe the interface should explain what it is for or the code should restrict what is accepted. Note that it will self-correct to /32 after saving if using IPv4.

Apr 2019 Version: 2.4.3 /usr/local/pkg/miniupnpd.inc only sets bitrate_up and bitrate_down if both download and upload are set. There is no explanation that one is unused if the other is blank. Just allow one to be used or document reason.

Apr 2019 Version: 2.4.3 /usr/local/pkg/miniupnpd.xml SUGGESTION: overridewanip setting should use amenu to select from existing IP addresses like virtual IPs, like other menus do instead of manually typing an existing IP in.
suggest using a menu for this?

Apr 2019 Version: 2.4.3 /usr/local/pkg/miniupnpd.xml SUGGESTION: upnpqueue setting should use a menu to select from existing queues like other menus do instead of manually typing a queue name in.
suggest using a menu for this?

May 2017 Version: 2.3.3 diag_packet_capture.php link to tcpdump manpage is different version than FreeBSD version. I did a quick look with wdiff and the manuals are about 6% different.

May 2017 Version: 2.3.3 diag_packet_capture.php The reverse dns lookup help suggests that the packet capturing may perform a reverse DNS lookup. This is misleading. This reverse lookup is only done when pfSense is viewing the results. Maybe change the help to: "Convert addresses and port numbers to names when viewing the captured packets. This option may cause delays when viewing large packet captures." I am fine with keeping same name even though it is not just about DNS.

Jun 2016 Version: 2.3 FIXED diag_sockets.php the diag_sockets.php info says sockstat uses -L when using the -l. It does not use -L and it does show the the loopback addresses (::1 or Also why there don't use the man page details verbatim, so exclude the unnecessary ADDRESS and other UNIX sockets documentation. FIXED https://redmine.pfsense.org/issues/6708

Jun 2016 Version: 2.3 diag_testport It may be useful to run netcat with -v and provide that output, like "No route to host" or "Succeeded!".

Jun 2016 Version: 2.3 diag_testport 1) can output error "Cannot connect to an IPv6 address using IPv4." (and vice-versa) But that is_ipaddrv4 / is_ipaddrv6 is for IP addresses. The "host" field may be a hostname, so a hostname like ipv6.test-ipv6.com returns only AAAA, and doesn't give that "Cannot connect" error. This is misleading. I do understand that the hostname is passed direct to netcat. 2) In addition, diag_testport has confusing documentation about mix of IPv4 and AAAA, but I can set IP Protocol to IPv6 and I have NO IPv6 and a test will return "successful." Also it uses the word "forced" but IPv4 and IPv6 are only options so one must be selected. 3) since the IP Protocol list only has two choices, maybe just display as radio instead of drop-down menu 4) the diag_testport code suggests that -4 or -6 should be used, but that is only done if the host is an IP number and not a hostname. It is interesting that the code has many checks for setting this -4 or -6, but the IP Protocol selection is not even used unless the host is an IP number. If -6 is used on an IPv4 network, even the getaddrinfo() will fail and netcat will indicate that (but diag_testport won't do that). 5) Actually the IP Protocol selection as a choice makes no sense: diag_testport is smart enough to detect that it is mismatched and smart enough to see an optional sourceip's protocol, then it is smart enough to select the protocol on its own. But if it would honor the ipprotocol for hostnames (no IP number), then maybe a value of having that IP Protocol selection is valid. diag_testport It may be useful to run netcat with -v and provide that output, like "No route to host" or "Succeeded!". https://redmine.pfsense.org/issues/6714

Jun 2016 Version: 2.3 diag_traceroute.php misspelling for "number": 'Maximum nuber of hops' ALREADY FIXED

Jun 2016 Version: 2.3 diag_traceroute.php the max hops for FreeBSD IPv6 traceroute6 is 255, which the max allowed IPv6 "hops limit". Maybe it should allow that? Then again, the nginx may Time-out beyond 64?

Jun 2016 Version: 2.3 diag_traceroute.php the IPv4 traceroute when resolving IPs to hostnames outputs both, but the IPv6 traceroute6 only shows the hostnames and not the address. My suggestion is to use -l when ipv6 when not using -n. The max hops for FreeBSD IPv6 traceroute6 is 255, which the max allowed IPv6 "hops limit". Maybe it should allow that? Then again, the nginx may Time-out beyond 64? https://redmine.pfsense.org/issues/6715

Oct 2017 Version: 2.3.3 services_snmp.php Bind Interface drop-down had a couple empty entries: <option value="_vip59cd5846137fa"> </option><option value="_vip59cd593b899e8"> </option> If these _vip entries should be there, they should have some identifier there.

Apr 2018 Version: 2.3.3 interfaces.php suggest change of Description label to "Name"

Apr 2018 Version: 2.4.3 interfaces.php and interfaces.inc Speed/Duplex passes along wrong values to ifconfig: setting it on a wireless indicated it changed and accepted changes but next view of configuration showed back to default. Logs had: Apr 27 14:17:49 pfSense php-fpm[312]: /interfaces.php: The command '/sbin/ifconfig 'ath0_wlan0' media 'DS/5.5Mbps' mediaopt 'mode'' returned exit code '1', the output was 'ifconfig: SIOCSIFMEDIA (media): Device not configured' <option value="DS/5.5Mbps mode autoselect">DS/5.5Mbps mode autoselect</option> It should not have had "mediaopt mode". see interface_configure() Also where is "media" set. I only see mediaopt. I think the Speed and Duplex should be renamed to "Media Types and Options" and whatever supported media (ifconfig -m) string is used probably could be used on ifconfig arguments verbatim.

Oct 2018 Version: 2.4.3 interfaces.php when using the DHCP Client Configuration option the Hostname field disappears per: if (ovr) { hideInput('dhcphostname', true); But interfaces.inc uses it for its substitution: /* Apply Hostname Substitutions */ $dhclientconf = str_replace("{hostname}", $ifcfg['dhcphostname'], $dhclientconf); To fix this don't hide the input field OR if it is meant to be the system hostname substitute with $config['system']['hostname'] instead

Apr 2018 Version: 2.4.3 status_interfaces.php pressing SPACEBAR to attempt to scroll down on this page may toggle the first DHCP "Release" button without realizing it. I suggest that pressing SPACE on this page doesn't disable DHCP.

Nov 2017 Version: 2.3.3 status_interfaces.php "In/out packets" is redundant with ""In/out packets (pass)". They have the same information. See /etc/inc/pfsense-utils.inc where they have the same settings. $ifinfo['inpkts'] = $in4_pass_packets + $in6_pass_packets; $ifinfo['outpkts'] = $out4_pass_packets + $out6_pass_packets; $ifinfo['inpktspass'] = $in4_pass_packets + $in6_pass_packets; $ifinfo['outpktspass'] = $out4_pass_packets + $out6_pass_packets;

Feb 2019 Version: 2.4.3 interfaces_bridge_edit.php FreeBSD docs verbatim copied of multiple sentences without reference to FreeBSD copyright or license

Mar 2018 Version: 2.3.3 interfaces_vlan_edit.php priority for VLAN "pcp" is passed to pfSense_vlan_create but I don't see where pfSense_vlan_create() uses it. Maybe this is related to https://forum.pfsense.org/index.php?topic=123889.0 and https://redmine.pfsense.org/issues/4133#change-16438 for example I don't see https://redmine.pfsense.org/attachments/download/1096/pf_pcp_tools.diff applied

Apr 2019 Version: 2.4.3 system_advanced_network.php has dead code for old FreeBSD for flowtable. This flowtable value isn't used.

Apr 2017 Version: 2.3.3 diag_arp.php probably shouldn't have a delete action for a "permanent" entry for an IP address of a configured interface since it will indicate success thatw as deleted but really is still there.

Oct 2017 Version: 2.3.3 ./widgets/widgets/wake_on_lan.widget.php suggestion: shows link for dhcp leases if dhcpif is enabled. So maybe show for dhcpv6 too to be consistent. Or just get rid of this link for DHCP from the WoL widget. (By the way, the dhcp leases page has send WoL packet feature for offline leases but the dhcpv6 page does not.)

SUGGESTION Oct 2017 Version: 2.3.3 services_igmpproxy.php table suggest Name changed to "Interface" and suggest Values changes to "Alternate Network Sources" or "Alt. Sources" or "Networks" or "Subnets". Also suggestion: have a column for TTL Threshold.

Oct 2017 Version: 2.3.3 services_igmpproxy.php Save button does nothing? Why Save button?

Mar 2018 Version: 2.3.3 services_igmpproxy_edit.php Seven sentences from the igmpproxy.conf.5 man page are used verbatim. It is GPL2 licensed but no mention of this in the php source file.

Mar 2018 Version: 2.3.3 services_igmpproxy_edit.php SUGGESTION: only allow threshold to be an integer in 1 to 255. Also maybe don't use "text" input form but "number" with the min and max attributes and default of 1.

Mar 2018 Version: 2.3.3 services_igmpproxy_edit.php The networks address form uses Form_IpAddress but I was able to accidently typo an IP address with two consecutive dots. This caused igmpproxy to complain about "Unable to parse address token", and "Unable to parse subnet address", and "Unknown token". Maybe the Form_IpAddress routine can check for typos like that better or otherwise something to prevent that bogus address getting into the configuration.

Nov 2017 Version: 2.3.3 services_ntpd.php complain if orphan mode is invalid. It should not allow an invalid tos orphan -1200 for example. Also the code checks if less than 17, but docs say less than 16. I see some implementations may default to 16, but I think 15 is upper limit for normal stratum and 16 means is unsynchronized.

Apr 2018 Version: 2.3.3 status_ntpd.php doesn't show the status if acl default noquery is set. It should allow status if that is set but the localhost acl allows it. So instead of checking for noquery, could just check for "***Request timed out".

Apr 2018 Version: 2.3.3 status_ntpd.php error if noquery says "NTP service settings" and links to services_ntpd.php. It should say "NTP ACL settings" and link to services_ntpd_acls.php and maybe indicate it is about "noquery".

Apr 2019 Version: 2.4.3 services_ntpd_gps.php if don't have /dev/cua device (gpsport) then indicate on the page that this feature is not enabled and not available.

Apr 2018 Version: 2.3.3 services_ntpd_pps.php ppsfudge1 / fudge1 input form is "text". SUGGEST: Add some check to make sure is a T_Double or T_Integer (in NTP terminology). SUGGEST: And ppsrefid / refid add a check to make sure is only four characters. Not sure, but probably shouldn't have spaces since /etc/inc/system.inc just dumps it as is into configuration.

Apr 2018 Version: 2.3.3 /etc/inc/system.inc does not use ntpd pps stratum as seen in the config.xml. It is defined with a form in services_ntpd_pps.php $config['ntpd']['pps']['stratum'] = $_POST['ppsstratum']; but this is not used. I do see code for it for "gps" but not "pps". So it defaults to 0. SUGGEST: also consider using "number" instead of "text" for its input field and restrict it to 0 to 15. Also the code checks for stratum less than 17, but I think the numbers are 0 to 15, so check should be less than 16. Unless 16 is to mean unsynchronized. I don't even know if all NTPs support 16.

Apr 2018 Version: 2.3.3 services_ntpd_pps.php and /etc/inc/system.inc both have code for $config['ntpd']['pps']['noselect']) which would be $_POST['ppsselect']) but there is no addInput form for it. No way to configure it.

May 2017 Version: 2.3.3 vpn_openvpn_server.php server table list for Description has: <?=htmlspecialchars(sprintf('%s (%s)', $server['description'], $server['dev_mode']))?> but if dev_mode is not set it is empty so displays (). in this case the config.xml doesn't have the dev_mode set because it was created using the wizard. Maybe set it to tun as is the default. or don't display the empty () parenthesis.

May 2017 Version: 2.3.3 openvpn_validate_port() has: if (empty($value ... so when passing zero to it complains (because empty(0) is FALSE): "The field 'Local port' must contain a valid port, ranging from 0 to 65535" While I would want it to check for not 0, the above says zero is okay and the vpn_openvpn_server.php addInput form for it allows it. make fix in both places. https://redmine.pfsense.org/issues/7565

May 2017 Version: 2.3.3 FIXED /etc/inc/openvpn.inc used vpn_openvpn_server.php to set dh_length but only three /etc/dh-parameters.NUM files are available, but drop-down allows others resulting in: openvpn[34890]: Options error: - -dh fails with '/etc/dh-parameters.3072': No such file or directory Note that code for other dh-parameters is commented out. https://redmine.pfsense.org/issues/7566

May 2019 Version: 2.4.4-p3 /etc/inc/openvpn.inc openvpn_get_curvelist() uses sort for the openvpn show-curves option but it has mixed-case. Maybe use natcasesort() or SORT_FLAG_CASE.

May 2017 Version: 2.3.3 vpn_openvpn_server.php see function mode_change() it has two switch (value) blocks that can be merged. And see it has mistakes that aren't even used, like server_tls has: hideInput('shared_key', false); but autokey_change() hides it anyways. This code needs to be cleaned up.

May 2017 Version: 2.3.3 FIXED vpn_openvpn_server.php Address Pool sets pool_enable. I don't see any code that uses it, like not in /etc/inc/openvpn.inc What uses this code? https://redmine.pfsense.org/issues/7567

May 2017 Version: 2.3.3 FIXED vpn_openvpn_server.php d44942d3477c609e37794dc31c36fcd5c4435fbb configures client_mgmt_port but as far as I can tell this number is not used and the management is using a Unix domain socket and not a TCP port. https://redmine.pfsense.org/issues/7568

May 2017 Version: 2.3.3 FIXED wizards/openvpn_wizard.xml 7120ef411c122e67f6585be13fb89daa9df9a152 This is a wizards behavior which can cause confusion or mistake. A wizard saves its settings to config.xml and if you use the wizard again it may prepopulate fields. So if you use the wizard once to setup an LDAP server the later setup a RADIUS server, it may have the 389 port number (for LDAP) for the RADIUS port setup. Even though it has the correct number in note below, the common usage for pfSense is to prepopulate with defaults. In this case, the field is wrong. https://redmine.pfsense.org/issues/7569

May 2017 Version: 2.3.3 openvpn_wizard.xml skipped creating a cert and when finished it took me back to select or add a certificate. After creating one. it took me to next wizard screen but still has error message "Please choose a Certificate." at top. https://redmine.pfsense.org/issues/7570

May 2017 Version: 2.3.3 vpn_openvpn_server.php and vpn_openvpn_csc.php and /etc/inc/openvpn.inc have code related to NetBIOS Data Distribution Server nbdd_server_enable and nbdd_server1 but I don't see any code or GUI to configure it or display it. Maybe is stale code?

May 2017 Version: 2.3.3 vpn_openvpn_csc.php allows creating new configurations for existing configurations by using the same Common Name and local OpenVPN server name, The most recent CSC entry edited or added takes precedence. This could result in a confusing setup if the pfSense admin added many CSC and didn't realize this happened.

May 2017 Version: 2.3.3 vpn_openvpn_csc.php has netbios_ntype and netbios_scope but openvpn_add_dhcpopts() in etc/inc/openvpn.inc has dhcp_nbttype and dhcp_nbtscope I noticed this when configuring a CSC, but I also see the mismatch names in vpn_openvpn_server.php I see ./etc/inc/upgrade_config.inc has the variable names but opposite of etc/inc/openvpn.inc. While here a second the scope id is missing the 'Scope ID' label as the form has "null" for it.

May 2017 Version: 2.3.3 be consistent for vpn pages for disabled view. For openvpn server and clients it uses the disabled class with 50% opacity but the CSC overrides view has a "Disabled" column that says "Yes". For ipsec it has Disable/Enable toggle button and also uses the 50% opacity view. The main thing that I don't like is that when disabled even the "Actions" icons are translucent which seems to imply that they aren't clickable even though they are.

May 2017 Version: 2.3.3 vpn_openvpn_client.php has Related settings shortcut to vpn_openvpn_server.php but that is misleading and for normal pfSense use it is not "Related". As an example, the server's page doesn't have a related settings shortcut pointing to clients (as it should not). https://redmine.pfsense.org/issues/7571

May 2017 Version: 2.3.3 vpn_openvpn_client.php and /etc/inc/openvpn.inc Has checkbox to enable "Infinitely resolve server" but the resolv-retry infinite config is used also if is a client. This is a client. In addition, OpenVPN 2.3 has this enabled by default. I don't see anything here to set it to 0 (zero) to disable. To explain a different way, the config.xml has: <resolve_retry></resolve_retry> while the openvpn$NUM.conf still has: "resolv-retry infinite". I suggest getting rid of it of the feature since is default behavior and is always set here. Or if you keep make it so unchecked means is "0" and don't set by default for client too. https://redmine.pfsense.org/issues/7572

May 2017 Version: 2.3.3 vpn_openvpn_client.php shows the Peer Certificate Revocation list option when non-TLS shared key server mode is selected but not when TLS mode is selected. See the hideLabel definitions for it. Is this reversed? See vpn_openvpn_server.php as the (correct) opposite approach. If this is already as desired, add some hint why it is useful that way. While there consider having this option displayed after the certref option.

May 2017 Version: 2.3.3 FIXED vpn_openvpn_client.php 473f7ec48f7510a60ade574ef32b09f4abaa6b9a text for Tunnel Networks says "The second network address will be assigned". It uses openvpn_get_interface_ip() which uses gen_subnetv4() and then ip_after(). This misleadiing as it could be considered that the first address is the address returned by gen_subnetv4() so really the "third" network address will be assigned by some understandings. Some say the first is the "network address" but that is the terminology used here and the second is the "first IP". My recommendation is simply to clarify the help text. This may be needed for IPV6 and the other openvpn pages too. https://redmine.pfsense.org/issues/7573

May 2017 Version: 2.3.3 vpn_openvpn_client.php compression defaults to No Preference so "comp-lzo" is not set in configuration. But the openvpn manual says "make sure the client-side config file enables selective compression by having at least one - -comp-lzo directive ... this will ... allow a future directive push from the server to dynamically change the on/off/adaptive setting." The manpage is confusing as also hints that adaptive is the default. I recommend you change the user interface default to "adaptive" so it sets "comp-lzo adaptive" to make sure. "No Preference" seems to imply there is a preference so maybe reword or fix this (in /etc/inc/openvpn.inc and for vpn_openvpn_server.php too). PROBABLY FIXED IN a4b3624650 bug #7064

May 2017 Version: 2.3.3 /etc/inc/openvpn.inc The openvpn manual says: Note: Using - -topology subnet changes the interpretation of the arguments of - -ifconfig to mean "address netmask", no longer "local remote". And also says: TUN devices in - -topology subnet mode (which create virtual "multipoint networks"), - -ifconfig is used to set an IP address and subnet mask ... (The manual example also shows it.) But openvpn.inc when using tun still sets ifconfig (conf option) using $ip1 for client and $ip2 for server instead of the $mask. I didn't test this but doesn't follow the docs. This may need fixed so second argument is the mask. I did read https://forum.pfsense.org/index.php?topic=103331.0 https://redmine.pfsense.org/issues/7574

May 2017 Version: 2.3.3 FIXED vpn_openvpn_client.php 85d564f0fd278d27f1a2ff89214bf297676bfd0c Does the route_no_exec feature for "Don't add/remove routes" even work? I don't see any use of route-up script. Also while here see the setHelp text shows "- -route-upscript" which should have a space between up and script. This text is just verbatim from the man page (which has the space). https://redmine.pfsense.org/issues/7575

Nov 2017 Version: 2.3.3 pkg_mgr_install.php not really a bug but a suggestion: the package installation output shouldn't be editable; for example pressing space or return in it may happen to scroll but really it enters that content.

Nov 2017 Version: 2.3.3 pkg_mgr_installed.php The key after the list of installed packages is misleading as it says "Newer version available" and "Package is configured but not (fully) installed" These may be misinterpreted to imply that is applicable to the last or some package that is listed above. Suggest: Say "Key". Also suggest having an associated icon with the test. Currently no icon is displayed with those two links in the key.

Nov 2017 Version: 2.3.3 pkg_mgr_installed.php for the Package Dependencies it links to: href="https://freshports.org/' . $pdep['origin'] which assumes it is a real FreeBSD package. The "bind" package's dependency links to https://www.freshports.org/dns/bind-pfsense which does not exist. maybe if "pfsense" is part of the name don't link to freshports?

May 2017 Version: 2.3.3 pkg_mgr.php The table shows Version for the package then the dependencies show same package name with different version. This is confusing. For example shows: arping 1.2.2_1 depenrds on arping-2.15_1 To clarify, I recommend the Version column be renamed to "pfSense pkg Version" and the "Package Dependencies:" be changed to "FreeBSD Package Dependencies:" (I assume all are from FreeBSD packages.) https://redmine.pfsense.org/issues/7583 I NO LONGER recommend that since they aren't always FreeBSD packages. MY new recommendation is to list FreeBSD Package Dependencies versus pfSense Package Dependencies. pfsense packages names contain "pfsense-". By the way, why do some packages have "-pkg-" as part of the name and some don't (like pfsense-bind911-9.11.1P1)? And why are some packages with capital "S" in pfSense and some don't? And why does check_reload_status name not contain "pfsense"?

Oct 2017 Version: 2.3.3 services_pppoe_edit.php error says: "The field Remote start address is required." This is for remoteip, but the form field is called "Remote Address Range".

May 2018 Version: 2.4.3 services_pppoe_edit.php pppoe_dns1 allows junk, maybe should use Form_IpAddress for it set ipcp dns 8987 7987 gfdsjg 797u @ ; ``

May 2018 Version: 2.4.3 services_pppoe_edit.php I don't see any code using $pppoecfg['radius']['acct_update'] The "set auth acct-update" is not configured. Is the "RADIUS Accounting Update" even used? Add to /etc/inc/vpn.inc a check for acct_update and add ""set auth acct-update" to the mpd configuration.

May 2018 Version: 2.4.3 services_pppoe_edit.php the radiussecret (and secret2) kept on disappearing so had to enter again. I was able to reproduce this several times. I assume this has to do with the DMYPWD usage and the existing password not being retrieved and re-saved.

May 2018 Version: 2.4.3 services_pppoe_edit.php When saving and it errors (like "The field RADIUS shared secret is required"), then the form loses the User Table entries. Having to re-enter users details is frustrating. This is caused by the $pconfig = $_POST; during the save. Later used with $usernames = $pconfig['username']; which does not exist (after the save). The form uses the colon-delimited username. The POST does not. (It only converts to colon-delimited when no errors to save.) The config.xml stores as single "username" but the form uses username0, password0, ip0, username1, password1, ip1, username2, password2, ip2, etc. See the ~14 lines of code when no error and saving which populates the $pppoecfg['username']. That idea can be reused to set $pconfig['username'] if POSTing (and there was an error). I MADE A PATCH FOR THIS.

May 2018 Version: 2.4.3 /etc/inc/vpn.inc and services_pppoe_edit.php I don't see any code to use the pppoe radius server2 (or server2 secret2) settings. I set it and do see in config.xml but not in its /var/etc/pppoe1-vpn/mpd.conf file.

Nov 2017 Version: 2.3.3 system_gateways_edit.php if have a mistake with IP, the Interface change will be reset back to previous even though it was changed.

Apr 2019 Version: 2.4.3 system_gateways_edit.php force_down is misleading. It is still set in routing table as default and dpinger still running for it. Why does status page say "offline" when really is not offline? So basically the only change is to make the gateway selection for firewall rules to be a no-op, so no policy-routing. Make it more clear on the interface webpage. Because it is up but marked "offline" on status page, that is misleading too.

Apr 2019 Version: 2.4.3 system_gateways_edit.php Suggestion: check for max data_payload size since dpinger checks it. Maybe is 65487 bytes for IPv4 and 65507 bytes for IPv6?

Mar 2018 Version: 2.3.3 /etc/inc/gwlb.inc return_gateway_groups_array() compares trigger with strings "loss" or "latency" but system_gateway_groups_edit.php and config.xml has them as digits. Note "loss" if is meant to match a string would be two triggers ("Packet Loss" or "Packet Loss or High latency") and same for latency it would match two triggers ('Packet Loss" too). These checks versus the configuration don't make sense.

Jun 2016 Version: 2.3 FIXED? system_advanced_misc.php https://github.com/pfsense/pfsense/pull/2868 system_advanced_misc.php has: $config['system']['srctrack'] = $_POST['source-tracking-timeout']; but as far as I see no source-tracking-timeout sent shouldn't it be same as $pconfig['srctrack'] ?

Jun 2016 Version: 2.3 diag_routes "Rows to display" is off by one as it includes the header line too. If you choose 10 you would want ten lines of results data to display https://redmine.pfsense.org/issues/6705

Jun 2016 Version: 2.3 diag_routes "Use a regular expression to filter IP address or hostnames" actually works to match any field like flags, mtu, netif; I suggest it is kept the way it works and fix the description to not limit to just the address or hostname https://redmine.pfsense.org/issues/6706

Jun 2016 Version: 2.3 syntax error in the PHP execution in Command Prompt menu should not cause a crash detection to suggest reporting to pfSense https://redmine.pfsense.org/issues/6702

Jun 2016 Version: 2.3 suggestion for the Edit File have the input box have some description or label like "Path name" or "File name or directory" https://redmine.pfsense.org/issues/6703

Apr 2017 Version: 2.3.3 diag_edit.php will give warning "Loading a directory is not supported." but after clicking Browse and getting a directory listing, that warning is not cleared; it still displays same warning even though is now irrelevant Maybe update print_info_box after successes. https://redmine.pfsense.org/issues/7589

Jun 2016 Version: 2.3 Edit File "Go to Line" selection box allows negative numbers and line numbers longer than the file contains https://redmine.pfsense.org/issues/6704

Apr 2017 Version: 2.3.3 diag_edit.php if you are browsing directory hiererchy, and enter a filename and click save, it will write a zero byte file to that filename. Note there was no data to write but the edit display was showing the directory layout. I suggest if a browse directory view is displayed then the Save button should be disabled or the save should indicate no data to save while in directory browsing view and to not do anything. https://redmine.pfsense.org/issues/7590

Apr 2017 Version: 2.3.3 top is missing the CPU: header like CPU: 3.9% user, 0.0% nice, 2.4% system, 0.4% interrupt, 93.3% idle This is a limitation in the top implementation on FreeBSD (seen outside of pfsense). In it filled out in interactive mode after the rest of the display is draw, but in batch mode the line is blank. I filed a bug report against it in FreeBSD: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218889

Jun 2019 Version: 2.4.4-p3 status_graph_cpu.php nothing graphed anymore, but it used to work. It now just shows an empty graph with a huge number continually increasing like 709637894%

Nov 2017 Version: 2.3.3 miniupnpd is not a package? The get_services() function in etc/inc/service-utils.inc has miniupnpd as installedpackages feature. Now I see that is how status_upnp.php and various /etc/inc/ code does it that way. It is not a pfSense package but core pfSense, so this is somewhat confusing. The /usr/local/pkg/miniupnpd.xml is "pkg". This appears to be only "pkg" style feature in system that is not a package. If this is the way things are moving to, then this is okay, but please document it. Or maybe because it was easier to use pkg_edit for it? Still explain. If this is not the future, then add comments to code or change code so developers aren't confused that miniupnpd is a package.

Nov 2017 Version: 2.3.3 etc/inc/service-utils.inc The get_services() function is missing some network services: dhcpdv6 (using dhcpd -6), pppoe server (using mpd4), and l2tp (using mpd4). (Could consider filterdns too?)

Sep 2018 Version: 2.4.3 /etc/rc.initial.setlanip if enter a blank DHCP starting address, it aborts and goes back to the menu without any error message. If this is desired then previously say "if blank this exits" or something like that. Note that a bogus value will just prompt again for the start address.

Sep 2018 Version: 2.4.3 /etc/rc.initial.setlanip if enter a default gateway for the LAN and later for the WAN, only the LAN one will be there. If you use this #2 again and leave the LAN gateway blank (just press enter), the <gateway_item> for it in the config.xml is not removed and the netstat -rn still shows it too.

May 2016 Version: 2.3 console shell using exec sh causes exit from shell to also close the ssh: Enter an option: read: read error: Input/output error Also "exec sh" at the tcsh prompt works at console, but when exiting the menu redisplays but then says "You have stopped jobs" and "[1] + Stopped (tty input) /etc/rc.initial" and you are back the sh prompt.

May 2016 Version: 2.3 developer shell ctrl-c in the Developer Shell shouldn't exit ssh session

May 2016 Version: 2.3 /usr/local/sbin/pfSsh.php contains $tccommands[] = "master"; $tccommands[] = "RELENG_1_2"; but this code is unused also what uses tccommands?

May 2016 Version: 2.3 developer shell in pfSsh = does nothing as the currentline is replaced

May 2016 Version: 2.3 developer shell "exec" all exclamation marks are escaped if first character has it

May 2016 Version: 2.3 developer shell listpkg Warning: Invalid argument supplied for foreach() in /usr/local/sbin/pfSsh.php(345) : eval()'d code on line 11

May 2016 Version: 2.3 developer shell disabledhcpd name is inconsistent: why disabled vs disable?

May 2016 Version: 2.3 developer shell why does it do this twice: unset($config["interfaces"]["wan"]["blockbogons"]); unlink_if_exists("/tmp/config.cache"); ... unlink_if_exists("/tmp/config.cache"); unset($config['interfaces']['wan']['blockbogons']);

May 2016 Version: 2.3 developer shell externalconfiglocator cannot run twice since Cannot redeclare get_boot_disk() via the include of /etc/ecl.php

May 2016 Version: 2.3 developer shell can this even work? $locations_to_check = array("/", "/config"); foreach ($locations_to_check as $ltc) { $tocheck = "/tmp/mnt/cf{$ltc}config.xml"; checks for /tmp/mnt/cf/config.xml and /tmp/mnt/cf/configconfig.xml but the file would be at /tmp/mnt/cf/conf/config.xml

May 2016 Version: 2.3 developer shell also get_boot_disk and get_swap_disks don't work since modern systems use ufsid labels but later try to compare with device names

May 2016 Version: 2.3 developer shell listpkg does not work, references an array that doesn't exist Playback of file listpkg started. Installed packages: Warning: Invalid argument supplied for foreach() in /usr/local/sbin/pfSsh.php(345) : eval()'d code on line 11 I checked with: if (!is_array($config['installedpackages']['package'])) { echo "not an array\n"; return; } It appears to be fixed in 2.4.3

May 2016 Version: 2.3 developer shell "svc" cannot run twice in the developer shell since Cannot redeclare usage()

Aug 2018 Version: 2.4.3 /etc/rc.initial has internal choice "100" to use links text browser but that isn't usable at all with the pfsense webgui. It may say successful login but the menu panel nor dashboard does not appear. Suggestion: if this is to verify the webConfigurator is up then have it go to some webpage for that. Maybe put a testing php page under /usr/local/www for this?

Feb 2019 Version: 2.4.3 /etc/inc/shaper.inc FAIRQ hogs "Bandwidth limit for hosts to not saturate link" should use the normal bandwidth and bandwidth type like form as user won't know to enter "1Kb" for example.

Feb 2019 Version: 2.4.3 firewall_shaper.php some content is verbatim to pf.conf(5) but no license about it.

Feb 2018 Version: 2.3.3 firewall_shaper.php For a child queue, it accepts a missing name. So when the shaper list has an icon with no name. And clicking "By Queue" may say "No Queue Configured/Selected" with an icon below it and the icon may be overlooked or misundestood. SUGGEST: that the queue name be required (don't allow it to be empty). That is a common requirement for many places in pfsense.

Feb 2019 Version: 2.4.3 firewall_rules_edit.php Please re-order the ackqueue and defaultqueue selections since they are used in opposite order and the first one (currently) cannot even be used unless the second one is defined.

Jan 2019 Version: 2.4.3 ./wizards/traffic_shaper_wizard_dedicated.inc displayname has "Interface \& Scheduler" but should be separate "Interface" and then "Scheduler" for the respective inputs. Also section header says "connection speed" but that is not there for all interfaces.

Jun 2016 Version: 2.3 traffic_shaper_wizard_dedicated.xml scheduler types drop-down are marked as "Local interface" and "WAN interface". Change to also say "Schedule Type". While there note that "interface" is started with lowercase "i" in some uses and uppercase "I" in other uses. Also maybe add "speed" or "rate" and maybe "measurement" or "units" for the upload and download parameters.

Jun 2016 Version: 2.3 traffic_shaper_wizard_dedicated.xml minor bug; the traffic_shaper_wizard_dedicated.xml page has both Penalty Box and PenaltyBox (no space); be consistent?

Jun 2016 Version: 2.3 traffic_shaper_wizard_dedicated.xml doesn't have a check to make sure at least the P2P catchall or a specific protocol is selected

Jun 2016 Version: 2.3 traffic_shaper_wizard_dedicated.xml minor bug, the traffic_shaper_wizard_dedicated.xml P2P page has a mix of "Peer to Peer" (no dashes), "Peer-to-Peer", "p2p" (lowercase) and "P2P"; be consistent?

Jun 2016 Version: 2.3 traffic_shaper_wizard_dedicated.xml "other Applications" says "raise or lower ... higher than most". That grammar of "lower... higher" doesn't read well. Maybe just end the sentence at "protocols."

Feb 2018 Version: 2.3.3 firewall_rules_edit.php config says "In / Out pipe" but error says "In and Out Queue"

May 2019 Version: 2.4.4-p1 ./src/etc/inc/shaper.inc consider adding parameters for FQ_PIE for flow, limit, and quantum like the FQ_CODEL feature options in pfsense. There are sysctls for them too. net.inet.ip.dummynet.fqpie.quantum: 1514 net.inet.ip.dummynet.fqpie.limit: 10240 net.inet.ip.dummynet.fqpie.flows: 1024

Jun 2016 Version: 2.3 the Traffic Shaper / Limiters page has the the "By Interface" info help that is about tree, queues, buttons. But there is no "tree" by default. Also maybe "Limiters" should be explained. Maybe from /etc/inc/shaper.inc

Jan 2019 Version: 2.4.3 firewall_shaper_vinterface.php child queue config for Packet Loss Rate menu is there, but setting it does nothing. get rid the option here? but manpage says plr can be configured for queues. By the way buckets for a queue is not displayed with ipfw pipe show nor ipfw queue show, but is in the /tmp/rules.limiter. (It is there for a pipe.)

Feb 2018 Version: 2.3.3 firewall_shaper_vinterface.php if you have a limiter in use and then uncheck the Enable button, save, and then apply changes, "ipfw pipe show" still shows that limiter. The /tmp/rules.limiter may not list it but the ipfw config is still there as it is not deleted. The Enable button does work to enable, but unchecked means nothing once was loaded. Delete Limiter button does work though - the ipfw pipe disappears.

Jan 2019 Version: 2.4.3 firewall_shaper_vinterface.php clicking Delete Limiter button pops up "The last row may not be deleted." alert. This happens to me every time. See ./js/pfSenseHelpers.js I don't think the context makes sense when deleting a limiter. Or needs more explanation.

Jan 2019 Version: 2.4.3 firewall_shaper_vinterface.php When clicked "Delete this queue" button and okayed it, I saw repeated 8 times: "This pipe/queue is referenced in filter rules, please remove references from there before deleting." But I already removed it and was not used by any filter rule. I think it was caused by having no Name. Name was empty. The child queue didn't get deleted. And it is unable to edit to add the child's name.

Aug 2016 Version: 2.3 FIXED firewall_shaper_vinterface.php action item should link to diag_limiter_info.php for Related Status. And the diag_limiter_info.php should NOT have a Related status action item pointing to itself.

May 2019 Version: 2.4.4-p3 firewall_shaper_vinterface.php My logs showed: /rc.filter_configure_sync: The command '/sbin/ipfw /tmp/rules.limiter' returned exit code '65', the output was 'Line 4: 2 <= queue size <= 100' That config had: queue 1 config pipe 1 queue 102 ... My Queue length (qlimit) was set to 102. Don't allow a qlimit outside of the allowed range.

Mar 2018 Version: 2.3.3 interfaces_qinq_edit.php autoadjustmtu is referenced in code but I don't see it used anywhere.

Mar 2019 Version: 2.4.3 interfaces_ppps_edit.php help doc hints are verbatim from mpd documentation without the copyright and license referenced

Mar 2018 Version: 2.3.3 interfaces_ppps_edit.php advanced options toggle button on PPP or PPPoE types introduces new settings above the button while also a new section titled Advanced Configuration appears below the button. This may be confusing as the admin may not notice the new displayed options in both places. Since there are few advanced options for the some link types only, suggest these are displayed always for them specifically.

Feb 2018 Version: 2.3.3 /etc/inc/interfaces.inc interface_gre_configure() has: if (isset($gre['link1']) && $gre['link1']) { but it is a checkbox with <link1></link1> so it may be defined but has no value so the action of the if conditional never happens.

Mar 2018 Version: 2.3.3 easypass firewall logs showed gif0 entries. Easy pass allowed it "Interface: GIF0" but when tried to save it failed with: "Invalid interface for pass rule" Easy pass shouldn't get that far or it should provide some assistance or firewall rules should allow FreeBSD devices like gif0. (My workaround was to create a new OPT2 interface for gif0 and enable it.)

Mar 2018 Version: 2.3.3 head.inc SUGGEST: include all the interface types (like QinQs, GREs, etc) in $interfaces_menu if they are defined.

Apr 2019 Version: 2.4.3 pkg_mgr_install.php setting fwbranch to devel on update settings page and save go to the main system update page it shows branch as devel, but the latest base version number is the stable version instead of the long date-stamped experimental version number.

May 2019 Version: 2.4.4-p1 system_update_settings.php Suggestion for ./widgets/widgets/system_information.widget.php If disablecheck still have an icon to show the latest version on the dashboard's System Information widget. Just have disablecheck not auto update the package list and download the pfSense-repo packages unless the admin specifically clicks a button to do a one-time version check. It can still show when last checked (manually).

Apr 2019 Version: 2.4.3 /etc/phpshellsessions/gitsync "Remove files that we do not want to overwrite the system with" list has /etc/fstab twice.

Mar 2017 Version: 2.3.3 my user has page-diagnostics-dns privilege which provides DNS lookups but also allowed the user to create an alias "Created from Diagnostics-> DNS Lookup". But now the user cannot see this alias nor has any way to remove it (because needs page-firewall-aliases privilege). I'd suggest that capability to do DNS lookups diagnostics shouldn't also allow addition of aliases. https://redmine.pfsense.org/issues/7584

Mar 2017 Version: 2.3.3 system_usermanager.php it allowed creating a user starting with a dash. So the user is created but was not added to /etc/passwd. For FreeBSD, "The login name must not begin with a hyphen (`-')". I didn't see any logging about this failure. pw useradd complains: "pw: invalid character `-' at position 0 in userid/group name". I suggest the preg_match in system_usermanager.php reject username starting with a dash. Also recommend if pw fails, then capture and log and report that failure.

Mar 2017 Version: 2.3.3 system_usermanager.php using firefox 48.0 pressing enter on the System> User Manager > Users page will trigger the Delete and will prompt to delete users even if no users are selected. My suggestion is not have pressing Enter do anything and especially not Delete.

Mar 2017 Version: 2.3.3 system_usermanager.php I entered an ampersand & in the Full name and it got expanded to master.passwd and /etc/passwd to &amp; note this is HTML entity encoding, done twice. This is also shown in the Users table.

Mar 2017 Version: 2.3.3 FIXED system_usermanager.php fc1913fef29fbc7f90e8e2fe9374b761411f09ae The checkbox for showcert "Click to create a user certificate" when adding a new user does nothing, the cert-options class is not displayed. Or what is that checkbox supposed to do? https://redmine.pfsense.org/issues/7585

Sep 2018 Version: 2.4.3 system_usermanager.php?act=new when adding a new user and you click save missing some details like password, the form will be displayed again. But (if you have a CA), the previously displayed checkbox "Click to create a user certificate" is not displayed again.

Sep 2018 Version: 2.4.3 system_usermanager.php?act=new when adding a new user and when the "Click to create a user certificate" checkbox is clicked and you save without a "Descriptive name" it should complain. This is required to add a new certificate and since the checkbox is checked this implies you wanted to add it. Maybe prepopulate it with the username entry?

Mar 2017 Version: 2.3.3 system_usermanager.php User Certificates view is missing the "Action" table header. Also as a feature request have link to the certificate management page to actually see the cert details (and maybe remove the certificate).

Mar 2017 Version: 2.3.3 feature request system_certmanager.php?act=new&userid=n when adding a certificate specifically assigned to a user, have the system_certmanager.php page say the username at the top. (Especially since it is different than when the page is not for a userid.)

Mar 2017 Version: 2.3.3 system_certmanager.php?act=new&userid=n when selecting method of choose "existing", the descr field is not used (and is ignored and confusing since is different). Maybe only display the descr input box for the forms that need it.

Mar 2017 Version: 2.3.3 FIXED system_usermanager_addprivs.php feature request: system_usermanager_addprivs.php should say what user and fullname is having the privileges added to for the userid (like the system_groupmanager_addprivs.php does) easy fix: $section = new Form_Section('User Privileges for '. $a_user['name']); https://redmine.pfsense.org/issues/7586

Mar 2017 Version: 2.3.3 new users are part of the "nobody group". If multiple real users are part of same group, it lowers security since now they are not a "nobody". You have no idea what tool's umask or group modes may be set later (even default is group read) so users may be able to access others' files. While it is common to use a shared group, "nobody" may be used for some network services or other program and now the users may have new privileges related to things that the pfSense developers may not imagine. If you really want to use some single group, don't use "nobody".

Mar 2017 Version: 2.3.3 system_usermanager.php: feature request: add the username to the Are you sure you wish to delete user? prompt (didn't check recently but maybe for vpn_l2tp_users.php too?)

Mar 2017 Version: 2.3.3 feature request system_groupmanager.php allow configuring the Assigned Privileges for a new "Add" group and not just when editing an existing group

Mar 2017 Version: 2.3.3 feature request system_groupmanager.php via is ?act=edit view when deleting a single privileges go back to the edit view so you can see the change. Currently it takes you back to the all groups view where you have to click edit again to see the privilege changed.

Mar 2017 Version: 2.3.3 system_groupmanager.php via is ?act=edit view when removing a provilege it uses a local privid which gets reassigned each time a list of privilegs for a group changes. So if an pfsense admin mistakenly presses a back button in browser or otherwise reloads the same delpriv action webpage, it may have a consequence of removing an unrelated privilege (because has new privid). (If the privid is the last number then it wouldn't matter then.) This simple mistake could lock out some pfsense user or make them lose some capability that is not noticed for some time. (I didn't check if this problem exists of the user view too.) My suggestion is to use the unique identifiers that already exist (like "page-xmlrpclibrary") instead of an arbitrary number that changes.

Mar 2017 Version: 2.3.3 FIXED system_groupmanager_addprivs.php feature request. Please sort the list of privileges in the form like is done in the system_usermanager_addprivs.php form using uasort and its admusercmp function. There is a comment saying "sort it" but does not appear to be done. https://redmine.pfsense.org/issues/7587

Mar 2017 Version: 2.3.3 system_authservers.php feature request system_authservers.php change order of LDAP Server Settings so Transport is before Port value since it changes the Port value. Note that selecting the transport resets any custom port also.

Mar 2017 Version: 2.3.3 feature request system_authservers.php the text-danger feedback from "Select a container" such as "Could not connect ..." will go to bottom of the page and mayi be overlooked. Suggest having that output go next to the button.

Mar 2017 Version: 2.3.3 system_authservers.php field has "Group naming attribute" to set ldap_attr_group (which is preset to cn for all three templates). It is also in ./wizards/openvpn_wizard.inc I don't see ldap_attr_group (NOT "obj" postfix) anywhere. The field is required but doesn't appear to used.

Jun 2016 Version: 2.3 the diag_authentication "related status" icon links to same page :) https://redmine.pfsense.org/issues/6701 THIS WAS RESOLVED BUT ONLY ONE PART WAS FIXED. SHOULD I OPEN NEW TICKET?

May 2017 Version: 2.3.3 vpn_l2tp_configure in /etc/inc/vpn.inc has killbypid and sleep(8) even if starting it for first time. I suggest it should check if file_exists() first. Note that killbypid via sigkillbypid does check for that but wrap both with it since the sleep(8) is done regardless.

May 2017 Version: 2.3.3 FIXED vpn_l2tp_configure in /etc/inc/vpn.inc can use $l2tpcfg['wins'] for NetBIOS name server (NBNS) information but that "wins" is not configured anywhere. If it is not desired, then remove that stale code? (I did see similar for vpn_pptp.php but this bug is about l2tp.)

May 2017 Version: 2.3.3 FIXED vpn_l2tp.php recommend confirming that DNS servers l2tp_dns1 and l2tp_dns2 are IP addresses. Check this right in vpn_l2tp.php since vpn_l2tp_configure silently checks it. Also while there complain if l2tp_dns2 is set but l2tp_dns1 is not, since vpn_l2tp_configure won't use it if the first is not set.

May 2017 Version: 2.3.3 FIXED vpn_l2tp.php says when RADIUS is set "The local user database will not be used." and vpn_l2tp_users.php also shows: "RADIUS is enabled. The local user database will not be used." I don't see any configuration to turn "internal" off (like "set auth disable internal"). It is not clear if this is about what type of users like L2TP mdp.secrets or what? But if is about mdp.secrets then that is used after RADIUS and is enabled by default. (see http://mpd.sourceforge.net/doc/mpd31.html#31) https://redmine.pfsense.org/issues/7561

May 2017 Version: 2.3.3 in vpn_l2tp.php Remote address range remoteip is required even if RADIUS issued IPs radiusissueips is set. Per vpn_l2tp_configure remoteip is not used if radiusissueips is set. (as it sets to undocumented peer). Is remoteip really required? While there only set clientip is not radiusissueips https://redmine.pfsense.org/issues/7562

May 2017 Version: 2.3.3 vpn_l2tp_users.php Suggestion: consider allowing IP/Subnet for the user. mtp supports this for restricting to a range instead of a specific IP. https://redmine.pfsense.org/issues/7563

Feb 2018 Version: 2.3.3 status_logs_vpn.php?logfile=l2tps&vpntype=l2tp Click Time column header to sort and the Time column reversed but the Log Message fields stayed the same. Click it again and all fields change and click it again and all fields change back. Seems like the first use of the sorting is broken. I don't see this problem with status_logs.php.

May 2017 Version: 2.3.3 FIXED the logging shortcuts for vpn_l2tp.php and vpn_l2tp_users.php and vpn_l2tp_users_edit.php all go to same: status_logs_vpn.php?vpntype=l2tp which does not exist. and takes you to default PPPoE Logins view (instead of best L2TP). the fix in shortcuts.inc is: -$shortcuts['l2tps']['log'] = "status_logs_vpn.php?vpntype=l2tp"; +$shortcuts['l2tps']['log'] = "status_logs_vpn.php?logfile=l2tps&vpntype=l2tp"; You could have a new shortcut configuration for the users vs. config but I think it is fine as is. https://redmine.pfsense.org/issues/7564

Aug 2018 Version: 2.4.3 If don't do the setup_wizard quickly enough on the first attempt, then your session will expire. Then when you log back in you no longer get the setup wizard. It should go back to the setup_wizard automatically if hasn't been done yet or at least have a way to say it is needed. (I do know you can go to it via menu, but a first time admin may not know.)

Jan 2016 Version: 2.3 Click "here" was broken for me on installation wizard screen. since didn't have my port number. That appears to be FIXED in 2.3.5 but I can click on logo to get to the default Dashboard display.

Jun 2019 Version: 2.4.4-p3 head.inc SUGGESTION: for no privilege, set the $system_menu link text in head.inc to "User Password" (instead of "User Manager") for the link to /system_usermanager_passwordmg.php.

Oct 2017 Version: 2.3.3 inconsistency of pppoe in vpn logging but not in vpn menu?

Jun 2016 Version: 2.3 head.inc SUGGESTION: if there is a crash, maybe add to the Diagnostics menu: Crash Reporter Also misspelling: enountered on crash_reporter.php

Jun 2019 Version: 2.4.4-p3 head.inc and index.php SUGGESTION: have the crash detection on every head.inc page instead of just dashboard index.php.

Nov 2017 Version: 2.3.3 status_wireless.php Info details at bottom have flags. The "A = authorized, E = Extended Rate (802.11g), P = Power saving" are wrong for scan list. This may be confusing and need two keys? NOTE: I see this was based on bugs in FreeBSD manual. I reported there https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223794 Actually it has "P" twice. The second one is correct. Don't get the flags/capabilities confused. Flags are the first character string of single letter flags. The later ones are capabiltities which are always multi-letter acronyms. Get rid of "Capabilities:" from this info details.

Nov 2017 Version: 2.3.3 status_wireless.php Nearby table header has RSSI, but this is not the single calculated receive signal strength indicator. This is both signal and noise (S:N). The FreeBSD source code shows it is converted back from RSSI: (sr->isr_rssi/2)+sr->isr_noise, sr->isr_noise Change the table to what ifconfig shows "S:N".

Nov 2017 Version: 2.3.3 status_wireless.php The status page header for associated shows: ERP but the ifconfig list sta output has "FLAG" for that field. Please change to FLAG.

Buy the pfSense Essentials book from Amazon, Barnes&Noble, or your favorite book store.