Orphaned VLAN entry
-
2.7.0-RELEASE (amd64)
built on Wed Jun 28 03:53:34 UTC 2023
FreeBSD 14.0-CURRENT
I'm setting up a read-only account (cannot save the config after changes are made). I was going through testing to verify no changes could be made before I sent the user the creds. The new read-only account is structured as such:
Effective Privileges
Inherited from | Name | Description | Action
ReadOnly | WebCfg - All pages | Allow access to all pages (admin privilege) |
--------- | User - Config: Deny Config Write | If present, ignores requests from this user to write config.xml |
To test, I did something that would not impact the operation of the in-use pfS. I attempted to create a new VLAN (tagged 5) and bonded it to interface opt2 (igb3) and clicked Save. The newly created VLAN does NOT show in VLANs, but in Interface Assignments/Available network ports I see igb3.5
I logged out as the new "ReadOnly" user, logged in as my normal admin account and the VLAN did not show under Interfaces/VLANs. However it does show as an Interface under Interfaces/Interface Assignments as igb3.5
So it saved the "ReadOnly" user's test change somewhere (not in config.xml). But it also does not list the VLAN under the VLANs Interfaces (for any account) - but it's somehow able to be an option in the drop down box. Looking at the config.xml file, the <vlans></vlans> is empty so, true as it should, the save to the config.xml file didn't work.
I opened a session to the same pfS via a different browser and navigated to Interfaces/Interface Assignments. Clicked the drop down for Available network ports and still saw igb3.5 as an option (should not).
What file or table is responsible for listing VLANs and what do I have to do to disable writing to this file/table? Plus, now how do I get rid of this orphaned, bogus, test VLAN 5 entry? pfS reboot?
thx
-
Do you see it listed in the output of ifconfig?
If the vlan is actually created it will show there even if it's not in the config and hence would not be there at next boot.
Is there some reason you aren't running 2.7.2?
-
Yes, looks like ifconfig has the VLAN entry:
igb3.5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
        ether 00:e0:67:17:f5:fb
        inet6 fe80::2e0:67ff:fe17:f5fb%igb3.5 prefixlen 64 scopeid 0xa
        groups: vlan
        vlan: 5 vlanproto: 802.1q vlanpcp: 0 parent interface: igb3
        media: Ethernet autoselect
        status: no carrier
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Not on 2.7.2 because Version says "The system is on the latest version. Version information updated at Wed Feb 21 13:23:52 PST 2024" and is not offering an update to be done. Going to System / Update / System Update it says:
Branch Current Stable Release (2.7.2)
Current Base System: 2.7.0
Latest Base System: 2.7.0
Status: Up to date
In prior times when I've had update problems I change the Update Settings / Branch to something else, then back to the desired branch and it fixes the issue. But this time it still says Up to date and only offers me 2.7.0. That is another problem for another forum post - maybe.
thx.
-
Try running:
certctl rehash
Then recheck.
-
@stephenw10
Ran certctl rehash:
Scanning /usr/share/certs/untrusted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Scanning /usr/local/share/certs for certificates...
then ifconfig and the igb3.5 is still present.
-
Yes, sorry, I meant try checking updates after running that.
-
@stephenw10 HA!~ I was wondering how certs were related to VLAN. Yeah, update is available now. I'll run this tonight to get on 2.7.2. Then I'll ifconfig and see what is there.
-
It's still a bug in current dev builds: https://redmine.pfsense.org/issues/15282
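An added example, not part of the thread: the situation above is a VLAN interface that exists in the running system while config.xml has no entry for it, so one way to audit for it is to diff the two. The function names and all sample data are constructed for illustration, and the `<vlanif>` element layout is an assumption about how config.xml records VLANs.

```shell
#!/bin/sh
# Added example (not from the thread): report VLAN interfaces that exist at
# runtime but are absent from config.xml. All sample data below is constructed.

# Print every interface whose ifconfig stanza has a "vlan: <tag>" line.
runtime_vlans() {
    awk '/^[^ \t]/ { name = $1; sub(/:$/, "", name) }   # stanza header line
         /^[ \t]+vlan: [0-9]+/ { print name }' | LC_ALL=C sort -u
}

# Print every <vlanif> value. Assumes at most one <vlanif> element per line
# (assumed config.xml layout); this is not a general XML parser.
configured_vlans() {
    sed -n 's:.*<vlanif>\([^<]*\)</vlanif>.*:\1:p' | LC_ALL=C sort -u
}

# $1 = file holding ifconfig output, $2 = config.xml. Prints the orphans.
orphaned_vlans() {
    tmp=$(mktemp -d) || return 1
    runtime_vlans < "$1" > "$tmp/runtime"
    configured_vlans < "$2" > "$tmp/config"
    LC_ALL=C comm -23 "$tmp/runtime" "$tmp/config"   # lines only in runtime
    rm -rf "$tmp"
}

sample_ifconfig() {
cat <<'EOF'
igb3.5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        groups: vlan
        vlan: 5 vlanproto: 802.1q vlanpcp: 0 parent interface: igb3
igb1.20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        groups: vlan
        vlan: 20 vlanproto: 802.1q vlanpcp: 0 parent interface: igb1
EOF
}

sample_config() {
cat <<'EOF'
<vlans>
  <vlan><if>igb1</if><tag>20</tag><vlanif>igb1.20</vlanif></vlan>
</vlans>
EOF
}

d=$(mktemp -d)
sample_ifconfig > "$d/ifconfig.txt"; sample_config > "$d/config.xml"
orphaned_vlans "$d/ifconfig.txt" "$d/config.xml"   # prints igb3.5
rm -rf "$d"
```

On a live system the two inputs would be a saved copy of the ifconfig output and the config.xml file; any name printed is an interface that was created without being written to the configuration.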