Hotfix for #11805 with crowdfunding / donation possible? (NAT issue 2.5.1 CE)
-
Dear pfSense Team,
we are really in trouble with bug #11805 [1] and if I understand the ticket there is a patch available.
Since we are respect your work and time you need, is it possible to make an crowdfunding / donation for an hotfix -p1 release?
[1] https://redmine.pfsense.org/issues/11805
-
The fix is in 2.6 snapshots if you need it.
It's not something that can be applied as a patch though it's in compiled code.
Steve
-
@stephenw10 said in Hotfix for #11805 with crowdfunding / donation possible? (NAT issue 2.5.1 CE):
It's not something that can be applied as a patch though it's in compiled code.
Thanks Steve for reply.
That's why I'm asking to donate a new code build since no easy patch is possible. -
@stephenw10
Hi thank you for your time. I looked at the bug list for version 2.6 on redline and I think it should be ok running it for home use. Because it is not clear when (or if) a patch will be made availability for 2.5.1, do you think it is ok to move to version 2.6? For the time being at least? -
For home use I would say it is. I have not seen any major issues there for some time.
Be prepared to rollback though, as always.
The more people can test that the better really.
Steve
-
Thank you. I will do some testing and I will make sure to be able to rollback yes.
-
@stephenw10 is there no release schedule for 2.5.2?
-
Having here a cold spare device, I'm currently running v2.6-DEV due to #11805 issue.
Using NAT on 2 WANs, 3 IPSec tunnels, 4 OpenVPN site-to-site server, 2 OpenVPN site-to-site client, 1 WireGuard "theonemcdonald" tunnel for 10 road warrior devices, pfBlockerNG-devel.
No problems so far.
Ready to swap on main device though... -
@psp Amazing! Do you have policy based routing working fine also?
-
@vjizzle
Yes, but only related to OpenVPN outbound traffic (i.e. no WG right now). -
@psp Great! Switching over to 2.6 level is getting more and more tempting. Thank you and let us know if you find issues with it. I am running it in a lab environment and it is looking promising there as well.
-
The only issue I'm aware of that might be a show stopper for running it is match rules are broken:
https://redmine.pfsense.org/issues/11857So if you are altq traffic shaping you would not be able to run current 2.6 snaps. Yet.
Steve
-
Ok the last snapshot of 2.6 killed my lab pfsense and now I can see someone posting the solution on de development forum. So for now 2.6 is off the table. Can’t have this “surprise-me-time” on my production firewall. The wait continues.
-
Same thing happened to me. I haven't had the chance to connect a monitor and keyboard to see what is going on.
-
@stephenw10 Thanks for the info. Do you have a link for the bug report on the upstream kernel (FreeBSD)? Or is this a bug that was introduced by Netgate patching the upstream?
-
Not sure of the bug report. The patch is here though:
https://github.com/freebsd/freebsd-src/commit/6d786845cf63c8bf57174e3e43b0b5c5eca75be3
And here in our tree:
https://github.com/pfsense/FreeBSD-src/commit/cf7fd16ddcc36499c6dae90074335e889dc9e484Steve
-
@stephenw10 why aren't we getting a 2.5.2 hotfix? I had to switch from the WAN GW pool, to single WAN as my default route, to fix the issues introduced in 2.5.1
-
@gwaitsi I believe this is the roadmap for pfSense CE sadly. If it works-it-works but clearly the focus is pfSense Plus. This same bug was resolved for pfSense Plus within days I believe, like we can expect from any other firewall vendor.
Sadly this is not the case for the free version of pfSense.
-
@vjizzle said in Hotfix for #11805 with crowdfunding / donation possible? (NAT issue 2.5.1 CE):
@gwaitsi I believe this is the roadmap for pfSense CE sadly. If it works-it-works but clearly the focus is pfSense Plus. This same bug was resolved for pfSense Plus within days I believe, like we can expect from any other firewall vendor.
Sadly this is not the case for the free version of pfSense.
I really hope you are wrong there. There is a huge difference between offering a value add component for a price, versus broken core functionality. Even if it is in the CE version.
-
@gwaitsi I hope I am wrong as well yes. Sadly it is not looking good atm.
