Couple 2.1 bugs



  • A few items:

    1. Load balancer dashboard widget doesn't populate pool section with member servers and uptime %.  On 2.0.3 it was fine.  Load balancing is working fine, and under status/load balancer the pool section is properly displayed as are uptimes.

    2. NTP server behaviour has changed.  Instead of listing just the physical interfaces like in 2.0.3, all the virtual IPs are listed.  If you just set to listen on the interface (like in 2.0.x) it doesn't listen on the virtual IPs also on that interface.  This means during upgrade from 2.0.x -> 2.1 NTP breaks unexpectedly until you add the virtual IPs to the NTP config for listening.

    That's it so far  :o



  • Marking a gateway as monitored vs not monitored appears a bit buggy, and I've had it duplicate the gateway on me.



  • Another little thing: my "Dynamic DNS" entries no longer automatically updated after the upgrade.

    The settings were correctly transferred and if I go into the Dynamic DNS settings and do a "save and force update" they update and turn green again.

    This can bite you a couple of days after the upgrade when you are on the road and can't seem to access your own system …



  • Strange.  What system?  64bit or 32bit?  Full install?



  • @kejianshi:

    Strange.  What system?  64bit or 32bit?  Full install?

    64 bit, full install upgraded from 2.0.3.  2.0.3 was a clean install on these boxes.



  • Yep - That's strange.  We have the same setup but my DynDNS updater is fine.



  • @jwelter99:

    1. NTP server behaviour has changed.  Instead of listing just the physical interfaces like in 2.0.3, all the virtual IPs are listed.  If you just set to listen on the interface (like in 2.0.x) it doesn't listen on the virtual IPs also on that interface.  This means during upgrade from 2.0.x -> 2.1 NTP breaks unexpectedly until you add the virtual IPs to the NTP config for listening.

    I know I'm totally making assumptions here, but if you are using NTP in a CARP cluster, you shouldn't set it to listen on the virtual IPs. If on the other hand you meant that you set it up so that it listens on 2 IPs on the same interface, don't set it up like that. NTP should be set up so that the client (pc/laptop/smartphone/toaster-running-linux) behind pfSense sees two (2) NTP upstream servers. One (1) of those servers should be listening on box A and one (1) should be listening on box B.
    Why it needs to be set up like that is beyond the scope of this thread. I know, I know, as always I'm recommending the exact opposite of what the entire Internet takes for granted. Someone will chime in and correct me. Don't.
    NTP should never listen on all the IPs on an interface, only the primary IP (assuming your downstream network somehow communicates with that IP, i.e. same subnet). Never on the CARP (failover) IP. Something that stays static and attached to a single box.

    That said, I have not noticed any NTP breakage. Everything is working as it did before the update.



  • @jflsakfja:

    @jwelter99:

    1. NTP server behaviour has changed.  Instead of listing just the physical interfaces like in 2.0.3, all the virtual IPs are listed.  If you just set to listen on the interface (like in 2.0.x) it doesn't listen on the virtual IPs also on that interface.  This means during upgrade from 2.0.x -> 2.1 NTP breaks unexpectedly until you add the virtual IPs to the NTP config for listening.

    I know I'm totally making assumptions here, but if you are using NTP in a CARP cluster, you shouldn't set it to listen on the virtual IPs. If on the other hand you meant that you set it up so that it listens on 2 IPs on the same interface, don't set it up like that. NTP should be set up so that the client (pc/laptop/smartphone/toaster-running-linux) behind pfSense sees two (2) NTP upstream servers. One (1) of those servers should be listening on box A and one (1) should be listening on box B.
    Why it needs to be set up like that is beyond the scope of this thread. I know, I know, as always I'm recommending the exact opposite of what the entire Internet takes for granted. Someone will chime in and correct me. Don't.
    NTP should never listen on all the IPs on an interface, only the primary IP (assuming your downstream network somehow communicates with that IP, i.e. same subnet). Never on the CARP (failover) IP. Something that stays static and attached to a single box.

    That said, I have not noticed any NTP breakage. Everything is working as it did before the update.

    Yes, it likely makes sense to specify the two servers and not the CARP VIP but that is how this was set up.  For both NTP and DNS.  On the 2.0.3 -> 2.1 upgrade NTP broke but DNS was fine.

    It seems that in 2.0.3 any interface you enabled NTP on would enable any IP that FW had on that interface - so the CARP VIPs would just work.

