Netgate Discussion Forum

Problem with snapshot 3/31 16:19:49

CE 2.7.0 Development Snapshots (Retired)
    grandrivers
    last edited by Mar 31, 2022, 9:43 PM

    Getting "there were error(s) loading rules: pf to: pfctl_rules - The line in question reads [0]:" @ 2022-03-31 17:39:19

    pfSense 2.4, Supermicro A1SRM-2558F
    C2558, 8 GB ECC, 60 GB SSD
    triple WAN, dual PPPoE

      JonathanLee @grandrivers
      last edited by JonathanLee Apr 1, 2022, 3:10 AM Apr 1, 2022, 3:09 AM

      @grandrivers

      Yes, I am having that issue currently also.


        JonathanLee @JonathanLee
        last edited by JonathanLee Apr 1, 2022, 5:49 AM Apr 1, 2022, 3:11 AM

        @jonathanlee

        This update killed the packet filter also. It's just a router until it's fixed for me. My uptime is 0.00000001% right now, lol. It's because I test out every update, so mine is rebooting all the time. You win some, you lose some. The stable version is probably a tank now with 99.99999 percent uptime. Mine is running just the proxy till the next try.

          jimp Rebel Alliance Developer Netgate
          last edited by Apr 1, 2022, 12:18 PM

          I'm on the same snapshot here but have no problems loading rules.

          What is in /tmp/rules.debug?

          What happens if you try a filter reload from Status > Filter Reload?

          What shows up if you go to a shell prompt and try pfctl -f /tmp/rules.debug?

          Anything in the system log?

          You might try disabling or uninstalling packages temporarily to see if it's coming from a specific package.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

            jimp Rebel Alliance Developer Netgate
            last edited by Apr 1, 2022, 1:22 PM

            I found one VM where I can reproduce this and there may be a temporary workaround.

            The problem appears to be https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262971 which is a new issue with multiple identical rules in the ruleset.

            The easiest way for that to happen on pfSense is from NAT reflection. Thus, if you disable NAT reflection and reboot, that may be sufficient to get the rules to load until we get a proper fix in today.

              jimp Rebel Alliance Developer Netgate
              last edited by Apr 1, 2022, 1:27 PM

              If disabling NAT reflection doesn't help, check for other completely identical rules in your ruleset:

              # egrep -v '^#|^[[:blank:]]*$' /tmp/rules.debug | sort | uniq -c | grep -v '^   1 '

              That should output only 100% duplicate lines. In my case they were from NAT reflection. If you have some other source, you may need to address it there (e.g. pfBlocker), though most firewall rules won't be identical since they have unique tracking IDs. So most likely this will come from an internally generated rule like NAT reflection or perhaps from a package.

                JonathanLee @jimp
                last edited by Apr 1, 2022, 2:12 PM

                @jimp Hello, you asked about how the logs looked. I still have it running in the faulted condition if you guys need something.


                  JonathanLee @jimp
                  last edited by Apr 1, 2022, 2:15 PM

                  @jimp

                  I have not changed this; however, it is already disabled.

                    JonathanLee @jimp
                    last edited by Apr 1, 2022, 2:16 PM

                    @jimp said in Problem with snapshot 3/31 16:19:49:

                    egrep -v '^#|^[[:blank:]]*$' /tmp/rules.debug | sort | uniq -c | grep -v '^ 1 '


                      jimp Rebel Alliance Developer Netgate
                      last edited by Apr 1, 2022, 2:26 PM

                      Is that no nat on [...] rule a manual outbound NAT rule you have?

                      If so, you have two of them, remove one.

                      Look in /tmp/rules.debug and find the line(s) for those rules and see what section they are in.

                      Also, once pf is in that bad state you have to reboot to recover. So fix the NAT rule(s) and then reboot.

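As an added example (not code from the thread, nor pfSense's own tooling), the POSIX shell function below extends the egrep | sort | uniq -c one-liner from a few posts up so that it also reports which comment section of /tmp/rules.debug each 100% duplicate line sits under, which is what "find the line(s) for those rules and see what section they are in" asks for. The sample ruleset is constructed from the NAT rules pasted later in the thread, with a documentation-range placeholder in place of the real WAN address.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: list 100% duplicate rule lines
# in a pf ruleset file (e.g. /tmp/rules.debug) and name the comment section each copy
# appears under. Comment lines such as "# NAT Inbound Redirects" are treated as section
# headings; blank lines and comments are ignored, as in the egrep | sort | uniq -c one-liner.

# find_dup_rules FILE
# Prints one line per duplicated rule: "<count><TAB><section(s)><TAB><rule>".
find_dup_rules() {
    awk '
        /^[ \t]*#/ {                       # comment line: remember it as the current section
            section = $0
            sub(/^[ \t]*#[ \t]*/, "", section)
            next
        }
        /^[ \t]*$/ { next }                # blank line: not a rule
        {
            count[$0]++
            if (!($0 in where))
                where[$0] = section
            else if (index(where[$0], section) == 0)
                where[$0] = where[$0] ", " section
        }
        END {
            for (rule in count)
                if (count[rule] > 1)
                    printf "%d\t%s\t%s\n", count[rule], where[rule], rule
        }
    ' "$1" | sort
}

# Constructed sample modelled on the ruleset pasted later in the thread; 203.0.113.10 is a
# documentation-range placeholder, not a real host. The "no nat" line is repeated under the
# same section, which is the NAT-reflection pattern jimp describes.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
# Outbound NAT rules (automatic)
nat on $WAN inet from $tonatsubnets to any -> 203.0.113.10/32 port 1024:65535

# NAT Inbound Redirects
rdr on mvneta1 inet proto { tcp udp } from 192.168.0.0/16 to any port $DNS -> 192.168.1.1
no nat on mvneta1 inet proto tcp from (mvneta1) to 192.168.0.0/16
rdr on mvneta1 inet proto udp from 192.168.0.0/16 to any port 123 -> 192.168.1.1
no nat on mvneta1 inet proto tcp from (mvneta1) to 192.168.0.0/16
EOF

find_dup_rules "$SAMPLE_RULES"
```

On the firewall, run find_dup_rules /tmp/rules.debug; a duplicate attributed to the port-forward section points at reflection or a manual NAT rule rather than at a package's own anchor.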
                        JonathanLee @jimp
                        last edited by Apr 1, 2022, 2:41 PM

                        @jimp I uninstalled all packages and reinstalled them all; same issue so far, the filter reload would fail. I originally had NAT disabled; I am turning on one-to-one to see if that changes anything. I don't remember it being set to all disabled before this update.

                                jimp Rebel Alliance Developer Netgate
                                last edited by Apr 1, 2022, 3:52 PM

                                Please post the text and not screenshots. It's making it unnecessarily hard to follow.

                                Looking at the code it looks like it's from NAT reflection not outbound NAT. Is that a port forward for NTP you have? Is NAT reflection enabled globally or perhaps on just that rule?

                                  JonathanLee @jimp
                                  last edited by JonathanLee Apr 1, 2022, 4:00 PM Apr 1, 2022, 3:59 PM

                                  @jimp You got it, thanks for the help.

                                  Here is your request. These were the original settings; I have tried to delete the one line, however it re-adds.

                                  Outbound NAT rules (automatic)

                                  Subnets to NAT

                                  tonatsubnets = "{ 127.0.0.0/8 ::1/128 192.168.0.0/16 }"
                                  nat on $WAN inet from $tonatsubnets to any port 500 -> 64.113.111.129/32 static-port
                                  nat on $WAN inet6 from $tonatsubnets to any port 500 -> (mvneta0) static-port
                                  nat on $WAN inet from $tonatsubnets to any -> 64.113.111.129/32 port 1024:65535
                                  nat on $WAN inet6 from $tonatsubnets to any -> (mvneta0) port 1024:65535

                                  TFTP proxy

                                  rdr-anchor "tftp-proxy/*"

                                  NAT Inbound Redirects

                                  rdr on mvneta1 inet proto { tcp udp } from 192.168.0.0/16 to any port $DNS -> 192.168.1.1
                                  no nat on mvneta1 inet proto tcp from (mvneta1) to 192.168.0.0/16
                                  nat on mvneta1 inet proto tcp from 192.168.0.0/16 to 192.168.1.1 port $DNS -> (mvneta1)

                                  rdr on mvneta1 inet6 proto { tcp udp } from any to any port $DNS -> ::1
                                  rdr on mvneta1 inet proto udp from 192.168.0.0/16 to any port 123 -> 192.168.1.1
                                  no nat on mvneta1 inet proto tcp from (mvneta1) to 192.168.0.0/16
                                  nat on mvneta1 inet proto tcp from 192.168.0.0/16 to 192.168.1.1 port 123 -> (mvneta1)

                                  rdr on mvneta1 inet6 proto udp from any to any port 123 -> ::1

                                  Setup Squid proxy redirect

                                  rdr pass on mvneta1 inet proto tcp from any to !(mvneta1) port 80 -> 127.0.0.1 port 3128
                                  rdr pass on mvneta1 inet proto tcp from any to !(mvneta1) port 443 -> 127.0.0.1 port 3129

                                    JonathanLee @jimp
                                    last edited by JonathanLee Apr 1, 2022, 4:09 PM Apr 1, 2022, 4:03 PM

                                    @jimp

                                    This is my NAT for DNS and NTP

                                    I force them to use the firewall


                                    This setting has worked for some time now; I get time from the firewall no matter what WAN IP address a device requests for NTP. I had issues with time jumping 15-20 minutes without this NAT setting for NTP, no clue why, so I added a rule that lets the firewall handle all NTP requests. After that, no issues with time jumps.

                                      jimp Rebel Alliance Developer Netgate
                                      last edited by Apr 1, 2022, 4:08 PM

                                      Do you have NAT reflection enabled globally or on those rules? If so, disable it.

                                        JonathanLee @jimp
                                        last edited by Apr 1, 2022, 4:11 PM

                                        @jimp

                                        Network Address Translation Settings for Firewall


                                        All is disabled

                                          jimp Rebel Alliance Developer Netgate
                                          last edited by Apr 1, 2022, 4:15 PM

                                          There is also a per-rule option on the individual port forwards. Is it enabled there?

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.