Can you force a rule to apply before floating rules and hold it's position?
-
@cdsJerry said in Can you force a rule to apply before floating rules and hold it's position?:
- Reset to factory defaults
This option doesn't work? I don't know the order of boot, maybe it is crashing trying to read the config file before it reads in the ECL file. In that case you could reinstall and restore as I noted above.
-
@SteveITS NONE of the options work. While it does eventually come up with the menu nothing on the menu works. If I enter a number it sits for a little bit and then comes up with that same Fatal error message again. That's why I was hoping your method of reloading a config from USB would work so I could get back to some sort of control. I can't access the machine at all on the GUI.. it just says unable to load page. My only access is via the terminal cable but once it loads I have no control.
I seem to be able to enter things early in the boot process which aborts the boot but I don't know what I'm doing enough to do anything useful once I get it to abort the loading process.
-
@cdsJerry You could try a different/smaller USB stick for the ECL?
If it was me I'd just reinstall. It's easier than it sounds, once the image is written to USB stick.
Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
Upvote ๐ helpful posts! -
@SteveITS it doesn't seem to recognize the USB drive to restore the config so how would it see it to reinstall everything? If it sees it, then it should do the config and solve the problem right? And if it doesn't see it, then having an installation file on it won't work either.
I seem to recall that because it's an appliance I have to get a special installation file or code if I do a reset? And being EOL the wouldn't be a new code so I'd be SOL.
I'll use a smaller USB drive and try to get the config to work again. Back soon.
-
@SteveITS The smaller drive didn't seem to make any difference. Same errors. Still no response to menu.
-
@cdsJerry You'd get 23.09.1 which is valid for the 3100. Technically so is 24.03 minus a few packages (per the pending release notes) but you could ask for 23.09.1. Yes you need to ask, see my link above to the manual page.
You could try renaming/deleting the config file on disk, not sure what pfSense will do if it's missing.
-
@SteveITS if it won't read the config file from the USB drive how likely would it be that it would read the package file to reload everything?
It appears that it's seeing the USB drive but the ECL doesn't seem to be working. -
@cdsJerry I guess it depends on whether pfSense doesn't recognize the drive, or whether it doesn't get far enough to read in the new file because it crashes too early.
If it doesn't see the USB stick then it shouldn't hurt to try...if it can't it would just bypass it and boot normally.
-
@SteveITS I have to buy a subscription to get the install file for the 3100 however right? I hate to toss money at a system that doesn't appear to be working and is EOL. While I'd love to be able to save a few dollars (our company can sure use it) maybe I need to give up. Nothing so far has made any progress on this thing. My attempt to keep two rules above the pfb has resulted in an appliance that won't do anything. The attempt to make those rules into an alias screwed me.
-
@cdsJerry No, install files are free tickets.
Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
Upvote ๐ helpful posts! -
@SteveITS The reinstall seems to have worked!! It even loaded the config backup file. It's loading packages in the background as I type this. Once completed I'll attempt to set the pfb as an alias and reset the rules again. Hopefully this time it doesn't start increasing all the rules exponentially again. If it does, I'm at least confident that I can get back to this point again now.
-
@SteveITS I'm back to where I was with the pfblocker changing the rule order again. I went into Firewall / pfBlockerNG / IP / IPv4 and created the Alias as Alias native. However I the alias doesn't show up anywhere else. It's not listed under Firewall / Aliases / IP nor does it show up as an Alias if I try to create a rule on firewall.
All the various pfb_rules are gone from the firewall as expected, but I can't add the alias rule because it doesn't seem to exist anywhere. So it says it exists... but where?
-
@cdsJerry It doesn't show on Firewall Aliases. It should show in Diagnostics/Tables, or in autocomplete like this:
Ensure you've run a Force Update in pfBlocker to create it.
-
@SteveITS Nothing.
-
@cdsJerry if it's not there and not in Diagnostics/Tables, did it successfully generate via the force update? What does the pfB log say?
-
@SteveITS It looks like it's missing a file for some reason. Given that it's a clean install how can it be missing files already? Didn't that package just reinstall after the rebuild this morning?
CRON PROCESS START [ v3.2.0_7 ] [ 04/2/24 13:00:01 ] UPDATE PROCESS START [ v3.2.0_7 ] ===[ DNSBL Process ]================================================ *** [ Unbound.conf file missing. Exiting! ] *** ===[ GeoIP Process ]============================================ [ pfB_Top_v4 ] exists. [ 04/2/24 13:00:11 ] [ pfB_Africa_v4 ] exists. [ pfB_Europe_v4 ] exists. [ 04/2/24 13:00:12 ] [ pfB_NAmerica_v4 ] exists. [ pfB_Oceania_v4 ] exists. [ pfB_SAmerica_v4 ] exists. ===[ IPv4 Process ]================================================= ===[ Aliastables / Rules ]========================================== No changes to Firewall rules, skipping Filter Reload No Changes to Aliases, Skipping pfctl Update UPDATE PROCESS ENDED [ 04/2/24 13:00:13 ] CRON PROCESS START [ v3.2.0_7 ] [ 04/2/24 14:00:00 ] UPDATE PROCESS START [ v3.2.0_7 ] ===[ DNSBL Process ]================================================ *** [ Unbound.conf file missing. Exiting! ] *** ===[ GeoIP Process ]============================================ [ pfB_Top_v4 ] exists. [ 04/2/24 14:00:09 ] [ pfB_Africa_v4 ] exists. [ 04/2/24 14:00:10 ] [ pfB_Europe_v4 ] exists. [ 04/2/24 14:00:11 ] [ pfB_NAmerica_v4 ] exists. [ pfB_Oceania_v4 ] exists. [ pfB_SAmerica_v4 ] exists. ===[ IPv4 Process ]================================================= ===[ Aliastables / Rules ]========================================== No changes to Firewall rules, skipping Filter Reload No Changes to Aliases, Skipping pfctl Update UPDATE PROCESS ENDED **Saving configuration [ 04/2/24 14:51:20 ]** *** [ Unbound.conf file missing. Exiting! ] *** ** Stopping firewall filter daemon ** **Saving configuration [ 04/2/24 14:59:59 ]** *** [ Unbound.conf file missing. Exiting! ] *** ** Restarting firewall filter daemon ** **Saving configuration [ 04/2/24 15:01:35 ]** *** [ Unbound.conf file missing. Exiting! ] *** ** Stopping firewall filter daemon ** **Saving configuration [ 04/2/24 15:19:20 ]** *** [ Unbound.conf file missing. Exiting! ] *** **Saving configuration [ 04/2/24 15:19:43 ]** *** [ Unbound.conf file missing. Exiting! ] *** ** Restarting firewall filter daemon ** **Saving configuration [ 04/2/24 15:34:50 ]** *** [ Unbound.conf file missing. Exiting! ] *** ** Stopping firewall filter daemon **``` -
@cdsJerry said in Can you force a rule to apply before floating rules and hold it's position?:
Unbound.conf file missing
Man, you are having a tough week! Google has only ONE result for that...the source code.
https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.incif (file_exists("{$pfb['dnsbldir']}/unbound.conf")) { ... } else { pfb_logger("\n\n*** [ Unbound.conf file missing. Exiting! ] ***\n\n", 1); }Disable DNSBL? Enable DNSBL?
-
@SteveITS You don't know the half of it. I lost a key employee this week. I lost my wedding band last night while killing a groundhog that was under my porch. My notebook computer died over the weekend. And my mother -in-law is moving up from Florida because my wife and I are going to need to take care of her now.
And then there's this firewall..... Which as you know was a clean install this morning and here I am beating my head on it again.
Yes... this week has sucked pretty bad so far.\
Is this what's preventing the alias from being created?
There were error(s) loading the rules: /tmp/rules.debug:53: cannot define table pfB_Europe_v4: Cannot allocate memory - The line in question reads [53]: table <pfB_Europe_v4> persist file "/var/db/aliastables/pfB_Europe_v4.txt"
@ 2024-04-02 15:20:20
-
Yikes, I hope it gets better.
@cdsJerry said in Can you force a rule to apply before floating rules and hold it's position?:
Cannot allocate memory
So either pfSense is out of memory or PHP is out of memory. Probably the latter since I think the limit is 128 MB on ARM? Usually that's not an issue until loading in files over that size because PHP has to allocate the memory to read in the file.
System/Advanced/Miscellaneous has a PHP Settings section with a memory limit.
Also check System/Advanced/Firewall & NAT that Firewall Maximum Table Entries is minimum 2 million when using pfBlocker, and raise as necessary.
Depending on what you're doing with pfB_Europe_v4, it is usually way more efficient to "allow my country" than "block the world" because the latter uses lots more RAM/table entry space.
-
@SteveITS It's a better day already. I went out in the rain yesterday with my metal detector and was able to find my wedding ring in the hay field. I'd have never found it without the metal detector. My luck is improving. I'm going to go with that!
On the PHP settings it looks like everything is at defaults. IF I'm looking at this right, PHP memory is set to the default of 128? Could I set that to something higher?
On the system/advanced/firewall & NAT.. 2 million??? Mine is set to the default of 400,000. That's a huge difference. Would you confirm I should change it to 2 million?
I've always heard it's a bad practice to try to block the world. So many things come from outside countries for support, purchases, etc. it would be hard to know who to allow in. But maybe allowing 12 countries in would be better.. if we can figure out where our customers are actually working from? So much is outsourced it might be impossible to tell.
