Netgate Discussion Forum

    Keep getting scrolling error messages

    General pfSense Questions
    7 Posts 3 Posters 4.6k Views
    • Sharaz

      I get this each time I reboot my pfs:

      Jan 2 03:16:38 php: : There were error(s) loading the rules: /tmp/rules.debug:136: syntax error /tmp/rules.debug:138: syntax error /tmp/rules.debug:139: syntax error /tmp/rules.debug:140: syntax error /tmp/rules.debug:141: syntax error /tmp/rules.debug:144: syntax error /tmp/rules.debug:146: syntax error /tmp/rules.debug:147: syntax error /tmp/rules.debug:148: syntax error /tmp/rules.debug:149: syntax error pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [136]: pass out quick on

      I have no idea where to begin on that one.  Can someone recommend what to check?

      Jonathan

      • sullrich

        Open /tmp/rules.debug

        Then type :LINENUMBER <enter>

        Show me each of the lines that it's complaining about.

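The lookup described in the post above can be scripted. This is an added example, not part of the original thread or of pfSense: a POSIX sh helper that reads the logged error message on stdin, extracts every line number reported for the ruleset file, and prints those lines. The function names and the demo data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list the ruleset lines that a
# "There were error(s) loading the rules" log message points at.

# extract_line_numbers FILE
#   stdin: the log message. stdout: each N from "FILE:N: syntax error",
#   once, in the order reported. FILE is matched literally.
extract_line_numbers() {
    awk -v f="$1" '{
        for (i = 1; i <= NF; i++) {
            if (index($i, f ":") != 1) continue
            n = substr($i, length(f) + 2)
            sub(/:$/, "", n)
            if (n ~ /^[0-9]+$/ && !(n in seen)) { seen[n] = 1; print n }
        }
    }'
}

# show_flagged_rules FILE
#   stdin: the log message. stdout: "N: <text of line N of FILE>" for each
#   flagged line. Returns 1 when the message names no line of FILE.
show_flagged_rules() {
    nums=$(extract_line_numbers "$1" | tr '\n' ' ')
    [ -n "$nums" ] || return 1
    awk -v want="$nums" '
        BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) w[a[i]] = 1 }
        (FNR in w) { printf "%d: %s\n", FNR, $0 }
    ' "$1"
}

# demo: constructed ruleset and constructed log message, so this runs
# without a firewall. Run as: sh thisfile.sh demo
demo() {
    rules=$(mktemp /tmp/rules-demo.XXXXXX)
    printf '%s\n' 'set skip on lo0' 'pass out quick on' \
        'block in log all' 'pass in quick on fxp1 proto' > "$rules"
    printf 'php: : There were error(s) loading the rules: %s:2: syntax error %s:4: syntax error pfctl: Syntax error in config file: pf rules not loaded\n' \
        "$rules" "$rules" | show_flagged_rules "$rules"
    rm -f "$rules"
}
if [ "${1:-}" = demo ]; then demo; fi
```

On the firewall itself, pipe the logged message into `show_flagged_rules /tmp/rules.debug` soon after the error appears, since the line numbers only match the file that produced them.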
          • Sharaz

          136 - pass in quick on fxp1 proto udp from 208.11.134.124 to 67.166.171.83 port = 500 keep state label "IPSEC: chiron-cerberus - inbound isakmp"
          138 - pass in quick on fxp1 proto esp from 208.11.134.124 to 67.166.171.83 keep state label "IPSEC: chiron-cerberus - inbound esp proto"
          139 - pass out quick on fxp1 proto ah from 67.166.171.83 to 208.11.134.124 keep state label "IPSEC: chiron-cerberus - outbound ah proto"
          140 - pass in quick on fxp1 proto ah from 208.11.134.124 to 67.166.171.83 keep state label "IPSEC: chiron-cerberus - inbound ah proto"
          141 - pass out quick on fxp0 from 192.168.125.0/26 to 192.168.125.0/26 keep state label "IPSEC: chiron-cerberus - remote to local"
          144 - pass in quick on fxp1 proto udp from 67.166.251.112 to 67.166.171.83 port = 500 keep state label "IPSEC: shane-jonathan - inbound isakmp"
          146 - pass in quick on fxp1 proto esp from 67.166.251.112 to 67.166.171.83 keep state label "IPSEC: shane-jonathan - inbound esp proto"
          147 - pass out quick on fxp1 proto ah from 67.166.171.83 to 67.166.251.112 keep state label "IPSEC: shane-jonathan - outbound ah proto"
          148 - pass in quick on fxp1 proto ah from 67.166.251.112 to 67.166.171.83 keep state label "IPSEC: shane-jonathan - inbound ah proto"
          149 - pass out quick on fxp0 from 192.168.0.0/24 to 192.168.125.0/26 keep state label "IPSEC: shane-jonathan - remote to local"

          Actually, the only thing that just jumps out at me as incorrect is line 141.  It says 192.168.125.0/26 to 192.168.125.0/26 as the ipsec vpn… which we know would be impossible.  However, the vpn is working.  I think this would be a bug somewhere that mis-calculated the LAN subnet (possibly related to how it miscalculated it concerning the advanced outbound nat).

          Jonathan

            • sullrich

            Those rules are bogus.  I removed them and I'm still up as well.

              • Sharaz

              So do you recommend I remove all those lines then?

              Jonathan

                • hoba

                You don't have to remove all those lines. Go to WAN settings in the webgui and uncheck block bogus networks at the bottom of the page. Please report back if that solves the situation.

                  • Sharaz

                  Block bogon is already unchecked, block private is checked.

                  Can you clarify which you meant please?

                  Jonathan
