Netgate Discussion Forum

    Errors Loading Rules

    Routing and Multi WAN
    • ?
      Guest
      last edited by

      Hi All,

      I have installed the new Beta3 ISO and done a manual configuration setup for Load Balancing but after a few hours of use PF stops passing traffic and displays the message that it has errors loading rules. Both WAN and OPT1 were active and DSL was at the Routers when the errors were received.

      Date 18Apr06 Errors:
      php: : There were error(s) loading the rules: /tmp/rules.debug:101: syntax error /tmp/rules.debug:102: syntax error /tmp/rules.debug:103: syntax error /tmp/rules.debug:104: syntax error /tmp/rules.debug:105: syntax error /tmp/rules.debug:106: syntax error pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [101]: pass in quick on $wan route-to { } round-robin route-to ( Balancer ) from { 192.168.1.0/24 } to { 182.165.30.2/24 } keep state label "USER_RULE: LAN >

      Date 19Apr06 Errors:
      There were error(s) loading the rules: /tmp/rules.debug:101: syntax error/tmp/rules.debug:102: syntax error /tmp/rules.debug:103: syntax error /tmp/rules.debug:104: syntax error /tmp/rules.debug:105: syntax error /tmp/rules.debug:106: syntax error /tmp/rules.debug:107: syntax error /tmp/rules.debug:108: syntax error /tmp/rules.debug:109: syntax error pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [101]: pass in quick on $wan route-to { } round-robin route-to ( Balancer ) from { 192.168.1.0/24 } to { 182.165.30.2/24 } keep state label "USER_RULE: LAN > WAN " …

      Routes are below:

      $ pfctl -sr | grep route
      pass in quick on re3 route-to { (re1 186.165.20.2), (re3 182.165.30.2) } round-robin inet from 192.168.1.0/24 to 182.165.30.0/24 keep state label "USER_RULE: LAN > WAN "
      pass in quick on ng0 route-to { (re1 186.165.20.2), (re3 182.165.30.2) } round-robin inet from 192.168.1.0/24 to 182.165.30.0/24 keep state label "USER_RULE: LAN > WAN "
      pass in quick on re3 route-to { (re1 186.165.20.2), (re3 182.165.30.2) } round-robin inet from ! 192.168.1.0/24 to ! 182.165.30.0/24 keep state label "USER_RULE: WAN > LAN"
      pass in quick on ng0 route-to { (re1 186.165.20.2), (re3 182.165.30.2) } round-robin inet from ! 192.168.1.0/24 to ! 182.165.30.0/24 keep state label "USER_RULE: WAN > LAN"
      pass in quick on re1 route-to { (re1 186.165.20.2), (re3 182.165.30.2) } round-robin inet from 192.168.1.0/24 to 186.165.20.0/24 keep state label "USER_RULE: LAN > WAN2"
      pass in quick on re1 route-to { (re1 186.165.20.2), (re3 182.165.30.2) } round-robin inet from ! 192.168.1.0/24 to ! 186.165.20.0/24 keep state label "USER_RULE: WAN2 > LAN"
      pass in quick on re0 route-to { (re1 186.165.20.2), (re3 182.165.30.2) } round-robin inet from 192.168.1.0/24 to any keep state label "USER_RULE: Default LAN -> any"
      pass in quick on re0 route-to { (re1 186.165.20.2), (re3 182.165.30.2) } round-robin inet from 192.168.1.0/24 to 186.165.20.0/24 keep state label "USER_RULE: LAN > WAN2"
      pass in quick on re0 route-to { (re1 186.165.20.2), (re3 182.165.30.2) } round-robin inet from ! 192.168.1.0/24 to ! 186.165.20.0/24 keep state label "USER_RULE: WAN2 > LAN"
      pass in quick on re0 route-to { (re1 186.165.20.2), (re3 182.165.30.2) } round-robin inet from 192.168.1.0/24 to 182.165.30.0/24 keep state label "USER_RULE: LAN > WAN "
      pass in quick on re0 route-to { (re1 186.165.20.2), (re3 182.165.30.2) } round-robin inet from ! 192.168.1.0/24 to ! 182.165.30.0/24 keep state label "USER_RULE: WAN > LAN"

      I am using 2 different IPs for Monitors.
      I don't have a virtual server pool added for Load Balance, is this my problem?

      I used the same rules on Beta2 and it was up for about 21 days without errors.

      Also I don't seem to have fail over working correctly. When I turn off WAN router then OPT1 won't pass web page traffic, but I can Ping the monitor IP but nowhere else. If I tracert the same monitor IP then it tries to go through the Down WAN and I get an unreachable destination reply.

      When both WAN and OPT1 are active then internet access works fine until I get the Errors Loading Rules message and a PF reboot is necessary. Going to the Filters Reload Status page and it displays the errors message and fails to reload although it keeps trying.

      Thanks for your assistance in advance,

      Kindest Regards,

      Craig Roy
      Horizon IT Consultants.

      • S
        sullrich
        last edited by

        What is "Balancer" appearing in one of the rules?  Alias?

        • ?
          Guest
          last edited by

          Hi Scott,

          Balancer is the Pool. It was the only way I was able to get Load Balancing to work in previous Betas so I just continued using what I had working.
          If it is not correct, what is the right way?

          • S
            sullrich
            last edited by

            Please take a screen shot of each of the load balancing screens so we can get a good idea of what is going on here.

            Also include if you can the LAN and WAN relationships.

            • ?
              Guest
              last edited by

              Hi Scott,

              Please forgive my ASCII as it is not as clean as others.

              WAN 182.165.30.30 ====== [Router Static IP] ======={ Internet Monitor IP 202.173.144.33}
                                                              ||
              LAN 192.168.1.1 ========[ PFSense ] Load Balance
                                                              ||
                                                            OPT1 186.165.20.20 ====== [Router Static IP] ======={Internet Monitor IP 202.173.144.81}

              Monitor IPs are on different routes according to tracert

              I hope that this is of help.

              Kindest Regards.

              Load-Balance1.jpg
              Load-BalanceVirtualServ.jpg

              • ?
                Guest
                last edited by

                Sorry that the Pics are so big, I did not realize that it would be on the actual page but into a bin. I would have made them smaller.

                • S
                  sullrich
                  last edited by

                  Are both of the monitor ips up?

                  • ?
                    Guest
                    last edited by

                    Yes, both are up. They are in the backbone of the ISP and they are third hop before it actually gets to the ISP home page. If these are down then the ISP is down.

                    • ?
                      Guest
                      last edited by

                      Hi All,

                      I may have found the problem to my errors, below is what I have done and now Load Balance is working and Fail over is currently working as well.

                      Beta 3 + the pfSense-BETA3-update-for-random_id-and-blank_rule-issues-on-embedded-and-full.tgz applied.

                      I went into the rules section and changed the WAN rule of the gateway from Balancer to the WAN IP Address, and in OPT1 (Alias of WAN2) changed the gateway to the OPT1 IP address. The previous Gateways set to Balancer may have had a problem of causing an endless loop, as well as NO Fail Over.

                      Error on boot up after applying the update also now back stating that Load Balance Monitor IP is Bad IP address. But I can live with this for the time being. Unless it causes more problems.

                      Will keep all informed if errors continue.

                      Thanks Scott for your help.
                      Kindest Regards.

                      Craig Roy
                      Horizon IT Consultants.

                      • ?
                        Guest
                        last edited by

                        Hi All,

                        Sorry for anyone trying to follow my last post.

                        Made a mistake in mentioning the Gateway for WAN and OPT1 in the Firewall Rules, changed them to the specified Gateways in the WAN and OPT1 Setup.

                        EG:
                        WAN IP    180.19.1.2
                        WAN GW  180.19.1.10

                        OPT1        181.20.2.2
                        OPT1 GW  181.20.2.20

                        EG:
                        RULES
                        WAN GW is 180.19.1.10
                        OPT1 GW is 181.20.2.20

                        Hope that this straightens up a few of my mistakes.

                        • I
                          iimre
                          last edited by

                          Thank you CraigRoy for your detailed description.
                          I was fighting with the same problem and finally your case study helped me to solve it.
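
Added example, not part of any post above and not pfSense code: a shell lint for the rule shape quoted in the first post's error message, which has an empty "route-to { }" list, a second route-to clause, and the pool name Balancer where the loaded rules show interface and gateway pairs. The function name check_route_to, its interface-list argument and the sample rules are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not pfSense code): lint a pf ruleset read from stdin for
# the malformed route-to shapes in the failing rule quoted in this thread.
# Usage: check_route_to "re0 re1 re3 ng0" < /tmp/rules.debug
# $1 = real interface names (assumption: supplied by the operator).
# Prints "LINE: problem" per finding; returns 1 if anything was flagged.
check_route_to() {
    awk -v ifaces="$1" '
    function flag(msg) { print NR ": " msg; bad = 1 }
    BEGIN { bad = 0; n = split(ifaces, a, " "); for (i = 1; i <= n; i++) known[a[i]] = 1 }
    /^[ \t]*#/ { next }  # skip comment lines
    {
        line = $0; count = 0
        while ((p = index(line, "route-to")) > 0) {
            count++
            line = substr(line, p + 8); sub(/^[ \t]+/, "", line)
            c = substr(line, 1, 1)
            if (c != "{" && c != "(") continue
            end = index(line, (c == "{") ? "}" : ")")
            if (end == 0) { flag("unterminated route-to list"); break }
            clause = substr(line, 1, end); line = substr(line, end + 1)
            if (clause ~ /^\{[ \t]*\}$/) { flag("empty route-to pool"); continue }
            # Each routehost is "(interface gateway)"; check the interface,
            # skipping $macros, which pfctl expands when it reads the file.
            while (match(clause, /\([ \t]*[^ \t)]+/)) {
                name = substr(clause, RSTART, RLENGTH); sub(/^\([ \t]*/, "", name)
                if (n > 0 && name !~ /^\$/ && !(name in known))
                    flag("route-to names unknown interface \"" name "\"")
                clause = substr(clause, RSTART + RLENGTH)
            }
        }
        if (count > 1) flag(count " route-to clauses in one rule")
    }
    END { exit bad }
    '
}

# Constructed sample: one rule as printed by pfctl -sr in the thread, then
# the rule that the error message quotes for line 101.
sample_rules() {
    cat <<'EOF'
# constructed sample ruleset
pass in quick on re0 route-to { (re1 186.165.20.2), (re3 182.165.30.2) } round-robin inet from 192.168.1.0/24 to any keep state label "USER_RULE: Default LAN -> any"
pass in quick on $wan route-to { } round-robin route-to ( Balancer ) from { 192.168.1.0/24 } to { 182.165.30.2/24 } keep state label "USER_RULE: LAN > WAN "
EOF
}

sample_rules | check_route_to "re0 re1 re3 ng0" || echo "findings above: verify with pfctl -nf before reloading"
```

On the firewall itself, pfctl -nf /tmp/rules.debug parses the file without loading it and remains the authoritative check; the lint only points at the route-to clause responsible.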
