Cannot define table bogons
-
Hi,
I fear that this is a well trodden path…
I have pfSense 2.4.0-RELEASE (amd64) (FreeBSD 11.1) running as a virtualised guest on a Debian 9.1 KVM server.
I installed with the KVM defaults using virtio for two NICs and the "disk". I initially attached the WAN to an unused NIC, as there seemed to be no way to attach straight to the 3G USB modem that is my gateway to the Internet. I then configured the modem, and switched the WAN interface to ppp0:
```
WAN (wan)  -> ppp0  -> v4: 118.209.7.206/32
LAN (lan)  -> em0   -> v4: 192.168.1.37/24
```
From the pfSense firewall, the WAN and LAN work. I can lookup DNS addresses on the Internet from the LAN, using the DNS server on the firewall. But I can't get connections to pass through the firewall.
The troubleshooting guide suggests that outbound NAT is not working. Specifically, from inside the LAN, I can ping the LAN address and the WAN address, but not the default gateway on the WAN.
In addition the System Logs show:
```
Oct 29 11:48:43 php-fpm 25456 /rc.filter_configure_sync: New alert found: There were error(s) loading the rules: /tmp/rules.debug:17: cannot define table bogons: Invalid argument - The line in question reads [17]: table <bogons> persist file "/etc/bogons"
```
Because of a lot of chatter on the Internet (mostly on the pfSense and Proxmox groups), I installed a second instance of pfSense using IDE disk and Intel NIC virtual drivers. No change.
The Firewall -> WAN rules look like this:

| States | Protocol | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description | Actions |
|---|---|---|---|---|---|---|---|---|---|---|
| 0 /0 B | * | RFC 1918 networks | * | * | * | * | * | | Block private networks | |
| 0 /0 B | * | Reserved / Not assigned by IANA | * | * | * | * | * | | Block bogon networks | |
The Firewall -> LAN rules look like this:
| States | Protocol | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
|---|---|---|---|---|---|---|---|---|---|
| 0 /0 B | * | * | * | LAN Address | 443 80 22 | * | * | | Anti-Lockout Rule |
| 0 /0 B | IPv4 * | LAN net | * | * | * | * | none | | Default allow LAN to any rule |
| 0 /0 B | IPv6 * | LAN net | * | * | * | * | none | | Default allow LAN IPv6 to any rule |
The Outbound NAT rules are in "automatic mode" and look like this:
| Interface | Source | Source Port | Destination | Destination Port | NAT Address | NAT Port | Static Port | Description |
|---|---|---|---|---|---|---|---|---|
| WAN | 127.0.0.0/8, 192.168.1.0/24 | * | * | 500 | WAN address | * | [tick] | Auto created rule for ISAKMP |
| WAN | 127.0.0.0/8, 192.168.1.0/24 | * | * | * | WAN address | * | [X-over] | Auto created rule |
I don't have a working system to compare, but the lack of filter rules below looks ominous to me:
```
[2.4.0-RELEASE][root@pfsense.my.domain]/root: pfctl -s all
FILTER RULES:
No queue in use

INFO:
Status: Enabled for 0 days 00:30:47           Debug: Urgent

State Table                          Total             Rate
  current entries                        0
  searches                            9427            5.1/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                               9431            5.1/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s

TIMEOUTS:
  tcp.first                   120s
  tcp.opening                  30s
  tcp.established           86400s
  tcp.closing                 900s
  tcp.finwait                  45s
  tcp.closed                   90s
  tcp.tsdiff                   30s
  udp.first                    60s
  udp.single                   30s
  udp.multiple                 60s
  icmp.first                   20s
  icmp.error                   10s
  other.first                  60s
  other.single                 30s
  other.multiple               60s
  frag                         30s
  interval                     10s
  adaptive.start            58200 states
  adaptive.end             116400 states
  src.track                     0s

LIMITS:
  states        hard limit    97000
  src-nodes     hard limit    97000
  frags         hard limit     5000
  table-entries hard limit   200000

OS FINGERPRINTS:
758 fingerprints loaded
```
All ideas gratefully received…
Phil
-
Hi,
Your "pfctl -s all" shows clearly that the firewall has none of the built-in default rules, nor your own rules.
The lack of the default rules is not a good sign. Consider a complete reinstall - even ditch your config, make a fresh start. From what I understood, don't stay with 2.4.0, go to 2.4.1 right away.
-
Does the file exist? /etc/bogons, and does it have valid content? (subnets like 0.0.0.0/8 and 240.0.0.0/4 on separate lines)
Can you run this on console/ssh?:
```
pfctl -f /tmp/rules.debug
```
-
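The two checks asked for in the reply above, scripted as an added example (not code from the thread or from pfSense): a POSIX shell script that validates a pfSense-style /etc/bogons file line by line and then asks pfctl to parse the generated ruleset without loading it. The sample file contents are constructed, the file and variable names are my own, and the pfctl step only does anything on the firewall itself (`pfctl -n` is parse-only and is real pfctl syntax; it is not available on the KVM host).

```shell
#!/bin/sh
# Added example, not from the thread. Checks the two things asked about above:
#  1. does /etc/bogons exist and hold one IPv4 network per line (comments allowed)?
#  2. does pf accept /tmp/rules.debug at all (parse-only, nothing is loaded)?

# Constructed sample standing in for /etc/bogons; a real file has many more entries.
SAMPLE_BOGONS="$(mktemp)"
cat > "$SAMPLE_BOGONS" <<'EOF'
# constructed sample bogons list
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
240.0.0.0/4
EOF

# Constructed broken file: a stray word and an impossible prefix, the kind of
# content that stops "table <bogons> persist file ..." from being defined.
BROKEN_BOGONS="$(mktemp)"
cat > "$BROKEN_BOGONS" <<'EOF'
0.0.0.0/8
not-a-network
192.168.0.0/33
EOF

# valid_bogons_file FILE: exit 0 if every non-blank, non-comment line is a.b.c.d/n
# with octets 0-255 and prefix 0-32; each offending line is reported on stderr.
valid_bogons_file() {
  f="$1"
  if [ ! -s "$f" ]; then
    echo "missing or empty: $f" >&2
    return 1
  fi
  awk '
    /^[ \t]*#/ { next }                       # comment line
    NF == 0    { next }                       # blank line
    {
      if ($0 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) {
        print "line " NR ": not an IPv4 CIDR: " $0 > "/dev/stderr"; bad = 1; next
      }
      split($0, p, "/"); split(p[1], o, ".")
      for (i = 1; i <= 4; i++)
        if (o[i] + 0 > 255) { print "line " NR ": octet out of range: " $0 > "/dev/stderr"; bad = 1 }
      if (p[2] + 0 > 32)    { print "line " NR ": prefix out of range: " $0 > "/dev/stderr"; bad = 1 }
    }
    END { exit bad ? 1 : 0 }
  ' "$f"
}

# parse_ruleset [FILE]: dry-run parse of the generated ruleset (default /tmp/rules.debug).
# pfctl -n parses without loading, so a table that cannot be defined fails here the
# same way it does in the rc.filter_configure_sync log line. Only meaningful on the
# pfSense guest; returns 2 when pfctl is not installed.
parse_ruleset() {
  if ! command -v pfctl >/dev/null 2>&1; then
    echo "pfctl not found; run this on the pfSense box, not the KVM host" >&2
    return 2
  fi
  pfctl -nf "${1:-/tmp/rules.debug}"
}

# Usage on the firewall: sh bogons-check.sh --run
if [ "${1:-}" = "--run" ]; then
  valid_bogons_file /etc/bogons && echo "/etc/bogons: OK"
  parse_ruleset /tmp/rules.debug && echo "/tmp/rules.debug: parses cleanly"
fi
```

If the file check passes but the parse still fails on the `table <bogons>` line, the problem is not the file contents, which is the situation this thread ended up in.
-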
Hi,
Thank you for the responses.
I have tried tearing down the whole thing and starting again. No change.
I will answer the other questions when I return to my office later this week (can't play with the firewall until then).
I will also try 2.4.1.
Phil
-
Hi,
I gave up on pfSense and decided to try OPNsense.
It had exactly the same problem.
That sent me back to basics, and I found that I had not enabled virtualisation (Intel VTX) in the BIOS of the KVM server.
I knew it was required, and had thought it was enabled, but it was not.
With virtualisation enabled in the BIOS "pfctl -s all" shows a healthy set of filter rules, and the bogons error message in the log is gone.
Problem solved.
What led me somewhat astray was the fact that I had another FreeBSD 11.1 virtual machine running just fine on the same KVM server.
Hope this helps for those who follow via Google…
Cheers,
Phil
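The host-side check that would have caught the cause described in the last post, as an added example (not code from the thread): a POSIX shell script for the Debian KVM host that looks for the vmx (Intel VT-x) or svm (AMD-V) CPU flag and for /dev/kvm. The /proc/cpuinfo excerpts are constructed, and the function names are my own; `virt-host-validate` from the libvirt-clients package performs a comparable check.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the condition the final post identifies
# as the real cause: hardware virtualisation (Intel VT-x / AMD-V) not available to
# KVM on the Debian host. Run it on the hypervisor, not inside the guest.

# Constructed /proc/cpuinfo excerpts for the offline demonstration.
CPUINFO_INTEL='processor : 0
vendor_id : GenuineIntel
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush vmx ssse3 sse4_1 sse4_2'
CPUINFO_AMD='processor : 0
vendor_id : AuthenticAMD
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush svm sse4a'
CPUINFO_NOVIRT='processor : 0
vendor_id : GenuineIntel
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush ssse3'

# virt_flag_in TEXT: print "vmx" or "svm" if the cpuinfo text advertises it;
# print nothing and return 1 otherwise.
virt_flag_in() {
  flags="$(printf '%s\n' "$1" | awk -F': *' '/^flags/ { print $2; exit }')"
  for f in $flags; do
    case "$f" in
      vmx|svm) echo "$f"; return 0 ;;
    esac
  done
  return 1
}

# kvm_host_ready: 0 only if a vmx/svm flag is present AND /dev/kvm exists.
# The CPUID flag alone is not proof: firmware can have VT-x switched off while the
# flag still shows, in which case the kvm_intel module refuses to load, logs
# "kvm: disabled by bios", and /dev/kvm never appears.
kvm_host_ready() {
  flag="$(virt_flag_in "$(cat /proc/cpuinfo 2>/dev/null)")" || {
    echo "no vmx/svm flag in /proc/cpuinfo: CPU does not offer hardware virtualisation" >&2
    return 1
  }
  if [ ! -c /dev/kvm ]; then
    echo "$flag flag present but /dev/kvm missing: enable VT-x/AMD-V in the BIOS," \
         "then check 'dmesg | grep -i kvm' for 'disabled by bios'" >&2
    return 1
  fi
  echo "hardware virtualisation usable: $flag, /dev/kvm present"
}

# Usage on the host: sh vtx-check.sh --run
if [ "${1:-}" = "--run" ]; then
  kvm_host_ready
fi
```

A guest that boots and runs without /dev/kvm on the host is not evidence that KVM is in use, which is why the other FreeBSD VM mentioned above gave a false sense of security; the two-part check above is what distinguishes "CPU advertises the feature" from "the hypervisor can actually use it".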