    Tinc on 2.3 Error & Crash

    pfSense Packages
    • Y
      yodaphone last edited by

      Hi

      I tried the latest build & installed tinc from the package manager. have the same setup running in 2.2.6 & 2.3.2 and both work fine.

      when i setup the tinc this is the error i see on the pfsense side

      There were error(s) loading the rules: /tmp/rules.debug:147: macro 'pkg' not defined - The line in question reads [147]: pass in quick on $pkg-tinc inet from any to any tracker 1485541472 keep state label "USER_RULE"
      @ 2017-01-27 18:24:35

      I have submitted a crash report too.

      • D
        doktornotor Banned last edited by

        @yodaphone:

        I tried the latest build & installed tinc from the package manager. have the same setup running in 2.2.6 & 2.3.2 and both work fine.

        Considering that the package is not available on 2.3.2 at all and tinc was very much broken on 2.2.x, I'm wondering what's working fine for you and how are you installing it. Other than that, AFAICT the above error pretty much shows that you don't have pkg-tinc interface group, which would normally get created on normal package install (and it certainly won't with manual hacks on unsupported pfSense versions.)

        https://github.com/pfsense/FreeBSD-ports/blob/devel/security/pfSense-pkg-tinc/files/usr/local/pkg/tinc.inc#L165

        • Y
          yodaphone last edited by

          @doktornotor:

          Considering that the package is not available on 2.3.2 at all and tinc was very much broken on 2.2.x, I'm wondering what's working fine for you and how are you installing it. Other than that, AFAICT the above error pretty much shows that you don't have pkg-tinc interface group, which would normally get created on normal package install (and it certainly won't with manual hacks on unsupported pfSense versions.)

          https://github.com/pfsense/FreeBSD-ports/blob/devel/security/pfSense-pkg-tinc/files/usr/local/pkg/tinc.inc#L165

          1st off. This is a fresh 2.3.3 Dev install. I think i said that in the 1st sentence. NO MANUAL HACKS. I installed it from the repository & configured it. So "you don't have pkg-tinc interface group, which would normally get created on normal package install" doesn't make any sense. Ignore my sentence about making it work in earlier versions.

          BTW i had a tinc crash message as well & i submitted that. unfortunately i also deleted it from the system as soon as i submitted it

          • D
            doktornotor Banned last edited by

            @yodaphone:

            1st off. This is a fresh 2.3.3 Dev install. I think i said that in the 1st sentence.

            Hmmm…

            I tried the latest build & installed tinc from the package manager. have the same setup running in 2.2.6 & 2.3.2 and both work fine.

            Way to confuse things, really.

            Do you actually have the interface group there? Interfaces - Assign - Interface Groups.

            • Y
              yodaphone last edited by

              @doktornotor:

              Way to confuse things, really.

              Do you actually have the interface group there? Interfaces - Assign - Interface Groups.

              Yup very much there.

              • D
                doktornotor Banned last edited by

                What floating rule have you configured there to pass the traffic?

                • Y
                  yodaphone last edited by

                  @doktornotor:

                  What floating rule have you configured there to pass the traffic?

                  i didn't add any rules. i just allowed port 655 to communicate.

                  • Y
                    yodaphone last edited by

                    @doktornotor:

                    What floating rule have you configured there to pass the traffic?

                    will rebuild the router &  try to save the crash report & post it here.

                    • D
                      doktornotor Banned last edited by

                      @yodaphone:

                      @doktornotor:

                      What floating rule have you configured there to pass the traffic?

                      i didn't add any rules.

                      You must have a very much haunted machine… Perhaps have a look at the floating rules tab and/or the tinc interface group tab and find the one missing description. This is not coming from pfSense built-in rules.

                      pass in quick on $pkg-tinc inet from any to any tracker 1485541472 keep state label "USER_RULE"

                      In case you are wondering what those red things mean:

                      • USER_RULE label is only used for user-defined rules (the ones in the GUI)
                      • the tracker is the timestamp when the rule was created (Fri, 27 Jan 2017 18:24:32 GMT)
                      • quick is either a checkbox on Floating rules tab, or implicitly added to rules created on interface groups tabs (such as IPSec/OpenVPN, or - surprisingly - tinc  :P)

                      (Also, wondering how you allowed port 655 to communicate without adding any rules.  :o)

                      • Y
                        yodaphone last edited by

                        @doktornotor:

                        allowed port 655 to communicate without adding any rules.  :o)

                        i meant no rules in "floating" tab.

                        655 port in WAN Tab

                        In tinc tab i have this

                        IPv4*  *  *  *  *  *  NONE

                        • D
                          doktornotor Banned last edited by

                          @yodaphone:

                          In tinc tab i have this

                          IPv4*  *  *  *  *  *  NONE

                          Hooray. So, when you remove that rule, the error is gone, correct?

                          • If you create another interface group, and use test for Group Name, and add the same rule there, do you get an error like macro 'test' not defined ?
                          • Remove it, create another interface group, and use prefix-test for Group Name and add the same rule there, do you get an error like macro 'prefix' not defined ?
                          • V
                            Vetal last edited by

                            Installed 2.3.3 (pfSense-CE-memstick-2.3.3-DEVELOPMENT-amd64-latest.img)

                            Restored from saved config

                            Had issues as well. Nothing was working over tinc mesh. Checked the firewall, seen pkg-tinc added

                            Copied rules by changing tinc -> pkg-tinc

                            After that I've got an error message(s):

                            There were error(s) loading the rules: /tmp/rules.debug:197: macro 'pkg' not defined - The line in question reads [197]: pass in quick on $pkg-tinc inet from $GM_Subnets to 172.25.9.0/24 tracker 1454201128 keep state label "USER_RULE: Allow GM Nets"

                            Mesh net started working. E.g. all services over VPN started working. While internet stopping.

                            I have no rules to redirect public internet via VPN, it goes from LAN -> Wan

                            Since I had a little time to go deeper, didn't check the internet thing.

                            Here are some screenshots of current (2.3.2_p1) tinc and LAN rules:

                            tinc, allow ospf and route via tinc nets:

                            lan:

                            • D
                              doktornotor Banned last edited by

                              It'd be really awesome if someone actually tested what's been requested. https://forum.pfsense.org/index.php?topic=124622.msg688654#msg688654

                              (Really no idea what you mean by "Copied rules by changing tinc -> pkg-tinc".)

                              • V
                                Vetal last edited by

                                @doktornotor:

                                It'd be really awesome if someone actually tested what's been requested. https://forum.pfsense.org/index.php?topic=124622.msg688654#msg688654

                                Do you mean, to remove this rule

                                IPv4*  *  *  *  *  *  NONE

                                from tinc tab? I don't have this rule for tinc (see the screenshots), just routing to specific, tinc-related private subnets.

                                @doktornotor:

                                (Really no idea what you mean by "Copied rules by changing tinc -> pkg-tinc".)

                                Via "Edit rule" option:

                                I can't run 2.3.3-dev now, but in case mentioned, "pkg-tinc" is in selection and listed in the combo box

                                Once interface changed, rule is moved into new "pkg-tinc" rules page from old one, "tinc"

                                • D
                                  doktornotor Banned last edited by

                                  @Vetal:

                                  I don't have this rule for tinc (see the screenshots), just routing to specific, tinc-related private subnets.

                                  Then ignore that part. How about the rest?

                                  @Vetal:

                                  I can't run 2.3.3-dev now, but in case mentioned, "pkg-tinc" is in selection and listed in the combo box

                                  Then how on earth have you installed the package?!?! What pfSense version are you running?

                                  This entire thread makes me pull the few remaining hair out.

                                  :( >:( >:(

                                  • V
                                    Vetal last edited by

                                    @doktornotor:

                                    Then how on earth have you installed the package?!?! What pfSense version are you running?

                                    This entire thread makes me pull the few remaining hair out.

                                    :( >:( >:(

                                    One which works, tinc is installed manually

                                    Currently, it is 2.3.2-RELEASE-p1 (amd64)

                                    Tinc is installed this way on 2.3.2 (with sudo package installed beforehand):

                                    
                                    sudo pkg add http://pkg.freebsd.org/freebsd:10:x86:64/latest/All/tinc-1.0.31.txz
                                    sudo pkg add https://dl.dropboxusercontent.com/u/4512442/pfSense-pkg-tinc-1.0.28.txz
                                    
                                    

                                    Then
                                    1. saved a config file from 2.3.2, tinc & firewalls are inside this xml
                                    2. made a clean install from the USB Flash from pfSense-CE-memstick-2.3.3-DEVELOPMENT-amd64-latest.img (Jan 28th)
                                    3. Restored configuration from step 1

                                    After that tinc is fully functional, connected and all mesh is there. While all old rules for "tinc" stayed on old and "pkg-tinc" is empty

                                    Please, let me know if you need more details

                                    Thank you

                                    • D
                                      doktornotor Banned last edited by

                                      No, I do not want any details about manual hacks and similar crap. And thanks for ignoring the questions.

                                      Go figure the bug yourself, guys. Enough time wasted here.  >:(

                                      • Y
                                        yodaphone last edited by

                                        @doktornotor:

                                        No, I do not want any details about manual hacks and similar crap. And thanks for ignoring the questions.

                                        Go figure the bug yourself, guys. Enough time wasted here.  >:(

                                        dude! not sure whats bugging you. so please chill. if you cant be patient with many who are new to this, then please.. please dont waste your time with us.

                                        maybe someone with a little bit more patience & understanding will swing by

                                        • D
                                          doktornotor Banned last edited by

                                          If there is someone who is actually running this on recent 2.3.3 or 2.4 snapshot, chime in and answer these goddamn simple questions:

                                          In Interfaces - Assign:

                                          • If you create another interface group, and use test for Group Name, and add a firewall rule there, do you get an error like macro 'test' not defined ?
                                          • Remove it, create another interface group, and use prefix-test for Group Name and add the same rule there, do you get an error like macro 'prefix' not defined ?

                                          If you are using 2.3.2, 2.2.x or whatever else, if you installed the package from third-party repo, another one from Dropbox and stuck it together with a pneumatic hammer and stinky socks, kindly DO NOT bother and abandon this thread.

                                          Trying to find out what's the issue with the interface group prefix. Absolutely NOT interested in crap like this.

                                          People want a bug properly fixed, instead of idiotic hacks and installing god knows what crap from Dropbox and manually editing config.xml. FFS.  >:( >:( >:(

                                          • V
                                            Vetal last edited by

                                            @doktornotor:

                                            If there is someone who is actually running this on recent 2.3.3 or 2.4 snapshot, chime in and answer these goddamn simple questions:

                                            In Interfaces - Assign:

                                            • If you create another interface group, and use test for Group Name, and add a firewall rule there, do you get an error like macro 'test' not defined ?
                                            • Remove it, create another interface group, and use prefix-test for Group Name and add the same rule there, do you get an error like macro 'prefix' not defined ?

                                            If you are using 2.3.2, 2.2.x or whatever else, if you installed the package from third-party repo, another one from Dropbox and stuck it together with a pneumatic hammer and stinky socks, kindly DO NOT bother and abandon this thread.

                                            Trying to find out what's the issue with the interface group prefix. Absolutely NOT interested in crap like this.

                                            People want a bug properly fixed, instead of idiotic hacks and installing god knows what crap from Dropbox and manually editing config.xml. FFS.  >:( >:( >:(

                                            Wow! This is really hacky-hack, pneumatic hammer and stinky socks, for my wife. But to install the package… "sudo apt-get install" is near a minor detail of everyday work of anyone related to networks or such...

                                            This was a merely workaround for tinc missing in 2.3, you can check it out in following topic:
                                            https://forum.pfsense.org/index.php?topic=109843.0

                                            And yes, it is a 2-liner with all settings picked up successfully from pre 2.3 pfSense (pkg add ...)

                                            Anyway, I'll check next Saturday when be around with a test group. It is quite risky to do a remote experiments. This firewall is behind the provider's NAT and once tinc is cut, there is no other means to reach the net.

                                            As well as wiping out all tinc-related config section (Tinc settings and firewall related entries). Will make sure it is all gone in the config backup xml file. So bug won't appear after the "by the holy book" way

                                            • M
                                              Mr. Jingles last edited by

                                              @Vetal:

                                              But to install the package… "sudo apt-get install" is near a minor detail of everyday work of anyone related to networks or such...

                                              I've been installing ports for decades like this. Yesterday I did:

                                              sudo apt-get install facebook
                                              

                                              And that is now neatly running on my pfSense 2.6.8. Amazing environment, OS/2.

                                              Microsoft should get very afraid.

                                              6 and a half billion people know that they are stupid, aggressive, lower life forms.

                                              • V
                                                Vetal last edited by

                                                @Mr.:

                                                @Vetal:

                                                But to install the package… "sudo apt-get install" is near a minor detail of everyday work of anyone related to networks or such...

                                                I've been installing ports for decades like this. Yesterday I did:

                                                sudo apt-get install facebook
                                                

                                                And that is now neatly running on my pfSense 2.6.8. Amazing environment, OS/2.

                                                Microsoft should get very afraid.

                                                Wow, how that smart! Really, can impress 13 y.o. on geeks party.
                                                Do you think I will try to justify to prove anything for the folks who ready to start class on Debian vs BSD package management to show their smart a**?

                                                "Install a package", that's my point, get better/bigger point next time, my boring friend.

                                                • Y
                                                  yodaphone last edited by

                                                  @doktornotor:

                                                  @yodaphone:

                                                  In tinc tab i have this

                                                  IPv4*  *  *  *  *  *  NONE

                                                  Hooray. So, when you remove that rule, the error is gone, correct?

                                                  • If you create another interface group, and use test for Group Name, and add the same rule there, do you get an error like macro 'test' not defined ?
                                                  • Remove it, create another interface group, and use prefix-test for Group Name and add the same rule there, do you get an error like macro 'prefix' not defined ?

                                                  ok rebuilt the machine with what you asked for. here are the screen shots, logs & crash report.

                                                  Install Log for tinc (I did this thro the GUI - Package Manager. no hack shit)

                                                  Installing pfSense-pkg-tinc…
                                                  Updating pfSense-core repository catalogue...
                                                  pfSense-core repository is up-to-date.
                                                  Updating pfSense repository catalogue...
                                                  pfSense repository is up-to-date.
                                                  All repositories are up-to-date.
                                                  The following 2 package(s) will be affected (of 0 checked):

                                                  New packages to be INSTALLED:
                                                  pfSense-pkg-tinc: 1.0.28 [pfSense]
                                                  tinc: 1.0.29 [pfSense]

                                                  Number of packages to be installed: 2

                                                  119 KiB to be downloaded.
                                                  Fetching pfSense-pkg-tinc-1.0.28.txz: . done
                                                  Fetching tinc-1.0.29.txz: …....... done
                                                  Checking integrity... done (0 conflicting)
                                                  [1/2] Installing tinc-1.0.29…
                                                  [1/2] Extracting tinc-1.0.29: …..... done
                                                  [2/2] Installing pfSense-pkg-tinc-1.0.28…
                                                  [2/2] Extracting pfSense-pkg-tinc-1.0.28: …...... done
                                                  Saving updated package information...
                                                  done.
                                                  Loading package configuration... done.
                                                  Configuring package components...
                                                  Loading package instructions...
                                                  Custom commands...
                                                  Executing custom_php_install_command()...done.
                                                  Executing custom_php_resync_config_command()...done.
                                                  Menu items... done.
                                                  Services... done.
                                                  Writing configuration... done.

                                                  Cleaning up cache... done.
                                                  Success

                                                  it installed with an Interface group called pkg-tinc. I set up tinc with another host & put rule to allow tcp/udp. it didnt work. same error as before.

                                                  so i deleted that group & created a new group called prefix-test & setup the rules. it created a crash report. please see below

                                                  Also got the error message

                                                  There were error(s) loading the rules: /tmp/rules.debug:149: macro 'prefix' not defined - The line in question reads [149]: pass in quick on $prefix-test inet from any to any tracker 1485799084 keep state label "USER_RULE"
                                                  @ 2017-01-30 17:58:07

                                                  Crash report begins.  Anonymous machine information:

                                                  amd64
                                                  10.3-RELEASE-p15
                                                  FreeBSD 10.3-RELEASE-p15 #466 583cd4646(RELENG_2_3): Mon Jan 30 07:12:16 CST 2017    root@ce23-amd64-builder:/builder/pfsense/tmp/obj/builder/pfsense/tmp/FreeBSD-src/sys/pfSense

                                                  Crash report details:

                                                  PHP Errors:
                                                  [30-Jan-2017 17:37:16 Etc/UTC] PHP Warning:  rename(/usr/local/etc/tinc,/usr/local/etc/tinc.old): Directory not empty in /usr/local/pkg/tinc.inc on line 33
                                                  [30-Jan-2017 17:37:16 Etc/UTC] PHP Stack trace:
                                                  [30-Jan-2017 17:37:16 Etc/UTC] PHP  1. {main}() /etc/rc.start_packages:0
                                                  [30-Jan-2017 17:37:16 Etc/UTC] PHP  2. sync_package() /etc/rc.start_packages:90
                                                  [30-Jan-2017 17:37:16 Etc/UTC] PHP  3. eval() /etc/inc/pkg-utils.inc:631
                                                  [30-Jan-2017 17:37:16 Etc/UTC] PHP  4. tinc_save() /etc/inc/pkg-utils.inc(631) : eval()'d code:1
                                                  [30-Jan-2017 17:37:16 Etc/UTC] PHP  5. rename() /usr/local/pkg/tinc.inc:33
                                                  [30-Jan-2017 17:38:07 Etc/UTC] PHP Warning:  rename(/usr/local/etc/tinc,/usr/local/etc/tinc.old): Directory not empty in /usr/local/pkg/tinc.inc on line 33
                                                  [30-Jan-2017 17:38:07 Etc/UTC] PHP Stack trace:
                                                  [30-Jan-2017 17:38:07 Etc/UTC] PHP  1. {main}() /usr/local/www/pkg_edit.php:0
                                                  [30-Jan-2017 17:38:07 Etc/UTC] PHP  2. eval() /usr/local/www/pkg_edit.php:253
                                                  [30-Jan-2017 17:38:07 Etc/UTC] PHP  3. tinc_save() /usr/local/www/pkg_edit.php(253) : eval()'d code:1
                                                  [30-Jan-2017 17:38:07 Etc/UTC] PHP  4. rename() /usr/local/pkg/tinc.inc:33

                                                  Filename: /var/crash/minfree
                                                  2048

                                                  this is a fresh install. I DID NOT DO ANYTHING FANCY HERE

                                                  • D
                                                    doktornotor Banned last edited by

                                                    @yodaphone:

                                                    it installed with an Interface group called pkg-tinc. I set up tinc with another host & put rule to allow tcp/udp. it didnt work. same error as before.
                                                    so i deleted that group & created a new group called prefix-test & setup the rules. it created a crash report. please see below

                                                    Also got the error message

                                                    There were error(s) loading the rules: /tmp/rules.debug:149: macro 'prefix' not defined - The line in question reads [149]: pass in quick on $prefix-test inet from any to any tracker 1485799084 keep state label "USER_RULE"
                                                    @ 2017-01-30 17:58:07

                                                    Thank you very much. Finally! Confirms that the issue is not with the package at all. It's the pfSense code in behind that does not handle interface group names like this (just recently made possible on 2.3.3+ in order to reserve pkg- prefix for packages that make use of interface groups, otherwise it wouldn't let you save such things.)

                                                    https://redmine.pfsense.org/issues/7173

                                                    1 Reply Last reply Reply Quote 0
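The failure mode diagnosed in this thread, as an added example that is not code from the thread or from pfSense: pf.conf(5) allows only letters, digits and underscores in macro names, so `$pkg-tinc` is read as the macro `pkg` followed by `-tinc`. The sketch lints a `rules.debug`-style file for such references and decodes each rule's tracker as a Unix timestamp, as explained earlier in the thread; the macro definitions and the port 655 rule in the sample are constructed, while the two failing rule lines are the ones quoted in the posts.

```python
import re
from datetime import datetime, timezone

# Characters pf.conf(5) permits in a macro name: letters, digits, underscore.
NAME = r"[A-Za-z0-9_]+"
MACRO_DEF = re.compile(rf"^\s*({NAME})\s*=")
# Group 1 is what pf parses as the macro name; group 2 is any "-suffix" the
# rule author (or generator) meant to be part of the name.
MACRO_REF = re.compile(rf"\$({NAME})((?:-{NAME})*)")
TRACKER = re.compile(r"\btracker\s+(\d+)")
LABEL = re.compile(r'\blabel\s+"([^"]*)"')

# Constructed sample: lines 1-3 are invented, lines 4-5 are the rules quoted
# in the thread's error messages.
SAMPLE_RULES = '''\
WAN = "{ em0 }"
LAN = "{ em1 }"
pass in quick on $WAN inet proto tcp from any to any port 655 tracker 1485540000 keep state label "USER_RULE: tinc"
pass in quick on $pkg-tinc inet from any to any tracker 1485541472 keep state label "USER_RULE"
pass in quick on $prefix-test inet from any to any tracker 1485799084 keep state label "USER_RULE"
'''


def lint_ruleset(text):
    """Return one finding per macro reference pf would reject or misread.

    Macros must be defined before use, so definitions are collected in file
    order. Quoted strings are blanked first because pf does not expand macros
    inside quotes (labels, macro values).
    """
    defined, findings = set(), []
    for lineno, line in enumerate(text.splitlines(), 1):
        code = re.sub(r'"[^"]*"', '""', line).split("#", 1)[0]
        for ref in MACRO_REF.finditer(code):
            parsed, suffix = ref.group(1), ref.group(2)
            if parsed in defined and not suffix:
                continue  # ordinary, resolvable reference
            tracker = TRACKER.search(code)
            label = LABEL.search(line)
            findings.append({
                "line": lineno,
                "parsed_macro": parsed,            # name in pf's error message
                "written_as": parsed + suffix,     # name the rule intended
                "undefined": parsed not in defined,
                "hyphenated": bool(suffix),
                # Per the thread, a user rule's tracker is its creation time.
                "created_utc": (
                    datetime.fromtimestamp(int(tracker.group(1)), tz=timezone.utc)
                    .isoformat() if tracker else None
                ),
                "label": label.group(1) if label else None,
            })
        definition = MACRO_DEF.match(code)
        if definition:
            defined.add(definition.group(1))
    return findings


if __name__ == "__main__":
    for f in lint_ruleset(SAMPLE_RULES):
        print(
            f"line {f['line']}: ${f['written_as']} is parsed as ${f['parsed_macro']}"
            f" (undefined={f['undefined']}), rule created {f['created_utc']},"
            f" label {f['label']!r}"
        )
```

Run against a copy of `/tmp/rules.debug`, any finding with `hyphenated` set points at a rule that will stop the whole ruleset from loading, and `label` plus `created_utc` identify which GUI rule produced it.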
                                                    • Y
                                                      yodaphone last edited by

                                                      @doktornotor:

                                                      Thank you very much. Finally! Confirms that the issue is not with the package at all. It's the pfSense code in behind that does not handle interface group names like this (just recently made possible on 2.3.3+ in order to reserve pkg- prefix for packages that make use of interface groups, otherwise it wouldn't let you save such things.)

                                                      https://redmine.pfsense.org/issues/7173

                                                      Did one more thing. uninstalled tinc. reinstalled again with defaults. a pkg-tinc group is created. & when i try to use rules & start it up i get this error again

                                                      There were error(s) loading the rules: /tmp/rules.debug:149: macro 'pkg' not defined - The line in question reads [149]: pass in quick on $pkg-tinc inet from any to any tracker 1485800525 keep state label "USER_RULE"
                                                      @ 2017-01-30 18:22:08

                                                      So went & deleted it. created an interface group called doktornotor  :o 8) & setup rules again

                                                      No error but no traffic is going thro

                                                      • D
                                                        doktornotor Banned last edited by

                                                        Needs to be fixed in pfSense itself, as noted on the bug.

                                                        P.S. PR for the rename() quirk here: https://github.com/pfsense/FreeBSD-ports/pull/275 (but that is NOT what's breaking the package).

                                                        • Y
                                                          yodaphone last edited by

                                                          thanks… will keep this test setup. let me know if you want me to test something.

                                                          • M
                                                            Mr. Jingles last edited by

                                                            @Vetal:

                                                            @Mr.:

                                                            @Vetal:

                                                            But to install the package… "sudo apt-get install" is near a minor detail of everyday work of anyone related to networks or such...

                                                            I've been installing ports for decades like this. Yesterday I did:

                                                            sudo apt-get install facebook
                                                            

                                                            And that is now neatly running on my pfSense 2.6.8. Amazing environment, OS/2.

                                                            Microsoft should get very afraid.

                                                            Wow, how that smart! Really, can impress 13 y.o. on geeks party.
                                                            Do you think I will try to justify to prove anything for the folks who ready to start class on Debian vs BSD package management to show their smart a**?

                                                            "Install a package", that's my point, get better/bigger point next time, my boring friend.

                                                            Friend is a title I reserve for people I like.

                                                            6 and a half billion people know that they are stupid, aggressive, lower life forms.
