Cannot define table bogons



  • Hi,

    I fear that this is a well trodden path…

    I have pfSense 2.4.0-RELEASE (amd64) (FreeBSD 11.1) running as a virtualised guest on a Debian 9.1 KVM server.

    I installed with the KVM defaults using virtio for two NICs and the "disk".  I initially attached the WAN to an unused NIC, as there seemed to be no way to attach straight to the 3G USB modem that is my gateway to the Internet.  I then configured the modem, and switched the WAN interface to ppp0:

    
    WAN (wan)       -> ppp0       -> v4: 118.209.7.206/32
    LAN (lan)       -> em0        -> v4: 192.168.1.37/24
    
    

    From the pfSense firewall, the WAN and LAN work.  I can lookup DNS addresses on the Internet from the LAN, using the DNS server on the firewall.  But I can't get connections to pass through the firewall.

    The troubleshooting guide suggests that outbound NAT is not working.  Specifically, from inside the LAN, I can ping the LAN address and the WAN address, but not the default gateway on the WAN.

    In addition the System Logs show:

    
    Oct 29 11:48:43         php-fpm         25456   /rc.filter_configure_sync:
        New alert found: There were error(s) loading the rules:
        /tmp/rules.debug:17: cannot define table bogons: Invalid argument -
        The line in question reads [17]: table <bogons>persist file "/etc/bogons"</bogons> 
    

    Because of a lot of chatter on the Internet (mostly on the pSense and ProxMox groups), I installed a second instance of pfSense using IDE disk and Intel NIC virtual drivers.  No change.

    The Firewal -> Wan rules look like this:

    
    States  Protocol  Source               Port  Destination  Port  Gateway  Queue  Schedule  Description  Actions
    0 /0 B  *         RFC 1918 networks    *     *            *     *        *                 Block private networks  
    0 /0 B  *         Reserved             *     *            *     *        *                 Block bogon networks
                      Not assigned by IANA
    
    

    The Firewall -> LAN rules look like this:

    
    States  Protocol  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
    0 /0 B  *         *       *     LAN Address  443   *        *                Anti-Lockout Rule
                                                  80
                                                  22
    0 /0 B  IPv4 *    LAN net *     *              *   *        none             Default allow LAN to any rule  
    0 /0 B  IPv6 *    LAN net *     *              *   *        none             Default allow LAN IPv6 to any rule 
    
    

    The Outbound NAT rules are in "automatic mode" and look like this:

    
    Interface  Source                      Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
    WAN        127.0.0.0/8 192.168.1.0/24  *            *            500               WAN address  *         [tick]       Auto created rule for ISAKMP
    WAN        127.0.0.0/8 192.168.1.0/24  *            *            *                 WAN address  *         [X-over]     Auto created rule 
    
    

    I don't have a working system to compare, but the lack of filter rules below looks ominous to me:

    
    [2.4.0-RELEASE][root@pfsense.my.domain]/root: pfctl -s all
    FILTER RULES:
    No queue in use
    
    INFO:
    Status: Enabled for 0 days 00:30:47           Debug: Urgent
    
    State Table                          Total             Rate
      current entries                        0               
      searches                            9427            5.1/s
      inserts                                0            0.0/s
      removals                               0            0.0/s
    Counters
      match                               9431            5.1/s
      bad-offset                             0            0.0/s
      fragment                               0            0.0/s
      short                                  0            0.0/s
      normalize                              0            0.0/s
      memory                                 0            0.0/s
      bad-timestamp                          0            0.0/s
      congestion                             0            0.0/s
      ip-option                              0            0.0/s
      proto-cksum                            0            0.0/s
      state-mismatch                         0            0.0/s
      state-insert                           0            0.0/s
      state-limit                            0            0.0/s
      src-limit                              0            0.0/s
      synproxy                               0            0.0/s
      map-failed                             0            0.0/s
    
    TIMEOUTS:
    tcp.first                   120s
    tcp.opening                  30s
    tcp.established           86400s
    tcp.closing                 900s
    tcp.finwait                  45s
    tcp.closed                   90s
    tcp.tsdiff                   30s
    udp.first                    60s
    udp.single                   30s
    udp.multiple                 60s
    icmp.first                   20s
    icmp.error                   10s
    other.first                  60s
    other.single                 30s
    other.multiple               60s
    frag                         30s
    interval                     10s
    adaptive.start            58200 states
    adaptive.end             116400 states
    src.track                     0s
    
    LIMITS:
    states        hard limit    97000
    src-nodes     hard limit    97000
    frags         hard limit     5000
    table-entries hard limit   200000
    
    OS FINGERPRINTS:
    758 fingerprints loaded
    
    

    All ideas gratefully received…

    Phil



  • Hi,

    Your "pfctl -s all" shows clearly that the firewall has none of the build-in default rules, neither your own rules.
    The lacking of the default rules is not a good sign. Consider a complete reinstall - even ditch your config, make a fresh start.

    Fro what I understood, don't stay with 2.4.0, go to 2.4.1 right away.



  • Does the file exist? /etc/bogons and does it have valid content?(subnets like 0.0.0.0/8 and 240.0.0.0/4 on seperate lines)
    Can you run this on console/ssh?:```
    pfctl -f /tmp/rules.debug



  • Hi,

    Thank you for the responses.

    I have tried tearing down the whole thing and starting again.  No change.

    I will answer the other questions when I return to my office later this week (can't play with the firewall until then).

    I will also try 2.4.1.

    Phil



  • Hi,

    I gave up on pfSense and decided to try OPNsense.

    It had exactly the same problem.

    That sent me back to basics, and I found that I had not enabled virtualisation (Intel VTX) in the BIOS of the KVM server.

    I knew it was required, and had though it was enabled, but it was not.

    With virtualisation enabled in the BIOS "pfctl -s all" shows a healthy set of filter rules, and the bogons error message in the log is gone.

    Problem solved.

    What led me somewhat astray was the fact that I had another FreeBSD 11.1 virtual machine running just fine on the same KVM server.

    Hope this helps for those who follow via Google…

    Cheers,

    Phil


Log in to reply