4. Cannot define table bogons

Cannot define table bogons

  • G

    Hi,

    I fear that this is a well trodden path…

    I have pfSense 2.4.0-RELEASE (amd64) (FreeBSD 11.1) running as a virtualised guest on a Debian 9.1 KVM server.

    I installed with the KVM defaults using virtio for two NICs and the "disk".  I initially attached the WAN to an unused NIC, as there seemed to be no way to attach straight to the 3G USB modem that is my gateway to the Internet.  I then configured the modem, and switched the WAN interface to ppp0:

    
WAN (wan)       -> ppp0       -> v4: 118.209.7.206/32
LAN (lan)       -> em0        -> v4: 192.168.1.37/24

    From the pfSense firewall, the WAN and LAN work.  I can lookup DNS addresses on the Internet from the LAN, using the DNS server on the firewall.  But I can't get connections to pass through the firewall.

    The troubleshooting guide suggests that outbound NAT is not working.  Specifically, from inside the LAN, I can ping the LAN address and the WAN address, but not the default gateway on the WAN.

    In addition the System Logs show:

    
Oct 29 11:48:43         php-fpm         25456   /rc.filter_configure_sync:
    New alert found: There were error(s) loading the rules:
    /tmp/rules.debug:17: cannot define table bogons: Invalid argument -
    The line in question reads [17]: table <bogons>persist file "/etc/bogons"</bogons>

    Because of a lot of chatter on the Internet (mostly on the pSense and ProxMox groups), I installed a second instance of pfSense using IDE disk and Intel NIC virtual drivers.  No change.

    The Firewal -> Wan rules look like this:

    
States  Protocol  Source               Port  Destination  Port  Gateway  Queue  Schedule  Description  Actions
0 /0 B  *         RFC 1918 networks    *     *            *     *        *                 Block private networks  
0 /0 B  *         Reserved             *     *            *     *        *                 Block bogon networks
                  Not assigned by IANA

    The Firewall -> LAN rules look like this:

    
States  Protocol  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
0 /0 B  *         *       *     LAN Address  443   *        *                Anti-Lockout Rule
                                              80
                                              22
0 /0 B  IPv4 *    LAN net *     *              *   *        none             Default allow LAN to any rule  
0 /0 B  IPv6 *    LAN net *     *              *   *        none             Default allow LAN IPv6 to any rule

    The Outbound NAT rules are in "automatic mode" and look like this:

    
Interface  Source                      Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
WAN        127.0.0.0/8 192.168.1.0/24  *            *            500               WAN address  *         [tick]       Auto created rule for ISAKMP
WAN        127.0.0.0/8 192.168.1.0/24  *            *            *                 WAN address  *         [X-over]     Auto created rule

    I don't have a working system to compare, but the lack of filter rules below looks ominous to me:

    
[2.4.0-RELEASE][root@pfsense.my.domain]/root: pfctl -s all
FILTER RULES:
No queue in use

INFO:
Status: Enabled for 0 days 00:30:47           Debug: Urgent

State Table                          Total             Rate
  current entries                        0               
  searches                            9427            5.1/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                               9431            5.1/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start            58200 states
adaptive.end             116400 states
src.track                     0s

LIMITS:
states        hard limit    97000
src-nodes     hard limit    97000
frags         hard limit     5000
table-entries hard limit   200000

OS FINGERPRINTS:
758 fingerprints loaded

    All ideas gratefully received…

    Phil

    0

  • Hi,

    Your "pfctl -s all" shows clearly that the firewall has none of the build-in default rules, neither your own rules.
    The lacking of the default rules is not a good sign. Consider a complete reinstall - even ditch your config, make a fresh start.

    Fro what I understood, don't stay with 2.4.0, go to 2.4.1 right away.

    0
  • P

    Does the file exist? /etc/bogons and does it have valid content?(subnets like 0.0.0.0/8 and 240.0.0.0/4 on seperate lines)
    Can you run this on console/ssh?:```
    pfctl -f /tmp/rules.debug

    0
  • G

    Hi,

    Thank you for the responses.

    I have tried tearing down the whole thing and starting again.  No change.

    I will answer the other questions when I return to my office later this week (can't play with the firewall until then).

    I will also try 2.4.1.

    Phil

    0
  • G

    Hi,

    I gave up on pfSense and decided to try OPNsense.

    It had exactly the same problem.

    That sent me back to basics, and I found that I had not enabled virtualisation (Intel VTX) in the BIOS of the KVM server.

    I knew it was required, and had though it was enabled, but it was not.

    With virtualisation enabled in the BIOS "pfctl -s all" shows a healthy set of filter rules, and the bogons error message in the log is gone.

    Problem solved.

    What led me somewhat astray was the fact that I had another FreeBSD 11.1 virtual machine running just fine on the same KVM server.

    Hope this helps for those who follow via Google…

    Cheers,

    Phil

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy