Netgate Discussion Forum

Cannot define table bogons

Problems Installing or Upgrading pfSense Software
5 Posts 3 Posters 1.1k Views

gpw928

      Hi,

      I fear that this is a well trodden path…

      I have pfSense 2.4.0-RELEASE (amd64) (FreeBSD 11.1) running as a virtualised guest on a Debian 9.1 KVM server.

      I installed with the KVM defaults using virtio for two NICs and the "disk".  I initially attached the WAN to an unused NIC, as there seemed to be no way to attach straight to the 3G USB modem that is my gateway to the Internet.  I then configured the modem, and switched the WAN interface to ppp0:

      ```
      WAN (wan)       -> ppp0       -> v4: 118.209.7.206/32
      LAN (lan)       -> em0        -> v4: 192.168.1.37/24
      ```

      From the pfSense firewall, the WAN and LAN work.  I can lookup DNS addresses on the Internet from the LAN, using the DNS server on the firewall.  But I can't get connections to pass through the firewall.

      The troubleshooting guide suggests that outbound NAT is not working.  Specifically, from inside the LAN, I can ping the LAN address and the WAN address, but not the default gateway on the WAN.

      In addition the System Logs show:

      ```
      Oct 29 11:48:43         php-fpm         25456   /rc.filter_configure_sync:
          New alert found: There were error(s) loading the rules:
          /tmp/rules.debug:17: cannot define table bogons: Invalid argument -
          The line in question reads [17]: table <bogons> persist file "/etc/bogons"
      ```

      Because of a lot of chatter on the Internet (mostly on the pfSense and Proxmox groups), I installed a second instance of pfSense using IDE disk and Intel NIC virtual drivers.  No change.

      The Firewall -> WAN rules look like this:

      ```
      States  Protocol  Source                          Port  Destination  Port  Gateway  Queue  Schedule  Description              Actions
      0 /0 B  *         RFC 1918 networks               *     *            *     *        *                Block private networks
      0 /0 B  *         Reserved / Not assigned by IANA *     *            *     *        *                Block bogon networks
      ```

      The Firewall -> LAN rules look like this:

      ```
      States  Protocol  Source   Port  Destination  Port        Gateway  Queue  Schedule  Description
      0 /0 B  *         *        *     LAN Address  443 80 22   *        *                Anti-Lockout Rule
      0 /0 B  IPv4 *    LAN net  *     *            *           *        none             Default allow LAN to any rule
      0 /0 B  IPv6 *    LAN net  *     *            *           *        none             Default allow LAN IPv6 to any rule
      ```

      The Outbound NAT rules are in "automatic mode" and look like this:

      ```
      Interface  Source                      Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
      WAN        127.0.0.0/8 192.168.1.0/24  *            *            500               WAN address  *         [tick]       Auto created rule for ISAKMP
      WAN        127.0.0.0/8 192.168.1.0/24  *            *            *                 WAN address  *         [X-over]     Auto created rule
      ```

      I don't have a working system to compare, but the lack of filter rules below looks ominous to me:

      ```
      [2.4.0-RELEASE][root@pfsense.my.domain]/root: pfctl -s all
      FILTER RULES:
      No queue in use

      INFO:
      Status: Enabled for 0 days 00:30:47           Debug: Urgent

      State Table                          Total             Rate
        current entries                        0
        searches                            9427            5.1/s
        inserts                                0            0.0/s
        removals                               0            0.0/s
      Counters
        match                               9431            5.1/s
        bad-offset                             0            0.0/s
        fragment                               0            0.0/s
        short                                  0            0.0/s
        normalize                              0            0.0/s
        memory                                 0            0.0/s
        bad-timestamp                          0            0.0/s
        congestion                             0            0.0/s
        ip-option                              0            0.0/s
        proto-cksum                            0            0.0/s
        state-mismatch                         0            0.0/s
        state-insert                           0            0.0/s
        state-limit                            0            0.0/s
        src-limit                              0            0.0/s
        synproxy                               0            0.0/s
        map-failed                             0            0.0/s

      TIMEOUTS:
      tcp.first                   120s
      tcp.opening                  30s
      tcp.established           86400s
      tcp.closing                 900s
      tcp.finwait                  45s
      tcp.closed                   90s
      tcp.tsdiff                   30s
      udp.first                    60s
      udp.single                   30s
      udp.multiple                 60s
      icmp.first                   20s
      icmp.error                   10s
      other.first                  60s
      other.single                 30s
      other.multiple               60s
      frag                         30s
      interval                     10s
      adaptive.start            58200 states
      adaptive.end             116400 states
      src.track                     0s

      LIMITS:
      states        hard limit    97000
      src-nodes     hard limit    97000
      frags         hard limit     5000
      table-entries hard limit   200000

      OS FINGERPRINTS:
      758 fingerprints loaded
      ```

      All ideas gratefully received…

      Phil

      Gertjan

        Hi,

        Your "pfctl -s all" shows clearly that the firewall has none of the built-in default rules, nor your own rules.
        The lack of the default rules is not a good sign. Consider a complete reinstall - even ditch your config, make a fresh start.

        From what I understood, don't stay with 2.4.0, go to 2.4.1 right away.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit: and where are the logs??

        PiBa

          Does the file exist? /etc/bogons and does it have valid content? (subnets like 0.0.0.0/8 and 240.0.0.0/4 on separate lines)
          Can you run this on console/ssh?:
          ```
          pfctl -f /tmp/rules.debug
          ```
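The two checks PiBa asks for, written up as a small POSIX shell script. This is an added example, not code from the thread or from the pfSense project. It assumes the bogons file format described above (one IPv4 CIDR per line, blank lines and `#` comments tolerated) and that `pfctl -n` is available on the firewall to parse a ruleset without loading it; the `-n` dry run is the only pfctl option it relies on. The file path is a parameter so the validator can be exercised on constructed samples away from the firewall.

```shell
#!/bin/sh
# Added example (not from the thread): validate a bogons table file before pf
# tries to load it, then dry-run the generated ruleset.

# check_bogons_file FILE
#   Returns 0 when every non-blank, non-comment line is a well-formed IPv4 CIDR
#   (four octets 0-255, prefix 0-32) and at least one entry exists.
#   Returns 1 on bad content, 2 when the file is missing or unreadable.
#   Offending lines are reported on stderr with their line number.
check_bogons_file() {
    file="$1"
    [ -r "$file" ] || { echo "missing or unreadable: $file" >&2; return 2; }
    awk '
        NF == 0   { next }            # blank line
        $1 ~ /^#/ { next }            # comment line
        {
            n++
            # exactly one token, "a.b.c.d/len", numeric prefix no larger than 32
            if (NF != 1 || split($1, p, "/") != 2 || split(p[1], o, ".") != 4 \
                || p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32) {
                bad++; print "bad entry at line " NR ": " $0 > "/dev/stderr"; next
            }
            for (i = 1; i <= 4; i++) {
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) {
                    bad++; print "bad octet at line " NR ": " $0 > "/dev/stderr"; next
                }
            }
        }
        END {
            if (n == 0) { print "no entries found" > "/dev/stderr"; exit 1 }
            exit (bad > 0)
        }
    ' "$file"
}

# dry_run_rules [RULES_FILE]
#   Parses the ruleset with pfctl -n (no load) so syntax and table errors such
#   as "cannot define table bogons" surface without touching the live ruleset.
#   Returns 3 when pfctl is not present on this host (e.g. the KVM host itself).
dry_run_rules() {
    rules="${1:-/tmp/rules.debug}"
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not available on this host" >&2; return 3; }
    pfctl -nf "$rules"
}

# Usage on the firewall console:
#   check_bogons_file /etc/bogons && dry_run_rules /tmp/rules.debug
```

If the validator passes but `pfctl -nf` still rejects the table, the problem is not the file content, which is what eventually pointed this thread at the hypervisor rather than at pfSense.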

          gpw928

            Hi,

            Thank you for the responses.

            I have tried tearing down the whole thing and starting again.  No change.

            I will answer the other questions when I return to my office later this week (can't play with the firewall until then).

            I will also try 2.4.1.

            Phil

            gpw928

              Hi,

              I gave up on pfSense and decided to try OPNsense.

              It had exactly the same problem.

              That sent me back to basics, and I found that I had not enabled virtualisation (Intel VT-x) in the BIOS of the KVM server.

              I knew it was required, and had thought it was enabled, but it was not.

              With virtualisation enabled in the BIOS "pfctl -s all" shows a healthy set of filter rules, and the bogons error message in the log is gone.

              Problem solved.

              What led me somewhat astray was the fact that I had another FreeBSD 11.1 virtual machine running just fine on the same KVM server.

              Hope this helps for those who follow via Google…

              Cheers,

              Phil
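The root cause here was on the Debian KVM host, not in the guest, so the check worth running first is whether the host CPU actually exposes hardware virtualisation. The script below is an added example, not something posted in the thread; it reads the `flags` line of `/proc/cpuinfo` for `vmx` (Intel VT-x) or `svm` (AMD-V) and confirms that the `/dev/kvm` character device exists. Both paths are parameters so the logic can be run against constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): confirm on a Linux KVM host that the CPU
# advertises hardware virtualisation and that the kvm device is present.
# A missing vmx/svm flag on hardware that supports it almost always means the
# feature is disabled in the BIOS/UEFI, which is what happened in this thread.

# vt_flag [CPUINFO_FILE]
#   Prints "vmx", "svm" or "none". Returns 0 when a flag is present,
#   1 when absent, 2 when the file cannot be read.
vt_flag() {
    cpuinfo="${1:-/proc/cpuinfo}"
    [ -r "$cpuinfo" ] || { echo none; return 2; }
    # only look at "flags" lines; match the token on word boundaries
    flags=$(grep -E '^flags[[:space:]]*:' "$cpuinfo")
    if printf '%s\n' "$flags" | grep -qE '(^|[[:space:]])vmx([[:space:]]|$)'; then
        echo vmx; return 0
    fi
    if printf '%s\n' "$flags" | grep -qE '(^|[[:space:]])svm([[:space:]]|$)'; then
        echo svm; return 0
    fi
    echo none; return 1
}

# kvm_ready [CPUINFO_FILE] [KVM_DEVICE]
#   Returns 0 and prints "host ready (<flag>)" when a virtualisation flag is
#   present and the kvm device node exists; otherwise explains what is missing.
kvm_ready() {
    cpuinfo="${1:-/proc/cpuinfo}"
    kvmdev="${2:-/dev/kvm}"
    flag=$(vt_flag "$cpuinfo") || {
        echo "no vmx/svm flag in $cpuinfo: enable VT-x/AMD-V in the BIOS/UEFI" >&2
        return 1
    }
    [ -c "$kvmdev" ] || {
        echo "$kvmdev missing: kvm module not loaded or virtualisation disabled" >&2
        return 1
    }
    echo "host ready ($flag)"
}

# Usage on the KVM host:
#   kvm_ready || echo "guests will fall back to slow or broken emulation"
```

Without the flag, QEMU can still boot a guest in software emulation, which is why a second FreeBSD VM on the same host appeared to run "just fine" while pfSense failed to load its ruleset.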

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.