Firewall rule - gateway drop down menu empty

arielgrin

Hi all: I just found out that I can't select a specific gateway anymore when configuring a firewall rule. My existing rules that have a specific gateway selected do show it and work correctly, but if I want to modify them or create a new one, the gateway selection drop down menu is empty, not even showing the "default" word. I tried restarting the pfsense pc but it still shows that behaviour. Any help will be appreciated.

Derelict

That sounds familiar. What version of pfSense?

jimp

And what browser are you using?

arielgrin

@derelict 2.3.5-RELEASE-p2

arielgrin

@jimp I tried chrome, firefox and ie, it is the same with all of them

SaschaITM

I have that exact same problem on one of my pfSense systems. Unfortunately it's one with a rather complex setup, and I'd like to retain all historical data if possible, so any help with fixing this is appreciated.

The problem started with an update to 2.4.3 which otherwise went smoothly. The updates to 2.4.3-p1 and 2.4.4 went smoothly as well, but the problem persisted. Existing firewall rules are working fine, and are using their configured gateways. The problem is that the "Gateway" dropdown on the "Edit Rule" page is empty, with no text at all (verified by looking at the HTML code, the dropdown simply isn't populated with any data). This happens when editing existing rules with or without gateway, and when adding new rules. I've already double-checked all interface and gateway/gateway group settings, and they look OK to me. After each update I've also edited all gateways and gateway groups and saved them without changing anything, in the hope that the "config update" would make the dropdown populate again.

jimp

I haven't heard of that one happening before. Have you tried a different browser, just to be certain it isn't an issue there?

We had a similar issue happen with IPsec but it turned out to be specific to IE and some alternate JS engine for Chrome.

Even though it appears the source is also blank, if it's a JS issue the source might be altered by the browser to reflect what it believes the JS should be doing.

Even so, that doesn't sound like what is happening to the OP here, so if it persists, put it in another thread.

SaschaITM

Thanks for the quick reply! Yes, I've tried with IE10, MS Edge, Firefox 6x, Pale Moon 28.x, Opera (can't remember the versions right now), and all were showing the same result. I'd say my issue sounds exactly like what the OP has described: the gateway shows up (and works) fine for existing rules, but the dropdown ist empty when editing an existing rule (with or without gateway) or adding a new one.

jimp

I got this thread mixed up with another empty drop-down thread then, sorry!

One thing to make sure of is that your gateway has a proper address family set.

So for example, edit the gateway, make sure IPv4 is set, save. Edit the firewall rule, make sure IPv4 is set, save. Then reload the rule and see if you see the gateway.

SaschaITM

Thanks for bearing with me (; . I've just checked: all gateways have IPv4 set in "Address Family". When adding a new rule the "Address Family" also shows "IPv4", but the "Gateway" field is still empty (the dropdown doesn't even show the "default" entry it should display).

Is there maybe a PHP command I can use to show all gateways like pfSense would "see" them for the UI? My guess is that there's an error in the config somewhere which isn't visible to me (possibly an invalid character or something on which some parser or some part of the code chokes), maybe such a command could help in identifying the source of the issue.

Also, I'm aware this issue is probably kinda tricky to debug, and I'm prepared to setup a new pfSense instance, manually duplicating all my settings (I'd rather do this than importing the config file, in case the bug or problem is in the original config). I'd rather avoid the multiple hours of work it'd take to setup the new system though, if at all possible.

jimp

var_dump(return_gateway_groups_array()); in the PHP exec box under Diag > Command Prompt would show you the gateways.

The gateway names are put through json so maybe there is a character somewhere in your gateway names or descriptions that is breaking json.

If you could post the contents of config.xml containing your gateways and gateway groups that would be helpful. Or the output of the PHP command above may be enough.

SaschaITM

@jimp said in Firewall rule - gateway drop down menu empty:

var_dump(return_gateway_groups_array());

Yay, got it! One Gateway Group description had two " characters in it. On a hunch I've removed them, and voilà - the gateway dropdown is being populated again! Thanks so much for the support, and for pointing me in the right direction!

jimp

So two double quotes (") or two single quotes (')?

Something must not be right with the code that forms the json if that broke it. I'd like to be able to replicate it so I can fix it properly.

SaschaITM

That's two double quotes ("), the original string was Alle "sicheren" WANs, sequentiell, I've changed it to Alle sicheren WANs sequentiell and that fixed the issue instantly, without having to reboot the box.

I hope the OP will notice this, it'd be so cool if a simple edit like this would fix his issue as well! (;

arielgrin

In my case, the command var_dump is not returning anything, even though I have checked all the tips everyone gave on this thread. Maybe that just shows Gateway Groups and not gateways, and given I don't have any gateway groups, just gateways, that is why this particular command is not showing anything. Does anyone have any other idea that might help me? Thanks.

SaschaITM

The command returned a lot of text for me, with data about all gateways and gateway groups (I can post an edited/anonymized version if you're interested). Are you sure you've entered the command under "Diagnostics / Command Prompt" in the "Execute PHP Commands" box?

jimp

I found the problem and fixed it. Issue is at https://redmine.pfsense.org/issues/8962 and the fix commit will show up there shortly.

arielgrin

@jimp said in Firewall rule - gateway drop down menu empty:

var_dump(return_gateway_groups_array());

I created a gateway group to check that command and it also didn't return anything. Don't know what else to check/do.

SaschaITM

Well, I guess the command should at least show the data for the default gateway, so it seems you've got a different issue than mine after all. Hope you'll be able to fix it!

jimp: where do I get my bug bounty award? (;

EDIT: after looking at the PHP command output again, I'm not so sure single gateways are included in the output after all, sorry. The command var_dump(return_gateways_array()); seems to show those.

arielgrin

I just found my issue too, thanks to SaschalTM tip. I checked the description of my gateways and I found that one of them had a leading space on the description, which I can swear it was not then when I created the gateways. In any case, I removed the leading space and saved the gateway, went to the firewall rule and for sure the gateway drop down menu was once again populated. I then checked the PHP commands again and for sure they returned the gateways and the gateway group I just created, but I can't be sure that the edit fixed that too, maybe I was making a typo on the command, which I doubt, but since there was a leading space that I was not seeing before, maybe I was not seeing a typo too.

In any case, my issue is resolved. Thanks guys for your help, and a special thanks to SachalTM.