    Netgate Discussion Forum

    error(s) loading the rules: /tmp/rules.debug

    NAT
    • keropikos

      Hi all,

      I have just made a fresh install of pfSense 2.4.4-p1 on a VM (Proxmox), and after setting up my various interfaces and settings, I have also enabled NAT reflection in Pure NAT and the option "Automatic create outbound NAT rules that direct traffic back out to the same subnet it originated from".

      Finally I started adding my NAT rules (which I used to have working okay on pfSense 2.3 and older versions), for port forwarding to different ports of my network computers and with aliases (both FQDN and IPs) as sources.

      The problem is that after setting everything up and rebooting, the internet connectivity was not working well and no incoming rules were working either.
      The red bell notification showed me messages "There were error(s) loading the rules: /tmp/rules.debug /tmp/rules.debug no nat on vtnet proto tcp from..." for every NAT rule I had set up. (I tried deleting one by one the rules that the notification stated, but as I saw in the debug file, all the rules had the same problem.)

      When I disabled the option "Automatic create outbound NAT rules that direct traffic back out to the same subnet it originated from", the tables reloaded correctly and the inbound rules worked okay from the outside, but not from the internal network (NAT reflection stopped working without this option).

      My WAN connection is PPPoE with DHCPv6.

      All the rules were created from the beginning, as it is a fresh install.

      This is the problem for every NAT rule I have set up; from the rules.debug file, for the first rule:

      rdr on { vtnet0 vtnet1 vtnet2 } proto tcp from $Aliases to XX.XX.XX.XX port 2223 -> 172.16.54.2 port 22
      no nat on vtnet0 proto tcp from vtnet0 to 172.16.54.2 port 22
      nat on vtnet0 proto tcp from 172.16.54.0/24 to 172.16.54.2 port 22 -> 172.16.54.1 port 1024:65535

      vtnet0, vtnet1 and vtnet2 are my different interfaces, 172.16.54.0/24 is my LAN subnet for the specific port forward and xx.xx.xx.xx is my WAN IP.

      *Edit
      With NAT+Proxy there is no problem reloading the tables and reflection works, but with the NAT+Proxy limitations of port number, for me at least.

      • jimp (Rebel Alliance Developer, Netgate)

        What is the full and exact error message? You might need to check in the system log, or with it set in the problematic way, run pfctl -f /tmp/rules.debug from a shell prompt and check what it prints.

        Normally the syntax of the line you posted would be fine, but it's possible there is some point when that interface doesn't have an address, which might cause pf to fail to expand the macro temporarily. In that case it might be a race condition and thus difficult to reproduce.

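A diagnostic script in the spirit of jimp's suggestion, added here as an example (it is not from the thread or from pfSense): it runs pfctl in parse-only mode against the rules file and, for each line pfctl rejects, prints the rule, the interface it names and whether that interface currently has an IPv4 address, which is the "no address yet" case jimp describes. It assumes pfctl reports errors as `file:line: message` and that FreeBSD ifconfig prints `inet ` for an IPv4 address; the fallback input used when pfctl is absent is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): parse-only check of a pf rules file.
# Assumes pfctl reports errors as "<file>:<line>: <message>" (pf's parser
# format) and that ifconfig prints "inet " for an IPv4 address (FreeBSD).

RULES="${1:-/tmp/rules.debug}"

# Turn pfctl's stderr (stdin) into "line:message" pairs for rules file $1.
failing_lines() {
    sed -n "s#^$1:\([0-9][0-9]*\): *\(.*\)#\1:\2#p"
}

# First interface-style token (letters then digits, e.g. vtnet0) in rule $1.
rule_interface() {
    printf '%s\n' "$1" | grep -o '[a-z][a-z]*[0-9][0-9]*' | head -n 1
}

# For each rejected line of rules file $1 (pfctl stderr in $2): print the
# rule, the interface it references and whether that interface has IPv4 now.
report() {
    printf '%s\n' "$2" | failing_lines "$1" | while IFS=: read -r num msg; do
        rule=$(sed -n "${num}p" "$1")
        ifn=$(rule_interface "$rule")
        if ifconfig "$ifn" 2>/dev/null | grep -q 'inet '; then
            state="has an IPv4 address"
        else
            state="no IPv4 address (or no such interface)"
        fi
        printf 'line %s: %s\n  rule: %s\n  interface %s: %s\n' \
            "$num" "$msg" "$rule" "$ifn" "$state"
    done
}

if command -v pfctl >/dev/null 2>&1; then
    # -n parses without loading, so the live ruleset is untouched.
    errs=$(pfctl -nf "$RULES" 2>&1 >/dev/null) || true
    report "$RULES" "$errs"
else
    # Constructed demo (no pfctl here): the three rules quoted in the post and
    # a made-up pfctl error pointing at the "no nat" line.
    tmp=$(mktemp)
    printf '%s\n' \
      'rdr on { vtnet0 vtnet1 vtnet2 } proto tcp from $Aliases to XX.XX.XX.XX port 2223 -> 172.16.54.2 port 22' \
      'no nat on vtnet0 proto tcp from vtnet0 to 172.16.54.2 port 22' \
      'nat on vtnet0 proto tcp from 172.16.54.0/24 to 172.16.54.2 port 22 -> 172.16.54.1 port 1024:65535' \
      > "$tmp"
    report "$tmp" "$tmp:2: could not parse host specification"
    rm -f "$tmp"
fi
```

On a pfSense box run it as `sh check_rules.sh /tmp/rules.debug` from the shell prompt while the problematic option is enabled; a rejected rule whose interface shows no IPv4 address points at the timing problem rather than a syntax error.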