error(s) loading the rules: /tmp/rules.debug

  • Hi all,

    i have just made a fresh install of pfSense 2.4.4-p1 on a vm (proxmox), and after setting up my various interfaces and settings, i have also enabled NAT reflection in Pure NAT and the options to "Automatic create outbound NAT rules that direct traffic back out to the same subnet it originated from".

    Finally i started adding my NAT rules (i used to have on pfSense 2.3 and older versions working okay), for port forwarding to differnt ports of my network computers and with Aliases (both FQDN and IPS) as sources.

    The problem is, that after setting all up and rebooting the internet connectivity was not working well and no incoming rules where also working.
    The red bell-notification showed me messages ""There were error(s) loading the rules: /tmp/rules.debug /tmp/rules.debug no nat on vtnet proto tcp from... " for every NAT rule i had setup. (I tried deleting one by one the rules that the notification stated but as i saw in the debug file all the rules had the same problem).

    When i disabled the option "Automatic create outbound NAT rules that direct traffic back out to the same subnet it originated from", the tables reloaded correctly and the inbound rules worked okay from the outside but not from the internal network (NAT reflection stopped working without this option).

    my WAN connection is pppoe with DHCPV6.

    All the rules where created from the beggining as it is a fresh install.

    This is the problem for every NAT rule i have setup at the rules.debug file for the first rule:

    rdr on { vtnet0 vtnet1 vtnet2 } proto tcp from $Aliases to XX.XX.XX.XX port 2223 -> port 22
    no nat on vtnet0 proto tcp from vtnet0 to port 22
    nat on vtnet0 proto tcp from to port 22 -> port 1024:65535

    vtnet 0,1,2 are my different interfaces and is my LAN subnet for the specific port forward and xx.xx.xx.xx my wan ip.

    With NAT+Proxy there is no problem reloading the tables and reflection works, but with thw NAT+Proxy limitations of port number for me at least.

  • Rebel Alliance Developer Netgate

    What is the full and exact error message? You might need to check in the system log, or with it set in the problematic way, run pfctl -f /tmp/rules.debug from a shell prompt and check what it prints.

    Normally the syntax of the line you posted would be fine, but it's possible there is some point in some when that interface doesn't have an address which might cause pf to fail to expand the macro temporarily. In that case it might be a race condition and thus difficult to reproduce.

Log in to reply