pfr_update_stats: assertion failed and blocked traffic
-
-
I started noticing very weird blocked functions in my home network. My music server would not resolve http(s) get requests for streaming music, though I could on other devices. I could not resolve a domain name by typing the base URL in the address bar (like typing purple.com and get the page to load), but I could find it in a search bar and navigate to them and perform nslookups on them. I updated the main pfSense OS, but could not update any packages. Other weirdness that was not easy to categorize.
I tried to reboot the pfSense via the web and command menu - neither worked. I forced a hardware reboot and noticed many repeated errors on the console and system logs which read:
pfr_update_stats: assertion failedHere is my solution, which is working for now:
- In the Firewall / pfBlockerNG / General page, tick the box for "Suppression - This will prevent Selected IPs from being blocked. Only for IPv4 lists (/32 and /24)." and click the Save button for this page.
- In the Firewall / pfBlockerNG / General page, untick: Enable pfBlockerNG and Keep settings to disable them both. then click the save button.
- In the Firewall / pfBlockerNG / General page, tick only the Enable pfBlockerNG to enable and leave the Keep settings unticked/disabled.
- In the Firewall / pfBlockerNG / Update page, select the Select 'Force' option Update and click Run. Copy the output from this into a text file.
Use the text file to separate the results to find four types of results:
-
No Domains Found
-
Terminated - Easylists can not be used
-
Anything which is not working, such as a 404 page not found or other error
-
Anything working can be ignored
-
Open EVERY DNS Group Name on the Firewall / pfBlockerNG / DNSBL Feeds page. Search for any of the feeds that are NOT working at all and paste the URL into a browser bar. If they do not resolve, delete them - don't forget to click the save button at the bottom. If they do resolve, see the next step
-
Open EVERY DNS Group Name on the Firewall / pfBlockerNG / DNSBL Feeds page. Search for any of the feeds that are listed as No Domains Found, or that did resolve to a list in a previous step, and paste the URL into a browser bar. If the list is just a bunch of IP addresses, then you have them on the wrong part of your firewall! To fix this:
-
Copy the URLs of any of the lists which were IP-based out of the DNSBL page and into a text file as a placeholder.
-
Move over to the Firewall / pfBlockerNG / IPv4 page and start a new Alias Name (or edit one you may already have there). Add each one of the URLs from your text file, giving it a unique header name (the last field) and make sure to set it to Auto & ON. .
-
Once all added, I set the List Action and update schedule to my preference and saved the page
-
For anything which results in 'Terminated - Easylists can not be used' I do not yet have a solution.
- In the Firewall / pfBlockerNG / General page, untick: Enable pfBlockerNG and Keep settings to disable them both. then click the save button.
- In the Firewall / pfBlockerNG / General page, tick only the Enable pfBlockerNG to enable and leave the Keep settings unticked/disabled.
- In the Firewall / pfBlockerNG / Update page, select the Select 'Force' option Update and click Run. Repeat the process of reviewing the results to remove broken lists and move IP-based lists to the right IPv4 list page.
------ONCE satisfied with the results:
- In the Firewall / pfBlockerNG / General page, untick: Enable pfBlockerNG and Keep settings to disable them both. then click the save button.
- In the Firewall / pfBlockerNG / General page, tick BOTH the Enable pfBlockerNG and Keep settings to enable them both.
- In the Firewall / pfBlockerNG / Update page, select the Select 'Force' option Update and click Run.