pfr_update_stats: assertion failed and blocked traffic



  • I started noticing very weird blocked functions in my home network. My music server would not resolve http(s) get requests for streaming music, though I could on other devices. I could not resolve a domain name by typing the base URL in the address bar (like typing purple.com and get the page to load), but I could find it in a search bar and navigate to them and perform nslookups on them. I updated the main pfSense OS, but could not update any packages. Other weirdness that was not easy to categorize.

    I tried to reboot the pfSense via the web and command menu - neither worked. I forced a hardware reboot and noticed many repeated errors on the console and system logs which read:
    pfr_update_stats: assertion failed

    Here is my solution, which is working for now:

    • In the Firewall / pfBlockerNG / General page, tick the box for "Suppression - This will prevent Selected IPs from being blocked. Only for IPv4 lists (/32 and /24)." and click the Save button for this page.
    • In the Firewall / pfBlockerNG / General page, untick: Enable pfBlockerNG and Keep settings to disable them both. then click the save button.
    • In the Firewall / pfBlockerNG / General page, tick only the Enable pfBlockerNG to enable and leave the Keep settings unticked/disabled.
    • In the Firewall / pfBlockerNG / Update page, select the Select 'Force' option Update and click Run. Copy the output from this into a text file.

    Use the text file to separate the results to find four types of results:

    • No Domains Found

    • Terminated - Easylists can not be used

    • Anything which is not working, such as a 404 page not found or other error

    • Anything working can be ignored

    • Open EVERY DNS Group Name on the Firewall / pfBlockerNG / DNSBL Feeds page. Search for any of the feeds that are NOT working at all and paste the URL into a browser bar. If they do not resolve, delete them - don't forget to click the save button at the bottom. If they do resolve, see the next step

    • Open EVERY DNS Group Name on the Firewall / pfBlockerNG / DNSBL Feeds page. Search for any of the feeds that are listed as No Domains Found, or that did resolve to a list in a previous step, and paste the URL into a browser bar. If the list is just a bunch of IP addresses, then you have them on the wrong part of your firewall! To fix this:

      • Copy the URLs of any of the lists which were IP-based out of the DNSBL page and into a text file as a placeholder.

      • Move over to the Firewall / pfBlockerNG / IPv4 page and start a new Alias Name (or edit one you may already have there). Add each one of the URLs from your text file, giving it a unique header name (the last field) and make sure to set it to Auto & ON. .

      • Once all added, I set the List Action and update schedule to my preference and saved the page

    For anything which results in 'Terminated - Easylists can not be used' I do not yet have a solution.

    • In the Firewall / pfBlockerNG / General page, untick: Enable pfBlockerNG and Keep settings to disable them both. then click the save button.
    • In the Firewall / pfBlockerNG / General page, tick only the Enable pfBlockerNG to enable and leave the Keep settings unticked/disabled.
    • In the Firewall / pfBlockerNG / Update page, select the Select 'Force' option Update and click Run. Repeat the process of reviewing the results to remove broken lists and move IP-based lists to the right IPv4 list page.

    ------ONCE satisfied with the results:

    • In the Firewall / pfBlockerNG / General page, untick: Enable pfBlockerNG and Keep settings to disable them both. then click the save button.
    • In the Firewall / pfBlockerNG / General page, tick BOTH the Enable pfBlockerNG and Keep settings to enable them both.
    • In the Firewall / pfBlockerNG / Update page, select the Select 'Force' option Update and click Run.