Rule syntax error after 2.4.4 upgrade to 2.4.5
-
Hopefully a simple issue...
Having upgraded to 2.4.5 today, my PFsense is reporting:
there were error(s) loading the rules: /tmp/rules.debug:110: syntax error - The line in question reads [110]: rdr on { em1 openvpn } proto icmp from 192.168.200.0/24 to 192.168.200.0/24 port any -> $PFSense
The line in the rules.debug file reads:
# Reflection redirect
rdr on { em1 openvpn } proto icmp from 192.168.200.0/24 to 192.168.200.0/24 port any -> $PFSense
PFSense is an alias for the PFsense LAN IP.
Anyone have any ideas what the issue is? Thanks.
-
@DarkBlade said in Rule syntax error after 2.4.4 upgrade to 2.4.5:
> Somehow, this one made it onto the config.xml
Delete and re-create the rule? Or just the comment?
-
I've commented out the rule for now.
I can't seem to see which rule this applies to (there are no rules under the default OpenVPN tab, but I do have my own VPN tab under rules and I suspect it is the basic pass rule for ICMP).
I've re-created my 2.4.4 build from backup and there seems to be no difference in the rules via the GUI.
Can't remember how I tested the rule when it was setup.
I have noticed some differences in this section of the rules.debug between 2.4.4 and 2.4.5. Not sure if there is a slight bug here? This is the section in the rules.debug from 2.4.4:
# Load balancing anchor
rdr-anchor "relayd/*"
# TFTP proxy
rdr-anchor "tftp-proxy/*"
# NAT Inbound Redirects
rdr on ovpns1 proto icmp from 192.168.200.0/24 to any -> $PFSense
# Reflection redirect
rdr on { em1 openvpn } proto icmp from 192.168.200.0/24 to 192.168.200.0/24 -> $PFSense
# UPnPd rdr anchor
rdr-anchor "miniupnpd"
This is the section after the upgrade to 2.4.5:
# Load balancing anchor
rdr-anchor "relayd/*"
# TFTP proxy
rdr-anchor "tftp-proxy/*"
# NAT Inbound Redirects
rdr on pppoe0 proto tcp from any to 91.135.4.5 port 554 -> $NVR
# Reflection redirect
rdr on { em1 openvpn } proto tcp from any to 91.135.4.5 port 554 -> $NVR
rdr on pppoe0 proto tcp from any to 91.135.4.5 port 443 -> $PFSense port 5900
# Reflection redirect
rdr on { em1 openvpn } proto tcp from any to 91.135.4.5 port 443 -> $PFSense port 5900
rdr on pppoe0 proto tcp from any to 91.135.4.5 port 992 -> $Wall_e
# Reflection redirect
rdr on { em1 openvpn } proto tcp from any to 91.135.4.5 port 992 -> $Wall_e
rdr on ovpns1 proto icmp from 192.168.200.0/24 to any -> $PFSense
# Reflection redirect
rdr on { em1 openvpn } proto icmp from 192.168.200.0/24 to 192.168.200.0/24 port any -> $PFSense
rdr on pppoe0 proto tcp from any to 91.135.4.5 port 5555 -> $Wall_e
# Reflection redirect
rdr on { em1 openvpn } proto tcp from any to 91.135.4.5 port 5555 -> $Wall_e
# UPnPd rdr anchor
rdr-anchor "miniupnpd"
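Comparing the two dumps in the post above, the one change on the failing reflection line is the `port any` that 2.4.5 appended to an ICMP rdr rule; pf port clauses only apply to TCP and UDP. The following lint is an added example written for this thread, not pfSense's own code: it scans a rules.debug dump and flags every rdr rule that carries a port clause while naming a protocol other than tcp/udp. The embedded rules.debug text is constructed from the lines posted above. On the firewall itself, `pfctl -nf /tmp/rules.debug` parses the file without loading it and reports the offending line number.

```python
"""Lint a pf rules.debug dump for rdr rules that combine a port clause with a non-TCP/UDP protocol."""

# Constructed sample, taken from the 2.4.5 rules.debug section quoted in this thread.
SAMPLE_RULES_DEBUG = """\
# NAT Inbound Redirects
rdr on pppoe0 proto tcp from any to 91.135.4.5 port 554 -> $NVR
# Reflection redirect
rdr on { em1 openvpn } proto tcp from any to 91.135.4.5 port 554 -> $NVR
rdr on pppoe0 proto tcp from any to 91.135.4.5 port 443 -> $PFSense port 5900
rdr on ovpns1 proto icmp from 192.168.200.0/24 to any -> $PFSense
# Reflection redirect
rdr on { em1 openvpn } proto icmp from 192.168.200.0/24 to 192.168.200.0/24 port any -> $PFSense
# UPnPd rdr anchor
rdr-anchor "miniupnpd"
"""

PORT_PROTOCOLS = {"tcp", "udp"}  # the only protocols for which pf accepts a port clause


def parse_rdr_rules(rules_text):
    """Yield (line_number, tokens) for every rdr rule, skipping comments, blank lines and anchors."""
    for lineno, raw in enumerate(rules_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "rdr":  # 'rdr-anchor' is a different keyword and is not checked
            yield lineno, tokens


def _protocols(tokens):
    """Return the set of protocols after 'proto', expanding '{ tcp udp }' lists; None if no proto clause."""
    if "proto" not in tokens:
        return None
    i = tokens.index("proto") + 1
    if tokens[i] == "{":
        closing = tokens.index("}", i)
        return set(tokens[i + 1:closing])
    return {tokens[i]}


def find_port_on_non_tcp_udp(rules_text):
    """Return (line_number, protocols, port_values, rule) for each rdr rule with a port clause on a
    protocol that is not tcp/udp. Rules with no proto clause are left alone: they match any protocol
    and pf's handling of that case is not what this thread is about."""
    findings = []
    for lineno, tokens in parse_rdr_rules(rules_text):
        protos = _protocols(tokens)
        # Collect every value following a 'port' keyword, on both the match side and the '->' side.
        port_values = [tokens[i + 1] for i, tok in enumerate(tokens)
                       if tok == "port" and i + 1 < len(tokens)]
        if port_values and protos is not None and not protos <= PORT_PROTOCOLS:
            findings.append((lineno, protos, port_values, " ".join(tokens)))
    return findings


if __name__ == "__main__":
    for lineno, protos, ports, rule in find_port_on_non_tcp_udp(SAMPLE_RULES_DEBUG):
        print(f"line {lineno}: port clause {ports} on proto {sorted(protos)}: {rule}")
```

Run against the sample it reports exactly one line, the ICMP reflection rule with `port any`; the TCP reflection rules, including the one with a redirect port (`-> $PFSense port 5900`), pass. To check a live file, read `/tmp/rules.debug` into `find_port_on_non_tcp_udp` instead of the sample text.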
-
The extra rules used by 2.4.5 use labels like $NVR, $PFSense, $Wall_e.
These are not pfSense itself. Reset your pfSense to default, make 'pppoe' work (and stop there) and these labels will be gone.
Looks like these rules are part of NAT (?) rules on the pppoe interface that didn't exist when you were using 2.4.4.
edit: just in case: NATting, of course, should not be used to access things like the pfSense GUI or an NVR.
Use OpenVPN server for a secured connection. Then you can access all your local devices without any NATting.