Netgate Discussion Forum
    Rule syntax error after 2.4.4 upgrade to 2.4.5

      DarkBlade

      Hopefully a simple issue...

      Having upgraded to 2.4.5 today, my pfSense is reporting:

      there were error(s) loading the rules: /tmp/rules.debug:110: syntax error - The line in question reads [110]: 
        rdr on { em1 openvpn } proto icmp from 192.168.200.0/24 to 192.168.200.0/24 port any -> $PFSense
      

      The line in the rules.debug file reads:

      # Reflection redirect
      rdr on { em1 openvpn } proto icmp from 192.168.200.0/24 to 192.168.200.0/24 port any -> $PFSense
      

      PFSense is an alias for the pfSense LAN IP.

      Anyone have any ideas what the issue is? Thanks.

        Gertjan @DarkBlade

        @DarkBlade said in Rule syntax error after 2.4.4 upgrade to 2.4.5:

        ->

        Somehow, this one made it into the config.xml

        Delete and re-create the rule? Or just the comment?

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          DarkBlade

          I've commented out the rule for now.
          I can't seem to see which rule this applies to (there are no rules under the default OpenVPN tab, but I do have my own VPN tab under rules and I suspect it is the basic pass rule for ICMP).
          I've re-created my 2.4.4 build from backup and there seems to be no difference in the rules via the GUI.
          Can't remember how I tested the rule when it was set up.
          I have noticed some differences in this section of the rules.debug between 2.4.4 and 2.4.5. Not sure if there is a slight bug here?

          This is the section in the rules.debug from 2.4.4

          # Load balancing anchor
          rdr-anchor "relayd/*"
          # TFTP proxy
          rdr-anchor "tftp-proxy/*"
          # NAT Inbound Redirects
          rdr on ovpns1 proto icmp from 192.168.200.0/24 to any -> $PFSense
          # Reflection redirect
          rdr on { em1 openvpn } proto icmp from 192.168.200.0/24 to 192.168.200.0/24 -> $PFSense
          # UPnPd rdr anchor
          rdr-anchor "miniupnpd"
          

          This is the section after the upgrade to 2.4.5.

          # Load balancing anchor
          rdr-anchor "relayd/*"
          # TFTP proxy
          rdr-anchor "tftp-proxy/*"
          # NAT Inbound Redirects
          rdr on pppoe0 proto tcp from any to 91.135.4.5 port 554 -> $NVR
          # Reflection redirect
          rdr on { em1 openvpn } proto tcp from any to 91.135.4.5 port 554 -> $NVR
          rdr on pppoe0 proto tcp from any to 91.135.4.5 port 443 -> $PFSense port 5900
          # Reflection redirect
          rdr on { em1 openvpn } proto tcp from any to 91.135.4.5 port 443 -> $PFSense port 5900
          rdr on pppoe0 proto tcp from any to 91.135.4.5 port 992 -> $Wall_e
          # Reflection redirect
          rdr on { em1 openvpn } proto tcp from any to 91.135.4.5 port 992 -> $Wall_e
          rdr on ovpns1 proto icmp from 192.168.200.0/24 to any -> $PFSense
          # Reflection redirect
          rdr on { em1 openvpn } proto icmp from 192.168.200.0/24 to 192.168.200.0/24 port any -> $PFSense
          rdr on pppoe0 proto tcp from any to 91.135.4.5 port 5555 -> $Wall_e
          # Reflection redirect
          rdr on { em1 openvpn } proto tcp from any to 91.135.4.5 port 5555 -> $Wall_e
          # UPnPd rdr anchor
          rdr-anchor "miniupnpd"
          
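An added example, not part of the original posts and not pfSense's own code: in the two dumps above, the failing 2.4.5 reflection line differs from the 2.4.4 one only by the `port any` clause, and ICMP has no ports. The sh/awk check below flags `rdr`/`nat` lines that put a `port` clause on a protocol other than TCP/UDP or use `any` as a port value; the function names, the sample rules (using the documentation address 203.0.113.10) and the tcp/udp-only assumption are this example's own.

```shell
#!/bin/sh
# Added example (not pfSense code): lint rdr/nat lines of a pf ruleset dump.

# sample_rules: constructed input modelled on the 2.4.5 dump in the thread.
sample_rules() {
    cat <<'EOF'
# NAT Inbound Redirects
rdr on pppoe0 proto tcp from any to 203.0.113.10 port 554 -> $NVR
rdr on ovpns1 proto icmp from 192.168.200.0/24 to any -> $PFSense
# Reflection redirect
rdr on { em1 openvpn } proto icmp from 192.168.200.0/24 to 192.168.200.0/24 port any -> $PFSense
rdr-anchor "miniupnpd"
EOF
}

# check_rdr_ports FILE: print "LINE: REASON: RULE" per finding, return 1 if any.
# Assumption: only tcp and udp accept a port clause.
check_rdr_ports() {
    awk '
    $1 != "rdr" && $1 != "nat" { next }   # skip comments, anchors, filter rules
    {
        protos = ""; hasport = 0; portany = 0; portless = ""; msg = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "proto") {
                if ($(i + 1) == "{") {    # proto { tcp udp } list form
                    for (j = i + 2; j <= NF && $j != "}"; j++) protos = protos " " $j
                } else {
                    protos = $(i + 1)
                }
            }
            if ($i == "port") {
                hasport = 1
                if ($(i + 1) == "any") portany = 1
            }
        }
        n = split(protos, p, " ")
        for (k = 1; k <= n; k++)
            if (p[k] != "tcp" && p[k] != "udp") portless = p[k]
        if (hasport && portless != "") msg = "port clause on proto " portless
        if (portany) msg = (msg == "" ? "" : msg "; ") "keyword any as port value"
        if (msg == "") next
        printf "%d: %s: %s\n", NR, msg, $0
        found = 1
    }
    END { exit (found ? 1 : 0) }
    ' "$1"
}

# Usage: sh this_script /tmp/rules.debug
if [ "$#" -gt 0 ]; then check_rdr_ports "$1"; fi
```

The reported line numbers match the `/tmp/rules.debug:110` style of the loader's error, so a finding can be compared directly with the message shown in the GUI.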
            Gertjan

            The extra rules used by 2.4.5 use labels like $NVR, $PFSense, $Wall_e.
            These are not pfSense itself.

            Reset your pfSense to default, make 'pppoe' work (and stop there) and these labels will be gone.

            Looks like these rules are part of NAT (?) rules on the pppoe interface that didn't exist when you were using 2.4.4.

            Edit: just in case: NATting, of course, should not be used to access things like the pfSense GUI or an NVR.
            Use OpenVPN server for a secured connection. Then you can access all your local devices without any NATting.
