Netgate Discussion Forum
    Unable to change the rules and rules are not loading

    Official Netgate® Hardware
XilefSeiei:

      Good day,

We are having issues on our pfSense: there is no connection because the users are unable to connect to the internet, and upon inspection it seems the rules are not loading.

      There were error(s) loading the rules: /tmp/rules.debug:226: syntax error - The line in question reads [226]: pass out log route-to ( re1 X.X.X.X ) proto udp from (self) to Y.Y.Y.Y port = 500 tracker 1000106341 keep state label "IPsec: XXXX tunnel "EASTERN" - outbound isakmp"
      @ 2022-08-11 15:14:28

XilefSeiei:

        Is there anyone have an idea on how to resolve this? Thank you

Gertjan (replying to XilefSeiei):

          @xilefseiei

First solution:

Access the console menu.
Use option 15, and pick a configuration from just before the one that crippled your access.

While you're using the console, use option 8 and have a look at /tmp/rules.debug around line number 226.

If you're old enough to know what "vi" is, you could use "viconfig" and remove the offending rule.

This is an example of a firewall rule on my LAN interface:

[image]

and here is the corresponding part in the config:

[image]

Just remove it - do not make an error.

Before doing all this, make an extra backup here: Diagnostics > Backup & Restore > Backup & Restore.
Better yet: make a backup of the config every day.
Only when you have backups, you'll be sure to never use them.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

XilefSeiei:

            @gertjan said in Unable to change the rules and rules are not loading:

While you're using the console, use option 8 and have a look at /tmp/rules.debug around line number 226.

Thanks, will try this.

XilefSeiei:

              Good day,

Already tried, but the error persists and the line just keeps coming back. You can see the line in the attached image. This is under VPN Rules.

[image]

Gertjan (replying to XilefSeiei):

                @xilefseiei

You took a config from before the error happened?

Can you deactivate the IPsec temporarily?

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                1 Reply Last reply Reply Quote 1
                • stephenw10S
                  stephenw10 Netgate Administrator
                  last edited by stephenw10

That's not a user rule, it's an auto rule added by the system when you create an IPsec tunnel.

So if it's failing to load, it's probably because something referenced by it is no longer present. Most likely the gateway or interface doesn't exist.

                  What pfSense version are you running?

                  Steve

XilefSeiei (replying to stephenw10):

                    @stephenw10

                    The version is this:
                    2.4.4-RELEASE (amd64)
                    built on Thu Sep 20 09:03:12 EDT 2018
                    FreeBSD 11.2-RELEASE-p3

Will it be possible to just delete the IPsec tunnel and recreate it?

XilefSeiei:

                      Good day,

It seems it is working now (haven't fully tested the sites yet), but so far there are no further issues.

As @Gertjan said, there is indeed something wrong with the current configuration of the IPsec tunnels. That also coincides with @stephenw10's statement that there is an object reference that is no longer present (in our case the interface group is no longer present).

Additionally, as I never noticed initially, there is another cause for the said error: the IPsec tunnel name contains a special character (in this case "" ) that causes rules.debug to not load properly. After removing it, there are no longer any errors being observed. Another administrator changed the settings without informing us and never told us about the changes.

Thank you everyone for your help. Will continue to observe and test the functionalities.
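The failing line in the first post shows the shape of this bug: the tunnel description was spliced into the rule's `label "..."` string, so an embedded double quote terminates the string early and pf rejects the line. The script below is an added example, not code from the thread or from pfSense: it scans a ruleset for labels containing embedded quotes so the offending IPsec/auto rule can be located before `pfctl -nf /tmp/rules.debug` (pf's own dry-run syntax check) fails. The sample ruleset and addresses are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): find pf rule lines whose label string
# contains embedded double quotes, the pattern behind the rules.debug:226
# syntax error. Run as: sh check_labels.sh /tmp/rules.debug

check_labels() {
    # $1: path to a pf ruleset. Prints "<lineno>: <label text>" for every
    # label whose body still contains a double quote after the delimiters
    # are stripped. Empty output means no embedded-quote labels were found.
    awk '
      /[[:space:]]label[[:space:]]+"/ {
        s = $0
        sub(/.*[[:space:]]label[[:space:]]+"/, "", s)  # keep text after: label "
        sub(/"[[:space:]]*$/, "", s)                   # drop the closing quote
        if (index(s, "\"") > 0) print NR ": " s
      }' "$1"
}

make_sample() {
    # Writes a constructed three-rule ruleset to $1. Rule 3 mimics the thread:
    # the tunnel description "EASTERN" carries its own quotes into the label.
    cat > "$1" <<'EOF'
pass in quick on re0 proto tcp from any to (self) port = 22 tracker 1000000101 keep state label "USER_RULE: allow ssh"
pass out log route-to ( re1 192.0.2.1 ) proto udp from (self) to 198.51.100.7 port = 500 tracker 1000106340 keep state label "IPsec: WESTERN tunnel - outbound isakmp"
pass out log route-to ( re1 192.0.2.1 ) proto udp from (self) to 198.51.100.8 port = 500 tracker 1000106341 keep state label "IPsec: XXXX tunnel "EASTERN" - outbound isakmp"
EOF
}

main() {
    # Use the ruleset given on the command line, or the constructed sample.
    if [ -n "$1" ]; then f="$1"; else f=$(mktemp); make_sample "$f"; fi
    out=$(check_labels "$f")
    if [ -n "$out" ]; then
        printf 'labels with embedded quotes (fix the description first):\n%s\n' "$out"
    else
        echo "no embedded-quote labels in $f"
    fi
    [ -z "$1" ] && rm -f "$f"
}

main "$@"
```

On a live box, point it at /tmp/rules.debug and match the reported line number against the one in the "error(s) loading the rules" message; the label text tells you which tunnel description to clean up.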

Gertjan (replying to XilefSeiei):

                        @xilefseiei said in Unable to change the rules and rules are not loading:

                        Will continue to observe and test the functionalities

You missed something huge!
2.4.4 is far too ancient.
You might as well have found something that was solved many years ago.

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??

                        1 Reply Last reply Reply Quote 0
                        • stephenw10S
                          stephenw10 Netgate Administrator
                          last edited by

Yes, you should upgrade. There's every chance the bug that allowed that invalid ruleset to be created has been fixed in the 4 years since 2.4.4, along with numerous security fixes!

                          Steve

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.