Reinstalling using USB Recovery - pfBlockerNG in config backup

NGUSER6947 · Mar 8, 2023, 1:47 PM

I had to reinstall pfsense on my backup SG-1100 using USB Recovery. Then I backed up my other (Production) SG-1100 and restored the configuration to the backup device.

Plugging into the LAN port (on the backup device) with my laptop everything seems to have restored correctly, except obviously pfBlockerNG isn't installed. So I get a handful of warning messages:

There were error(s) loading the rules: /tmp/rules.debug:164: macro 'pfB_PRI1_v4' not defined - The line in question reads [164]: block return in log quick on $LAN inet from any to $pfB_PRI1_v4 ridentifier 1770011057 label "USER_RULE: pfB_PRI1_v4" label "id:1770011057"
@ 2023-02-10 16:17:14
There were error(s) loading the rules: /tmp/rules.debug:164: macro 'pfB_PRI1_v4' not defined - The line in question reads [164]: block return in log quick on $LAN inet from any to $pfB_PRI1_v4 ridentifier 1770011057 label "USER_RULE: pfB_PRI1_v4" label "id:1770011057"
@ 2023-02-10 16:17:42
There were error(s) loading the rules: /tmp/rules.debug:164: macro 'pfB_PRI1_v4' not defined - The line in question reads [164]: block return in log quick on $LAN inet from any to $pfB_PRI1_v4 ridentifier 1770011057 label "USER_RULE: pfB_PRI1_v4" label "id:1770011057"
@ 2023-02-10 16:18:21
There were error(s) loading the rules: /tmp/rules.debug:162: macro 'pfB_PRI1_v4' not defined - The line in question reads [162]: block return in log quick on $LAN inet from any to $pfB_PRI1_v4 ridentifier 1770011057 label "USER_RULE: pfB_PRI1_v4" label "id:1770011057"
@ 2023-02-10 16:18:24

General
Package reinstall process was ABORTED due to lack of internet connectivity @ 2023-02-10 16:14:38

So... at this point, should I remove pfBlockerNG using the GUI, and then when I'm ready swap this one with the production device, get it online and reinstall pfBlockerNG? Will removing it restore the firewall rules to the way they were before I ever installed pfBlockerNG?

My fear is that removing the package either won't work to begin with (since no internet connection) or that it won't revert the firewall rules, and thus when I do plug it into the router it'll be uncommunicating.

Thanks.

SteveITS · Mar 8, 2023, 2:00 PM

@nguser6947 As I recall, at that point pfSense doesn’t show the package installed. You’d need to install it to uninstall. The pfB aliases won’t exist yet until a pfB force update is run. But you can install it and do that.

NGUSER6947 · Mar 8, 2023, 3:14 PM

@steveits Actually it shows up in the Firewall tab.

I'll attempt to connect it (if it won't connect I should turn off the pfB_PRI1_v4 rule, correct?). Then remove and reinstall the package.

SteveITS · Mar 8, 2023, 3:36 PM

@nguser6947 The rule will still be there but you'll get the warning that the alias doesn't exist. Therefore the rule doesn't do anything. Whether that affects connectivity depends on what your rule does. :) If it's a deny inbound rule then it won't affect outbound.

NGUSER6947 · Mar 8, 2023, 9:02 PM

So in the end, I was able to get the device online, uninstall pfBlockerNG, the reinstall it and everything seems to be working just fine. It's now running as my production device.

I will keep the other one (the one that had been my production unit before) on the shelf for two weeks just to be sure no hidden issues appear with the new one, then will reinstall and upgrade it too.

Thanks for all the help on these forums, and to Netgate for a solid product .