There were error(s) loading the rules: pfctl: DIOCADDRULENV: Device busy
-
@stephenw10 Yes sir, the 6100 running 23.09.1. Here is the output from the Filter Reload, it did not trigger any notices.
Initializing Creating aliases Creating gateway group item... Generating Limiter rules Generating NAT rules Creating 1:1 rules... Creating outbound NAT rules Creating automatic outbound rules Setting up TFTP helper Generating filter rules Creating default rules Pre-caching ... Creating filter rule ... Creating filter rules ... Setting up pass/block rules Setting up pass/block rules Creating rule Pre-caching Wireguard Port... Creating filter rule Wireguard Port ... Creating filter rules Wireguard Port ... Setting up pass/block rules Setting up pass/block rules Wireguard Port Creating rule Wireguard Port Pre-caching ping... Creating filter rule ping ... Creating filter rules ping ... Setting up pass/block rules Setting up pass/block rules ping Creating rule ping Pre-caching Default allow LAN to any rule... Creating filter rule Default allow LAN to any rule ... Creating filter rules Default allow LAN to any rule ... Setting up pass/block rules Setting up pass/block rules Default allow LAN to any rule Creating rule Default allow LAN to any rule Pre-caching ... Creating filter rule ... Creating filter rules ... Setting up pass/block rules Setting up pass/block rules Creating rule Pre-caching OpenVPN OpenVPN Users wizard... Creating filter rule OpenVPN OpenVPN Users wizard ... Creating filter rules OpenVPN OpenVPN Users wizard ... Pre-caching Homebridge Allow... Creating filter rule Homebridge Allow ... Creating filter rules Homebridge Allow ... Setting up pass/block rules Setting up pass/block rules Homebridge Allow Creating rule Homebridge Allow Pre-caching Block Default LAN... Creating filter rule Block Default LAN ... Creating filter rules Block Default LAN ... Setting up pass/block rules Setting up pass/block rules Block Default LAN Creating rule Block Default LAN Pre-caching Block Default LAN... Creating filter rule Block Default LAN ... Creating filter rules Block Default LAN ... 
Setting up pass/block rules Setting up pass/block rules Block Default LAN Creating rule Block Default LAN Pre-caching Allow Any... Creating filter rule Allow Any ... Creating filter rules Allow Any ... Setting up pass/block rules Setting up pass/block rules Allow Any Creating rule Allow Any Pre-caching Pass VPN traffic from WireGuard peers... Creating filter rule Pass VPN traffic from WireGuard peers ... Creating filter rules Pass VPN traffic from WireGuard peers ... Setting up pass/block rules Setting up pass/block rules Pass VPN traffic from WireGuard peers Creating rule Pass VPN traffic from WireGuard peers Pre-caching ... Creating filter rule ... Creating filter rules ... Setting up pass/block rules Setting up pass/block rules Creating rule Pre-caching Pass VPN traffic from WireGuard peers... Creating filter rule Pass VPN traffic from WireGuard peers ... Creating filter rules Pass VPN traffic from WireGuard peers ... Setting up pass/block rules Setting up pass/block rules Pass VPN traffic from WireGuard peers Creating rule Pass VPN traffic from WireGuard peers Pre-caching UNVR Allow... Creating filter rule UNVR Allow ... Creating filter rules UNVR Allow ... Setting up pass/block rules Setting up pass/block rules UNVR Allow Creating rule UNVR Allow Pre-caching Block Default LAN... Creating filter rule Block Default LAN ... Creating filter rules Block Default LAN ... Setting up pass/block rules Setting up pass/block rules Block Default LAN Creating rule Block Default LAN Pre-caching Allow Any... Creating filter rule Allow Any ... Creating filter rules Allow Any ... Setting up pass/block rules Setting up pass/block rules Allow Any Creating rule Allow Any Creating IPsec rules... Creating uPNP rules... Generating ALTQ queues Loading filter rules Setting up logging information Setting up Ethernet filter rules... Setting up SCRUB information Processing down interface states Running plugins Done
-
Hmm, is there any sort of pattern to when it happens? When it's passing most traffic perhaps?
Is there anything else logged at the time?
-
@stephenw10 I have 3 locations. 3 6100, 2 of them are nearly identical configuration, most of the same components on the LAN. The 6100 that is throwing off these errors was replaced due to hardware at one time and so the config was restored. It's also the least configured of the 3 in terms of rules. I really wish I could give you more details but that location is pretty quiet..
-
@stephenw10 I forgot to mention that I have Tac Pro on this device, I plan to open a ticket
-
Yes, open a ticket if you haven't already. Link to this thread so TAC have the details here.
-
Just to be clear when this happens it just logs that and continues? It doesn't require manual intervention?
-
@stephenw10 It's crashed and I had to hire someone to go onsite and manually power cycle it
-
I assume not every time that error is shown though?
-
@stephenw10 No, just 2x
-
Hmm, OK. 2x too many!
Do you know if it remains responsive at the console when that happens?
-
@stephenw10 I wish I could say, but it's a remote location and has only acted this way when I'm not on site... last time was 24 hours after I left... frustrating
-
Are you able to upload a status file to us to review?
-
@stephenw10 of course, pls tell me what to do =)
-
Great, you can pull the status_output file from the GUI. See:
https://docs.netgate.com/pfsense/en/latest/recipes/diagnostic-data.html#view-and-download-diagnostic-data-in-the-gui
Then upload it here:
https://nc.netgate.com/nextcloud/s/YfciQktBin7fLEM
-
@stephenw10 All done sir
-
Great I see that. Checking....
-
Mmm, OK nothing obvious there. I'm going to consult developers on this.
-
Ok, the likely cause here is a race condition between filter reloads triggered close to simultaneously.
That obviously shouldn't happen but you can probably mitigate it by tuning your gateway parameters for the WG_VPN_HQ gateway. Currently that is continually throwing alarms and reloading the filter every time it does. I suspect when you see this error it ends up throwing several alarms and queuing up reloads.
I would try either setting the monitoring values to far higher numbers, say 50% and 500ms, or disabling monitoring action on the gateway. If that prevents or reduces the errors you're seeing that would prove the theory.
Steve
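
One way to check the theory above against a firewall's system log, as an added example that is not part of the original post or Netgate's code: it counts gateway monitor state changes logged shortly before each `DIOCADDRULENV: Device busy` error. The sample lines are constructed, the log format (BSD-style syslog, dpinger Alarm/Clear messages) is an assumption, and `correlate` with its parameters is a hypothetical name.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from the thread); BSD-style syslog format is assumed.
SAMPLE_LOG = """\
Apr 15 03:11:40 fw dpinger[4411]: WG_VPN_HQ 10.6.0.1: Alarm latency 612000us stddev 90000us loss 21%
Apr 15 03:11:52 fw dpinger[4411]: WG_VPN_HQ 10.6.0.1: Clear latency 180000us stddev 20000us loss 4%
Apr 15 03:12:01 fw dpinger[4411]: WG_VPN_HQ 10.6.0.1: Alarm latency 701000us stddev 95000us loss 25%
Apr 15 03:12:07 fw dpinger[4411]: WG_VPN_HQ 10.6.0.1: Clear latency 190000us stddev 21000us loss 5%
Apr 15 03:12:09 fw dpinger[4411]: WG_VPN_HQ 10.6.0.1: Alarm latency 650000us stddev 80000us loss 22%
Apr 15 03:12:11 fw php-fpm[398]: /rc.filter_configure_sync: There were error(s) loading the rules: pfctl: DIOCADDRULENV: Device busy
Apr 16 14:30:00 fw dpinger[4411]: WG_VPN_HQ 10.6.0.1: Alarm latency 520000us stddev 60000us loss 20%
Apr 18 09:00:05 fw php-fpm[398]: /rc.filter_configure_sync: There were error(s) loading the rules: pfctl: DIOCADDRULENV: Device busy
"""

# timestamp, host, process name (optional [pid]), message
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (\S+?)(?:\[\d+\])?: (.*)$")
# dpinger message: "<gateway> <monitor ip>: Alarm|Clear ..."
EVENT = re.compile(r"^(\S+) \S+: (Alarm|Clear) ")
BUSY = "DIOCADDRULENV: Device busy"

def correlate(log_text, gateway, window_s=60, year=2024):
    """For each 'Device busy' error, count state changes of `gateway`
    logged in the preceding window_s seconds. Syslog lines carry no year,
    so `year` is supplied by the caller (2024 here is arbitrary)."""
    events, errors = [], []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        proc, msg = m.group(2), m.group(3)
        ev = EVENT.match(msg) if proc == "dpinger" else None
        if ev and ev.group(1) == gateway:
            events.append(ts)       # each state change can trigger a filter reload
        elif BUSY in msg:
            errors.append(ts)
    window = timedelta(seconds=window_s)
    return [(e.isoformat(sep=" "),
             sum(1 for a in events if timedelta(0) <= e - a <= window))
            for e in errors]

if __name__ == "__main__":
    for when, count in correlate(SAMPLE_LOG, "WG_VPN_HQ"):
        print(f"{when}: {count} gateway state change(s) in the prior 60 s")
```

Errors that consistently follow a burst of state changes support the queued-reload explanation; errors with a count of zero point to some other reload trigger.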
-
@stephenw10 From a troubleshooting standpoint, it makes sense since these overseas vpn can have spotty connection from time to time. I already made those adjustments... waiting to see what happened :D Thanks @stephenw10 much appreciated!
-
I’m also seeing this message pop up a lot recently on one of my 23.09.1 firewalls. I’m counting 8 messages between 4/15 to today (4/28).
It’s always an alert saying:
There were error(s) loading the rules: pfctl: DIOCADDRULENV: Device busy - The line in question reads [0]:
Followed by another alert saying:
PF was wedged/busy and has been reset.