Netgate Discussion Forum

Fail to boot and reload filter after update 2.6.0 to 2.7.0

Problems Installing or Upgrading pfSense Software
20 Posts 2 Posters 1.3k Views
  • T
    Tnumarim
    last edited by Feb 22, 2024, 7:13 PM

    After performing the update from 2.6.0 to 2.7.0 the system did not boot and there appeared a notice on Filter Reload: There were error(s) loading the rules: pfctl: pfi_get_ifaces: Operation not supported by device - The line in question reads [0]: @2024-02-22 18:12:08. Also Status>Filter Reload did not solve the problem and showed the following output:
    Initializing
    • Creating aliases
    • Creating gateway group item...
    • Generating Limiter rules
    • Generating NAT rules
    • Creating 1:1 rules...
    • Creating outbound NAT rules
    • Creating automatic outbound rules
    • Setting up TFTP helper
    • Generating filter rules
    • Creating default rules
    • Pre-caching Default allow LAN to any rule...
    • Creating filter rule Default allow LAN to any rule ...
    • Creating filter rules Default allow LAN to any rule ...
    • Setting up pass/block rules
    • Setting up pass/block rules Default allow LAN to any rule
    • Creating rule Default allow LAN to any rule
    • Pre-caching Default allow LAN IPv6 to any rule...
    • Creating filter rule Default allow LAN IPv6 to any rule ...
    • Creating filter rules Default allow LAN IPv6 to any rule ...
    • Setting up pass/block rules
    • Setting up pass/block rules Default allow LAN IPv6 to any rule
    • Creating rule Default allow LAN IPv6 to any rule
    • Creating IPsec rules...
    • Creating uPNP rules...
    • Generating ALTQ queues
    • Loading filter rules
    • Setting up logging information
    • Setting up SCRUB information
    • There were error(s) loading the rules: pfctl: pfi_get_ifaces: Operation not supported by device - The line in question reads [0]:

    Can anybody help to solve my problem and get my router running again? Currently I have only LAN but no WAN connection.

    1 Reply Last reply Reply Quote 0
    • S
      stephenw10 Netgate Administrator
      last edited by Feb 22, 2024, 9:48 PM

      @Tnumarim said in Fail to boot and reload filter after update 2.6.0 to 2.7.0:

      pfctl: pfi_get_ifaces

      That looks like kernel/world mismatch which implies the upgrade didn't complete correctly.

      Can you access the command line?

      Try running pfSense-upgrade -d and see if it offers to upgrade again.

      Otherwise try upgrading any remaining packages with pkg-static -d upgrade.

      You can always install 2.7.2 clean and restore your config into it.

      Steve

      T 3 Replies Last reply Feb 22, 2024, 10:30 PM Reply Quote 0
      • T
        Tnumarim @stephenw10
        last edited by Feb 22, 2024, 10:30 PM

        This post is deleted!
        1 Reply Last reply Reply Quote 0
        • T
          Tnumarim @stephenw10
          last edited by Feb 22, 2024, 11:09 PM

          @stephenw10 After running pfSense-upgrade -d, the Shell Output message was as follows:
          pfSense-repoc-static: failed to fetch the repo data
          failed to read the repo data.
          failed to update the repository settings!!!
          failed to update the repository settings!!!

          1 Reply Last reply Reply Quote 0
          • S
            stephenw10 Netgate Administrator
            last edited by Feb 22, 2024, 11:42 PM

            Ah, I see now you said you had no WAN connection. What should the WAN be? How was it connected previously?

            1 Reply Last reply Reply Quote 0
            • T
              Tnumarim @stephenw10
              last edited by Feb 22, 2024, 11:52 PM

              Hi Stephen, I had normal internet connection before updating from pfSense 2.6.0 to 2.7.0. After the upgrade pfSense did not boot because it apparently could not load certain rules as outlined in my earlier message

              1 Reply Last reply Reply Quote 0
              • S
                stephenw10 Netgate Administrator
                last edited by Feb 23, 2024, 12:03 AM

                Well I would just install 2.7.2 clean from there if you can. It will probably be quicker ultimately.

                T 1 Reply Last reply Feb 23, 2024, 12:46 AM Reply Quote 0
                • T
                  Tnumarim @stephenw10
                  last edited by Feb 23, 2024, 12:46 AM

                  @stephenw10 How can I install 2.7.0 if I have no internet connection? The WAN connection has been lost after my attempt to update from 2.6.0 to 2.7.0 the router did not boot properly showing the error message in loading the rules: pfctl: pfi_get_ifaces

                  1 Reply Last reply Reply Quote 0
                  • S
                    stephenw10 Netgate Administrator
                    last edited by Feb 23, 2024, 1:18 AM

                    So you don't have a copy of the install media? Do you have a backup of the config?

                    Ok then run ifconfig and see what the status of your WAN is.

                    As I asked previously, how was it configured? DHCP? PPPoE? Something more exotic?

                    T 1 Reply Last reply Feb 23, 2024, 11:41 AM Reply Quote 0
                    • T
                      Tnumarim @stephenw10
                      last edited by Feb 23, 2024, 11:41 AM

                      @stephenw10 You are right, I did not make a backup of the config (stupid, I know). WAN was configured via PPPoE. I ran ifconfig and the Shell Output is as follows:
                      igb0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                              options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
                              ether 00:0d:b9:51:ff:4c
                              inet6 fe80::20d:b9ff:fe51:ff4c%igb0 prefixlen 64 scopeid 0x1
                              media: Ethernet autoselect (1000baseT <full-duplex>)
                              status: active
                              nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
                      igb1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                              options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
                              ether 00:0d:b9:51:ff:4d
                              inet6 fe80::20d:b9ff:fe51:ff4d%igb1 prefixlen 64 scopeid 0x2
                              inet6 fe80::1:1%igb1 prefixlen 64 scopeid 0x2
                              inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
                              media: Ethernet autoselect (100baseTX <full-duplex>)
                              status: active
                              nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                      igb2: flags=8822<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
                              options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
                              ether 00:0d:b9:51:ff:4e
                              media: Ethernet autoselect
                              status: no carrier
                              nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                      igb3: flags=8822<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
                              options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
                              ether 00:0d:b9:51:ff:4f
                              media: Ethernet autoselect
                              status: no carrier
                              nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                      enc0: flags=0<> metric 0 mtu 1536
                              groups: enc
                              nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                      lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
                              options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
                              inet6 ::1 prefixlen 128
                              inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
                              inet 127.0.0.1 netmask 0xff000000
                              groups: lo
                              nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                      pfsync0: flags=0<> metric 0 mtu 1500
                              groups: pfsync
                      pflog0: flags=100<PROMISC> metric 0 mtu 33152
                              groups: pflog
                      pppoe0: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
                              description: WAN
                              nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

                      S 1 Reply Last reply Feb 23, 2024, 2:32 PM Reply Quote 0
                      • S
                        stephenw10 Netgate Administrator @Tnumarim
                        last edited by Feb 23, 2024, 2:32 PM

                        @Tnumarim said in Fail to boot and reload filter after update 2.6.0 to 2.7.0:

                        WAN was configured via PPPoE

                        Urgh, that makes it a lot more tricky.

                        Do you see the config still at /conf/config.xml?

                        If you're using a serial console you can cat that and copy/paste it out of the terminal if you have to.

                        If you still have SSH access you can just SCP that off the firewall.

                        Finding some way to reinstall 2.7.2 directly is going to be the easiest solution here.

                        T 1 Reply Last reply Feb 23, 2024, 3:26 PM Reply Quote 0
                        • T
                          Tnumarim @stephenw10
                          last edited by Tnumarim Feb 23, 2024, 4:13 PM Feb 23, 2024, 3:26 PM

                          @stephenw10 I navigated to System>Advanced, Admin Access tab. This page shows Protocol HTTPS (SSL/TLS) checked and ‘Enable webConfigurator login autocomplete’ also checked. On same page ‘Enable Secure Shell’ not checked (selected). SSHd Key Only set to Password or Public Key. Shall I change something on this page? What do you mean with “you can just SCP that off the firewall”? What should I do there, can you describe exactly?
                          The page with WAN Firewall Rules shows 2 rules: RFC 1918 networks and Reserved, Not assigned by IANA (Block bogon networks). Below on same page it is stated in red: No rules are currently defined for this interface. In fact 2 rules are shown. How can this be possible? All incoming connections on this interface will be blocked until pass rules are added. That’s the reason why I have no WAN access. Would it help to add some rules and save these to the WAN interface?

                          1 Reply Last reply Reply Quote 0
                          • S
                            stephenw10 Netgate Administrator
                            last edited by Feb 23, 2024, 5:04 PM

                            Oh I'm sorry I assumed it was not booting far enough to reach the GUI.

                            OK if you have access to the GUI just go to Diag > Backup and download the config file there.

                            Check Status > Interfaces. Does the ppp WAN show there? Is it disconnected? Will it connect manually?

                            T 1 Reply Last reply Feb 23, 2024, 6:07 PM Reply Quote 0
                            • T
                              Tnumarim @stephenw10
                              last edited by Feb 23, 2024, 6:07 PM

                              @stephenw10 As outlined in above message #9 I did not make a backup of the config, so I cannot download it from Diag>Backup.
                              Under Status > Interfaces WAN shows up as down but won’t connect after hitting the ‘Connect WAN’ button. On bottom of this page it is stated in red: ‘Using dial-on-demand will bring the connection up again if any packet triggers it.’ What can I do next to get my WAN connection back? The upgrade process to 2.7.0 went quite smoothly and I did not notice any hiccup during the whole process.

                              S 1 Reply Last reply Feb 23, 2024, 6:09 PM Reply Quote 0
                              • S
                                stephenw10 Netgate Administrator @Tnumarim
                                last edited by Feb 23, 2024, 6:09 PM

                                @Tnumarim said in Fail to boot and reload filter after update 2.6.0 to 2.7.0:

                                I did not make a backup of the config, so I cannot download it from Diag>Backup.

                                Hmm, I'm not sure what you mean. If you can access that page you should be able to backup the current config. And any older config stored.

                                T 1 Reply Last reply Feb 23, 2024, 6:22 PM Reply Quote 0
                                • T
                                  Tnumarim @stephenw10
                                  last edited by Feb 23, 2024, 6:22 PM

                                  @stephenw10 Do you mean that I should make a backup of my current configuration? Yes I can do that. But I have no backup of my configuration before the update from 2.6.0 to 2.7.0. After preparing the backup file of the current config should I then use that XML file to restore this configuration under page Backup & Restore?

                                  1 Reply Last reply Reply Quote 0
                                  • S
                                    stephenw10 Netgate Administrator
                                    last edited by Feb 23, 2024, 6:45 PM

                                    The config should still be valid. But you should also be able to download previous config versions from the config history tab there.

                                    You can then use that to restore into a clean install if you need to.

                                    I would try re-saving the WAN interface and then checking the logs for any errors.

                                    T 1 Reply Last reply Feb 23, 2024, 7:40 PM Reply Quote 0
                                    • T
                                      Tnumarim @stephenw10
                                      last edited by Feb 23, 2024, 7:40 PM

                                      @stephenw10 Under Config History there is one file (Local Database) which was saved yesterday with designation ‘Creating restore point before upgrade’. Should I download that config to restore into a clean install?
                                      I also made a backup of the interfaces. How can I check the logs for errors?

                                      1 Reply Last reply Reply Quote 0
                                      • S
                                        stephenw10 Netgate Administrator
                                        last edited by Feb 23, 2024, 9:23 PM

                                        Yes, download that file too. Compare it with the other config you downloaded.

                                        Look in Status > System Logs after resaving the WAN.

                                        T 1 Reply Last reply Feb 23, 2024, 10:52 PM Reply Quote 0
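The comparison suggested in the reply above, as an added example that is not part of the original thread: a Python sketch that diffs two downloaded config.xml files leaf by leaf and masks secret values, so the result can be pasted into a forum post. The sample XML is constructed, and the list of sensitive element names is an assumption to adjust for your own config.

```python
import xml.etree.ElementTree as ET

# Leaf names treated as secret; an assumed list, extend it for your own config.
SENSITIVE = {"password", "bcrypt-hash", "prv", "pre-shared-key"}

def flatten(xml_text):
    """Map every leaf element, addressed by path and sibling index, to its text."""
    leaves = {}
    def walk(node, path):
        children = list(node)
        if not children:
            leaves[path] = (node.text or "").strip()
            return
        seen = {}
        for child in children:
            idx = seen.get(child.tag, 0)
            seen[child.tag] = idx + 1
            walk(child, f"{path}/{child.tag}[{idx}]")
    root = ET.fromstring(xml_text)
    walk(root, root.tag)
    return leaves

def redact(path, value):
    leaf = path.rsplit("/", 1)[-1].split("[")[0]
    return "<redacted>" if value is not None and leaf in SENSITIVE else value

def diff_configs(before_xml, after_xml):
    """Return (path, before, after) for each leaf that differs; None means absent."""
    before, after = flatten(before_xml), flatten(after_xml)
    changes = []
    for path in sorted(before.keys() | after.keys()):
        old, new = before.get(path), after.get(path)
        if old != new:
            changes.append((path, redact(path, old), redact(path, new)))
    return changes

# Constructed sample configs, not taken from the poster's firewall.
BEFORE = """<pfsense>
<revision><description>Creating restore point before upgrade</description></revision>
<interfaces><wan><if>pppoe0</if><ipaddr>pppoe</ipaddr></wan></interfaces>
<ppps><ppp><type>pppoe</type><ports>igb0</ports><password>b2xk</password></ppp></ppps>
</pfsense>"""
AFTER = BEFORE.replace("Creating restore point before upgrade", "Saved after upgrade") \
              .replace("b2xk</password>", "bmV3</password><mtu>1492</mtu>")

if __name__ == "__main__":
    for path, old, new in diff_configs(BEFORE, AFTER):
        print(f"{path}: {old!r} -> {new!r}")
```

An empty leaf and an absent one are reported differently (`''` versus `None`), which matters for configs where the mere presence of an empty tag acts as a flag.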
                                        • T
                                          Tnumarim @stephenw10
                                          last edited by Feb 23, 2024, 10:52 PM

                                          @stephenw10 Steve, I will continue tomorrow with your valuable new suggestions to solve my problem and will let you know the results.
                                          Thanks so far, Felix

                                          1 Reply Last reply Reply Quote 1
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.