Error loading rules With Load Balancing in 02-14-2007 and 02-18-2007 SNAPSHOTS

  • Hello,

    I am not sure to put this message in this forum or in the Routing and Dual WAN or
    in the Firewall forums, but here we go:

    My problem is:

    I have installed pfSense with the following configuration:

    LAN IP Address: static

    WAN IP Address: static
    WAN IP Gateway:
    WAN Router IP:

    OPT1 IP Address:
    OPT1 IP Gateway:
    OPT1 Router IP:

    I used the 1.0.1 version and applied the pfSense-Full-Update-1.0.1-SNAPSHOT-02-09-2007.tgz snapshot.

    I followed the instructions of the document
    and all worked perfectly with Dual WAN, Load Balancing and FailOver.

    Then I applied the pfSense-Full-Update-1.0.1-SNAPSHOT-02-14-2007.tgz snapshot and all stopped working.
    The same with the pfSense-Full-Update-1.0.1-SNAPSHOT-02-18-2007.tgz snapshot.

    I got the following error:

    **php: : There were error(s) loading the rules: /tmp/rules.debug:405: syntax error pfctl: Syntax error in config file: pf rules not loaded**

    **The line in question reads [405]: pass in log quick on $lan route-to { ( WAN1BalanceWan2 ) , ( WAN1BalanceWan2 ) } round-robin from to <notrouters> keep state queue (qlandef, qlanacks) label "USER_RULE: LAN->Wan1+Wan2"**

    If I examine the /tmp/rules.debug file, I find the following line near the end of the file.

    pass in quick on $lan  route-to { (  WAN1BalanceWAN2 ) , (  WAN1BalanceWAN2 ) } round-robin from to  <notrouters> keep state  queue (qlandef, qlanacks)  label "USER_RULE: LAN->Wan1+Wan2"

    WAN1BalanceWAN2  is the pool for load balancing.

    This line is caused by a firewall rule on the LAN interface that I put in following the instructions mentioned earlier.
    It is a rule like this:

    | If  | Protocol | Source     | Port | Destination | Port | Gateway         | Description    |
    |-----|----------|------------|------|-------------|------|-----------------|----------------|
    | LAN | any      | Lan Subnet | any  | !Routers    | any  | WAN1BalanceWAN2 | LAN->Wan1+Wan2 |

    But if I disable this rule, apply changes, enable this rule again and apply changes, all works well again and
    the line at /tmp/rules.debug has changed to:

    pass in quick on $lan  route-to { ( rl1 ) , ( rl2 ) } round-robin from to <notrouters> keep state  queue (qlandef, qlanacks)  label "USER_RULE: LAN->Wan1+Wan2"

    Apparently, only at boot time pf doesn't know how to translate { (  WAN1BalanceWAN2 ) , (  WAN1BalanceWAN2 ) }
    to { ( rl1 ) , ( rl2 ) }. But it does well later.

    Is this a bug?

    In the meantime I will use pfSense-Full-Update-1.0.1-SNAPSHOT-02-09-2007.tgz again.
    But I would like this to work in the 1.0.2 version.

    Luis Tark
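
As an added illustration (not code from this thread or from pfSense itself), a small Python check that scans a generated rules file for route-to groups that still name a pool instead of its member gateways, the shape of the line pf rejected above, and rewrites such a group into the expanded form. The pool table and both sample rule lines are constructed from the thread; the member names rl1/rl2 and the simplified `from any to any` are assumptions.

```python
import re

# Constructed from the thread: one pfSense load-balancing pool and its two
# member gateways (names rl1/rl2 assumed from the working rule line).
POOLS = {"WAN1BalanceWAN2": ["rl1", "rl2"]}

# Constructed sample rules: the boot-time form pf rejected, and the form that
# appeared after the rule was disabled and re-enabled in the web GUI.
BROKEN_RULE = ('pass in quick on $lan route-to { (  WAN1BalanceWAN2 ) , (  WAN1BalanceWAN2 ) } '
               'round-robin from any to any keep state label "USER_RULE: LAN->Wan1+Wan2"')
WORKING_RULE = ('pass in quick on $lan route-to { ( rl1 ) , ( rl2 ) } '
                'round-robin from any to any keep state label "USER_RULE: LAN->Wan1+Wan2"')

ROUTE_TO_RE = re.compile(r"route-to\s*\{([^}]*)\}")   # the { ... } member group
MEMBER_RE = re.compile(r"\(\s*([^()]*?)\s*\)")         # each ( member ) entry


def route_to_members(rule):
    """Return the route-to member list of one rule line ([] if it has none)."""
    group = ROUTE_TO_RE.search(rule)
    return MEMBER_RE.findall(group.group(1)) if group else []


def check_rule(rule, pools):
    """Return a list of problems with one rule line; an empty list means OK."""
    problems = []
    members = route_to_members(rule)
    for member in members:
        if member in pools:
            problems.append(f"route-to member '{member}' is a pool name, not a gateway")
    if len(members) != len(set(members)):
        problems.append("route-to repeats the same member")
    return problems


def check_rules_file(text, pools):
    """Map 1-based line numbers to problems for every offending line of a rules file."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        problems = check_rule(line, pools)
        if problems:
            report[lineno] = problems
    return report


def expand_pool_rule(rule, pools):
    """Rewrite a rule so pool names inside route-to become their members (deduplicated, in order)."""
    def expand(match):
        expanded = []
        for member in MEMBER_RE.findall(match.group(1)):
            for gateway in pools.get(member, [member]):
                if gateway not in expanded:
                    expanded.append(gateway)
        return "route-to { " + " , ".join(f"( {g} )" for g in expanded) + " }"
    return ROUTE_TO_RE.sub(expand, rule)
```

Running `check_rules_file` over a copy of /tmp/rules.debug before handing it to pfctl gives a line-numbered report of exactly the unexpanded groups that produce the "syntax error" alert.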

  • Edit your pools, delete all members and re-add them. There have been some changes in between these updates in the way the pool members are handled. This is also reflected by some config.xml changes. Deleting the pool members and re-adding them to the pools that you already have will fix this.

  • Hello hoba:

    Thank you for your quick answer.

    I have tried removing and re-creating the pools right now but the same error occurred.

    At reboot rules were not loaded and nothing worked.

    Disabling and enabling any rule of the firewall fixed the problem.

    But I know that at the next reboot the system will fail again.

    I am a novice in FreeBSD. But I think that something has changed in the
    order of things the system does at Boot.

    I think that at boot, the system loads rules before knowing what pools exist.

    Maybe a silly idea, but I don't know much about the inner side of pfSense.

    Thank you.

    Best regards.

    Luis Tark

  • In that case I recommend a reinstall from a snapshot build. Then re-upload your config and recreate the pools. You don't need to delete the entire pools, only to delete the pool members and re-add them with the new logic.

  • Hello hoba,

    All Ok now.

    I have installed from scratch the last ISO (02-20-2007), restored my config, recreated the pools as you said, and all worked fine.

    Thank you very much.

    Luis Tark

  • Must have been some update glitch.

  • Same problem here. Using CD-ROM snap from 3/15/07.

    LAN static, WAN PPPoE (isp), OPT1 static (different isp)

    Set up as OPT1 primary, WAN as failover.

    If both are up when reloading rules everything is fine.  If OPT1 goes down there is no failover and after a few seconds the syntax error appears as an alert.  Any reload while OPT1 is down and it errors.

    Even switching from failover to balancing doesn't help.

    This is from scratch.  No previous config, just the basics for outgoing connections.

  • There is a known problem with using PPPoE interfaces in pools. It's not fixed yet.