    Error loading rules With Load Balancing in 02-14-2007 and 02-18-2007 SNAPSHOTS

      ltark

      Hello,

      I am not sure whether to put this message in this forum or in the Routing and Dual WAN or
      in the Firewall forums, but here we go:

      My problem is:

      I have installed pfsense with the following configuration:

      LAN IP Address: 10.0.0.1/16 static

      WAN IP Address: 10.1.0.254/24 static
      WAN IP Gateway: 10.1.0.1
      WAN Router IP: 10.1.0.1

      OPT1 IP Address: 10.2.0.254/24
      OPT1 IP Gateway: 10.2.0.1
      OPT1 Router IP: 10.2.0.1

      I used the 1.0.1 version and applied the pfSense-Full-Update-1.0.1-SNAPSHOT-02-09-2007.tgz snapshot.

      I followed the instructions of the http://doc.pfsense.org/index.php/Multi-Wan/Load-Balancing document
      and all worked perfectly with Dual WAN, Load Balancing and FailOver.

      Then I applied the pfSense-Full-Update-1.0.1-SNAPSHOT-02-14-2007.tgz snapshot and all stopped working.
      The same with the pfSense-Full-Update-1.0.1-SNAPSHOT-02-18-2007.tgz snapshot.

      I got the following error:

      **php: : There were error(s) loading the rules: /tmp/rules.debug:405: syntax error pfctl: Syntax error in config file: pf rules not loaded

      The line in question reads [405]: pass in log quick on $lan route-to
      { ( WAN1BalanceWan2 ) , ( WAN1BalanceWan2 ) } round-robin from 10.0.0.0/16
      to <notrouters> keep state queue (qlandef, qlanacks) label "USER_RULE: LAN->Wan1+Wan2"**

      If I examine the /tmp/rules.debug file, I find the following line near the end of the file.

      pass in quick on $lan  route-to { (  WAN1BalanceWAN2 ) , (  WAN1BalanceWAN2 ) } round-robin
      from 10.0.0.0/16 to <notrouters> keep state  queue (qlandef, qlanacks)  label "USER_RULE: LAN->Wan1+Wan2"

      WAN1BalanceWAN2  is the pool for load balancing.

      This line is caused by a Firewall rule at the LAN interface that I put in following the instructions mentioned earlier.
      It is a rule like this:

      If   Protocol  Source      Port  Destination  Port  Gateway          Description
      LAN  any       Lan Subnet  any   !Routers     any   WAN1BalanceWAN2  LAN->Wan1+Wan2

      But if I disable this rule, apply changes, enable this rule again and apply changes, all works well again and
      the line at /tmp/rules.debug has changed to:

      pass in quick on $lan  route-to { ( rl1 10.1.0.1 ) , ( rl2 10.2.0.1 ) } round-robin
      from 10.0.0.0/16 to <notrouters> keep state  queue (qlandef, qlanacks)  label "USER_RULE: LAN->Wan1+Wan2"

      Apparently, only at boot time pf doesn't know how to translate { (  WAN1BalanceWAN2 ) , (  WAN1BalanceWAN2 ) }
      to { ( rl1 10.1.0.1 ) , ( rl2 10.2.0.1 ) }. But it does well later.

      Is this a bug?

      In the meantime I will use pfSense-Full-Update-1.0.1-SNAPSHOT-02-09-2007.tgz again.
      But I would like this to work in the 1.0.2 version.

      Luis Tark
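
The symptom described in this post, a pool name left unexpanded inside `route-to { ... }`, can be checked for before a ruleset is loaded. The following is an added example, not part of the original thread and not pfSense code; `check_route_to` and `make_sample` are hypothetical names, and the sample ruleset is constructed from the two rule forms quoted above.

```shell
#!/bin/sh
# Added example, not pfSense code. Flags route-to members in a generated pf
# ruleset that are still a bare pool name instead of "( interface gateway )".

# check_route_to FILE: prints "LINE: MEMBER" per unresolved member and
# returns 1 if any were found, 0 otherwise.
check_route_to() {
    awk '
    /route-to[ \t]*[{]/ {
        s = $0
        sub(/.*route-to[ \t]*[{]/, "", s)   # drop everything up to the opening brace
        sub(/[}].*/, "", s)                 # drop the closing brace and the rest
        n = split(s, members, ",")
        for (i = 1; i <= n; i++) {
            m = members[i]
            gsub(/[()]/, " ", m)
            # A resolved member has exactly two fields: interface, gateway IP.
            if (split(m, f, " ") != 2) {
                print NR ": " f[1]
                bad = 1
            }
        }
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample modelled on the two rule forms quoted in the post.
make_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
pass in quick on $lan route-to { ( rl1 10.1.0.1 ) , ( rl2 10.2.0.1 ) } round-robin from 10.0.0.0/16 to <notrouters> keep state label "resolved"
pass in quick on $lan route-to { ( WAN1BalanceWAN2 ) , ( WAN1BalanceWAN2 ) } round-robin from 10.0.0.0/16 to <notrouters> keep state label "unresolved"
pass out quick on rl1 all keep state
EOF
    echo "$f"
}

sample=$(make_sample)
check_route_to "$sample" || echo "ruleset has unresolved pool members"
rm -f "$sample"
```

On the firewall itself, `pfctl -nf /tmp/rules.debug` parses the file without loading it, which catches the same failure along with any other syntax error.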

        hoba

        Edit your pools, delete all members and readd them. There have been some changes in between these updates in the way the poolmembers are handled. This is also reflected by some config.xml changes. Deleting the poolmembers and readding them to the pools that you already have will fix this.

          ltark

          Hello hoba:

          Thank you for your quick answer.

          I have tried removing and re-creating the pools right now but the same error occurred.

          At reboot rules were not charged and nothing worked.

          Disabling and enabling any rule of the firewall fixed the problem.

          But I know that at the next reboot the system will fail again.

          I am a novice in FreeBSD. But I think that something has changed in the
          order of things the system does at Boot.

          I think that at Boot, the system loads rules before knowing what pools exist.

          Maybe a silly idea, but I don't know much about the inner side of pfsense.

          Thank you.

          Best regards.

          Luis Tark

            hoba

            In that case I recommend a reinstall from a snapshotbuild. Then reupload your config and recreate the pools. You don't need to delete the entire pools but only to delete the poolmembers and readd them back with the new logic.

              ltark

              Hello hoba,

              All Ok now.

              I have installed from scratch the last ISO (02-20-2007), restored my config, recreated the pools as you said, and all worked fine.

              Thank you very much.

              Luis Tark

                hoba

                Must have been some update glitch.

                  foof

                  Same problem here.  Using cd-rom snap from 3/15/07.

                  LAN static, WAN PPPoE (isp), OPT1 static (different isp)

                  Set up as OPT1 primary, WAN as failover.

                  If both are up when reloading rules everything is fine.  If OPT1 goes down there is no failover and after a few seconds the syntax error appears as an alert.  Any reload while OPT1 is down and it errors.

                  Even switching from failover to balancing doesn't help.

                  This is from scratch.  No previous config, just the basics for outgoing connections.

                    hoba

                    There is a known problem with using pppoe interfaces in pools. It's not fixed yet.
