1.2.3 to 2.0 errors
-
Hi,
I cloned my 1.2.3 VM and upgraded the clone to 2.0. After powering up 2.0, I had no access to the outside world and the following message was in the system logs:
php: : There were error(s) loading the rules: /tmp/rules.debug:52: 24\. is not a number /tmp/rules.debug:53: 24\. is not a number /tmp/rules.debug:55: 24\. is not a number /tmp/rules.debug:56: 24\. is not a number /tmp/rules.debug:63: 24\. is not a number pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [52]: nat on $WAN from $tonatsubnets port 500 to any port 500 -> [My WAN IP address]/32 port 500Nothing that I know of referred to port 500 in the 1.2.3 config.
Any advice on where and what to look for?
Thanks.
-
have you checked your config with "Pre-2.0 Upgrade Check" package before upgrade ?
http://doc.pfsense.org/index.php/Upgrade_Guide
-
@ptt:
have you checked your config with "Pre-2.0 Upgrade Check" package before upgrade ?
http://doc.pfsense.org/index.php/Upgrade_Guide
I uninstalled Open-VM-Tools but completely missed the pre-upgrade package thing as I skipped the international/special characters stuff as "not applicable here". It's easy to redo the upgrade. Gotta love virtual machines.
My fault for being too eager (OK, impatient) but perhaps the mention of the pre-upgrade package could be a bit more prominent in the guide.
Thanks
-
Cloned again, removed the VMware Tools package and ran the pre-upgrade check. It returned "OK".
Ran the upgrade again. Same error:
Sep 20 21:50:37 php: : There were error(s) loading the rules: /tmp/rules.debug:52: 24\. is not a number /tmp/rules.debug:53: 24\. is not a number /tmp/rules.debug:55: 24\. is not a number /tmp/rules.debug:56: 24\. is not a number /tmp/rules.debug:63: 24\. is not a number pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [52]: nat on $WAN from $tonatsubnets port 500 to any port 500 -> 121.209.162.208/32 port 500 Sep 20 21:50:37 php: : New alert found: There were error(s) loading the rules: /tmp/rules.debug:52: 24\. is not a number /tmp/rules.debug:53: 24\. is not a number /tmp/rules.debug:55: 24\. is not a number /tmp/rules.debug:56: 24\. is not a number /tmp/rules.debug:63: 24\. is not a number pfctl: Syntax error in config file: pf rules not loaded The line in question reads [52]: nat on $WAN from $tonatsubnets port 500 to any port 500 -> 121.209.162.208/32 port 500 Sep 20 21:50:37 php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was '/tmp/rules.debug:52: 24\. is not a number /tmp/rules.debug:53: 24\. is not a number /tmp/rules.debug:55: 24\. is not a number /tmp/rules.debug:56: 24\. is not a number /tmp/rules.debug:63: 24\. is not a number pfctl: Syntax error in config file: pf rules not loaded' Sep 20 21:50:37 php: : The gateway: opt2 is invalid or unknown, not using it.Relevant section from rules.debug:
# Outbound NAT rules # Subnets to NAT tonatsubnets = "{ 192.168.111.0/24 192.168.11.0/24 172.23.23.0/24\. 127.0.0.0/8 }" nat on $WAN from $tonatsubnets port 500 to any port 500 -> [My WAN IP]/32 port 500 nat on $WAN from $tonatsubnets to any -> [My WAN IP]/32 port 1024:65535 nat on $DSL from $tonatsubnets port 500 to any port 500 -> 192.168.1.2/32 port 500 nat on $DSL from $tonatsubnets to any -> 192.168.1.2/32 port 1024:65535Is "port 500" something to do with IPsec - which I've never used?
Where to from here?
-
Is "port 500" something to do with IPsec - which I've never used?
And never configured?
I suspect the "port 500" is not a useful clue. On my system the similar section of /tmp/rules.debug reads like:
Outbound NAT rules
Subnets to NAT
tonatsubnets = "{ 192.168.xyz.0/24 192.168.uvw.0/24 127.0.0.0/8 }"
nat on $WAN from $tonatsubnets port 500 to any port 500 -> 192.168.abc.def/32 port 500
nat on $WAN from $tonatsubnets to any -> 192.168.abc.def/32 port 1024:65535Load balancing anchor
rdr-anchor "relayd/*"
Perhaps the problem is not the port 500 but the [My WAN IP] (which is definitely not a number!). Does the string My WAN IP occur in your configuration file (/conf/config.xml)? If so, please show a couple of lines before and after each occurrence.
-
Security by obscurity.
[My Wan IP] just replaced the real thing, which was there and was accurate.
Cheers
-
I think I've figured it out:
Ran the upgrade again. Same error:
Sep 20 21:50:37 php: : There were error(s) loading the rules: /tmp/rules.debug:52: 24\. is not a number /tmp/rules.debug:53: 24\. is not a number /tmp/rules.debug:55: 24\. is not a number /tmp/rules.debug:56: 24\. is not a number /tmp/rules.debug:63: 24\. is not a number pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [52]: nat on $WAN from $tonatsubnets port 500 to any port 500 -> 121.209.162.208/32 port 500 Sep 20 21:50:37 php: : New alert found: There were error(s) loading the rules: /tmp/rules.debug:52: 24\. is not a number /tmp/rules.debug:53: 24\. is not a number /tmp/rules.debug:55: 24\. is not a number /tmp/rules.debug:56: 24\. is not a number /tmp/rules.debug:63: 24\. is not a number pfctl: Syntax error in config file: pf rules not loaded The line in question reads [52]: nat on $WAN from $tonatsubnets port 500 to any port 500 -> 121.209.162.208/32 port 500 Sep 20 21:50:37 php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was '/tmp/rules.debug:52: 24\. is not a number /tmp/rules.debug:53: 24\. is not a number /tmp/rules.debug:55: 24\. is not a number /tmp/rules.debug:56: 24\. is not a number /tmp/rules.debug:63: 24\. is not a number pfctl: Syntax error in config file: pf rules not loaded' Sep 20 21:50:37 php: : The gateway: opt2 is invalid or unknown, not using it.The problem seems to be "24. is not a number". The quoted line includes the macro tonatsubnets which includes "24." on the third network (172.23.23.0/24.) At first I thought the trailing "." was a dust spot on my screen.
I don't know why the network mask is "24." rather than "24".
-
Well spotted. I see it now as well, despite looking at it more than a few times.
Just wonder where it came from.
-
Just wonder where it came from.
Please post the output of the pfSense shell command grep 24 /conf/config.xml
Maybe the 24. is in the pfSense configuration file. -
First thing I checked when I got home. Checked a backup config from last night and there's the culprit:
<openvpnserver><config><disable><protocol>UDP</protocol>
<dynamic_ip>on</dynamic_ip>
<local_port>1194</local_port>
<addresspool>172.23.23.0/24.</addresspool>
<nopool><local_network>192.168.111.0/24</local_network>
<remote_network><client2client><crypto>BF-CBC</crypto>
<auth_method>pki</auth_method>
<shared_key>Safe enough to just delete it?</shared_key></client2client></remote_network></nopool></disable></config></openvpnserver> -
Safe enough to just delete it?
Delete the "." in 172.23.23.0/24.?
Delete the 172.23.23.0/24.?
Delete the Openvpnserver section?I'd try the first, then (if necessary) second, then third if I wasn't prepared to delete the whole section and reconfigure OpenVPN server.
-
wallabybob and ptt,
Thanks to you both for helping find the problem.
I dropped the dot, restored the config and upgraded to 2.0 without a problem.
It's been an interesting month - pfSense 2.0 and ESXi 5.0. Sincere thanks and congratulations to the devs for the former.
Cheers,
biggsy
