    1.2.3 to 2.0 errors

    Installation and Upgrades
    biggsy:

      Hi,

      I cloned my 1.2.3 VM and upgraded the clone to 2.0.  After powering up 2.0, I had no access to the outside world and the following message was in the system logs:

      php: : There were error(s) loading the rules: /tmp/rules.debug:52: 24. is not a number /tmp/rules.debug:53: 24. is not a number /tmp/rules.debug:55: 24. is not a number /tmp/rules.debug:56: 24. is not a number /tmp/rules.debug:63: 24. is not a number pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [52]: nat on $WAN from $tonatsubnets port 500 to any port 500 -> [My WAN IP address]/32 port 500

      Nothing that I know of referred to port 500 in the 1.2.3 config.

      Any advice on where and what to look for?

      Thanks.

      ptt:

        have you checked your config with "Pre-2.0 Upgrade Check" package before upgrade ?

        http://doc.pfsense.org/index.php/Upgrade_Guide

        biggsy:

          @ptt:

          have you checked your config with "Pre-2.0 Upgrade Check" package before upgrade ?

          http://doc.pfsense.org/index.php/Upgrade_Guide

          I uninstalled Open-VM-Tools but completely missed the pre-upgrade package thing as I skipped the international/special characters stuff as "not applicable here".  It's easy to redo the upgrade.  Gotta love virtual machines.

          My fault for being too eager (OK, impatient) but perhaps the mention of the pre-upgrade package could be a bit more prominent in the guide.

          Thanks

          biggsy:

            Cloned again, removed the VMware Tools package and ran the pre-upgrade check.  It returned "OK".

            Ran the upgrade again.  Same error:

            Sep 20 21:50:37         php: : There were error(s) loading the rules: /tmp/rules.debug:52: 24. is not a number /tmp/rules.debug:53: 24. is not a number /tmp/rules.debug:55: 24. is not a number /tmp/rules.debug:56: 24. is not a number /tmp/rules.debug:63: 24. is not a number pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [52]: nat on $WAN from $tonatsubnets port 500 to any port 500 -> 121.209.162.208/32 port 500
            Sep 20 21:50:37         php: : New alert found: There were error(s) loading the rules: /tmp/rules.debug:52: 24. is not a number /tmp/rules.debug:53: 24. is not a number /tmp/rules.debug:55: 24. is not a number /tmp/rules.debug:56: 24. is not a number /tmp/rules.debug:63: 24. is not a number pfctl: Syntax error in config file: pf rules not loaded The line in question reads [52]: nat on $WAN from $tonatsubnets port 500 to any port 500 -> 121.209.162.208/32 port 500
            Sep 20 21:50:37         php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was '/tmp/rules.debug:52: 24. is not a number /tmp/rules.debug:53: 24. is not a number /tmp/rules.debug:55: 24. is not a number /tmp/rules.debug:56: 24. is not a number /tmp/rules.debug:63: 24. is not a number pfctl: Syntax error in config file: pf rules not loaded'
            Sep 20 21:50:37         php: : The gateway: opt2 is invalid or unknown, not using it.

            Relevant section from rules.debug:

            # Outbound NAT rules
            
            # Subnets to NAT
            tonatsubnets    = "{ 192.168.111.0/24 192.168.11.0/24 172.23.23.0/24. 127.0.0.0/8  }"
            nat on $WAN  from $tonatsubnets port 500 to any port 500 -> [My WAN IP]/32 port 500
            nat on $WAN  from $tonatsubnets to any -> [My WAN IP]/32 port 1024:65535
            
            nat on $DSL  from $tonatsubnets port 500 to any port 500 -> 192.168.1.2/32 port 500
            nat on $DSL  from $tonatsubnets to any -> 192.168.1.2/32 port 1024:65535

            Is "port 500" something to do with IPsec - which I've never used?

            Where to from here?

            wallabybob:

              @biggsy:

              Is "port 500" something to do with IPsec - which I've never used?

              And never configured?

              I suspect the "port 500" is not a useful clue. On my system the similar section of /tmp/rules.debug reads like:

              # Outbound NAT rules

              # Subnets to NAT
              tonatsubnets    = "{ 192.168.xyz.0/24 192.168.uvw.0/24 127.0.0.0/8  }"
              nat on $WAN  from $tonatsubnets port 500 to any port 500 -> 192.168.abc.def/32 port 500 
              nat on $WAN  from $tonatsubnets to any -> 192.168.abc.def/32 port 1024:65535

              # Load balancing anchor
              rdr-anchor "relayd/*"

              Perhaps the problem is not the port 500 but the [My WAN IP] (which is definitely not a number!). Does the string My WAN IP occur in your configuration file (/conf/config.xml)? If so, please show a couple of lines before and after each occurrence.

              biggsy:

                Security by obscurity.

                [My Wan IP] just replaced the real thing, which was there and was accurate.

                Cheers

                wallabybob:

                  I think I've figured it out:

                  @biggsy:

                  Ran the upgrade again.  Same error:

                  Sep 20 21:50:37         php: : There were error(s) loading the rules: /tmp/rules.debug:52: 24. is not a number /tmp/rules.debug:53: 24. is not a number /tmp/rules.debug:55: 24. is not a number /tmp/rules.debug:56: 24. is not a number /tmp/rules.debug:63: 24. is not a number pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [52]: nat on $WAN from $tonatsubnets port 500 to any port 500 -> 121.209.162.208/32 port 500

                  The problem seems to be "24. is not a number". The quoted line includes the macro tonatsubnets which includes "24." on the third network (172.23.23.0/24.) At first I thought the trailing "." was a dust spot on my screen.

                  I don't know why the network mask is "24." rather than "24".

                  biggsy:

                    Well spotted.  I see it now as well, despite looking at it more than a few times.

                    Just wonder where it came from.

                    wallabybob:

                      @biggsy:

                      Just wonder where it came from.

                      Please post the output of the pfSense shell command grep 24 /conf/config.xml
                      Maybe the 24. is in the pfSense configuration file.

                      biggsy:

                        First thing I checked when I got home.  Checked a backup config from last night and there's the culprit:

                        <openvpnserver>
                          <config>
                            <disable/>
                            <protocol>UDP</protocol>
                            <dynamic_ip>on</dynamic_ip>
                            <local_port>1194</local_port>
                            <addresspool>172.23.23.0/24.</addresspool>
                            <nopool/>
                            <local_network>192.168.111.0/24</local_network>
                            <remote_network/>
                            <client2client/>
                            <crypto>BF-CBC</crypto>
                            <auth_method>pki</auth_method>
                            <shared_key>[omitted]</shared_key>
                          </config>
                        </openvpnserver>

                        Safe enough to just delete it?

                        wallabybob:

                          @biggsy:

                          Safe enough to just delete it?

                          Delete the "." in 172.23.23.0/24.?
                          Delete the 172.23.23.0/24.?
                          Delete the Openvpnserver section?

                          I'd try the first, then (if necessary) second, then third if I wasn't prepared to delete the whole section and reconfigure OpenVPN server.

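A check that would have caught this before the upgrade, and that also shows the minimal fix wallabybob suggests first (drop the trailing dot), as an added example that is not code from the thread or from pfSense: a small Python linter that walks a config.xml, validates the text of the addresspool, local_network and remote_network elements (the names come from the snippet above) as a strict IPv4 address or CIDR prefix, reports anything pfctl would reject, and rewrites only the values whose fix is unambiguous. The sample config is constructed to reproduce the bad value from the thread.

```python
#!/usr/bin/env python3
"""Lint a pfSense config.xml for malformed CIDR values before upgrading.

Added example for this thread; not code from pfSense or from the posters.
Assumptions: CIDR_FIELDS holds the element names seen in the config
snippet above, and SAMPLE_CONFIG is a constructed stand-in for a real
/conf/config.xml.
"""
import re
import sys
import ipaddress
import xml.etree.ElementTree as ET
from typing import Iterator, List, Optional, Tuple

# Elements whose text must be an IPv4 address or CIDR prefix (from the
# openvpnserver snippet in the thread; extend for other fields as needed).
CIDR_FIELDS = {"addresspool", "local_network", "remote_network"}

# Strict shape: dotted quad, optional "/0".."/32", and nothing after it.
# This is what rejects "172.23.23.0/24." (trailing dot).
CIDR_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/(?:\d|[12]\d|3[0-2]))?$")

# Constructed sample config reproducing the bad value from the thread.
SAMPLE_CONFIG = """<pfsense>
  <openvpn>
    <openvpnserver>
      <config>
        <protocol>UDP</protocol>
        <local_port>1194</local_port>
        <addresspool>172.23.23.0/24.</addresspool>
        <local_network>192.168.111.0/24</local_network>
        <remote_network/>
      </config>
    </openvpnserver>
  </openvpn>
</pfsense>
"""


def is_valid_cidr(value: str) -> bool:
    """True only for a clean IPv4 address or prefix: CIDR_RE checks the
    surrounding syntax, ipaddress checks the octet and prefix ranges."""
    if not CIDR_RE.match(value):
        return False
    try:
        ipaddress.ip_network(value, strict=False)  # host bits may be set
    except ValueError:
        return False
    return True


def suggest_fix(value: str) -> Optional[str]:
    """Drop trailing non-digits after the prefix length ("/24." -> "/24").
    Returns None when that does not yield a valid CIDR, i.e. the value
    needs a human rather than an automatic edit."""
    candidate = re.sub(r"(/\d{1,2})[^\d]+$", r"\1", value.strip())
    return candidate if is_valid_cidr(candidate) else None


def _cidr_elements(root: ET.Element) -> Iterator[Tuple[str, ET.Element]]:
    """Yield (path, element) for every CIDR-typed element carrying text."""
    stack = [(root, "")]
    while stack:
        elem, parent_path = stack.pop()
        path = f"{parent_path}/{elem.tag}"
        if elem.tag in CIDR_FIELDS and elem.text and elem.text.strip():
            yield path, elem
        stack.extend((child, path) for child in list(elem)[::-1])


def find_bad_cidrs(xml_text: str) -> List[Tuple[str, str]]:
    """Return (path, value) for every CIDR field that pfctl would choke on."""
    root = ET.fromstring(xml_text)
    return [(path, elem.text.strip())
            for path, elem in _cidr_elements(root)
            if not is_valid_cidr(elem.text.strip())]


def fix_bad_cidrs(xml_text: str) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Apply suggest_fix in place; return the new XML and (path, old, new)
    for each change. Values with no unambiguous fix are left untouched so
    they still show up in find_bad_cidrs()."""
    root = ET.fromstring(xml_text)
    fixes = []
    for path, elem in _cidr_elements(root):
        old = elem.text.strip()
        if not is_valid_cidr(old):
            new = suggest_fix(old)
            if new is not None:
                elem.text = new
                fixes.append((path, old, new))
    return ET.tostring(root, encoding="unicode"), fixes


if __name__ == "__main__":
    # Usage: lint_config.py [path/to/config.xml]; with no argument the
    # constructed sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for path, value in find_bad_cidrs(text):
        print(f"BAD  {path} = {value!r}  suggested: {suggest_fix(value)}")
```

Run it against a backup copy of the 1.2.3 config, not the live /conf/config.xml, and feed the corrected file back through the firewall's backup/restore page rather than editing the running box by hand. On 2.0 itself, `pfctl -nf /tmp/rules.debug` parses the generated ruleset without loading it, so a bad value that slips past the linter still fails in a dry run instead of leaving the firewall with no rules.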
                          biggsy:

                            wallabybob and ptt,

                            Thanks to you both for helping find the problem.

                            I dropped the dot, restored the config and upgraded to 2.0 without a problem.

                            It's been an interesting month - pfSense 2.0 and ESXi 5.0.  Sincere thanks and congratulations to the devs for the former.

                            Cheers,
                            biggsy
