1.2.3 to 2.0 errors

biggsy

Hi,

I cloned my 1.2.3 VM and upgraded the clone to 2.0.  After powering up 2.0, I had no access to the outside world and the following message was in the system logs:

php: : There were error(s) loading the rules: /tmp/rules.debug:52: 24\. is not a number /tmp/rules.debug:53: 24\. is not a number /tmp/rules.debug:55: 24\. is not a number /tmp/rules.debug:56: 24\. is not a number /tmp/rules.debug:63: 24\. is not a number pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [52]: nat on $WAN from $tonatsubnets port 500 to any port 500 -> [My WAN IP address]/32 port 500

Nothing that I know of referred to port 500 in the 1.2.3 config.

Any advice on where and what to look for?

Thanks.

ptt

have you checked your config with "Pre-2.0 Upgrade Check" package before upgrade ?

http://doc.pfsense.org/index.php/Upgrade_Guide

biggsy

@ptt:

have you checked your config with "Pre-2.0 Upgrade Check" package before upgrade ?

http://doc.pfsense.org/index.php/Upgrade_Guide

I uninstalled Open-VM-Tools but completely missed the pre-upgrade package thing as I skipped the international/special characters stuff as "not applicable here".  It's easy to redo the upgrade.  Gotta love virtual machines.

My fault for being too eager (OK, impatient) but perhaps the mention of the pre-upgrade package could be a bit more prominent in the guide.

Thanks

biggsy

Cloned again, removed the VMware Tools package and ran the pre-upgrade check.  It returned "OK".

Ran the upgrade again.  Same error:

Sep 20 21:50:37         php: : There were error(s) loading the rules: /tmp/rules.debug:52: 24\. is not a number /tmp/rules.debug:53: 24\. is not a number /tmp/rules.debug:55: 24\. is not a number /tmp/rules.debug:56: 24\. is not a number /tmp/rules.debug:63: 24\. is not a number pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [52]: nat on $WAN from $tonatsubnets port 500 to any port 500 -> 121.209.162.208/32 port 500
Sep 20 21:50:37         php: : New alert found: There were error(s) loading the rules: /tmp/rules.debug:52: 24\. is not a number /tmp/rules.debug:53: 24\. is not a number /tmp/rules.debug:55: 24\. is not a number /tmp/rules.debug:56: 24\. is not a number /tmp/rules.debug:63: 24\. is not a number pfctl: Syntax error in config file: pf rules not loaded The line in question reads [52]: nat on $WAN from $tonatsubnets port 500 to any port 500 -> 121.209.162.208/32 port 500
Sep 20 21:50:37         php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was '/tmp/rules.debug:52: 24\. is not a number /tmp/rules.debug:53: 24\. is not a number /tmp/rules.debug:55: 24\. is not a number /tmp/rules.debug:56: 24\. is not a number /tmp/rules.debug:63: 24\. is not a number pfctl: Syntax error in config file: pf rules not loaded'
Sep 20 21:50:37         php: : The gateway: opt2 is invalid or unknown, not using it.

Relevant section from rules.debug:

# Outbound NAT rules

# Subnets to NAT
tonatsubnets    = "{ 192.168.111.0/24 192.168.11.0/24 172.23.23.0/24\. 127.0.0.0/8  }"
nat on $WAN  from $tonatsubnets port 500 to any port 500 -> [My WAN IP]/32 port 500
nat on $WAN  from $tonatsubnets to any -> [My WAN IP]/32 port 1024:65535

nat on $DSL  from $tonatsubnets port 500 to any port 500 -> 192.168.1.2/32 port 500
nat on $DSL  from $tonatsubnets to any -> 192.168.1.2/32 port 1024:65535

Is "port 500" something to do with IPsec - which I've never used?

Where to from here?

wallabybob

@biggsy:

Is "port 500" something to do with IPsec - which I've never used?

And never configured?

I suspect the "port 500" is not a useful clue. On my system the similar section of /tmp/rules.debug reads like:

Outbound NAT rules

Subnets to NAT

tonatsubnets    = "{ 192.168.xyz.0/24 192.168.uvw.0/24 127.0.0.0/8  }"
nat on $WAN  from $tonatsubnets port 500 to any port 500 -> 192.168.abc.def/32 port 500 
nat on $WAN  from $tonatsubnets to any -> 192.168.abc.def/32 port 1024:65535

Load balancing anchor

rdr-anchor "relayd/*"

Perhaps the problem is not the port 500 but the [My WAN IP] (which is definitely not a number!). Does the string My WAN IP occur in your configuration file (/conf/config.xml)? If so, please show a couple of lines before and after each occurrence.

biggsy

Security by obscurity.

[My Wan IP] just replaced the real thing, which was there and was accurate.

Cheers

wallabybob

I think I've figured it out:

@biggsy:

Ran the upgrade again.  Same error:

Sep 20 21:50:37         php: : There were error(s) loading the rules: /tmp/rules.debug:52: 24\. is not a number /tmp/rules.debug:53: 24\. is not a number /tmp/rules.debug:55: 24\. is not a number /tmp/rules.debug:56: 24\. is not a number /tmp/rules.debug:63: 24\. is not a number pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [52]: nat on $WAN from $tonatsubnets port 500 to any port 500 -> 121.209.162.208/32 port 500
Sep 20 21:50:37         php: : New alert found: There were error(s) loading the rules: /tmp/rules.debug:52: 24\. is not a number /tmp/rules.debug:53: 24\. is not a number /tmp/rules.debug:55: 24\. is not a number /tmp/rules.debug:56: 24\. is not a number /tmp/rules.debug:63: 24\. is not a number pfctl: Syntax error in config file: pf rules not loaded The line in question reads [52]: nat on $WAN from $tonatsubnets port 500 to any port 500 -> 121.209.162.208/32 port 500
Sep 20 21:50:37         php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was '/tmp/rules.debug:52: 24\. is not a number /tmp/rules.debug:53: 24\. is not a number /tmp/rules.debug:55: 24\. is not a number /tmp/rules.debug:56: 24\. is not a number /tmp/rules.debug:63: 24\. is not a number pfctl: Syntax error in config file: pf rules not loaded'
Sep 20 21:50:37         php: : The gateway: opt2 is invalid or unknown, not using it.

The problem seems to be "24. is not a number". The quoted line includes the macro tonatsubnets which includes "24." on the third network (172.23.23.0/24.) At first I thought the trailing "." was a dust spot on my screen.

I don't know why the network mask is "24." rather than "24".

biggsy

Well spotted.  I see it now as well, despite looking at it more than a few times.

Just wonder where it came from.

wallabybob

@biggsy:

Just wonder where it came from.

Please post the output of the pfSense shell command grep 24 /conf/config.xml
Maybe the 24. is in the pfSense configuration file.

biggsy

First thing I checked when I got home.  Checked a backup config from last night and there's the culprit:

<openvpnserver><config><disable><protocol>UDP</protocol>
<dynamic_ip>on</dynamic_ip>
<local_port>1194</local_port>
<addresspool>172.23.23.0/24.</addresspool>
<nopool><local_network>192.168.111.0/24</local_network>
<remote_network><client2client><crypto>BF-CBC</crypto>
<auth_method>pki</auth_method>
<shared_key>Safe enough to just delete it?</shared_key></client2client></remote_network></nopool></disable></config></openvpnserver>

wallabybob

@biggsy:

Safe enough to just delete it?

Delete the "." in 172.23.23.0/24.?
Delete the 172.23.23.0/24.?
Delete the Openvpnserver section?

I'd try the first, then (if necessary) second, then third if I wasn't prepared to delete the whole section and reconfigure OpenVPN server.

biggsy

wallabybob and ptt,

Thanks to you both for helping find the problem.

I dropped the dot, restored the config and upgraded to 2.0 without a problem.

It's been an interesting month  - pfSense 2.0 and ESXi 5.0.  Sincere thanks and congratulations to the devs for the former.

Cheers,
biggsy