1.2.3 to 2.0 errors

  • Hi,

    I cloned my 1.2.3 VM and upgraded the clone to 2.0.  After powering up 2.0, I had no access to the outside world and the following message was in the system logs:

    php: : There were error(s) loading the rules: /tmp/rules.debug:52: 24. is not a number /tmp/rules.debug:53: 24. is not a number /tmp/rules.debug:55: 24. is not a number /tmp/rules.debug:56: 24. is not a number /tmp/rules.debug:63: 24. is not a number pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [52]: nat on $WAN from $tonatsubnets port 500 to any port 500 -> [My WAN IP address]/32 port 500
    
    

    Nothing that I know of referred to port 500 in the 1.2.3 config.

    Any advice on where and what to look for?

    Thanks.


  • Have you checked your config with the "Pre-2.0 Upgrade Check" package before upgrading?

    http://doc.pfsense.org/index.php/Upgrade_Guide



  • @ptt:

    Have you checked your config with the "Pre-2.0 Upgrade Check" package before upgrading?

    http://doc.pfsense.org/index.php/Upgrade_Guide

    I uninstalled Open-VM-Tools but completely missed the pre-upgrade package thing as I skipped the international/special characters stuff as "not applicable here".  It's easy to redo the upgrade.  Gotta love virtual machines.

    My fault for being too eager (OK, impatient) but perhaps the mention of the pre-upgrade package could be a bit more prominent in the guide.

    Thanks



  • Cloned again, removed the VMware Tools package and ran the pre-upgrade check.  It returned "OK".

    Ran the upgrade again.  Same error:

    Sep 20 21:50:37         php: : There were error(s) loading the rules: /tmp/rules.debug:52: 24. is not a number /tmp/rules.debug:53: 24. is not a number /tmp/rules.debug:55: 24. is not a number /tmp/rules.debug:56: 24. is not a number /tmp/rules.debug:63: 24. is not a number pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [52]: nat on $WAN from $tonatsubnets port 500 to any port 500 -> 121.209.162.208/32 port 500
    Sep 20 21:50:37         php: : New alert found: There were error(s) loading the rules: /tmp/rules.debug:52: 24. is not a number /tmp/rules.debug:53: 24. is not a number /tmp/rules.debug:55: 24. is not a number /tmp/rules.debug:56: 24. is not a number /tmp/rules.debug:63: 24. is not a number pfctl: Syntax error in config file: pf rules not loaded The line in question reads [52]: nat on $WAN from $tonatsubnets port 500 to any port 500 -> 121.209.162.208/32 port 500
    Sep 20 21:50:37         php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was '/tmp/rules.debug:52: 24. is not a number /tmp/rules.debug:53: 24. is not a number /tmp/rules.debug:55: 24. is not a number /tmp/rules.debug:56: 24. is not a number /tmp/rules.debug:63: 24. is not a number pfctl: Syntax error in config file: pf rules not loaded'
    Sep 20 21:50:37         php: : The gateway: opt2 is invalid or unknown, not using it.
    
    

    Relevant section from rules.debug:

    # Outbound NAT rules
    
    # Subnets to NAT
    tonatsubnets    = "{ 192.168.111.0/24 192.168.11.0/24 172.23.23.0/24. 127.0.0.0/8  }"
    nat on $WAN  from $tonatsubnets port 500 to any port 500 -> [My WAN IP]/32 port 500
    nat on $WAN  from $tonatsubnets to any -> [My WAN IP]/32 port 1024:65535
    
    nat on $DSL  from $tonatsubnets port 500 to any port 500 -> 192.168.1.2/32 port 500
    nat on $DSL  from $tonatsubnets to any -> 192.168.1.2/32 port 1024:65535
    
    

    Is "port 500" something to do with IPsec - which I've never used?

    Where to from here?



  • @biggsy:

    Is "port 500" something to do with IPsec - which I've never used?

    And never configured?

    I suspect the "port 500" is not a useful clue. On my system the similar section of /tmp/rules.debug reads like:

    # Outbound NAT rules

    # Subnets to NAT
    tonatsubnets    = "{ 192.168.xyz.0/24 192.168.uvw.0/24 127.0.0.0/8  }"
    nat on $WAN  from $tonatsubnets port 500 to any port 500 -> 192.168.abc.def/32 port 500
    nat on $WAN  from $tonatsubnets to any -> 192.168.abc.def/32 port 1024:65535

    # Load balancing anchor
    rdr-anchor "relayd/*"

    Perhaps the problem is not the port 500 but the [My WAN IP] (which is definitely not a number!). Does the string My WAN IP occur in your configuration file (/conf/config.xml)? If so, please show a couple of lines before and after each occurrence.



  • Security by obscurity.

    [My Wan IP] just replaced the real thing, which was there and was accurate.

    Cheers



  • I think I've figured it out:

    @biggsy:

    Ran the upgrade again.  Same error:

    Sep 20 21:50:37         php: : There were error(s) loading the rules: /tmp/rules.debug:52: 24. is not a number /tmp/rules.debug:53: 24. is not a number /tmp/rules.debug:55: 24. is not a number /tmp/rules.debug:56: 24. is not a number /tmp/rules.debug:63: 24. is not a number pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [52]: nat on $WAN from $tonatsubnets port 500 to any port 500 -> 121.209.162.208/32 port 500
    Sep 20 21:50:37         php: : New alert found: There were error(s) loading the rules: /tmp/rules.debug:52: 24. is not a number /tmp/rules.debug:53: 24. is not a number /tmp/rules.debug:55: 24. is not a number /tmp/rules.debug:56: 24. is not a number /tmp/rules.debug:63: 24. is not a number pfctl: Syntax error in config file: pf rules not loaded The line in question reads [52]: nat on $WAN from $tonatsubnets port 500 to any port 500 -> 121.209.162.208/32 port 500
    Sep 20 21:50:37         php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was '/tmp/rules.debug:52: 24. is not a number /tmp/rules.debug:53: 24. is not a number /tmp/rules.debug:55: 24. is not a number /tmp/rules.debug:56: 24. is not a number /tmp/rules.debug:63: 24. is not a number pfctl: Syntax error in config file: pf rules not loaded'
    Sep 20 21:50:37         php: : The gateway: opt2 is invalid or unknown, not using it.
    
    

    The problem seems to be "24. is not a number". The quoted line includes the macro tonatsubnets which includes "24." on the third network (172.23.23.0/24.) At first I thought the trailing "." was a dust spot on my screen.

    I don't know why the network mask is "24." rather than "24".



  • Well spotted.  I see it now as well, despite looking at it more than a few times.

    Just wonder where it came from.



  • @biggsy:

    Just wonder where it came from.

    Please post the output of the pfSense shell command grep 24 /conf/config.xml
    Maybe the 24. is in the pfSense configuration file.



  • First thing I checked when I got home.  Checked a backup config from last night and there's the culprit:

    <openvpnserver>
      <config>
        <disable></disable>
        <protocol>UDP</protocol>
        <dynamic_ip>on</dynamic_ip>
        <local_port>1194</local_port>
        <addresspool>172.23.23.0/24.</addresspool>
        <nopool></nopool>
        <local_network>192.168.111.0/24</local_network>
        <remote_network></remote_network>
        <client2client></client2client>
        <crypto>BF-CBC</crypto>
        <auth_method>pki</auth_method>
        <shared_key></shared_key>
      </config>
    </openvpnserver>

    Safe enough to just delete it?
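An added pre-upgrade check, not from the thread or from pfSense's own "Pre-2.0 Upgrade Check" package: it walks a config.xml, picks out every text value that looks like a CIDR prefix, and reports the ones the ipaddress module cannot parse, which is exactly how a stray trailing "." in addresspool would have been caught before it reached pfctl. The XML below is a constructed sample modelled on the section quoted above; the element paths and the CIDR_CANDIDATE pattern are this example's own choices.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the openvpnserver section quoted in the thread.
# The trailing "." on addresspool is the defect that broke the generated pf macro.
SAMPLE_CONFIG_XML = """<pfsense>
  <openvpnserver>
    <config>
      <addresspool>172.23.23.0/24.</addresspool>
      <local_network>192.168.111.0/24</local_network>
      <remote_network></remote_network>
    </config>
  </openvpnserver>
  <interfaces>
    <lan><ipaddr>192.168.11.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
</pfsense>
"""

# Deliberately loose: anything shaped like "<something>/<something>" is a
# candidate, so malformed values such as "24." are examined rather than skipped.
CIDR_CANDIDATE = re.compile(r"^\S+/\S+$")


def _walk(elem, prefix=""):
    """Yield (slash-separated path, element) for elem and all descendants."""
    path = f"{prefix}/{elem.tag}"
    yield path, elem
    for child in elem:
        yield from _walk(child, path)


def find_bad_cidrs(xml_text):
    """Return [(path, raw value, reason)] for each CIDR-looking text value
    that ipaddress refuses to parse.  strict=False accepts host bits being
    set (pf is happy with 192.168.1.2/32 style entries), so only genuinely
    malformed strings, such as a stray trailing character, are reported."""
    root = ET.fromstring(xml_text)
    bad = []
    for path, elem in _walk(root):
        text = (elem.text or "").strip()
        if not CIDR_CANDIDATE.match(text):
            continue
        try:
            ipaddress.ip_network(text, strict=False)
        except ValueError as exc:
            bad.append((path, text, str(exc)))
    return bad


if __name__ == "__main__":
    for path, value, reason in find_bad_cidrs(SAMPLE_CONFIG_XML):
        print(f"{path}: {value!r}: {reason}")
```

Running it against a real /conf/config.xml is a matter of reading the file and passing its contents to find_bad_cidrs.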



  • @biggsy:

    Safe enough to just delete it?

    Delete the "." in 172.23.23.0/24.?
    Delete the 172.23.23.0/24.?
    Delete the Openvpnserver section?

    I'd try the first, then (if necessary) second, then third if I wasn't prepared to delete the whole section and reconfigure OpenVPN server.



  • wallabybob and ptt,

    Thanks to you both for helping find the problem.

    I dropped the dot, restored the config and upgraded to 2.0 without a problem.

    It's been an interesting month - pfSense 2.0 and ESXi 5.0.  Sincere thanks and congratulations to the devs for the former.

    Cheers,
    biggsy

