    NAT forward rules

    General pfSense Questions
    • O
      Ofloo last edited by

      ALIX 2d13 latest image 2.2-RELEASE FreeBSD 10.1-RELEASE-p4 built on Thu Jan 22 14:04:25 CST 2015

      I was able to add new rules without a problem. But after enabling "UPNP & NAT-PMP", now whenever I want to add a new forward rule, php-fpm increases CPU slowly and then crashes, and the website gives the error

      500 - Internal Server Error
      
      lighttpd[46824]: (mod_fastcgi.c.2562) unexpected end-of-file (perhaps the fastcgi process died): pid: 0 socket: unix:/var/run/php-fpm.socket
      kernel: pid 65338 (php-fpm), uid 0, was killed: out of swap space
      lighttpd[46824]: (mod_fastcgi.c.3346) response not received, request sent: 968 on socket: unix:/var/run/php-fpm.socket for /firewall_nat_edit.php?dup=2, closing connection
      

      It's not a memory issue, because it crashes without using all the memory.

      And I've disabled UPNP & NAT-PMP, however it doesn't go away.

      • P
        phil.davis last edited by

        kernel: pid 65338 (php-fpm), uid 0, was killed: out of swap space
        

        On Alix there is only 256MB real memory and no swap space. So that "out of swap space" message really means "out of real memory".
        Something is causing PHP to go into a spin and allocate a load of memory. On a 256MB system like that it will exhaust real memory before it exhausts the PHP allowed virtual address space for the process.

        There is code that extends the firewall_nat_edit page:
        /usr/local/pkg/firewall_nat/input_validation
        /usr/local/pkg/firewall_nat/pre_write_config
        /usr/local/pkg/firewall_nat/htmlphpearly
        /usr/local/pkg/firewall_nat/pre_interfaces_edit
        /usr/local/pkg/firewall_nat/htmlphplate

        I guess that code is installed by some package - does your system have any of those files in /usr/local/pkg/firewall_nat ?
        That might be a source of unusual things starting to happen and not going away.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
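
An added example, not part of the thread or of pfSense: a Python sketch that pairs each kernel "php-fpm ... was killed" line with the lighttpd "response not received" line that follows it, to show which page was being served when the process died. The message formats are the ones quoted in the first post; the syslog timestamps, the host name `fw`, the 5-second window and every sample event after the first are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample: message formats as quoted in the first post; timestamps,
# host name "fw", and all events after the first one are made up for illustration.
SAMPLE_LOG = """\
Feb  3 10:14:02 fw lighttpd[46824]: (mod_fastcgi.c.2562) unexpected end-of-file (perhaps the fastcgi process died): pid: 0 socket: unix:/var/run/php-fpm.socket
Feb  3 10:14:02 fw kernel: pid 65338 (php-fpm), uid 0, was killed: out of swap space
Feb  3 10:14:02 fw lighttpd[46824]: (mod_fastcgi.c.3346) response not received, request sent: 968 on socket: unix:/var/run/php-fpm.socket for /firewall_nat_edit.php?dup=2, closing connection
Feb  3 10:20:41 fw kernel: pid 70112 (php-fpm), uid 0, was killed: out of swap space
Feb  3 10:20:41 fw lighttpd[46824]: (mod_fastcgi.c.3346) response not received, request sent: 970 on socket: unix:/var/run/php-fpm.socket for /firewall_nat_edit.php?dup=3, closing connection
Feb  3 11:02:10 fw lighttpd[46824]: (mod_fastcgi.c.3346) response not received, request sent: 512 on socket: unix:/var/run/php-fpm.socket for /example_page.php, closing connection
"""

LINE = re.compile(r"^(\w{3}\s+\d+) (\d\d):(\d\d):(\d\d) \S+ (.*)$")
KILL = re.compile(r"kernel: pid (\d+) \(php-fpm\), uid \d+, was killed: out of swap space")
LOST = re.compile(r"lighttpd\[\d+\]: \(mod_fastcgi\.c\.\d+\) response not received, "
                  r".* for (\S+), closing connection")

def correlate(log_text, window=5):
    """Return (pid, uri) for each php-fpm kill followed by a lost response within `window` s."""
    kills, lost = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in syslog format
        day, msg = m.group(1), m.group(5)
        secs = int(m.group(2)) * 3600 + int(m.group(3)) * 60 + int(m.group(4))
        if k := KILL.search(msg):
            kills.append((day, secs, int(k.group(1))))
        elif r := LOST.search(msg):
            lost.append((day, secs, r.group(1)))
    hits = []
    for day, secs, pid in kills:
        for lost_day, lost_secs, uri in lost:
            # Same day, and the lost response is logged at or just after the kill.
            if lost_day == day and 0 <= lost_secs - secs <= window:
                hits.append((pid, uri))
                break
    return hits

def scripts_by_kills(hits):
    """Count kills per PHP script, ignoring the query string."""
    return Counter(uri.split("?", 1)[0] for _, uri in hits)

if __name__ == "__main__":
    for script, count in scripts_by_kills(correlate(SAMPLE_LOG)).items():
        print(f"{count} php-fpm kill(s) while serving {script}")
```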

        • O
          Ofloo last edited by

          That directory doesn't exist:

          /usr/local/pkg/firewall_nat/

          And ok it goes from 123M to 56M however there's still free memory. However once the CPU hits 100% it just crashes.

          • P
            phil.davis last edited by

            firewall_nat_edit.php has a call to gen_subnet_max() - and gen_subnet_max() has a nasty bug on 32-bit systems which will cause code to loop through IP addresses up to 255.255.255.255, consuming a little memory and CPU in the process.
            In this case it looks like it is called when there are VIPs, so if you have VIPs then firewall_nat_edit might go into a spin.

            It is fixed by commit: https://github.com/pfsense/pfsense/commit/e69a0cf3a216c8647a6def4eee41ab01319ce90f

            Whatever the problem is here, you certainly want this fix anyway - as the bug sends various things into a spin where gen_subnet_max() is called.

            • O
              Ofloo last edited by

              This was the reason thank you very much.

              EDIT: only the fix doesn't work, Fatal error: Cannot redeclare gen_subnetv4_max() (previously declared in /etc/inc/util.inc:323) in /etc/inc/util.inc on line 355

              I had to download the whole file and now it works https://raw.githubusercontent.com/pfsense/pfsense/master/etc/inc/util.inc

              • P
                phil.davis last edited by

                Line 323 is function gen_subnetv4($ipaddr, $bits)

                I guess you had some editing error  :(

                • H
                  heper last edited by

                  imho it's best to use the system->patches addon to insert commits
