Re: [pfSense] Syntax error in rules.debug for lagg0 (WAN) after upgrade to 2.4.3_1

2018-05-24 Thread Steve Yates
Finally found https://redmine.pfsense.org/issues/8518 which is this bug (the 
extra incomplete gateway line).  Fix seems to be to delete/comment out three 
lines in /etc/inc/filter.inc:

https://redmine.pfsense.org/projects/pfsense/repository/revisions/c9159949e06cc91f6931bf2326672df7cad706f4/diff/src/etc/inc/filter.inc?utf8=%E2%9C%93=inline

A poster on that report says "When I try and add an IPv6 IP Alias VIP the error 
seems to appear" which would explain why we didn't see it on other 2.4.3_1 
updates that have only IPv4 VIPs.

I did try changing off the LAGG to just the one interface on WAN and that had 
the same symptom with the interface in the message.

--

Steve Yates
ITS, Inc.


-Original Message-
From: Steve Yates 
Sent: Wednesday, May 23, 2018 10:34 PM
To: 'pfSense Support and Discussion Mailing List' 
Subject: Syntax error in rules.debug for lagg0 (WAN) after upgrade to 2.4.3_1

After upgrading our HA routers from 2.4.2_1 to 2.4.3_1, every few minutes they 
are logging:

There were error(s) loading the rules: /tmp/rules.debug:242: syntax error - The 
line in question reads [242]: pass out  route-to ( lagg0 64.79.96.145 ) from  
to !/ tracker 105913 keep state allow-opts label "let out anything from 
firewall host itself"

64.79.96.145 is our WAN gateway.  We have the WAN configured to use a 
one-interface LAGG to allow sharing CARP states if we ever use a different 
router with a different interface name.

Searching /tmp/rules.debug for "lagg0" I see three lines at the top of the 
output:

pass out  route-to ( lagg0 64.79.96.145 ) from 64.79.96.149 to !64.79.96.144/29 
tracker 105911 keep state allow-opts label "let out anything from firewall 
host itself"
pass out  route-to ( lagg0 64.79.96.145 ) from 64.79.96.150 to !64.79.96.144/29 
tracker 105912 keep state allow-opts label "let out anything from firewall 
host itself"
pass out  route-to ( lagg0 64.79.96.145 ) from  to !/ tracker 105913 keep 
state allow-opts label "let out anything from firewall host itself"

.149 is the WAN IP, .150 the CARP shared IP.  Given the first two are there, 
I'm not sure what the third is supposed to be?

Re-applying the firewall rules does not clear it, though does appear to trigger 
it (presumably due to the rules reload).

Suggestions?

Steve Yates
ITS, Inc.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
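The third line in the thread is the tell: pf rejects it because the `from`/`to` addresses were never filled in (`from  to !/`), which is what the incomplete-gateway bug in filter.inc produces. A quick way to catch this before a rules reload fails, or to confirm a fix, is to scan the generated ruleset for `route-to` lines whose source or destination token is empty. The script below is an added example written for this thread, not code from pfSense or from the poster; the three sample lines are the ones quoted above, re-joined onto single lines, and the empty-address heuristic (`_bad_address`) is my own assumption about what "incomplete" looks like. The authoritative check is still `pfctl -nf /tmp/rules.debug`, which parses the file without loading it.

```python
import re
import sys

# Constructed sample: the three lagg0 rules quoted in the thread, each joined
# back onto one line the way pf actually reads them from /tmp/rules.debug.
SAMPLE_RULES = """\
pass out  route-to ( lagg0 64.79.96.145 ) from 64.79.96.149 to !64.79.96.144/29 tracker 105911 keep state allow-opts label "let out anything from firewall host itself"
pass out  route-to ( lagg0 64.79.96.145 ) from 64.79.96.150 to !64.79.96.144/29 tracker 105912 keep state allow-opts label "let out anything from firewall host itself"
pass out  route-to ( lagg0 64.79.96.145 ) from  to !/ tracker 105913 keep state allow-opts label "let out anything from firewall host itself"
"""

# 'from <src> to <dst>' where either token may be empty (two spaces in a row).
FROM_TO = re.compile(r"\bfrom\s+(?P<src>\S*)\s+to\s+(?P<dst>\S*)")
TRACKER = re.compile(r"\btracker\s+(\d+)")


def _bad_address(token):
    """Heuristic (assumption): an address token is 'incomplete' when it is
    empty, a bare '/', or ends in '/' with no prefix length, optionally
    preceded by pf's '!' negation."""
    stripped = token.lstrip("!")
    return stripped in ("", "/") or stripped.endswith("/")


def find_incomplete_rules(text):
    """Return one finding per rule line whose source or destination is
    missing. Each finding records the line number, the pfSense tracker id
    (useful for locating the rule in the GUI), which side is empty, and the
    rule text itself."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if "route-to" not in line:
            continue
        match = FROM_TO.search(line)
        if not match:
            continue
        empty = [side for side in ("src", "dst") if _bad_address(match.group(side))]
        if empty:
            tracker = TRACKER.search(line)
            findings.append({
                "line": lineno,
                "tracker": tracker.group(1) if tracker else None,
                "empty": empty,
                "rule": line.strip(),
            })
    return findings


if __name__ == "__main__":
    # Usage: python check_rules.py /tmp/rules.debug   (defaults to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_RULES
    for f in find_incomplete_rules(text):
        print(f"line {f['line']} tracker {f['tracker']} missing {f['empty']}: {f['rule']}")
```

Run it against the sample and it reports only the third rule (tracker 105913) with both sides empty; the two well-formed route-to rules for .149 and .150 pass. Running it against a live /tmp/rules.debug after applying the filter.inc change from the redmine commit is a cheap way to confirm the stray gateway line is gone.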


Re: [pfSense] Syntax error in rules.debug for lagg0 (WAN) after upgrade to 2.4.3_1

2018-05-23 Thread Steve Yates
I found Suricata won't start, and I'm guessing the error Suricata is 
logging when it terminates (leaving its .pid file behind), "23/5/2018 -- 
22:42:18 -  -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - alert-pf: Could 
not validate pf table: snort2c, module init failed." ...is related to this...?

--

Steve Yates
ITS, Inc.
