OPNsense Forum
Archive => 18.1 Legacy Series => Topic started by: godfather007 on April 08, 2018, 07:46:19 am
-
Hi,
For a while I'm trying to upgrade from 1.7 to 1.8 without success.
After an export and import NAT does not work anymore.
From the host I can ping the internet but from my private it cannot be reached: "errors loading the rules /tmp/rules.debug.158"
The lines in there look like this:
scrub on re1_vlan534 all
scrub on re1_vlan536 all
scrub on re1_vlan538 all
scrub on re0_vlan34 all
scrub on gif0 all
157:no rdr proto carp all
158:nat on re0_vlan34 inet from (re1:network) to any port $500 -> re0_vlan34 static-port # Automatic outbound rule
159:nat on re0_vlan34 inet from (re1_vlan502:network) to any port $500 -> re0_vlan34 static-port # Automatic outbound rule
160:nat on re0_vlan34 inet from (re1_vlan504:network) to any port $500 -> re0_vlan34 static-port # Automatic outbound rule
161:nat on re0_vlan34 inet from (re1_vlan506:network) to any port $500 -> re0_vlan34 static-port # Automatic outbound rule
nat on re0_vlan34 inet from (re1_vlan508:network) to any port $500 -> re0_vlan34 static-port # Automatic outbound rule
nat on re0_vlan34 inet from (re1_vlan510:network) to any port $500 -> re0_vlan34 static-port # Automatic outbound rule
I already switched from "automatic" to "manual" NAT-outbound setting, hoping the wrong bit would flip back to functional state.
Any idea where this could be coming from?
-
Is there a more elaborate error message?
Looks a bit like re1:network is not configured, do you have it assigned somewhere but no IPv4 configured?
Cheers,
Franco
-
Hi Franco,
re1:network is my mgmt subnet for native vlan0 comms. It has only IPv4 assigned.
-
Go to System: Settings: Advanced and set "Firewall Maximum Table Entries" to 500000. We're working on this.
Not sure about the other error... one at a time. :)
Cheers,
Franco
-
Hi,
it is already a few months later.
Unfortunately, the error remains. Whatever I try, entire config or separate compartments (like VLAN, interfaces, aliases, firewall rules).
Whenever I import the old 17 config into the latest 18.1.6 it gives an error like this:
opnsense: /usr/local/etc/rc.filter_configure: New alert found: There were error(s) loading the rules: /tmp/rules.debug:154: macro '500' not defined - The line in question reads [154]: nat on re0_vlan34 inet from (re1:network) to any port $500 -> re0_vlan34:0 static-port # Automatic outbound rule
RE1 is the default interface for mgmt, has an IP and 20 vlans (with each of them an IP).
I get cramp in my stomach thinking of manually defining the entire config (like going from pfsense to opnsense).
Any idea? Someone?
-
Macro $500 is not defined... what is it supposed to be.. a stray port alias that maybe no longer exists?
Posting the error message a few months ago would probably not have caused this to be overlooked.
Cheers,
Franco
-
Errr, so I should find it in an alias definition that does not exist anymore?
I will have a more detailed look between the rules and eventually the /tmp/rules.debug file.
Thanks
-
Worst case, find out what 500 was about, look it up in the alias definitions and if it's not there create it and add the contents back. That should bring the rules back to life immediately.
Additionally if you could share with me your config.xml section that has alias "500" I can see why it's not converted/written to the system.
Cheers,
Franco
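An added check for the procedure Franco describes above (example code, not OPNsense code and not part of this thread): pf reads `$500` as a reference to a macro named 500, so the useful triage is to list every `$name` the generated ruleset references without defining, with the line number that pfctl reports. The script below does that over a constructed rules.debug fragment modelled on the quoted rule; the sample contents, the alias names and the file path are assumptions. It also flags names that can never be satisfied by a definition: per pf.conf(5) a macro name must start with a letter, so an alias called `500` yields a `$500` reference that no `500 = "..."` line can define.

```python
"""Triage check for pf 'macro not defined' errors in a rules.debug file.

Added example, not OPNsense or pf code. It walks a rules file, records every
macro definition (name = value) and every $name reference outside quotes and
comments, and reports references with no definition, flagging names that are
not valid pf macro names (pf.conf(5): a macro name starts with a letter).
The sample below is constructed, modelled on the rule quoted in this thread.
"""
import re
import sys
from typing import Dict, List

# Definition at the start of a line: name = "value"   (pf.conf(5) macro syntax)
DEF_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=')
# Reference anywhere in a rule: $name or ${name}
REF_RE = re.compile(r'\$\{?([A-Za-z0-9_]+)\}?')
# pf.conf(5): macro names must start with a letter and may contain letters,
# digits and underscores.
VALID_MACRO_NAME_RE = re.compile(r'^[A-Za-z][A-Za-z0-9_]*$')

# Constructed sample (not a real /tmp/rules.debug); line 5 mirrors the thread.
SAMPLE_RULES = """\
# constructed sample
wanip = "203.0.113.10"
mgmt_ports = "{ 22 443 }"
scrub on re1_vlan534 all
nat on re0_vlan34 inet from (re1:network) to any port $500 -> re0_vlan34:0 static-port # Automatic outbound rule
nat on re0_vlan34 inet from (re1_vlan502:network) to any port $mgmt_ports -> re0_vlan34:0 static-port
pass in on re1 proto tcp from any to $wanip port $mgmt_ports
pass in on re1 proto tcp from any to $wanip port $missing_alias
"""


def strip_quotes_and_comments(line: str) -> str:
    """Drop double-quoted text (pf does not expand macros inside quotes) and
    everything after an unquoted '#'."""
    out, in_quote = [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        elif in_quote:
            continue
        elif ch == '#':
            break
        else:
            out.append(ch)
    return ''.join(out)


def macro_definitions(text: str) -> Dict[str, int]:
    """Map each defined macro name to the line number of its first definition."""
    defs: Dict[str, int] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = DEF_RE.match(line)
        if m:
            defs.setdefault(m.group(1), lineno)
    return defs


def undefined_macros(text: str) -> List[dict]:
    """Return one record per reference to a macro that has no definition.

    Each record: line (1-based, as pfctl reports it), name, invalid_name
    (True when the name could never be a pf macro, e.g. the digits-only
    '500'), rule (the offending line with quotes and comment stripped)."""
    defs = macro_definitions(text)
    findings: List[dict] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        body = strip_quotes_and_comments(line)
        for name in REF_RE.findall(body):
            if name in defs:
                continue
            findings.append({
                "line": lineno,
                "name": name,
                "invalid_name": VALID_MACRO_NAME_RE.match(name) is None,
                "rule": body.strip(),
            })
    return findings


def format_report(findings: List[dict], path: str = "/tmp/rules.debug") -> List[str]:
    """Render findings in the same shape as the alert quoted in the thread."""
    lines = []
    for f in findings:
        hint = (" (not a valid pf macro name: rename the alias so it starts "
                "with a letter)" if f["invalid_name"]
                else " (alias missing or not written to the ruleset)")
        lines.append(f"{path}:{f['line']}: macro '{f['name']}' not defined{hint}"
                     f" - rule: {f['rule']}")
    return lines


if __name__ == "__main__":
    # Usage: python check_macros.py /tmp/rules.debug   (falls back to the sample)
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for row in format_report(undefined_macros(src)):
        print(row)
```

Run it on the firewall against the real file (`python3 check_macros.py /tmp/rules.debug`; the script name is mine). A hit flagged as an invalid name points at an alias to rename; a hit flagged as missing points at an alias that exists in config.xml but was not written into the ruleset, which is exactly the section Franco asks to see.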
-
Hi Franco,
I've been searching in the file and, apart from my 500, 502, 50x vlan definitions, I cannot find something odd.
If you could have a glance? Just attach it here online? :-\
Much appreciated
-
Send it to franco@opnsense.org and I'll have a look.
Cheers,
Franco
-
Hi Franco,
were you able to have a look at it?
Regards,
Martijn
-
Hi Martijn,
I didn't see a mail? When did you send it?
Cheers,
Franco
-
I will give it another try with an alternative address :-)
-
Hi Franco,
did it come through this time?
-
Found it, thanks. Will have a look now. :)
-
Martijn,
I inspected the config but found no reference to a port alias named "500".
The imported config runs and gives no errors when doing:
# pfctl -f /tmp/rules.debug
What am I missing?
Cheers,
Franco
-
PS: I used 18.1.13 to do the import...
-
Hi Franco, did you manage to find anything?
Thanks
-
No, the restore worked on 18.1.13, hence:
Martijn,
What am I missing?
Cheers,
Franco
-
Thanks!
Strange anyway :-)
-
Woops.... and then I pressed "update" to 18.7.1 .... broken again :-(
It was working though... at 18.7 :-(
Email says:
There were error(s) loading the rules: /tmp/rules.debug:153: macro '500' not defined - The line in question reads [153]: nat on re0_vlan34 inet from (re1:network) to any port $500 -> re0_vlan34:0 static-port # Automatic outbound rule
Should i maybe recreate the re0_vlan34 interface??
-
Strange,
I took the day to rebuild the whole thing from scratch... having the same issue.
It is like I'm not understanding something..
The box itself has a WAN IP address through dhcp @ vlan34, it can download packages (like letsencrypt) but it does not function as the gateway for my assigned subnets.
It is checked as the default gateway, ip monitoring has been enabled & re-disabled.... no luck with this.
-
Wow.... after manually copying all my config to my other box I experienced the same.
I found that in the aliases something is wrong, after deleting whole parts until I got it working.
Strange thing (i don't know yet) but it has to be a limit of aliases or a misplaced character.
Anyway i did not need those aliases anymore...
Happy user again :-)