Finally found https://redmine.pfsense.org/issues/8518 which is this bug (the extra incomplete gateway line). Fix seems to be to delete/comment out three lines in /etc/inc/filter.inc:

https://redmine.pfsense.org/projects/pfsense/repository/revisions/c9159949e06cc91f6931bf2326672df7cad706f4/diff/src/etc/inc/filter.inc?utf8=%E2%9C%93&type=inline

A poster on that report says "When I try and add an IPv6 IP Alias VIP the error seems to appear" which would explain why we didn't see it on other 2.4.3_1 updates that have only IPv4 VIPs.

I did try changing off the LAGG to just the one interface on WAN and that had the same symptom with the interface in the message.

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: Steve Yates
Sent: Wednesday, May 23, 2018 10:34 PM
To: 'pfSense Support and Discussion Mailing List' <[email protected]>
Subject: Syntax error in rules.debug for lagg0 (WAN) after upgrade to 2.4.3_1

After upgrading our HA routers from 2.4.2_1 to 2.4.3_1, every few minutes they are logging:

    There were error(s) loading the rules: /tmp/rules.debug:242: syntax error - The line in question reads [242]: pass out route-to ( lagg0 64.79.96.145 ) from to !/ tracker 1000005913 keep state allow-opts label "let out anything from firewall host itself"

64.79.96.145 is our WAN gateway. We have the WAN configured to use a one-interface LAGG to allow sharing CARP states if we ever use a different router with a different interface name.

Searching /tmp/rules.debug for "lagg0" I see three lines at the top of the output:

    pass out route-to ( lagg0 64.79.96.145 ) from 64.79.96.149 to !64.79.96.144/29 tracker 1000005911 keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( lagg0 64.79.96.145 ) from 64.79.96.150 to !64.79.96.144/29 tracker 1000005912 keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( lagg0 64.79.96.145 ) from to !/ tracker 1000005913 keep state allow-opts label "let out anything from firewall host itself"

.149 is the WAN IP, .150 the CARP shared IP. Given the first two are there, I'm not sure what the third is supposed to be?
Re-applying the firewall rules does not clear it, though it does appear to trigger it (presumably due to the rules reload). Suggestions?

Steve Yates
ITS, Inc.

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold!
https://pfsense.org/gold
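An added check, not from the thread or from pfSense itself: a small sh/awk script that scans a generated pf ruleset such as /tmp/rules.debug for "pass out route-to" rules whose source or destination field came out empty, which is exactly the malformed line this report describes. The function names and the sample ruleset file are constructed for the example; the three route-to lines in it are the ones quoted in the report.

```shell
#!/bin/sh
# Added example (not pfSense code). Flags route-to rules whose "from <src>"
# or "to <dst>" field is empty, e.g. "from to !/", before pfctl rejects them.
# Usage: check_routeto_rules /tmp/rules.debug

check_routeto_rules() {
    # Print "<lineno>: <rule>" for each incomplete route-to rule in $1;
    # exit status 1 if any were found, 0 if the ruleset looks complete.
    awk '
        /^pass out route-to/ {
            # empty source: "from" directly followed by "to"
            # empty destination: "to /" or "to !/" (no address before the prefix)
            if ($0 ~ /from[ \t]+to[ \t]/ || $0 ~ /to[ \t]+!?\/([ \t]|$)/) {
                print NR ": " $0
                bad++
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

make_sample_ruleset() {
    # Constructed sample: one unrelated rule plus the three lines from the
    # report (two complete, the third with empty from/to). Prints the path.
    f=$(mktemp "${TMPDIR:-/tmp}/rules.XXXXXX") || return 1
    cat > "$f" <<'EOF'
pass in quick on lo0 all tracker 1000000001 label "constructed loopback rule"
pass out route-to ( lagg0 64.79.96.145 ) from 64.79.96.149 to !64.79.96.144/29 tracker 1000005911 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( lagg0 64.79.96.145 ) from 64.79.96.150 to !64.79.96.144/29 tracker 1000005912 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( lagg0 64.79.96.145 ) from to !/ tracker 1000005913 keep state allow-opts label "let out anything from firewall host itself"
EOF
    echo "$f"
}

# Stand-alone demonstration on the constructed sample.
sample=$(make_sample_ruleset)
if check_routeto_rules "$sample"; then
    echo "no incomplete route-to rules"
else
    echo "incomplete route-to rule(s) found (see lines above)"
fi
rm -f "$sample"
```

On a live firewall, run the function against /tmp/rules.debug after a rules reload; the printed line number matches the one in the "syntax error" log message.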
