UDP/ICMP is not working after upgrade to 2.6.0
-
What worked as always didn't work after upgrade to 2.6.0.
Nothing else changed besides the FW.
How to troubleshoot?
-
Hello,
I also noticed problems with Outbound NAT regarding UDP traffic.
Packet Capture on OPT1:
Packet Capture on WAN:
So it seems the traffic is leaving the interface with working translation, but pfSense does not correctly forward the returning packets to the sender. This is also happening to simple DNS requests, so it's not a problem with OpenVPN.
Unfortunately, this strange behavior is limited to some interfaces. It happens on OPT1 but not on LAN.
NAT Rules are exactly the same except the source network.
Any hints for further debugging? Avoiding UDP is not a proper way, I'm afraid...
-
@bepo This is happening to all Captive Portal enabled interfaces for all UDP traffic. Disable Captive Portal or downgrade to the previous 2.5 version. 2.6 appears broken after doing the same traces as you did.
-
Thanks for this hint @pdschulz. Indeed there is a captive portal enabled on this interface. I opened a bug for this:
https://redmine.pfsense.org/issues/12834
Hopefully it gets fixed soon.
-
I'm having the same issue with Captive Portal on a VLAN interface. I thought it was just a configuration problem.
-
Ok, I've replicated this but I don't think it's anything to do with NAT. The created NAT states look correct.
It looks more like the Captive Portal itself is only passing TCP traffic outbound when you hit this.
Digging....
Steve
-
@pdschulz I didn't run CP on any interfaces and still no dice on 2.6
On 2.5.2 it works and runs happily
-
I can confirm I had similar problems after upgrading to 2.6.0.
Setup: pfSense 2.6.0 with Unifi APs and captive portal.
My first indication is that 3 different Mibox devices, running Android TV, came up with "internet connection problems". On the settings page I could see "connection, but no internet".
Most applications on the Mibox did not work, no Amazon Prime, no YouTube, no vrtnu, ... BUT Netflix worked.
iPad and Android phones did work, however.
Linux / Windows laptops also seem to work.
On the Unifi Network Management Station I got "STUN" errors on the access points after the upgrade.
Disabling the captive portal and re-connecting the clients fixed the problems.
The STUN errors on Unifi also disappeared.
-
Read https://forum.netgate.com/topic/170300/new-system-patches-v2-0?_=1646343673426 - Apply patch (Redmine #12834) and case closed.
-
Maybe we should move the discussion to the ticket only, to prevent split information:
https://redmine.pfsense.org/issues/12834
I posted an update there. It's maybe still an issue with MAC address bypasses.
Update: It's fixed. You have to reboot after applying the patch! Thanks for fixing :-)
-
Only the MAC bypass? How are you applying that? Hosts behind the portal that should be able to connect without logging in?
-
@stephenw10 See my update. It was my fault not rebooting after patching. Thanks!
-
I have a Netgate SG-1100 with the 22.01 release. I use captive portal, and cannot get wifi-call.
I have changed state timeouts on UDP as suggested in other posts but no difference.
Could it be that my pfSense+ 22.01 equals the 2.6.0 you are referring to here?
I tried to upgrade my system firmware yesterday but with no success. I see a lot of others with the same problem with upgrading.
Still awaiting a link to a recovery image from Netgate. Re-installed an old recovery file and back in business, but without wifi calls...
Can someone please shed some light on this issue?
-
You need to apply the patch for captive portal in 22.01.
Or upgrade. How did it fail?
You will get the recovery image imminently though and installing 23.05.1 clean is probably a good idea if you have access and a backup config.
Steve
-
@stephenw10 Thanks for the reply. I tried the upgrade via webgui.
Never booted up again.
Connected serial and rebooted to this.
-
Ah, Ok. Yes that was a known bug back in 22.01. Easier to reinstall 23.05.1 clean and restore your config from there.
-
@stephenw10
Yes, but if I understand correctly I can't download firmware updates, I need to open a ticket with Netgate?
I assume I have to wait and see if I get a reply for the ticket I just opened.
Thanks again
-
Yes. But I can see we replied to your ticket with a link ~30mins ago. (6mins after it was opened)
-
Yes thanks! Just trying to install it now!
-
@BENROFU Perfect, with wifi calling