UDP/ICMP is not working after upgrade to 2.6.0

Cool_Corona · Feb 20, 2022, 2:22 AM

What worked as always didnt work after upgrade to 2.6.0.

Nothing else changed besides the FW.

How to troubleshoot?

bepo · Feb 19, 2022, 4:12 PM

Hello,

I also noticed problems with Outbound NAT regarding to UDP traffic.

Packet Capture on OPT1:
login-to-view

Packet Capture on WAN:
login-to-view

So it seems the traffic is leaving the interface with working translation, but pfsense does not correctly forward the returning packets to the sender. This is also happening to simple DNS requests so its not a problem with OpenVPN.

Unfortunately, this strange behavior is limited to some interfaces. It happens on OPT1 but not on LAN.

NAT Rules are exactly the same except the source network.
login-to-view

Any hints for further debugging? Avoiding udp is not a proper way I'm afraid...

pdschulz · Feb 19, 2022, 4:12 PM

@bepo This is happening to all Captive portal enabled interfaces for all UDP traffic. Disable captive portal or downgrade to previous 2.5 version. 2.6 it appears broken after doing traces same as you did.

bepo · Feb 19, 2022, 9:58 PM

Thanks for this hint @pdschulz. Indeed there is a captive portal enabled on this interface. I opened a bug for this:

https://redmine.pfsense.org/issues/12834

Hopefully it gets fixed soon.

jake · Feb 20, 2022, 12:19 AM

I'm having the same issue with Captive Portal on an VLAN interface. I thought it was just a configuration problem.

stephenw10 · Feb 20, 2022, 1:41 AM

Ok, I've replicated this but I don't think it's anything to do with NAT The created NAT states looks correct.
It looks more like the Captive Portal itself is only passing TCP traffic outbound when you hit this.
Digging....

Steve

Cool_Corona · Feb 20, 2022, 9:47 AM

@pdschulz I didnt run CP on any interfaces and still no dice on 2.6

On 2.5.2 it works and runs happily

Mar 3, 2022, 9:44 PM

@cool_corona

I can confirm I had similar problems after upgrading to 2.6.0.
Setup: pfsense 2.6.0 with Unifi AP's and captive portal.

My first indication is that 3 different Mibox devices, running Android TV, came up with "internet connection problems". On the settings page I could see "connection, but no internet".

Most application on the mibox did not work, no amazon prime, no youtube, no vrtnu, ... BUT netflix worked.

Ipad and android phones did work however.
Linux / Windows laptops also seem to work.

On the Unifi Network Management Station I got "STUN" errors on the access points after the upgrade.

Disabling the captive portal and re-connecting the clients fixed the problems.
The STUN errors on Unifi also disappeared.

Gertjan · Mar 3, 2022, 9:44 PM

Read https://forum.netgate.com/topic/170300/new-system-patches-v2-0?_=1646343673426 - Apply patch (Redmine #12834) and case closed.

bepo · Mar 3, 2022, 10:18 PM

Maybe we should move discussion to the ticket only to prevent splitted information:
https://redmine.pfsense.org/issues/12834

I posted an update there. Its maybe still an issue with mac address bypasses.

Update: Its fixed. You have to reboot after applying the patch! Thanks for fixing :-)

stephenw10 · Mar 3, 2022, 10:18 PM

Only the mac bypass? How are you applying that? Hosts behind the portal that should be able to connect without logging in?

bepo · Mar 3, 2022, 10:19 PM

@stephenw10 See my update. It was my fault not rebooting after patching. Thanks!

BENROFU · Sep 19, 2023, 5:46 PM

I have a netgate Sg1100 with 22.01 release. I use captive portal, and cannot get wifi-call.
I have changed state timeouts on UDP as suggested in other posts but no diffrence.
Could it be that my pfsense+ 22.01 equals to 2.6.0 you are referring to here?

I tried to upgrade my system firmware yesterday but with no sucess. I see a lot of other with same problem with upgrading.
Still awaiting link to a recover image from netgate. Re-installed and old recoveryfile and back in business, but without wifi calls...

Can someone please shed some light on this issue?

stephenw10 · Sep 19, 2023, 5:52 PM

You need to apply the patch for captive portal in 22.01.

Or upgrade. How did it fail?

You will get the recovery image imminently though and installing 23.05.1 clean is probably a good idea if you have access and a backup config.

Steve

BENROFU · Sep 19, 2023, 6:06 PM

@stephenw10 Thanks for reply. I tried upgrade via webgui.

login-to-view
Never booted up again.

Connected serial and rebooted to this.
login-to-view

stephenw10 · Sep 19, 2023, 6:12 PM

Ah, Ok. Yes that was a known bug back in 22.01. Easier to reinstall 23.05.1 clean and restore your config from there.

BENROFU · Sep 19, 2023, 6:15 PM

@stephenw10
Yes, but if i do understand correct i cant download firmware updated, i need to open ticket with netgate?

I assume i have to wait and see if i get a reply for the ticket i just opened.

thanks again

stephenw10 · Sep 19, 2023, 6:38 PM

Yes. But I can see we replied to your ticket with a link ~30mins ago. (6mins after it was opened)

BENROFU · Sep 19, 2023, 6:40 PM

@stephenw10

Yes thanks! Just trying to install it now!

BENROFU · Sep 19, 2023, 8:13 PM

@BENROFU Perfect, with wifi calling