VPN Clients cannot see internal network after 2.6 to 2.7 upgrade
-
@stephenw10 L2TP clients and they can see the firewall itself, I can ping it and login to pfsense 2.7 from L2TP client but cannot ping or access anything on the LAN. The Site to Site VPN (IPSec) connection to the 2.6 appliance is also working well.
-
Site to site between the 2.6 and 2.7 instances?
The LT2P clients are not trying to access something across the S2S tunnel?
Is it LT2P or actually L2TP over IPSec?
Do the clients see the expected routes?
-
The S2S tunnel is separate connection and
yes it is L2TP over IPSec are the remote clients that cannot connect to anything on the LAN. There are no expected routes outside of L2TP over IPSec clients being able to see the inside. Here is a screenshot of the Firewall-Rules-L2TP VPN
-
Are clients getting the expected routes to the LAN subnet?
If you try to ping something on the LAN from a client do you see that traffic coming over the VPN? Opening states?
-
@stephenw10 They are not getting their expected routes, they can only ping the border appliance (pfsense box) and cannot ping past that. Also if we ping from a device on the LAN to a L2TP client the traceroute stops at the border(pfsense box). What options do we have besides reverting back to v2.6?
-
Check the client logs, are they being passed that subnet info?
Check the server logs for any errors there.
I'm not aware of any specific changes in 2.7 that might cause this but L2TP connections are probably the least used VPN type.
Are you using the 'L2TP Clients' system alias in any rules? I assume not since that would also fail in 2.6.
Steve
-
@stephenw10 We powered up a backup of our 2.6 instance before we upgraded to 2.7 and that is working perfectly with our L2TP over IPSec clients. It is definitely something in 2.7 that is the problem and I've seen on other forums that the upgrade to 2.7 is giving issues, especially VPN issues.
-
Ok so what exactly is failing here if you compare clients on the two systems?
Do clients on the 2.6 server get routes to the internal subnet?
Is traffic blocked in 2.7?
-
@stephenw10 Yes that is the case. 2.6 gets the routes to the internal subnet and 2.7 is blocked to the internal subnet. We troubleshooted several different ways over the past week and just concluded that it is something in 2.7. We would have created a ticket with Netgate support but decided not to because 2.6 works without fail. And we'll just continue to work with that until possible 2.7.1/2.8 is the fix. But we are definitely open to any tips or something we may have overlooked.
-
@uptown said in VPN Clients cannot see internal network after 2.6 to 2.7 upgrade:
2.6 gets the routes to the internal subnet and 2.7 is blocked to the internal subnet.
There's a big difference between the client not getting a route and the client traffic being blocked. Really we need to know exactly what the difference at the client is between 2.6 and 2.7. Or that there is no difference at the client and the only thing different is at the firewall end.
-
@stephenw10 I'll explain it this way: We backed up the 2.6 server and then upgraded it to 2.7, with no configuration changes at all. When we discovered trouble with 2.7, we then switched over to the 2.6 backup we created which works well.
-
Yes I understand. But to diagnose the issue we need to know exactly what is failing. For example is the server failign to pass a route to the client at all? Or maybe it's passing it in some format the client is rejecting. Or maybe it's passing a route in exactly the same way, the client is using it but for some reason the firewall is blocking it. Or it could be a server end routing issue where hosts in the subnet behind the server cannot reply; though that seems unlikely.
-
@stephenw10 the pfSense 2.7 firewall is not passing the route through, on both ends when doing a trace the route dies at the 2.7 firewall.
-
Hmm, well if you traceroute to something on the LAN subnet from a VPN client and it's hitting pfSense at all then the client must have the correct route. Otherwise it would try to send it outside the VPN.
So that implies the firewall is either not routing it correctly or is blocking it. You don't see any blocked traffic though? Can I assume you don't see any passed traffic logged either?
-
I know this topic is a little old.
But we're also running into a similar issue, thought I add to it here.
Since we just started upgrading from v2.6 to v2.7.Doesn't look like this is a blocking issue.
It seems to be routing related.Problem is the same.
We have L2TP over IPSEC VPN setup.
On v2.6 when VPN is established anything on the LAN is accessible.
However after upgrading to v2.7 we can' see anything on the LAN expect the PFsense IP and L2TP server IP, plus the VPN client IP.Somehow nothing is getting routed from the VPN client to LAN beyond PFsense.
We're still pulling our hair out trying to troubleshoot this.
But we did find a difference betwen v2.6 and v2.7 in the routes table.
The remote LAN is 192.168.1.0/24
PFsense is on 192.168.1.1
L2TP server IP: 192.168.1.247
VPN client IP: 192.168.1.248In v2.6 the Gateway assignment looks like this (in the routes table):
192.168.1.1 Gateway: link#4
192.168.1.247 Gateway: link#9
192.168.1.248 Gateway: link#9But on v2.7 it looks like this:
192.168.1.1 Gateway: link#4
192.168.1.247 Gateway: link#4
192.168.1.248 Gateway: link#9You can see the gateway relation.
It seems to reversed.Let me know if this sheds some more light on the issue.
-
Hmm, well I wouldn't expect that to make much difference. I also don't expect to see three gateways in the same subnet though.
https://docs.netgate.com/pfsense/en/latest/vpn/l2tp/configuration.html#ip-addressingWhat does the routing table at the client look like after it connects?
-
The client end shows PFsense v2.7:
Network Destination Netmask Gateway Interface Metric 192.168.1.0 255.255.255.0 192.168.1.247 192.168.1.248 26 192.168.1.248 255.255.255.255 On-link 192.168.1.248 281
Even if we choose a completely different network for the VPN.
eg 10.10.10.1
Same thing.So were out of ideas. Don't understand why it works fine like this in v2.6 but not in v2.7
As mentioned, the difference we found was in the way the gateways are structured.Another thing I should add, is that we also have site-to-site IPSEC VPN tunnels setup between locations, and they can route to each other without any issue.
Infact, we can even ping the LAN on the remote IPSEC VPN from the client. But that same client cannot ping anything on the LAN it's initially VPN'd to.So the issue seems to be with the Mobile VPN, since site-to-site is fine.
It's very odd. Doesn't make much sense. -
Hmm, both ends of the L2TP are pfSense? I has assumed this was a remote access setup?
-
For L2TP were connecting with Windows built-in L2TP client.
So Windows connects to the PFsense L2TP via PFsense Mobile IPsec.Basically we setup the PFsense L2TP server.
And the PFsense IPsec Mobile Client.
Then remotely connect with Windows to PFsense. -
Ok, that's what I had assumed originally.
So is there a difference at the client routing table between 2.6 and 2.7?