UDP packages dropped
Hello,
After upgrading to 2.7.0 including all patches, the problem is not solved yet. I've built a rule for testing purposes only to allow all traffic from WAN to LAN and a second one from LAN to WAN with logging enabled. The FW logs show the entries, so the rules match.
I can see the UDP packages WAN=>LAN and LAN=>WAN on the LAN side, but only the WAN=>LAN packages on the WAN side using the "packet capture" tool, showing the right IPs and ports. So finally the UDP traffic from LAN to WAN is dropped; no log entry gives a hint. The old 2.5.2 release forwards the UDP packages in both directions without any problems.
Is this a known issue and is there any workaround available?
Harry
@hs_pfsenseuser said in UDP packages dropped:
So finally the UDP traffic from LAN to WAN is dropped
When you install pfSense, any (like close to "all") traffic from LAN to WAN passes. UDP will work for sure.
You've found initially one firewall rule on LAN - it worked.
Btw: Traffic from WAN to LAN needs more than a firewall rule. It's called a NAT rule, which includes a firewall rule. With only a firewall rule, you can't use LAN resources from 'WAN'.
@hs_pfsenseuser said in UDP packages dropped:
I've built a rule for testing purpose only to allow
What rules? What interface?
Can you detail?
@Gertjan said in UDP packages dropped:
When you install pfSense, any (like close to "all") traffic from LAN to WAN passes. UDP will work for sure.
You've found initially one firewall rule on LAN - it worked.
Exactly, that's my problem. The direction LAN => WAN is the problem.
Btw: Traffic from WAN to LAN needs more than a firewall rule. It's called a NAT rule, which includes a firewall rule. With only a firewall rule, you can't use LAN resources from 'WAN'.
Sorry for my short details. NAT is clear. I've built a static port outbound rule for UDP traffic.
@hs_pfsenseuser said in UDP packages dropped:
What rules? What interface?
Can you detail?
ISP == Fritzbox == WAN (private class C) == pfSense == LAN (also private class C) and others
Testing setup uses only private networks:
- Local DECT phone on Fritzbox connected to WAN interface
- Local SIP phone connected to LAN interface and registered in Fritzbox
- Firewall testing rule WAN: Fritzbox as source and SIP phone as target, allow all UDP traffic on all ports
- Firewall testing rule LAN: SIP phone as source and Fritzbox phone as target, allow all UDP traffic on all ports
- Hybrid Outbound NAT: Fritzbox as source, udp/*, Destination *, WAN Address as NAT address, static port
- Testing with several keep-alive times for UDP on the pfSense side and port activity times on the FB side
Test 1:
- Initiate Call by Local SIP phone for DECT phone
- Incoming Call on DECT side, pickup OK and bidi audio on dynamic UDP ports also OK. Packet capture shows packages on both interfaces for both IPs (SIP and FB)
Test 2:
- Initiate Call by DECT phone for SIP phone
- Incoming Call on SIP side, pickup OK, but audio on dynamic UDP ports mostly only from DECT to SIP (unidirectional). Packet capture shows Fritzbox packages on both interfaces and SIP packages only on the LAN side.
- Logging of the firewall rule shows the match for the UDP rules (WAN and LAN), but no traffic is routed from LAN to WAN.
- Captured SIP packages show the right source IP (SIP) and IP endpoint (Fritzbox)
- Sometimes bidi audio works without any changes in PFSense
My problem is that the same setup worked for years with pfSense 2.5.2. With release 2.6 the problems with UDP started, so I skipped 2.6 and went straight to 2.7.0. Maybe the big changes under the hood are the reason for this and I have to adjust my settings. But I have no idea what the problem is.