24.03 causes issue with remote VPN
-
So I am not sure which forum this belongs in -- not sure if this is a NAT or IPSEC issue or what
I have a local network behind a pfsense router; it is connected via an ipsec tunnel to a remote google cloud compute environment. In that environment, there is a wireguard vpn server that people connect to, and they can access the LAN behind the pfsense router and everything else they're allowed to
this has always worked, and instantly breaks in 24.03, and is instantly fixed by reverting to 23.09
otherwise the 24.03 update was fine
where should i start here?
normally when a client connects to the wireguard server, their traffic appears to originate from the ip address of the wireguard server -- this server can still ping devices on the other side of the ipsec tunnel and vice versa, ssh connections both ways are possible, but clients connected to it cannot access anything in the google cloud or the local lan
i have 5 remote sites, all directly connected via static routed ipsec tunnels to google cloud, they all have the same issue on 24.03, fixed by reverting to 23.09
actually they are working?? well i guess i found where to start
thanks if anyone has any ideas -
It's probably the Interface Bound state change in 24.03: https://docs.netgate.com/pfsense/en/latest/releases/24-03.html#general
Try reverting the global setting to floating as a test. If that fixes it you can look at where the state asymmetry is breaking and add specific rules to pass that.
If your IPSec tunnel is using route mode (VTI) it's probably there.
Steve
-
-
@stephenw10 yes that fixed it
i have another appliance that the update completely bricked tho, at a remote site, spent today setting up a spare to mail out to them lol
when i get the other one back i'll report what happened to it -
Well good and bad news then I guess!
We have some specific advice up for VTI tunnels with interface states now:
https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#ipsec-vti-filtering
Following that should allow you to have the global value set to Interface Bound but still pass VTI using floating rules.
-
@stephenw10 ok well the spare, an sg-3100, died while i was getting it to recognize the interfaces. here's an issue i run into a lot -- the router that died was not an sg-3100. if you restore a config with mismatched interface names from the original device (in this case i had manually search/replaced most of them in the xml config file but missed one), every boot it will halt and ask if you want to configure vlans.
i had sent a usb cable with it so i was able to get the remote user to connect it to their laptop, install the usb drivers and connect with putty to the console of the device, but nothing you can do from the console will let you bypass this error. maybe some kind of editing the conf file manually? but there's no mechanism from the console
so i had them connect the wifi to their phone hotspot, the wired interface to the pfsense router, and was able to get to the web interface on the router and delete all the vlans -- and then, i think the sd card in this router died of old age
so, i'm going to drive 4 hours up there and see if i can fix either of the two routers
i am crabby about this, mostly the original router dying after the update, we'll see if that was also caused by a faulty sd card. -
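The post above describes restoring a config.xml onto different hardware after a manual search/replace of interface names, with one missed entry causing a boot-time halt. The script below is an added example (not from the thread, not Netgate code) that audits a pfSense config.xml before it is restored: it lists every interface name referenced under `<interfaces>` and `<vlans>`, flags any whose parent NIC is not among the target device's physical interfaces, and flags assigned VLAN sub-interfaces that have no matching `<vlanif>` definition. It assumes the usual config.xml layout (`<interfaces>/<name>/<if>`, `<vlans>/<vlan>/<if>` and `<vlanif>`); the target NIC names and the sample config are constructed for the example.

```python
"""Audit interface names in a pfSense config.xml before restoring it onto a
different hardware model.

Added example, not part of the forum thread or pfSense itself. Assumes the
standard config.xml layout: <interfaces>/<name>/<if> for assignments and
<vlans>/<vlan>/<if>,<vlanif> for VLAN definitions.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: most names were rewritten for a device with mvneta* NICs,
# but the VLAN definition still references the old igb1 parent interface.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><enable></enable><if>mvneta0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><enable></enable><if>mvneta1</if><ipaddr>192.168.1.1</ipaddr></lan>
    <opt1><enable></enable><if>mvneta1.10</if><descr>GUEST</descr></opt1>
  </interfaces>
  <vlans>
    <vlan><if>igb1</if><tag>10</tag><vlanif>igb1.10</vlanif></vlan>
  </vlans>
</pfsense>
"""

# Assumed physical NIC names of the target device (constructed for the example).
TARGET_NICS = ["mvneta0", "mvneta1", "mvneta2"]


def physical_parent(ifname):
    """Strip a VLAN suffix ('igb1.10' -> 'igb1'); plain names are unchanged."""
    return ifname.split(".", 1)[0]


def referenced_interfaces(xml_text):
    """Return {location: interface name} for every <if>/<vlanif> in the config."""
    root = ET.fromstring(xml_text)
    refs = {}
    interfaces = root.find("interfaces")
    if interfaces is not None:
        for iface in interfaces:  # wan, lan, opt1, ...
            node = iface.find("if")
            if node is not None and node.text:
                refs[f"interfaces/{iface.tag}/if"] = node.text.strip()
    vlans = root.find("vlans")
    if vlans is not None:
        for idx, vlan in enumerate(vlans.findall("vlan")):
            for field in ("if", "vlanif"):
                node = vlan.find(field)
                if node is not None and node.text:
                    refs[f"vlans/vlan[{idx}]/{field}"] = node.text.strip()
    return refs


def find_mismatches(xml_text, target_nics):
    """(location, name) pairs whose parent NIC does not exist on the target device."""
    target = set(target_nics)
    return sorted((loc, name) for loc, name in referenced_interfaces(xml_text).items()
                  if physical_parent(name) not in target)


def find_dangling_vlan_assignments(xml_text):
    """Assigned interfaces that look like VLAN sub-interfaces ('x.N') but have no
    matching <vlanif> definition; pfSense cannot bring these up after a restore."""
    refs = referenced_interfaces(xml_text)
    defined = {name for loc, name in refs.items() if loc.endswith("/vlanif")}
    return sorted((loc, name) for loc, name in refs.items()
                  if loc.startswith("interfaces/") and "." in name and name not in defined)


def main(argv):
    # Usage: python audit_config.py config.xml nic0 nic1 ...
    if len(argv) < 3:
        xml_text, nics = SAMPLE_CONFIG, TARGET_NICS
    else:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
        nics = argv[2:]
    for loc, name in find_mismatches(xml_text, nics):
        print(f"unknown parent NIC: {loc} = {name}")
    for loc, name in find_dangling_vlan_assignments(xml_text):
        print(f"assigned VLAN without definition: {loc} = {name}")


if __name__ == "__main__":
    main(sys.argv)
```

Run against the sample it reports the stale `igb1` VLAN definition and the `mvneta1.10` assignment that no longer matches any `<vlanif>`, which is exactly the kind of single missed entry that leaves the box asking about VLANs at every boot.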
Urgh, I'm sorry.
If you import a config file in webgui and there is an interface mismatch it should take you to the assignments page in order to correct that before rebooting. However if you have a lot of sub-interfaces like vlans it can be easier to edit the config directly.
You can edit the config file directly from the command line using the EasyEditor (ee) and rebooting. The 3100 doesn't use an actual SD card, it has eMMC on-board which appears to the OS as mmcsd0. You can fit an m.2 SATA SSD and run from that though.
-
@stephenw10 ok the original Netgate SG-2440 was at a 'can't find /kernel/kernel' screen which, although there is some documentation on the pfsense site, my freebsd knowledge is very poor and i wasn't able to figure out how to fix this, easily, while sitting there
i ended up restoring from a community edition image and then that worked, restored original config, everything was good
i will have to dig into what happened to the other unit which is one of the old ARM based units that i'm willing to bet was not kept as a 'spare' but as 'junk you should throw away'
we'll see! -
have been a netgate user for 5 years since inheriting them from predecessor
most devices we have are REALLY OLD and have done really well
my 2 cents out of this event are:
- it would be nice if there was a portal (maybe there is) where i could go download any version of the firmware my license(s) entitles me to while the license(s) are active, it's really only an issue for the wg3100 as there's nowhere to download even community firmware in an 'emergency' like this one
- it would be cool if the capabilities of the ISO/boot disk were expanded to make it possible to 'repair an existing installation' somehow, under the assumption the boot/efi/partition/something is damaged or the wrong volume is selected / other stupid things like that that happen over time. i mean, right now it's fine for someone who is familiar with freebsd and/or does not have a cluster of employees hovering behind them waiting for the router to come back up :)
-
Feature requests for the new Net Installer are welcome. It can already recover an existing config and use that in a clean install. It doesn't support the 3100 though.
-
@stephenw10 sorry i meant to follow up and ask, what do you think caused the 'missing /kernel/kernel' on that sg-2440 ?
i have another sg-2440 even farther away that i am about to upgrade and i wonder if there are any preventative measures i should check before doing so, free space, correct boot configuration, something like that? thanks for all your help by the way
have ordered a new 1100 to replace the dead 3100 -
Nothing specific. Is it upgrading from 23.09.1? Running UFS?
Some of the early RCC-VE devices like that had very small eMMC storage (4GB) which can be an issue.
-