pfSense 2.8.0 - Routing stops intermittently after update from 2.7.2
-
I have several locations connected to our main site via OpenVPN TAP connections. The setup aims to recreate a building connected directly to our main site, and it allows adding VLAN tags to the VPN connection.
After upgrading the first location's pfSense to 2.8.0, I noticed that several hosts in that location were not reachable over TCP from the main site. Connecting from that remote location to the main site worked as before.
The pfSense in the remote location is available from the main office all the time; only the hosts behind the remote bridge interface are not always available. I recreated the scenario with a spare pfSense (from scratch) and ran into the same problem. With 2.7.2 installed on the spare, traffic flowed in both directions. After upgrading the spare to 2.8.0, TCP traffic from the main site to the remote site does not get through; the other direction works as expected.
Funny behavior:
After 'pinging' the remote hosts (that works!), I can connect to the formerly unresponsive hosts. For example:
- I want to connect via RDP to a host in the remote location -> not working
- I ping that host from our main location and get a reply
- Now I can connect to that host via RDP
That works for a few minutes, after which I have to repeat the procedure.
Unsuccessfully tried so far:
- Set 'net.link.bridge.pfil_bridge' to 0
- Assigned bridge0 to the LAN interface (see https://docs.netgate.com/pfsense/en/latest/bridges/interfaces.html)
- Set 'Firewall State Policy' to 'Floating States'
Successfully tried:
- 'pfctl -d': now everything works (reminding you that the same rules worked when pfSense 2.7.2 was on that device)
Please don't turn this into a "Why don't you do it this and that way" or "What you are doing is bad" thread. It worked all the way from pfSense 2.3.2. Something changed in pfSense 2.8.0 and I would like to know what it was.
-
I probably found the culprit:
System -> Advanced -> Firewall & NAT -> Static route filtering: Bypass firewall rules for traffic on the same interface
This is enabled on all pfSense 2.7.2 devices and it looks like it gets disabled during the update to 2.8.0.
After re-enabling this option, traffic flows in both directions as before.
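As an added check that is not part of the thread and not pfSense's own code: a small POSIX shell audit that reads a pfSense config.xml and reports the combination described above, static routes present but "Bypass firewall rules for traffic on the same interface" unset. It assumes (verify on your own box) that the option is stored as an empty `<bypassstaticroutes>` element under `<filter>` in /cf/conf/config.xml and that static routes are `<route>` elements under `<staticroutes>`; the subnets, gateway name and interface name are constructed sample data, and the pf rule text it prints is an approximation from memory of what pfSense generates per routed subnet, meant for side-by-side comparison with `pfctl -sr`, not as an authoritative reproduction.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense itself.
# Audits a pfSense config.xml for: static routes defined, but the
# "Bypass firewall rules for traffic on the same interface" option unset,
# which is the post-upgrade state the original poster found.
#
# Assumptions: option stored as <bypassstaticroutes/> under <filter>,
# routes as <route><network>CIDR</network>...</route> under <staticroutes>.
# All subnets, gateway names and interface names below are constructed.
set -e

make_sample() {   # $1 = output file, $2 = "on" or "off" for the bypass option
    {
        printf '<?xml version="1.0"?>\n<pfsense>\n  <filter>\n'
        if [ "$2" = "on" ]; then
            printf '    <bypassstaticroutes></bypassstaticroutes>\n'
        fi
        printf '  </filter>\n  <staticroutes>\n'
        printf '    <route>\n      <network>10.10.0.0/16</network>\n      <gateway>MAIN_OFFICE_GW</gateway>\n    </route>\n'
        printf '    <route>\n      <network>192.168.50.0/24</network>\n      <gateway>MAIN_OFFICE_GW</gateway>\n    </route>\n'
        printf '  </staticroutes>\n</pfsense>\n'
    } > "$1"
}

bypass_enabled() {   # $1 = config.xml path; prints "yes" or "no"
    if grep -q '<bypassstaticroutes' "$1"; then echo yes; else echo no; fi
}

static_route_networks() {   # $1 = config.xml path; prints one CIDR per line
    sed -n 's/.*<network>\([^<]*\)<\/network>.*/\1/p' "$1"
}

verdict() {   # $1 = config.xml path
    routes=$(static_route_networks "$1" | wc -l | tr -d ' ')
    if [ "$routes" -eq 0 ]; then
        echo NO_STATIC_ROUTES               # option has no effect without routes
    elif [ "$(bypass_enabled "$1")" = yes ]; then
        echo BYPASS_OK
    else
        echo BYPASS_MISSING_WITH_ROUTES     # the state found after the 2.8.0 upgrade
    fi
}

# Approximate shape of the per-subnet rules pfSense adds when the option is on
# (assumption from memory of filter.inc; diff against `pfctl -sr` on the box).
expected_pf_rules() {   # $1 = config.xml path, $2 = interface name (e.g. bridge0)
    static_route_networks "$1" | while read -r net; do
        echo "pass quick on $2 proto tcp from any to $net flags any keep state (sloppy)"
        echo "pass quick on $2 from any to $net no state"
        echo "pass quick on $2 proto tcp from $net to any flags any keep state (sloppy)"
        echo "pass quick on $2 from $net to any no state"
    done
}

# Demo with two constructed configs: as it looked after the upgrade, and after the fix.
AFTER_UPGRADE=$(mktemp); make_sample "$AFTER_UPGRADE" off
AFTER_FIX=$(mktemp);     make_sample "$AFTER_FIX" on
echo "after upgrade: $(verdict "$AFTER_UPGRADE")"
echo "after fix:     $(verdict "$AFTER_FIX")"
expected_pf_rules "$AFTER_FIX" bridge0
rm -f "$AFTER_UPGRADE" "$AFTER_FIX"
```

On a real firewall, run `verdict /cf/conf/config.xml` after the upgrade; if it prints BYPASS_MISSING_WITH_ROUTES, re-check the option under System -> Advanced -> Firewall & NAT, then confirm with `pfctl -sr` that `no state` rules exist for each statically routed subnet on the interface in question.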
-
I've found:
OK with the "Please: Don't turn this", so just a question.
This: "This option only applies if one or more static routes have been defined. If it is enabled, traffic that enters and leaves through the same interface will not be checked by the firewall. This may be desirable in some situations where multiple subnets are connected to the same interface."
matches your use case? You have static routes, multiple subnets?
-
@Gertjan said in pfSense 2.8.0 - Routing stops intermittently after update from 2.7.2:
[...] matches your use case?
You have static routes, multiple subnets?
Yes, the remote location has its own subnet and connects via a static route to the network in the main office. The default route of the remote location is set to the router that provides internet access in the remote location.