No access from WAN
-
Upgraded from 25.07 to 25.11. Now I have no access via WAN. HAProxy & OpenVPN worked fine on 25.07 but do not allow any WAN traffic on 25.11.
HAProxy & OpenVPN still respond fine on LAN just not from WAN. I don't see any obvious errors in the logs.
Everything inside the firewall seems to be working. No issues getting out. Just can't get in.
-
@PatRyan do you see your connection attempt in Diagnostics / pfTop from your outside IP?
And are you on the latest 25.11.a.20250927.0600?
-
@patient0 On the latest 25.11. Also did this on the initial build. I don't see my outside IP hit at all with pfTop. Really odd.
Reverting back to 25.07 I see the hits in pfTop.
-
@PatRyan said in No access from WAN:
Now I have no access via WAN. HAProxy & OpenVPN worked fine on 25.07 but do not allow any WAN traffic on 25.11.
Did your WAN IP change?
-
@PatRyan said in No access from WAN:
I don't see my outside IP hit at all with pfTop. Really odd
Mmmh you really should see it. If I do a nc to my WAN IP to a random TCP port (which is not open) I can see it in pfTop. And you can access the internet from LAN? As @Gertjan mentioned, has the WAN IP changed (http://ifconfig.me for example)?
-
@Gertjan no WAN IP changes. Reverting back to 25.07, same WAN IP and everything works. Updating to 25.11 and no WAN access.
-
Look at a packet capture under Diagnostics - if you see the packets there then make sure it's not a rule blocking it by adding a floating pass/quick rule at the top. Alternatively you can temporarily disable the filter (also disables NAT) with pfctl -d.
-
OK some additional testing. I do see traffic hitting from outside including that which should be making it through. Again this has worked fine prior to 25.11. Tried this on the 1006 build last night.
I use HAProxy to access several resources behind the firewall. I also have pfBlockerNG running. Floating rules are in use as setup by pfBlockerNG. Most of the floating rules are allow with only pfBlockerNG v4 and v6 as deny. On the WAN I have two allow rules for ports 80 and 443 for HAProxy.
With 25.11 traffic doesn't get in through the WAN. It gets denied from the built-in default deny rule. If I create a floating rule that allows any IP and any protocol on WAN then traffic gets through. If I create a rule on WAN that allows any / any but not a floating rule then traffic does not get through.
Thoughts on what data / info I can send to Netgate for review?
-
There are a lot of factors that can come into play. Since you've confirmed it's a filtering issue, the next thing I'd try is comparing the rulesets between the working and non-working states.
If you'd like, you may get a status output by going to /status.php and downloading the file generated there. Do that when it's working and when it's broken then upload the files here for review:
https://nc.netgate.com/nextcloud/s/fRDaDPyQ3ggpj2F
-
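The comparison marcosm suggests (working ruleset vs. broken ruleset) can be done offline on two text dumps. The script below is an added example, not code from this thread or from Netgate: it strips the fields pfSense varies between dumps (ridentifier, "id:" labels), lists rules present in only one of the two sets, and then walks each ruleset the way pf does (last matching rule wins unless it is quick) to name the rule that decides an inbound HTTPS packet. The two rule dumps, the interface name igc0, the WAN address 203.0.113.10, the table contents and the packet are all constructed; the "broken" set is an invented illustration in which the HAProxy pass rules lost quick and sit before the default deny, not a statement about what changed in 25.11.

```python
"""Compare two pfSense rulesets (pfctl -sr style text) and work out which rule
wins for a given inbound packet, so a "default deny" hit can be explained."""
import re
from typing import Dict, List, Optional

# Constructed sample dumps in the style of `pfctl -sr`. Interface igc0, the WAN
# address 203.0.113.10 and the table contents are hypothetical, not from the thread.
WORKING_RULESET = """\
block drop in log quick inet from <pfB_Deny_v4> to any label "USER_RULE: pfB_Deny_v4" ridentifier 1770000001
block drop in log inet all label "Default deny rule IPv4"
pass in quick on igc0 inet proto tcp from any to 203.0.113.10 port = 80 flags S/SA keep state label "USER_RULE: HAProxy 80" ridentifier 1770000002
pass in quick on igc0 inet proto tcp from any to 203.0.113.10 port = 443 flags S/SA keep state label "USER_RULE: HAProxy 443" ridentifier 1770000003
"""
# Invented "broken" state: the HAProxy rules are no longer quick and precede the default deny.
BROKEN_RULESET = """\
block drop in log quick inet from <pfB_Deny_v4> to any label "USER_RULE: pfB_Deny_v4" ridentifier 1770000001
pass in on igc0 inet proto tcp from any to 203.0.113.10 port = 80 flags S/SA keep state label "USER_RULE: HAProxy 80" ridentifier 1770000002
pass in on igc0 inet proto tcp from any to 203.0.113.10 port = 443 flags S/SA keep state label "USER_RULE: HAProxy 443" ridentifier 1770000003
block drop in log inet all label "Default deny rule IPv4"
"""
TABLES = {"pfB_Deny_v4": {"198.51.100.7"}}            # constructed table contents
HTTPS_PKT = {"dir": "in", "iface": "igc0", "proto": "tcp",
             "src": "198.51.100.20", "dst": "203.0.113.10", "dport": 443}

# Fields that legitimately differ between two dumps of the same rule set.
VOLATILE_RE = re.compile(r'\s*(?:ridentifier \d+|label "id:\d+")')
# Leading part of a pf rule line: action, direction, log, quick, interface, af, proto, hosts.
RULE_RE = re.compile(
    r'^(?P<action>pass|block(?: drop)?)'
    r'(?: (?P<dir>in|out)\b)?'
    r'(?P<log> log)?'
    r'(?P<quick> quick)?'
    r'(?: on (?P<iface>\S+))?'
    r'(?: (?P<af>inet6?))?'
    r'(?: proto (?P<proto>\S+))?'
    r'(?: all| from (?P<src>\S+)(?: port = (?P<sport>\d+))?'
    r' to (?P<dst>\S+)(?: port = (?P<dport>\d+))?)?'
)
LABEL_RE = re.compile(r'label "([^"]*)"')


def normalize(text: str) -> List[str]:
    """One rule per entry, with volatile identifiers removed."""
    return [VOLATILE_RE.sub("", ln).strip() for ln in text.splitlines() if ln.strip()]


def parse_rule(line: str) -> Dict[str, Optional[str]]:
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised rule syntax: {line!r}")
    r = {k: (v.strip() if v else None) for k, v in m.groupdict().items()}
    r["action"] = "block" if r["action"].startswith("block") else "pass"
    r["quick"] = r["quick"] is not None
    lab = LABEL_RE.search(line)
    r["label"] = lab.group(1) if lab else ""
    return r


def diff_rulesets(working: str, broken: str) -> Dict[str, object]:
    w, b = normalize(working), normalize(broken)
    return {
        "only_in_working": [r for r in w if r not in b],
        "only_in_broken": [r for r in b if r not in w],
        # True when the rules common to both sets appear in a different order.
        "order_changed": [r for r in w if r in b] != [r for r in b if r in w],
    }


def _host_matches(spec: Optional[str], addr: str, tables: Dict[str, set]) -> bool:
    if spec in (None, "any"):
        return True
    if spec.startswith("<") and spec.endswith(">"):       # table reference
        return addr in tables.get(spec[1:-1], set())
    return spec == addr


def winning_rule(ruleset: str, pkt: Dict, tables: Dict[str, set]) -> Optional[Dict]:
    """pf semantics: last matching rule wins, unless a matching rule is quick.
    Address family is ignored (the samples are all IPv4)."""
    winner = None
    for line in normalize(ruleset):
        r = parse_rule(line)
        if r["dir"] and r["dir"] != pkt["dir"]:
            continue
        if r["iface"] and r["iface"] != pkt["iface"]:
            continue
        if r["proto"] and r["proto"] != pkt["proto"]:
            continue
        if not _host_matches(r["src"], pkt["src"], tables):
            continue
        if not _host_matches(r["dst"], pkt["dst"], tables):
            continue
        if r["dport"] and int(r["dport"]) != pkt["dport"]:
            continue
        winner = r
        if r["quick"]:
            break
    return winner


def report(working: str, broken: str, pkt: Dict, tables: Dict[str, set]) -> str:
    d = diff_rulesets(working, broken)
    out = ["Rules only in working ruleset:"] + [f"  {r}" for r in d["only_in_working"]]
    out += ["Rules only in broken ruleset:"] + [f"  {r}" for r in d["only_in_broken"]]
    for name, rs in (("working", working), ("broken", broken)):
        w = winning_rule(rs, pkt, tables)
        verdict = f"{w['action']} ({w['label']})" if w else "no match"
        out.append(f"{name}: inbound {pkt['proto']} to {pkt['dst']}:{pkt['dport']} -> {verdict}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(WORKING_RULESET, BROKEN_RULESET, HTTPS_PKT, TABLES))
```

To use it on real dumps, replace the two constructed strings with the output of pfctl -sr saved in each state; rules whose syntax the small regex does not cover (for example scrub or nat lines) raise a ValueError rather than being silently mis-evaluated, so trim the dump to filter rules first.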
@marcosm Two files have been uploaded. The version numbers are in the file names.
Thanks