No outbound traffic after upgrading 2.2 -> 2.3
-
After performing the first 2.2 -> 2.3 upgrade, all my IPsec clients' traffic directed outside is being blocked. I can successfully establish a VPN connection and I can access the local LAN machines, but there is no outbound traffic. Outbound firewall rules are there: I tried automatic and manual, but no luck. Firewall logs show a successful DNS query and that's it. What could be the cause?
Thanks!
-
Here is a traffic capture taken while trying to traceroute google.com from a mobile client:
12:44:58.342297 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.50301 > 192.168.112.1.53: UDP, length 39
12:44:58.356951 (authentic,confidential): SPI 0x0f9348f0: IP 192.168.112.1.53 > 192.168.114.1.50301: UDP, length 55
12:44:58.451584 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
12:44:59.502230 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
12:45:00.522433 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
12:45:00.902535 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56678 > 17.167.194.232.443: tcp 0
12:45:01.122549 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56679 > 17.167.194.180.443: tcp 0
12:45:01.482605 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56680 > 17.167.194.203.443: tcp 0
12:45:01.482655 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
12:45:01.641769 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56681 > 17.167.194.179.443: tcp 0
12:45:01.942641 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56682 > 17.167.194.119.443: tcp 0
12:45:02.151136 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56683 > 17.167.194.152.443: tcp 0
12:45:02.450459 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56684 > 17.167.192.180.443: tcp 0
12:45:02.458415 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
12:45:02.671127 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56685 > 17.167.194.177.443: tcp 0
12:45:03.512175 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
12:45:05.512765 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
The pfSense box is 192.168.112.1 and acts as DNS.
As you can see, traffic between subnets is OK. Also, mobile > WAN packets are not filtered.
However, packets from the WAN to the client are not there. Any idea on what could be wrong?
Thanks!
-
If it was working in 2.2.x, you probably need to enable the Unity plugin. Go to VPN > IPsec, Advanced tab, enable Unity there, then disconnect and reconnect your client. Check the Unity note here:
https://doc.pfsense.org/index.php/Upgrade_Guide#Removed_features_that_are_disabled_on_upgrade
-
That was the problem! After re-enabling the Unity plugin, traffic is finally back as before.
Thank you for your help.
-
I was setting up my first VPN today with pfSense 2.3 and had a similar problem (I could access any machine on the LAN, but I couldn't route anything to the Internet). I turned on the Unity plugin and things appeared to be working on the client; however, I suspect they weren't working correctly. If you look at Status > IPsec and then "show child SA entries", on the right side you will see Bytes-In and Bytes-Out. When I turned on the Unity plugin, Bytes-Out was zero as long as I tried to access anything on the Internet. It only increased when I accessed a machine on the LAN. My guess is the Unity plugin directed the client to route Internet traffic locally instead of over the VPN. Since I'm a complete noob with IPsec I don't know that my conclusion is correct at all. However, I'm guessing something wasn't right...
After playing around and trying a lot of different settings I found a setting that seems to work, but I don't know what it's really doing (I saw this in someone else's configuration). In the Phase 2 settings there is an option for "Local Network". If I set this to "Network" with 0.0.0.0/0, the VPN appears to work, and Bytes-Out increments on the Status page (after turning off the Unity plugin).
Again, I'm a complete noob with IPsec so I'm not sure what I did by setting the Local Network to 0.0.0.0/0. Could someone who understands this better explain? So far the only way the VPN appears to work (for me) is by either enabling the Unity plugin or by setting the Local Network to 0.0.0.0/0. I'm not sure which is better, or if I should turn off both options and keep looking at other settings.
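The capture in the second post shows the pattern by eye: every client packet leaves on SPI 0xcaf0f9ef, but only the DNS exchange with the pfSense box ever gets a reply. The script below is an added example (not pfSense or strongSwan code, and not posted by anyone in this thread) that makes that check mechanical and ties it to the "Local Network" question in the last post: it parses tcpdump-style ESP lines, lists client flows that never saw a reply, and then tests whether the reply packet (Internet host -> client) would fall inside the pfSense-side Phase 2 traffic selector. IPsec only places a packet into a child SA whose selectors cover its source and destination, so a reply from 199.27.76.73 to 192.168.114.1 cannot enter the tunnel when the local selector is the LAN only, but does when it is 0.0.0.0/0. The sample capture is a constructed subset of the lines posted above, and the LAN (192.168.112.0/24) and mobile client pool (192.168.114.0/24) are assumptions taken from the addresses in it.

```python
"""Spot one-way flows in an IPsec capture and check whether a pfSense
Phase 2 "Local Network" selector would cover the missing replies.

Added example for this thread, not pfSense or strongSwan code. The
capture is constructed from a subset of the posted lines (same tcpdump
format); LAN and client pool are assumed from the addresses in it.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format of the posted capture.
CAPTURE = """\
12:44:58.342297 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.50301 > 192.168.112.1.53: UDP, length 39
12:44:58.356951 (authentic,confidential): SPI 0x0f9348f0: IP 192.168.112.1.53 > 192.168.114.1.50301: UDP, length 55
12:44:58.451584 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
12:44:59.502230 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
12:45:00.902535 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56678 > 17.167.194.232.443: tcp 0
"""

CLIENT_POOL = "192.168.114.0/24"  # assumed mobile client address pool
LAN_NET = "192.168.112.0/24"      # assumed pfSense LAN (Phase 2 "Local Network")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \([^)]*\): SPI (?P<spi>0x[0-9a-f]+): IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<proto>\w+)"
)


def parse_capture(text):
    """Parse tcpdump-style ESP lines into dicts; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append({
                "spi": m["spi"], "proto": m["proto"].lower(),
                "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]),
            })
    return pkts


def one_way_flows(pkts, client_net):
    """Flows initiated by a client in client_net that never saw a reply.

    Returns sorted client-side 5-tuples (client_ip, client_port, remote_ip,
    remote_port, proto). A reply is any packet with the tuple reversed.
    """
    clients = ipaddress.ip_network(client_net)
    stats = defaultdict(lambda: {"in": 0, "out": 0})
    for p in pkts:
        if ipaddress.ip_address(p["src"]) in clients:
            key = (p["src"], p["sport"], p["dst"], p["dport"], p["proto"])
            stats[key]["out"] += 1
        elif ipaddress.ip_address(p["dst"]) in clients:
            key = (p["dst"], p["dport"], p["src"], p["sport"], p["proto"])
            stats[key]["in"] += 1
    return sorted(k for k, v in stats.items() if v["out"] and not v["in"])


def selector_covers(local_net, remote_net, src, dst):
    """IPsec encapsulates a packet into a child SA only if the SA's traffic
    selectors cover it. Seen from pfSense, local_net is the Phase 2 "Local
    Network" and remote_net the client pool; src/dst belong to the packet
    pfSense would have to send back into the tunnel."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(local_net)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(remote_net))


def uncovered_replies(flows, local_net, client_net):
    """One-way flows whose reply (remote -> client) the pfSense-side
    selectors would not cover, so it could never enter the tunnel."""
    return [f for f in flows
            if not selector_covers(local_net, client_net, f[2], f[0])]


if __name__ == "__main__":
    pkts = parse_capture(CAPTURE)
    flows = one_way_flows(pkts, CLIENT_POOL)
    for f in flows:
        print("no reply seen:", f)
    for local in (LAN_NET, "0.0.0.0/0"):
        missed = uncovered_replies(flows, local, CLIENT_POOL)
        print(f'Local Network {local}: {len(missed)} reply flow(s) outside the selector')
```

Run against the constructed sample, the DNS exchange with 192.168.112.1 is two-way and is not reported, while both Internet-bound TCP flows are one-way; their replies fall outside a LAN-only local selector and inside 0.0.0.0/0, which is the difference the last post observed in the Bytes-Out counter. Feed it the full capture from the post (or a fresh `tcpdump -ni enc0` from the pfSense box) by replacing CAPTURE.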