Netgate Discussion Forum

    Inbound NAT with Multi WAN broken with 21.02?

NAT
22 Posts 10 Posters 2.8k Views

Michael_Kappler:

@brians, @AdamMarie

Same here.

-> deleted all port forwarding & NAT rules (incoming and outgoing) and checked that all corresponding FW rules are also deleted -> reboot -> added new port forwarding rules with "add associated firewall rules" -> same behavior (not working if I'm not on the default gateway)
-> deleted again all port forwarding & NAT rules and checked that all corresponding FW rules are deleted -> added new port forwarding rules without "add associated firewall rules" -> added the firewall rules manually -> same behavior (not working if I'm not on the default gateway)

Even outbound NAT is not working if I'm not on the default gateway.

Even more: system update shows "unable to check for updates" because my SG-3100 is searching for armv7 packages, which definitely do not exist on the Netgate file server (checked this via browser and from the SSH console of the SG-3100).

Too bad. In the meantime I've switched my default gateway to the slow DSL connection (with static IP) so I have the chance to get my e-mail server up and running again. But now my 20x faster fiber connection is useless :-(

phatty:

Glad to see I am not alone on this. I had heard some OpenVPN client issues could be present, so when that failed at first I thought I was going to have to go down that hole. Then I started getting down notices for my external services. That is when I realized none of my NAT rules were working properly.

Dual WAN config like the others. It looks like deleting and adding rules back is not working for anyone else, so I guess we just sit and wait for a response?

For now I disabled CARP so that it would fail back to my older version unit.

Michael_Kappler:

Hmmm... I've seen that there is a hotfix (pfSense Plus 21.02-p1) for the NAT problem... Installed it, but still the same error :-(

Someone else who already installed the hotfix?

Michael

AdamMarie:

Hello.

I have not read the hotfix release notes, but the ticket for this NAT regression is not assigned yet / still open: https://redmine.pfsense.org/issues/11436

So I doubt it is corrected in the hotfix...
(and the post https://forum.netgate.com/topic/161058/nat-issue-after-21-02-upgrade/4 seems to confirm that the hotfix still has the problem)

For my setup, I will wait at least until this ticket is closed before trying the 21.02 branch again, as multi-WAN inbound is mandatory for me.

Adam

jeff.martin:

I am also seeing this problem, on an SG-4860 running 21.02-p1.
Dual WAN, and NAT only works on the default WAN.

Was hoping the hotfix would be the answer. Just installed it tonight, but it didn't fix the issue.

-Jeff

phatty @jeff.martin:

Has anyone contacted support on this? With enough people complaining in the forums I thought this would be an obvious and urgent issue to fix. I admit I haven't contacted support because my production environment required I quickly revert back to the old environment to keep things running. I figured that with everything downgraded, contacting support wouldn't be too useful other than to be another vote that this is a problem.

AdamMarie:

Hello,

It seems the community support was already contacted for this: ticket Regression 11436
Its priority is "very high" but the ticket has not yet been assigned since 17/02/2021.
And worse, the problem seems to begin with the 2.5 devel branch, reported in December 2020 and not corrected since.

@phatty I only have "community support" for my XG-7100 so can't contact the paid support for that problem. I have reverted to 2.4.5p1 as well.

I can't imagine paid support customers not using multi-WAN inbound, so maybe they got an exclusive hotfix from paid support?

Since this regression comes from 2.5 devel and was never corrected in the devel branch, this should have been a no-go for the pfSense+ 21.02 release on the stable channel...

Adam

null.oz:

Hi,

We also have the problem on a 2x XG-1537 cluster. This is very problematic.

Note that we have noticed a strange behavior with this bug. Simplified network topology:
FW2 (WAN IP) - Port fwd -> pfSense HA - Port fwd -> Srv.

The FW2 is our second WAN. Port forwarding from this second WAN therefore no longer works because of the bug. While performing tests with OpenVPN and netcat (in UDP only), here is what we found:

• The first packet sent by the client reaches the server (port forwarding therefore works)
• The return packet sent by the server reaches the client. So far so good
• From there, all packets sent by the client arrive at the pfSense cluster (we see them with tcpdump on the link with the FW2) but they disappear silently and are never transmitted to the server
• On the other hand, all the packets sent from the server to the client arrive at the client (which makes sense since the bug concerns port forwarding)

Hope this bug is fixed quickly.

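One way to confirm the pattern null.oz describes from two captures, as an added example that is not part of this thread and not pfSense code: it parses tcpdump-style one-line UDP summaries taken on the WAN-facing and the LAN-facing interface, counts per client endpoint how many packets addressed to the forwarded WAN socket entered and how many translated copies left towards the internal server, and reports clients whose forwarded count falls short (the "first packet passes, the rest vanish" symptom). All addresses, ports, the internal server 10.0.0.20 and the capture lines are constructed for illustration.

```python
import re
from collections import defaultdict

# tcpdump -n one-line UDP summary, e.g.
#   "12:00:00.000100 IP 203.0.113.10.51000 > 198.51.100.5.1194: UDP, length 42"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)


def parse(lines):
    """Yield (src, sport, dst, dport) for each line that looks like a UDP summary."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def audit_forward(wan_lines, lan_lines, wan_ip, wan_port, server_ip, server_port):
    """Count, per client endpoint, packets addressed to the forwarded WAN socket
    in the WAN-side capture and their translated copies (destination rewritten
    to the internal server) in the LAN-side capture.

    Returns {(client_ip, client_port): (seen_on_wan, seen_on_lan)} for every
    client whose packets were not all forwarded.
    """
    seen_on_wan = defaultdict(int)
    for src, sport, dst, dport in parse(wan_lines):
        if dst == wan_ip and dport == wan_port:
            seen_on_wan[(src, sport)] += 1

    seen_on_lan = defaultdict(int)
    for src, sport, dst, dport in parse(lan_lines):
        # A plain port forward keeps the client's source address, so the
        # LAN-side copy differs only in its destination.
        if dst == server_ip and dport == server_port:
            seen_on_lan[(src, sport)] += 1

    return {
        client: (n, seen_on_lan.get(client, 0))
        for client, n in seen_on_wan.items()
        if seen_on_lan.get(client, 0) < n
    }


# Constructed captures (hypothetical): 198.51.100.5 stands in for the second
# WAN address, 10.0.0.20 for the internal OpenVPN server; two clients send
# UDP/1194. Only the first packet from .10 reaches the server; both from .11 do.
WAN_CAPTURE = """\
12:00:00.000100 IP 203.0.113.10.51000 > 198.51.100.5.1194: UDP, length 42
12:00:00.000900 IP 198.51.100.5.1194 > 203.0.113.10.51000: UDP, length 54
12:00:01.000100 IP 203.0.113.10.51000 > 198.51.100.5.1194: UDP, length 42
12:00:02.000100 IP 203.0.113.10.51000 > 198.51.100.5.1194: UDP, length 42
12:00:03.000100 IP 203.0.113.11.40000 > 198.51.100.5.1194: UDP, length 42
12:00:04.000100 IP 203.0.113.11.40000 > 198.51.100.5.1194: UDP, length 42
""".splitlines()

LAN_CAPTURE = """\
12:00:00.000200 IP 203.0.113.10.51000 > 10.0.0.20.1194: UDP, length 42
12:00:00.000800 IP 10.0.0.20.1194 > 203.0.113.10.51000: UDP, length 54
12:00:03.000200 IP 203.0.113.11.40000 > 10.0.0.20.1194: UDP, length 42
12:00:04.000200 IP 203.0.113.11.40000 > 10.0.0.20.1194: UDP, length 42
""".splitlines()


def demo():
    """Run the audit over the constructed captures."""
    return audit_forward(WAN_CAPTURE, LAN_CAPTURE,
                         "198.51.100.5", 1194, "10.0.0.20", 1194)


if __name__ == "__main__":
    for (ip, port), (on_wan, on_lan) in demo().items():
        print(f"{ip}:{port}: {on_wan} packets entered on WAN, {on_lan} left on LAN")
```

Run tcpdump -n on both interfaces for the same test window, feed the two files to audit_forward, and a healthy forward reports nothing; a client that shows up with a WAN count above its LAN count is exactly the silently dropped flow described above, which separates a firewall-side problem from a server-side one before anyone touches rules.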
nazgulix:

Hi,
I have the same problem with SG-5100 and 21.02. Tried to install 2.4 but there is no download link on the Netgate website. Why no comment from Netgate about this issue? Multiple WAN isn't uncommon these days.... so it affects lots of people.
Adam

phatty @nazgulix:

@nazgulix If you contact support they will provide you a link to download the 2.4 firmware.

Also, assuming your NAT rules are focused on your primary WAN, if you set the pfSense default routing to your primary WAN instead of auto, things will work.

It is really disappointing that such a bug was allowed to be released on a so-called stable release. I also ran into an issue with OpenVPN not liking my CA certificate, causing me to downgrade security requirements to authenticate my users for the time being.

The band-aid of updating pfSense routing does work in my environment as I had hard-coded NAT items to use my fiber WAN vs. the cable modem.

nazgulix @phatty:

@phatty Thanks for the hint with the default gateway. Unfortunately I have both "primary" WANs and there are different NATs on each of them. I found a pen drive with 2.4 but it didn't install (some kernel errors), don't have time for it now. Simply put the SG-5100 on the shelf and install fresh 2.4 on a PC with 6 NICs. And will wait for a fix from Netgate.

Like you said, that release is called "plus" and it is supposed to be stable, but for now it's pfSense plus bugs... :(

AdamMarie:

Hello,

Just a little bit of patience, the ticket for this problem is in progress and is now assigned: Regression #11436

Seeing the target version for the correction (2.5.1) it seems there will be no "hotfix" and we will probably need to wait for the release of 2.5.1 (21.03 in pf+? maybe 21.04? ^^)

Adam

AdamMarie:

Hi,

I must say I'm pretty disappointed by a "professional" firewall vendor...
The ticket for that "problem" is not really progressing (only people saying +1 "I got the same problem in xxx/same situation").

Until this regression is corrected, and given that recently I have read this news (external phoronix link), I think I may wait for pfSense to switch to FreeBSD 13.0(.1) before trying again the so-called "stable" 21.02 (21.XX, because it's supposed to be versioned by date if I'm not wrong) branch on my XG-7100 firewall.
I suggest everyone who has the problem do the same (unless you have a "lab" and time to help the support, of course ^^).
Adam

Axm:

I've been breaking my head over this..

Our site in France using an SG-3100 that also uses multi-WAN has the same issue!

Michael_Kappler:

Two months later without any fix. My customers are getting more and more impatient.

I now have to tell them to switch to a professionally supported platform, as I will do now. Giving Sophos a chance now.

So:
"Goodbye Netgate" -> "Hello professionally supported appliances" !!!

Hope everyone staying with Netgate gets a fix someday.

Bye,
Michael

CaliPilot @Michael_Kappler:

@michael_kappler

https://redmine.pfsense.org/issues/11436#note-56

FYI

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.