Netgate Discussion Forum

    Inbound NAT with Multi WAN broken with 21.02?

    Category: NAT
    22 Posts 10 Posters 3.0k Views 13 Watching
      AdamMarie:

      Hello,

      It seems the community support was already contacted for this: ticket Regression 11436
      Its priority is "very high" but the ticket has not yet been assigned since 17/02/2021.
      And worse, the problem seems to begin with the 2.5 devel branch, reported in December 2020 and not corrected since.

      @phatty I only have "community support" for my XG-7100 so I can't contact the paid support for that problem. I have reverted to 2.4.5p1 as well.

      I can't imagine paid support customers not using multi-WAN inbound, so maybe they got an exclusive hotfix from paid support?

      Since this regression comes in 2.5 devel and was never corrected in the devel branch, this should have been a no-go for the pfSense+ 21.02 release on the stable channel...

      Adam

        null.oz:

        Hi,

        We also have the problem on a 2x XG-1537 cluster. This is very problematic.

        Note that we have noticed a strange behavior with this bug. Simplified network topology:
        FW2 (WAN IP) - Port fwd -> pfSense HA - Port fwd -> Srv.

        FW2 is our second WAN. Port forwarding from this second WAN therefore no longer works because of the bug. While performing tests with OpenVPN and netcat (UDP only), here is what we found:

        • The first packet sent by the client reaches the server (port forwarding therefore works)
        • The return packet sent by the server reaches the client. So far so good
        • From there, all packets sent by the client arrive at the pfSense cluster (we see them with tcpdump on the link with FW2) but they disappear silently and are never transmitted to the server
        • On the other hand, all the packets sent from the server to the client arrive at the client (which makes sense since the bug concerns port forwarding)

        Hope this bug is fixed quickly.

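The symptom null.oz describes (client packets seen on the FW2 link but never reaching the server after the first reply) can be checked mechanically by comparing a WAN-side and a LAN-side capture per client flow. This is an added example, not code from the thread or from pfSense; the capture lines, addresses and ports are constructed, and the tcpdump line format is simplified to the `IP src.port > dst.port: PROTO` prefix.

```python
import re
from collections import Counter

# Constructed tcpdump-style lines (not real captures from the thread).
# WAN-side capture on the link to FW2: three forwards from the client, one reply back.
WAN_CAPTURE = """\
IP 203.0.113.10.40000 > 198.51.100.5.1194: UDP, length 54
IP 198.51.100.5.1194 > 203.0.113.10.40000: UDP, length 66
IP 203.0.113.10.40000 > 198.51.100.5.1194: UDP, length 54
IP 203.0.113.10.40000 > 198.51.100.5.1194: UDP, length 54
"""
# LAN-side capture on the server's segment: only the first forward was translated and delivered.
LAN_CAPTURE = """\
IP 203.0.113.10.40000 > 192.168.1.20.1194: UDP, length 54
IP 192.168.1.20.1194 > 203.0.113.10.40000: UDP, length 66
"""

LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): (\w+)")

def parse(capture):
    """Yield (src_ip, src_port, dst_ip, dst_port, proto) for each tcpdump-style line."""
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)

def count_by_source(capture):
    """Count packets per (src_ip, src_port). The port forward rewrites the destination,
    so the client's source endpoint is the stable key on both sides of the firewall."""
    return Counter((s, sp) for s, sp, _, _, _ in parse(capture))

def stalled_forwards(wan_capture, lan_capture, client):
    """Return {client_endpoint: (seen_on_wan, seen_on_lan)} for flows from `client`
    that were seen on the WAN side more often than they were delivered on the LAN side."""
    wan = count_by_source(wan_capture)
    lan = count_by_source(lan_capture)
    return {ep: (n, lan.get(ep, 0)) for ep, n in wan.items()
            if ep[0] == client and lan.get(ep, 0) < n}

if __name__ == "__main__":
    for (ip, port), (w, l) in stalled_forwards(WAN_CAPTURE, LAN_CAPTURE, "203.0.113.10").items():
        print(f"{ip}:{port}: {w} packets on WAN side, {l} forwarded to LAN ({w - l} dropped)")
```

A healthy port forward yields an empty result; the pattern in the thread shows up as a flow with one delivered packet and every later forward missing.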
          nazgulix:

          Hi,
          I have the same problem with an SG-5100 and 21.02. Tried to install 2.4 but there is no download link on the Netgate website. Why no comment from Netgate about this issue? Multiple WANs aren't uncommon these days... so it affects lots of people.
          Adam

            phatty @nazgulix:

            @nazgulix If you contact support they will provide you with a link to download the 2.4 firmware.

            Also, assuming your NAT rules are focused on your primary WAN, if you set the pfSense default routing to your primary WAN instead of auto, things will work.

            It is really disappointing that such a bug was allowed to be released on a so-called stable release. I also ran into an issue with OpenVPN not liking my CA certificate, causing me to downgrade security requirements to authenticate my users for the time being.

            The band-aid of updating the pfSense routing does work in my environment, as I had hard-coded NAT items to use my fiber WAN vs the cable modem.

              nazgulix @phatty:

              @phatty Thanks for the hint with the default gateway. Unfortunately I have two "primary" WANs and there are different NATs on each of them. I found a pen drive with 2.4 but it didn't install (some kernel errors), and I don't have time for it now. I'll simply put the SG-5100 on the shelf and install a fresh 2.4 on a PC with 6 NICs. And will wait for a fix from Netgate.

              Like you said, that release is called "plus" and it's supposed to be stable, but for now it's pfSense plus bugs... :(

                AdamMarie:

                Hello,

                Just a little bit of patience, the ticket for this problem is in progress and is now assigned: Regression #11436

                Seeing the target version for the correction (2.5.1), it seems there will be no "hotfix" and we will probably need to wait for the release of 2.5.1 (21.03 in pf+? maybe 21.04? ^^)

                Adam

                  AdamMarie:

                  Hi,

                  I must say I'm pretty disappointed by a "professional" firewall vendor...
                  The ticket for that "problem" is not really progressing (only people saying +1, "I've got the same problem in xxx/same situation").

                  Until this regression is corrected, and given that I recently read This news (external phoronix link), I think I may wait for pfSense to switch to FreeBSD 13.0(.1) before trying again the so-called "stable" 21.02 branch (21.XX, because it's supposed to be versioned by date if I'm not wrong) on my XG-7100 firewall.
                  I suggest everyone who has the problem do the same. (Unless you have a "lab" and time to help the support, of course ^^)
                  Adam

                    Axm:

                    I've been breaking my head over this...

                    Our site in France using an SG-3100 that also uses multi-WAN has the same issue!

                      Michael_Kappler:

                      Two months later without any fix. My customers are getting more and more impatient.

                      I now have to tell them to switch to a professionally supported platform, as I will do now. Giving Sophos a chance now.

                      So:
                      "Goodbye Netgate" -> "Hello professionally supported appliances"!!!

                      Hope everyone staying at Netgate gets a fix someday.

                      Bye,
                      Michael

                        CaliPilot @Michael_Kappler:

                        @michael_kappler

                        https://redmine.pfsense.org/issues/11436#note-56

                        FYI
