pfSense 2.5.1 multi-WAN routing trouble
-
ok. this really has become a problem, i have tried a number of things but i need to revert back to 2.5.0.
Is the config.xml backward compatible with 2.5.0 ?
Can i simply re-install and restore the 2.5.1 xml?
-
@gwaitsi I am unable to answer your question. As I backup my configuration nighly on a server in my LAN, I did just roll back to the last configuration before going to 2.5.1.
The biggest problem in my view is that the Netgate team does not communicate at all about perspectives to resolve this. The choice now is either no real multi-WAN or a risky version of OpenSSL.
I did make a trip to the other end of my VPN to downgrade there to get everything working again. My personal next step will be to move from CARP-HA to two single routers and then convert one in the stack to OPNsense. It might be safer to have two options.
-
@gwaitsi for me, revert did not work. Did clean install
-
@gwaitsi Hi. The config should be backwards compatible. I have done this and imported my backup from 2.5 to 2.4.5 p1. However this was not on my production unit but my testlab pfSense. It did work but my Openvpn clients were messed up and my routing groups were not working properly. I had to manually fix that. Again, this was just an exercise for me and not something I will do on my production unit.
As always I have backups before I upgrade so in the end I just installed 2.4.5 p1 on my production unit and restored the config from that version.
-
I think with the attitude they have PfSense is https://www.youtube.com/watch?v=tH2w6Oxx0kQ
-
@peterzy i haven't given up on them, but when they say it is a kernel fix and can't be deployed as a patch, given the severity, it is very disheartening to see they don't release 2.5.1p1 to fix this issue.
Have started looking at untangle, but that is not a fair comparison because you have to pay to get the same features that are including in pfsense CE.
-
@gwaitsi said in pfSense 2.5.1 multi-WAN routing trouble:
2.5.1p1 to fix this issue.
It seems there is a 2.5.2 in the pipeline:
-
@gwaitsi Mostly the problem is with OpenVPN not beeing compatible.
Edit the config.xml en remove the OpenVPN sections. Only thing left to do after installing is recreating OpenVPN.
If it still won't work, also remove the packages sections. -
@fireodo Great spotting that!
-
@gwaitsi Hi. I have looked and testen Untangle as-well after this whole fiasco with Netgate. Unfortunately I could not get multi-wan port forwarding with OpenVPN to work there and from what I have read on their forums others have failed there as well. Besides They ask a lot of money if you want to have Wireguard...150 USD a year! Wtf
For the scenario I have I still believe pfSense is the best there is. Now I just wait for the next version which will fix the bugs we have and in the meantime I enjoy the stability and performance of 2.4.5 p1.
-
@fireodo said in pfSense 2.5.1 multi-WAN routing trouble:
It seems there is a 2.5.2 in the pipeline:
This would be good news!
-
They have a fix already: https://reviews.freebsd.org/R10:41063b40168b69b38e92d8da3af3b45e58fd98ca . The problem is that they did not fix it for the CE version.
-
I'm sure not everybody in my situation, by I have a few OpenVPN clients configured on the router and a single real WAN Gateway.
I ran into the problem reported here and after some troubleshooting I noticed that OpenVPN was adding a route to "0.0.0.0/1". Once I manually removed it, "route del 0.0.0.0/1" I noticed that my NAT started working. After further research I noticed that once of my OpenVPN Clients didn't have the "Don't pull routes" checked. After fixing this the issue is gone.
Hopefully this will help at least a few of those that are hitting this painful bug.
-
@geniepro Hi! That is great news! I have a couple of questions:
- does it survive a reboot?
- does port forwarding from your OpenVPN client now work?
Thank you for your help.
-
@vjizzle, no need to reboot anything, all I needed was NAT to form for the real WAN. I use OpenVPN only for some devices in my network to connect to the internet - bypass the ISP traffic sniffing.
If you have a single OpenVPN client, or you need NAT for a single OpenVPN connection, you could maybe manually add a route, something like "route add 0.0.0.0/1 XXX.XXX.XXX" pretty much you need to update your routes to have your connection that you want to NAT to be the default one. I don't know if there is an option to adjust the routes form GUI, or only through SSH.
-
@geniepro Thank you so yeah we can do a lot of stuff manually but still it does not solve the multiwan portforwarding issue we have. Will wait further when Netgate pleases to release an update for that bug.
-
@digdug3 I just noticed the same issue after upgradeing to 2.5.1. I have automated speed tests running and each interface and it stopped working on all except the current default getway.
-
@sschueller Hail Bro... I've solve this issue installing the 2.6 (experimental version). In my case, I've been installed the update of FreeRadius, and all WANS become to works perfect as ussualy. G. Luck !
-
So, I bit the bullet and upgraded to 2.60 dev. It was causing too many issues. So far so good.
- edit * I can confirm after a few days, all my post 2.5.1 issues are resolved, and I am back to where I was with 2.5.0. As much as I am appreciative of the efforts by all the developers and netgate for making the software available as open source (although I note it is also in their interests), it is unfathomable that an emergency release was not made to fix this, given the severity of the issue. I am just a simple home user with some redundant wan and vpn connections. I can't imagine the impact on an actual small business user. Even youtube videos were stuttering and repeating portions after the 2.5.1 upgrade, but that has all been resolved.
-
So Netgate made the decision to release 2.5.2. But first there will be a pfsense+ release and then after some weeks the pfsense ce release. This sadly confirms that pfsense CE users are treated like second-class citizens. But I am glad they are listening to the community and putting in effort for 2.5.2, although they should have figured this out themselves immediately as it happened.
Anyone test the 2.5.2 snapshot releases yet?