Roll Back? After Upgrade to PFSENSE 2.5.1 NAT, Rules, stopped working.
-
Hi,
Just upgraded on Friday to 2.5.1, spent the weekend trying to fix it without success. Moved to RC 2.5.2 and things seem to work better but still having some inbound traffic.
Is there a quick way to roll back to 2.4.x?
Thank you.
-
Do you have multiple WANs? It does look like 2.5.2 will have a fix for that.
To answer your question the way to go backwards is to install 2.4.5 as new, and then restore your configuration backup from that version.
-
Yeah, that is fixed in 2.5.2. What's not working for you in 2.5.2-RC? That is going to go to release very soon, everything there should be working in the current RC.
The only way to go back to 2.4.5p1 is to reinstall and restore your backup config from before the upgrade. Unless you are running virtual and have a snapshot of course.
Steve
-
@steveits Yes. Multiple WAN.
-
If we don't know what's broken we can't fix it, so if you're still seeing an issue in 2.5.2-RC we need to know what that is if you want it to be fixed in the 2.5.2 release.
Steve
-
@stephenw10 said in Roll Back? After Upgrade to PFSENSE 2.5.1 NAT, Rules, stopped working.:
> Yeah, that is fixed in 2.5.2. What's not working for you in 2.5.2-RC? That is going to go to release very soon, everything there should be working in the current RC.
> The only way to go back to 2.4.5p1 is to reinstall and restore your backup config from before the upgrade. Unless you are running virtual and have a snapshot of course.
> Steve

We have a CISCO router doing an IPSEC tunnel and a rule on PFSENSE to route into the correct WAN. Rules forwarding it to a particular Gateway (WAN not the default) are blocking traffic.
-
Ok, so that's outbound traffic with policy routing to the Cisco gateway?
Is that on a separate interface?
And you are actually seeing that traffic blocked somewhere rather than just incorrectly routed?
What is actually blocked?
Steve
-
- 3 WAN interfaces (WY (default gateway), WX, WZ)
- 1 LAN
- IPSEC Tunnel from (Exit IP from WZ) to Host B (HB)
Cisco Device -> LAN -> PfSense -> HB ... HB -> WZ -> LAN -> Cisco Device
Rules are:
- All IPv4 from Cisco Device in LAN interface will go out on Gateway WZ
- All IPv4 from HB in Gateway WZ will go to Cisco Device
I have a packet capture.
We can test during next weekend (maybe tonight - Europe CET) what's blocked. Right now we have a workaround that makes WZ the default gateway while we sort out how to fix it.
Any particular information you need us to collect?
Miguel.
-
Ok, so you have both outbound policy routing and a port forward in the other direction.
So the IPSec tunnel can establish in either direction. Which way does it actually establish? Both?
Is it failing to establish at all in 2.5.2?
I would not expect to require both of those. Certainly the tunnel will only use one to create the states, though it could use either if it's a site-to-site tunnel.
If it's actually blocking traffic what do the firewall logs look like? What rule is blocking?
Check the state table. Do you see states on the wrong interfaces?
Steve