4. No outbound traffic after upgrading 2.2 -> 2.3

No outbound traffic after upgrading 2.2 -> 2.3

  • M

    After performing the first 2.2 -> 2.3 upgrade, all my IPSec clients' traffic directed outside is being blocked. I can successfully establish a VPN connection and I can access the local LAN machines but there is no outbound traffic. Outbound firewall rules are there: I tried automatic and manual, but no luck. Firewall logs show a successful inquiry of the DNS and that's it. What could be the cause?

    Thanks!

    0
  • M

    Here it is a traffic capture when trying to trace route google.com from a mobile client:

    12:44:58.342297 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.50301 > 192.168.112.1.53: UDP, length 39
    12:44:58.356951 (authentic,confidential): SPI 0x0f9348f0: IP 192.168.112.1.53 > 192.168.114.1.50301: UDP, length 55
    12:44:58.451584 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
    12:44:59.502230 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
    12:45:00.522433 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
    12:45:00.902535 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56678 > 17.167.194.232.443: tcp 0
    12:45:01.122549 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56679 > 17.167.194.180.443: tcp 0
    12:45:01.482605 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56680 > 17.167.194.203.443: tcp 0
    12:45:01.482655 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
    12:45:01.641769 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56681 > 17.167.194.179.443: tcp 0
    12:45:01.942641 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56682 > 17.167.194.119.443: tcp 0
    12:45:02.151136 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56683 > 17.167.194.152.443: tcp 0
    12:45:02.450459 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56684 > 17.167.192.180.443: tcp 0
    12:45:02.458415 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
    12:45:02.671127 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56685 > 17.167.194.177.443: tcp 0
    12:45:03.512175 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
    12:45:05.512765 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0

    The pfsense box is 192.168.112.1 and acts as DNS.
    As you can see, traffic between subnets is OK. Also mobile > wan packets are not filtered.
    However, packets from the WAN to the client are not there.

    Any idea on what could be wrong?

    Thanks!

    0
  • C

    If it was working in 2.2.x, you probably need to enable the Unity plugin. VPN>IPsec, Advanced, enable Unity there then disconnect and reconnect your client. Check the Unity note here.
    https://doc.pfsense.org/index.php/Upgrade_Guide#Removed_features_that_are_disabled_on_upgrade

    0
  • M

    That was the problem! After re-enabling the Unity plugin, traffic is finally back as before.
    Thank you for your help.

    0
  • M

    I was setting up my first VPN today with pfsense 2.3 and had a similar problem (I could access any machine on the LAN, but I couldn't route anything to the Internet).  I turned on the Unity plug-in and things appeared to be working on the client, however, I suspect they weren’t working correctly.  If you look at Status->IPSec and then “show child SA entries”, on the right side you will see Bytes-In and Bytes-Out.  When I turned on the Unity Plug-in, Bytes-Out was zero as long as I tried to access anything on the Internet.  It only increased when I accessed a machine on the LAN.  My guess is the Unity Plugin directed the client to route Internet traffic locally instead of over the VPN.  Since I’m a complete noob with IPSec I don’t know that my conclusion is correct at all.  However, I’m guessing something wasn’t right…

    After playing around and trying a lot of different setting I found a setting that seems to work, but I don’t know what it’s really doing (I saw this in someone else's configuration).  In the Phase 2 settings there is an option for “Local Network”.  If I set this to “Network” of 0.0.0.0/0 the VPN appears to work, and the Bytes-Out increment on the Status page (after turning off the Unity Plugin).

    Again, I’m a complete noob with IPSec so I’m not sure what I did by setting the Local Network to 0.0.0.0/0.  Could someone that understands this better explain?  So far the only way the VPN appears to work (for me) is by either setting the Unity Plug-In or by setting the Local Network to 0.0.0.0/0.  I’m not sure which is better, or if I should turn off both options and keep looking at other settings.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy