No outbound traffic after upgrading 2.2 -> 2.3



  • After performing the first 2.2 -> 2.3 upgrade, all my IPSec clients' traffic directed outside is being blocked. I can successfully establish a VPN connection and I can access the local LAN machines but there is no outbound traffic. Outbound firewall rules are there: I tried automatic and manual, but no luck. Firewall logs show a successful inquiry of the DNS and that's it. What could be the cause?

    Thanks!



  • Here is a traffic capture when trying to traceroute google.com from a mobile client:

    12:44:58.342297 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.50301 > 192.168.112.1.53: UDP, length 39
    12:44:58.356951 (authentic,confidential): SPI 0x0f9348f0: IP 192.168.112.1.53 > 192.168.114.1.50301: UDP, length 55
    12:44:58.451584 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
    12:44:59.502230 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
    12:45:00.522433 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
    12:45:00.902535 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56678 > 17.167.194.232.443: tcp 0
    12:45:01.122549 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56679 > 17.167.194.180.443: tcp 0
    12:45:01.482605 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56680 > 17.167.194.203.443: tcp 0
    12:45:01.482655 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
    12:45:01.641769 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56681 > 17.167.194.179.443: tcp 0
    12:45:01.942641 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56682 > 17.167.194.119.443: tcp 0
    12:45:02.151136 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56683 > 17.167.194.152.443: tcp 0
    12:45:02.450459 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56684 > 17.167.192.180.443: tcp 0
    12:45:02.458415 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
    12:45:02.671127 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56685 > 17.167.194.177.443: tcp 0
    12:45:03.512175 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
    12:45:05.512765 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0

    The pfSense box is 192.168.112.1 and acts as the DNS server.
    As you can see, traffic between subnets is OK. Also, mobile > WAN packets are not filtered.
    However, packets from the WAN to the client are not there.

    Any idea on what could be wrong?

    Thanks!
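    The capture above shows the symptom in one direction only: the DNS query to the pfSense box is answered, but every TCP SYN to an Internet address goes out over the SA and nothing comes back. The script below is an added example (not code from the thread or from pfSense) that parses exactly this tcpdump-on-enc0 line format, pairs packets into flows, and reports the flows whose destination is outside the local networks and that never saw a reply. The sample lines are copied from the post; the `LOCAL_NETS` list (192.168.112.0/24 for the LAN and 192.168.114.0/24 for the mobile clients) is inferred from the addresses in the post and is an assumption, as are all helper names.

```python
"""Find one-way (unanswered) flows in a tcpdump-style IPsec capture.

Added example for the thread; the line format matches the capture quoted
in the post. LOCAL_NETS is an assumption derived from the addresses shown.
"""
import ipaddress
import re
from collections import defaultdict

# Sample lines copied from the post (constructed input for this example).
CAPTURE = """\
12:44:58.342297 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.50301 > 192.168.112.1.53: UDP, length 39
12:44:58.356951 (authentic,confidential): SPI 0x0f9348f0: IP 192.168.112.1.53 > 192.168.114.1.50301: UDP, length 55
12:44:58.451584 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
12:44:59.502230 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
12:45:00.522433 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
12:45:00.902535 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56678 > 17.167.194.232.443: tcp 0
12:45:01.122549 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56679 > 17.167.194.180.443: tcp 0
12:45:01.482605 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56680 > 17.167.194.203.443: tcp 0
12:45:01.482655 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
12:45:01.641769 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56681 > 17.167.194.179.443: tcp 0
12:45:01.942641 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56682 > 17.167.194.119.443: tcp 0
12:45:02.151136 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56683 > 17.167.194.152.443: tcp 0
12:45:02.450459 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56684 > 17.167.192.180.443: tcp 0
12:45:02.458415 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
12:45:02.671127 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56685 > 17.167.194.177.443: tcp 0
12:45:03.512175 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
12:45:05.512765 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
"""

# Assumed: LAN behind pfSense and the mobile-client pool, per the post's addresses.
LOCAL_NETS = ["192.168.112.0/24", "192.168.114.0/24"]

# One capture line: timestamp, ESP flags, SPI, then "src.port > dst.port: proto ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) \((?P<flags>[^)]*)\): SPI (?P<spi>0x[0-9a-fA-F]+): "
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<proto>[A-Za-z]+)"
)


def parse_capture(text):
    """Return one dict per parseable packet line; unknown lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        packets.append({
            "ts": m["ts"], "spi": m["spi"],
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "proto": m["proto"].lower(),
        })
    return packets


def flow_key(pkt):
    """Direction-independent key so a packet and its reply land in one flow."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return (pkt["proto"],) + (a + b if a <= b else b + a)


def summarize_flows(packets):
    """Count packets per flow in the initiator's direction (fwd) and back (rev)."""
    flows = defaultdict(lambda: {"initiator": None, "fwd": 0, "rev": 0})
    for p in packets:
        f = flows[flow_key(p)]
        if f["initiator"] is None:  # first packet seen defines the initiator
            f["initiator"] = (p["src"], p["sport"], p["dst"], p["dport"])
        if (p["src"], p["sport"]) == f["initiator"][:2]:
            f["fwd"] += 1
        else:
            f["rev"] += 1
    return dict(flows)


def unanswered_remote_flows(flows, local_nets):
    """Flows to destinations outside local_nets that never received a reply."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    out = []
    for key, f in flows.items():
        src, sport, dst, dport = f["initiator"]
        dst_local = any(ipaddress.ip_address(dst) in n for n in nets)
        if not dst_local and f["rev"] == 0:
            out.append({"proto": key[0], "src": src, "sport": sport,
                        "dst": dst, "dport": dport, "sent": f["fwd"]})
    return sorted(out, key=lambda r: (r["dst"], r["dport"], r["sport"]))


if __name__ == "__main__":
    flows = summarize_flows(parse_capture(CAPTURE))
    for r in unanswered_remote_flows(flows, LOCAL_NETS):
        print(f"{r['proto']} {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} "
              f"sent={r['sent']} replies=0")
```

    On the post's capture this lists nine TCP flows with zero replies (seven SYN retransmits to 199.27.76.73:80 alone) and no DNS flow, which is the signature the poster describes: the tunnel and the LAN side work, only the return path for Internet traffic is missing. Running the same check on a capture from the WAN interface tells you whether the replies never arrive or arrive and are dropped before re-entering the SA.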



  • If it was working in 2.2.x, you probably need to enable the Unity plugin. VPN > IPsec, Advanced: enable Unity there, then disconnect and reconnect your client. Check the Unity note here:
    https://doc.pfsense.org/index.php/Upgrade_Guide#Removed_features_that_are_disabled_on_upgrade



  • That was the problem! After re-enabling the Unity plugin, traffic is finally back as before.
    Thank you for your help.



  • I was setting up my first VPN today with pfSense 2.3 and had a similar problem (I could access any machine on the LAN, but I couldn't route anything to the Internet). I turned on the Unity plugin and things appeared to be working on the client; however, I suspect they weren't working correctly. If you look at Status > IPsec and then "show child SA entries", on the right side you will see Bytes-In and Bytes-Out. When I turned on the Unity plugin, Bytes-Out stayed at zero as long as I tried to access anything on the Internet. It only increased when I accessed a machine on the LAN. My guess is the Unity plugin directed the client to route Internet traffic locally instead of over the VPN. Since I'm a complete noob with IPsec I don't know that my conclusion is correct at all. However, I'm guessing something wasn't right...

    After playing around and trying a lot of different settings I found a setting that seems to work, but I don't know what it's really doing (I saw this in someone else's configuration). In the Phase 2 settings there is an option for "Local Network". If I set this to "Network" of 0.0.0.0/0 the VPN appears to work, and the Bytes-Out increment on the Status page (after turning off the Unity plugin).

    Again, I'm a complete noob with IPsec so I'm not sure what I did by setting the Local Network to 0.0.0.0/0. Could someone that understands this better explain? So far the only way the VPN appears to work (for me) is by either enabling the Unity plugin or by setting the Local Network to 0.0.0.0/0. I'm not sure which is better, or if I should turn off both options and keep looking at other settings.