Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    No outbound traffic after upgrading 2.2 -> 2.3

    Scheduled Pinned Locked Moved IPsec
    5 Posts 3 Posters 1.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      mcmara
      last edited by

      After performing the first 2.2 -> 2.3 upgrade, all my IPSec clients' traffic directed outside is being blocked. I can successfully establish a VPN connection and I can access the local LAN machines but there is no outbound traffic. Outbound firewall rules are there: I tried automatic and manual, but no luck. Firewall logs show a successful inquiry of the DNS and that's it. What could be the cause?

      Thanks!

      1 Reply Last reply Reply Quote 0
      • M
        mcmara
        last edited by

        Here it is a traffic capture when trying to trace route google.com from a mobile client:

        12:44:58.342297 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.50301 > 192.168.112.1.53: UDP, length 39
        12:44:58.356951 (authentic,confidential): SPI 0x0f9348f0: IP 192.168.112.1.53 > 192.168.114.1.50301: UDP, length 55
        12:44:58.451584 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
        12:44:59.502230 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
        12:45:00.522433 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
        12:45:00.902535 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56678 > 17.167.194.232.443: tcp 0
        12:45:01.122549 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56679 > 17.167.194.180.443: tcp 0
        12:45:01.482605 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56680 > 17.167.194.203.443: tcp 0
        12:45:01.482655 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
        12:45:01.641769 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56681 > 17.167.194.179.443: tcp 0
        12:45:01.942641 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56682 > 17.167.194.119.443: tcp 0
        12:45:02.151136 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56683 > 17.167.194.152.443: tcp 0
        12:45:02.450459 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56684 > 17.167.192.180.443: tcp 0
        12:45:02.458415 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
        12:45:02.671127 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56685 > 17.167.194.177.443: tcp 0
        12:45:03.512175 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0
        12:45:05.512765 (authentic,confidential): SPI 0xcaf0f9ef: IP 192.168.114.1.56686 > 199.27.76.73.80: tcp 0

        The pfsense box is 192.168.112.1 and acts as DNS.
        As you can see, traffic between subnets is OK. Also mobile > wan packets are not filtered.
        However, packets from the WAN to the client are not there.

        Any idea on what could be wrong?

        Thanks!

        1 Reply Last reply Reply Quote 0
        • C
          cmb
          last edited by

          If it was working in 2.2.x, you probably need to enable the Unity plugin. VPN>IPsec, Advanced, enable Unity there then disconnect and reconnect your client. Check the Unity note here.
          https://doc.pfsense.org/index.php/Upgrade_Guide#Removed_features_that_are_disabled_on_upgrade

          1 Reply Last reply Reply Quote 0
          • M
            mcmara
            last edited by

            That was the problem! After re-enabling the Unity plugin, traffic is finally back as before.
            Thank you for your help.

            1 Reply Last reply Reply Quote 0
            • M
              mobovutpg
              last edited by

              I was setting up my first VPN today with pfsense 2.3 and had a similar problem (I could access any machine on the LAN, but I couldn't route anything to the Internet).  I turned on the Unity plug-in and things appeared to be working on the client, however, I suspect they weren’t working correctly.  If you look at Status->IPSec and then “show child SA entries”, on the right side you will see Bytes-In and Bytes-Out.  When I turned on the Unity Plug-in, Bytes-Out was zero as long as I tried to access anything on the Internet.  It only increased when I accessed a machine on the LAN.  My guess is the Unity Plugin directed the client to route Internet traffic locally instead of over the VPN.  Since I’m a complete noob with IPSec I don’t know that my conclusion is correct at all.  However, I’m guessing something wasn’t right…

              After playing around and trying a lot of different setting I found a setting that seems to work, but I don’t know what it’s really doing (I saw this in someone else's configuration).  In the Phase 2 settings there is an option for “Local Network”.  If I set this to “Network” of 0.0.0.0/0 the VPN appears to work, and the Bytes-Out increment on the Status page (after turning off the Unity Plugin).

              Again, I’m a complete noob with IPSec so I’m not sure what I did by setting the Local Network to 0.0.0.0/0.  Could someone that understands this better explain?  So far the only way the VPN appears to work (for me) is by either setting the Unity Plug-In or by setting the Local Network to 0.0.0.0/0.  I’m not sure which is better, or if I should turn off both options and keep looking at other settings.

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.