Last upgrade messed up firewall



  • For quite some time I have been enjoying pfSense. But now I'm not. I'm in another country, trying to connect to VPN (Windows), and it seems the last pfSense update royally messed with the firewall settings.

    I have a DMZ in which the vpn server resides. I can establish a VPN fine, but the segment that is assigned when connecting to the VPN, suddenly has no access whatsoever to the normal LAN network, despite the firewall rules explicitly allowing the VPN subnet to do so.

    192.168.0.0 is the normal LAN, 192.168.1.0 is the DMZ in which the VPN server resides, it has limited access to the lan (that still seems to work) but 192.16.0.2 (the VPN segment) has absolutely no access to the normal LAN anymore.

    I noticed some notice about outgoing NAT stuff, hybrid blah blah blah, but am pissed, as this setup has worked for a very long time, until the last update. Luckily I can get in through the actual VPN server via mstsc (that VPN server does have an address in the 192.168.0.2 subnet), but would like to know why my explicit allow rules for this segment to have unlimited access to all other subnets suddenly stopped working?

    Anything apparent from the update?


  •

    What did you upgrade from?

    How is it that you have 192.168.0.0 and 192.168.0.2 subnets? Those look like they should be in the same subnet if a "normal" /24 is applied (since you didn't specify).



  • Sorry, should be:

    LAN 192.168.0.0/24
    DMZ 192.168.1.0/24
    VPN 192.168.2.0/24
    Guest 192.168.3.0/24

    and for IPv6

    LAN 2001:984:2023:0::/64
    DMZ 2001:984:2023:1::/64
    VPN 2001:984:2023:2::/64
    Guest 2001:984:2023:3::/64

    I do an upgrade whenever the web GUI tells me there is an update; I check monthly (roughly around Microsoft's Patch Tuesday, so a few weeks ago).

    I am guessing somehow a route went missing for the VPN subnet, as it seems the only thing I can reach is the IP address of the RAS adapter. I cannot get beyond that, so in retrospect, it might not have been the upgrade of pfSense, but of the RAS server itself. Not entirely sure yet.

    Mea culpa, it's not pfSense, it's not the RAS server either. I just checked on a Win8 VM on my desktop at work (which I left on) and there the VPN is working normally: full access to LAN, traffic routed out via the VPN server to the internet, full IPv4/IPv6 connectivity. I see from the IP display on this forum that I am routed out via the wifi I use here, so I'm guessing the Anniversary Update (Windows 10) by default does not route traffic out to the internet via the VPN; that might explain why I cannot reach anything beyond the VPN subnet!

    Last edit: indeed client-side config. Properties of the VPN connection, Networking, IPv4, Advanced, "Use default gateway on remote network" was unchecked. Checked it and voila, everything is working again, including IPv6; when I now get my IP address, I indeed get the IPv6 address instead of the IPv4 gateway of the wifi I am using here. Close this thread :)
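    The client-side cause found in the last post, as an added PowerShell example that is not from the thread or from Netgate: it reports each Windows VPN connection's split-tunneling state (the "Use default gateway on remote network" checkbox maps to SplitTunneling = $False) and checks whether the default route currently points at the tunnel interface. Assumes the built-in VpnClient and NetTCPIP modules; 'Work VPN' is a placeholder connection name, and the tunnel interface alias is assumed to match the connection name.

```powershell
# Added example (not from the thread). Audits Windows VPN connections for the
# split-tunneling setting that left the poster stuck inside the VPN subnet.
# Unchecked "Use default gateway on remote network" == SplitTunneling = $True.

function Get-SplitTunnelReport {
    # One object per configured VPN connection, with a plain-language verdict.
    Get-VpnConnection -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Name           = $_.Name
            Server         = $_.ServerAddress
            Status         = $_.ConnectionStatus
            SplitTunneling = $_.SplitTunneling
            Verdict        = if ($_.SplitTunneling) {
                'split tunnel: only the VPN subnet is routed through the tunnel'
            } else {
                'full tunnel: default gateway on remote network is in use'
            }
        }
    }
}

function Test-DefaultRouteViaVpn {
    param([Parameter(Mandatory)][string]$VpnName)
    # Assumption: while connected, the tunnel shows up as an IP interface whose
    # alias equals the connection name. Returns $true only if a default route
    # (IPv4 or IPv6) is bound to that interface, i.e. internet traffic is
    # actually leaving via the VPN server, as the poster expected.
    $iface = Get-NetIPInterface -InterfaceAlias $VpnName -ErrorAction SilentlyContinue
    if (-not $iface) { return $false }
    $ifIndexes = $iface | Select-Object -ExpandProperty ifIndex -Unique
    $defaults = Get-NetRoute -ErrorAction SilentlyContinue |
        Where-Object { $_.DestinationPrefix -in @('0.0.0.0/0', '::/0') }
    [bool]($defaults | Where-Object { $ifIndexes -contains $_.InterfaceIndex })
}

Get-SplitTunnelReport | Format-Table -AutoSize
"Default route via tunnel: $(Test-DefaultRouteViaVpn -VpnName 'Work VPN')"

# To re-enable the checkbox from the last post without the GUI (placeholder name):
# Set-VpnConnection -Name 'Work VPN' -SplitTunneling $false
```

    Run it once before and once after connecting; the route check is only meaningful while the tunnel is up.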

