After upgrade to 2.4.0 | issue with LAN connectivity [SOLVED]

  • Hi folks,

    currently experiencing the issue that all LAN-clients are not able to reach the Gateway/Internet. This problem came up right after the upgrade from 2.3.x on 3 different systems.

    • @Hyper-v host + @Proxmox/KVM host + barebone host

    While changing the "Upstream-Gateway" at the LAN-interface setting I was able to send 4 ICMP-requests during apply. But then reachability stopped again.

    Do you have any hint how to fix that?

    • All LAN-clients are allowed to access any destination.
    • At this "allow all from LAN to any" rule within the firewall configuration I see the connection attempts.
    • Disabling the firewall does not show any success.
    • Interfaces are all up and addressed.
    • Access from WAN to the pf's is possible - that's all =/
    • I am seeing the


  • LAYER 8 Netgate

    You do not set an upstream gateway on a LAN interface. That is almost never correct and never has been correct except in certain rare circumstances.

    Setting an upstream gateway on an interface makes it a WAN.

  • Hi Derelict,

    it was just a try by setting the "upstream gateway" @LAN. Even when it's set to "none" (as it should be) there is no connection.
    Just during the time when the changes are being applied I get 4 ICMPs out and then it stops working again.


  • LAYER 8 Netgate

    Going to need more information.

  • Hi,

    basically it's a very simple setup:
    Two interfaces (WAN and LAN), I can access the pfSense through WAN from the internet.
    The gateway configured at the WAN-interface is the default gateway. There are only a few NAT-rules to LAN clients (http/https/ssh) configured.

    Clients behind the LAN-interface are addressed statically with the default GW of our beloved pfSense and its LAN-interface.
    There are just these 3 default rules at the firewall LAN-tab (anti-lockout, allow from/to all for IPv4 and the same for IPv6).

    ARP-resolution does work - pfSense recognizes the clients and vice versa. I even see the connection attempts @tcpdump.

    tcpdump -i hn1 -vn
    tcpdump: listening on hn1, link-type EN10MB (Ethernet), capture size 262144 bytes
    19:22:43.994255 IP (tos 0x0, ttl 64, id 51753, offset 0, flags [DF], proto ICMP (1), length 84) > ICMP echo request, id 28245, seq 488, length 64
    19:22:44.994238 IP (tos 0x0, ttl 64, id 51951, offset 0, flags [DF], proto ICMP (1), length 84) > ICMP echo request, id 28245, seq 489, length 64
    19:22:45.994124 IP (tos 0x0, ttl 64, id 52072, offset 0, flags [DF], proto ICMP (1), length 84) > ICMP echo request, id 28245, seq 490, length 64
    19:22:46.994223 IP (tos 0x0, ttl 64, id 52116, offset 0, flags [DF], proto ICMP (1), length 84) > ICMP echo request, id 28245, seq 491, length 64

    When I am connecting remotely with OpenVPN, then I am able to reach the LAN-IP of the pfSense. But I am not able to access the LAN-clients. Even through the Site2Site tunnels I reach the LAN-IPs of these pfSenses (when using a remote/"road-warrior" client), but I am still not able to reach any of the LAN-clients.

    netstat -rn output (one route entry per line; the destination column of some entries is missing from the pasted output):
    Destination                                      Gateway                    Flags     Netif Expire
    default                                          87.x.x.1                   UGS       hn0
                                                     link#6                     UHS       lo0
                                                     link#6                     U         hn1
    WAN-Monitor-IP                                   87.x.x.1 (WAN-Gateway)     UGHS      hn0
    87.x.x.0/24                                      link#5                     U         hn0
    87.x.x.y (pf-WAN-IP)                             link#5                     UHS       lo0
    87.x.x.2 (IP-alias)                              link#5                     UHS       lo0
    87.x.x.2/32                                      link#5                     U         hn0
    87.x.x.y (pf-WAN-IP)                             link#5                     UHS       lo0
    87.x.x.y (pf-WAN-IP)/32                          link#5                     U         hn0
                                                     link#1                     UH        lo0
    178.x.x.237 (Site2Site peer that is monitored)   87.x.x.1 (WAN-Gateway)     UGHS      hn0
    (LAN-Network)                                    link#6                     U         hn1
                                                     link#6                     UHS       lo0
                                                                                UGHS      hn1

    Everything was working like a charm before the upgrade. And no changes to the firewall or the routing were done.
    If you need more information please let me know.


  • Hi folks,

    found the issue after some time - deactivating the Monitor-IP for LAN (checkbox) did not help - the Monitor-IP must be removed completely from the gateway configuration.

    Hosts that are defined as Monitor-IP for the gateway are unable to send or receive ANY traffic. Not even arp-ping is possible. I do not know how to fix that issue, I guess it's a bug that came up.


  • LAYER 8 Netgate

    It is not a bug. Host addresses that are defined as a monitor IP address have a specific host route out the interface they are defined on.

    Same thing with DNS servers in System > General if you define a gateway there.

    This is necessary for Multi-WAN, which is a feature people seem to like.
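The mechanism Derelict describes (a monitor IP gets its own host route out the gateway's interface) is easy to spot in a routing table once you know what to look for: a /32 entry with the G and H flags whose destination sits inside a directly connected network. Longest-prefix match makes that host route win over the connected route, so packets for that host go to the gateway instead of being delivered on the link, which is exactly why the monitored LAN host stopped answering. The following checker is an added example, not part of this thread or of pfSense itself; it parses a constructed `netstat -rn` table (documentation addresses, not real hosts, and a hypothetical gateway 192.0.2.254 on the LAN) and reports such shadowed hosts.

```python
import ipaddress

# Constructed sample of `netstat -rn` (IPv4 section) from a two-interface
# firewall. All addresses are documentation ranges; 192.0.2.254 is a
# hypothetical "gateway" someone defined on the LAN with 192.0.2.50 as its
# monitor IP, which is what produces the UGHS host route on hn1.
SAMPLE_ROUTES = """\
Destination        Gateway            Flags     Netif Expire
default            198.51.100.1       UGS       hn0
127.0.0.1          link#1             UH        lo0
192.0.2.0/24       link#6             U         hn1
192.0.2.1          link#6             UHS       lo0
192.0.2.50         192.0.2.254        UGHS      hn1
198.51.100.0/24    link#5             U         hn0
198.51.100.7       link#5             UHS       lo0
203.0.113.9        198.51.100.1       UGHS      hn0
"""


def parse_routes(text):
    """Turn the header-led netstat -rn table into a list of route dicts."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue  # skip header and blank/short lines
        routes.append({"dest": parts[0], "gateway": parts[1],
                       "flags": parts[2], "netif": parts[3]})
    return routes


def _network(dest):
    """Parse a destination column into an ip_network, or None for 'default'."""
    if dest == "default":
        return None
    try:
        return ipaddress.ip_network(dest, strict=False)
    except ValueError:
        return None


def connected_networks(routes):
    """Directly connected networks: U set, no G (no gateway), no H (not a host)."""
    nets = []
    for r in routes:
        flags = r["flags"]
        if "U" in flags and "G" not in flags and "H" not in flags:
            net = _network(r["dest"])
            if net is not None and net.num_addresses > 1:
                nets.append((net, r["netif"]))
    return nets


def shadowed_hosts(routes):
    """Host routes via a gateway (G and H set) whose destination lies inside a
    connected network. Returns (host, connected network, gateway, netif)."""
    findings = []
    nets = connected_networks(routes)
    for r in routes:
        flags = r["flags"]
        if "G" not in flags or "H" not in flags:
            continue
        host = _network(r["dest"])
        if host is None or host.num_addresses != 1:
            continue
        for net, netif in nets:
            # 'in' is False for mismatched IP versions, so mixed tables are safe
            if host.network_address in net:
                findings.append((str(host.network_address), str(net),
                                 r["gateway"], netif))
    return findings


if __name__ == "__main__":
    for host, net, gw, netif in shadowed_hosts(parse_routes(SAMPLE_ROUTES)):
        print(f"{host} is on connected {net} but routed via {gw} ({netif}); "
              f"check gateway monitor IPs and System > General DNS gateways")
```

On a live box, replace `SAMPLE_ROUTES` with the output of `netstat -rn -f inet`; a hit for a LAN address is the signature from this thread, and the fix is what the original poster found: remove the address from the gateway's monitor IP (or from the DNS server gateway setting) rather than only unticking the monitor checkbox.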
