Outbound NAT Issue - VPNWAN



  • I recently upgraded to pfSense 2.4.4 and have been using it without issue for a few days. However, this morning at about 1:30am a problem seems to have cropped up, and I woke up to find the Internet to be unreachable from clients.

    I went through the steps in "Troubleshooting Network Connectivity" and where I run into problems is with pinging Internet addresses from the LAN. I can ping the LAN IP of the firewall, the WAN IP of the firewall, and the WAN IP of the gateway just fine. If I ssh out to the firewall I find that things like "curl http://www.google.com" succeed. Also Unbound seems to be working fine, and "nslookup www.google.com" works fine from clients. But "ping 8.8.8.8" from LAN clients fails.

    The Troubleshooting guide suggests triple checking Outbound NAT, but isn't more specific than that. I've tried turning Outbound NAT off and then back on, but that was no help. I've poked around in /var/log but nothing in the logs seems helpful. One suspicious thing though is I haven't seen any blocked connections from the Internet to firewall WAN IP, and normally I see blocks every so often from traffic trying to connect to port 23 etc.

    Any ideas of other steps I can try?



  • One thing I didn't mention is that I route all LAN traffic over a VPN connection. I found that disabling the VPNWAN restored connectivity to the Internet for LAN clients.

    Then, restoring a config file I had saved as a backup from a few days ago got things working over VPNWAN again.

    As I mentioned, there wasn't any change on my part that seemed to cause the initial breakage. I wonder if Outbound NAT over the VPNWAN stopped working for some reason, perhaps there is a subtle bug in pfSense 2.4.4.

    For now all I can do is wait and see if it happens again.



  • What kind of VPN?
    Why were you checking outbound NAT when you have a VPN?
    What is the exact config? Does the VPN accept traffic from a single IP or the whole LAN (without NAT)? Is it a managed service or just a host you are using somewhere?
    Did the successful test run through the VPN, or does the firewall have local access?
    Did you try just restarting the VPN client?
    What if the VPN server had an outage?



  • @netblues said in Outbound NAT Issue - VPNWAN:

    What kind of VPN?

    OpenVPN

    Why were you checking outbound NAT when you have a VPN?

    Because the Troubleshooting guide recommended checking it when the other steps succeeded but pinging 8.8.8.8 failed.

    What is the exact config? Does the VPN accept traffic from a single IP or the whole LAN (without NAT)? Is it a managed service or just a host you are using somewhere?

    It is a managed service. All traffic from the LAN is tunneled through it.

    Did the successful test run through the VPN, or does the firewall have local access?

    That is a good question, I'm not sure. I know that "curl http://www.google.com" worked fine from the firewall, but I don't know if it was going out over the regular WAN or the VPN tunnel.

    Did you try just restarting the VPN client?

    Well I didn't try that on its own. But I did reboot the whole firewall a couple of times, which would have included restarting the VPN client of course.

    What if the VPN server had an outage?

    Nope that wasn't the issue because I could use the VPN just fine from my cell phone over its LTE network. Both the WAN and VPNWAN were shown as Online and with healthy RTT and RTTsd values.

    Also, thanks for taking an interest! I sort of suspect the issue will arise again at some point, since it seemed to occur randomly in the first place, so I'm happy to take ideas of things to look at or try if/when it does break down again.
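Two things in this thread are left unresolved: whether the firewall's own "curl" went out over the regular WAN or the tunnel (so a successful test from the firewall proves nothing about the VPNWAN path), and what "triple checking Outbound NAT" concretely means. The script below is an added example, not from the original posters or from pfSense; it is a POSIX shell diagnostic meant to be run as root on the pfSense (FreeBSD) shell. It reads `route -n get`, `pfctl -s nat` and `pfctl -ss`, which exist on pfSense with the output layouts parsed here, and reports whether the kernel's egress for 8.8.8.8 is the OpenVPN interface and whether an outbound NAT rule on that interface actually translates the LAN subnet. The interface name `ovpnc1`, the LAN subnet `192.168.1.0/24`, the tunnel address `10.8.0.6` and the sample command outputs are all assumptions and constructed data; set `VPN_IF` and `LAN_NET` to your own values. When `pfctl` is not present the script runs against the constructed samples so the parsing can be exercised anywhere.

```shell
#!/bin/sh
# Added example: does the firewall's egress for a probe address go through the
# OpenVPN tunnel, and does an outbound NAT rule on that tunnel cover the LAN?
# Interface/subnet names below are assumptions; override via environment.

LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed LAN subnet
VPN_IF="${VPN_IF:-ovpnc1}"             # assumed OpenVPN client interface (VPNWAN)
PROBE="${PROBE:-8.8.8.8}"              # address the LAN clients could not ping

# egress_iface: read `route -n get <dst>` output (FreeBSD layout) on stdin and
# print the interface the kernel would use. This is the interface the
# firewall's own curl/ping left on, which the thread never established.
egress_iface() {
    awk -F': *' '$1 ~ /^ *interface$/ { print $2; exit }'
}

# nat_rules_for IFACE NET: read `pfctl -s nat` output on stdin and print only
# the outbound NAT rules that translate NET on IFACE. "Triple checking
# Outbound NAT" comes down to this list being non-empty for the tunnel.
nat_rules_for() {
    awk -v ifc="$1" -v net="$2" \
        '$1 == "nat" && $2 == "on" && $3 == ifc && index($0, "from " net " ") { print }'
}

# states_to DST: read `pfctl -ss` output on stdin and print the states headed
# for DST: interface, protocol, translated address, (original address) ->.
# A LAN ping that was NATed onto the tunnel shows the tunnel address first and
# the client address in parentheses.
states_to() {
    awk -v dst="$1" '$0 ~ ("-> " dst ":") { print $1, $2, $3, $4, $5 }'
}

# diagnose ROUTE_OUT NAT_OUT: combine the two command outputs into one token.
diagnose() {
    ifc=$(printf '%s\n' "$1" | egress_iface)
    rules=$(printf '%s\n' "$2" | nat_rules_for "$ifc" "$LAN_NET" | wc -l | tr -d ' ')
    if [ -z "$ifc" ]; then
        echo "no-route"        # kernel has no route at all for the probe
    elif [ "$ifc" != "$VPN_IF" ]; then
        echo "bypasses-vpn"    # the firewall's own test did not use the tunnel
    elif [ "$rules" -eq 0 ]; then
        echo "missing-nat"     # tunnel is the egress but nothing translates LAN onto it
    else
        echo "ok"
    fi
}

# Constructed sample output (not captured from a real box), in the layouts
# produced by `route -n get`, `pfctl -s nat` and `pfctl -ss` on pfSense.
SAMPLE_ROUTE='   route to: 8.8.8.8
destination: default
       mask: default
    gateway: 10.8.0.1
        fib: 0
  interface: ovpnc1
      flags: <UP,GATEWAY,DONE,STATIC>'

SAMPLE_NAT_OK='nat on em0 inet from 192.168.1.0/24 to any port = isakmp -> 203.0.113.5 static-port
nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.5 port 1024:65535
nat on ovpnc1 inet from 192.168.1.0/24 to any port = isakmp -> 10.8.0.6 static-port
nat on ovpnc1 inet from 192.168.1.0/24 to any -> 10.8.0.6 port 1024:65535'

# The failure mode from the thread: default route still points at the tunnel,
# but no outbound NAT rule exists for the tunnel interface.
SAMPLE_NAT_BROKEN='nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.5 port 1024:65535'

SAMPLE_STATES='ovpnc1 icmp 10.8.0.6:18452 (192.168.1.50:18452) -> 8.8.8.8:18452       0:0
em0 udp 203.0.113.5:1194 -> 198.51.100.7:1194       MULTIPLE:MULTIPLE'

if command -v pfctl >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    route_out=$(route -n get "$PROBE" 2>/dev/null)
    nat_out=$(pfctl -s nat 2>/dev/null)
    state_out=$(pfctl -ss 2>/dev/null)
else
    echo "pfctl not available or not root; using constructed sample output" >&2
    route_out=$SAMPLE_ROUTE
    nat_out=$SAMPLE_NAT_OK
    state_out=$SAMPLE_STATES
fi

verdict=$(diagnose "$route_out" "$nat_out")
case $verdict in
    ok)           echo "egress is $VPN_IF and outbound NAT for $LAN_NET exists on it" ;;
    missing-nat)  echo "egress is $VPN_IF but no outbound NAT rule for $LAN_NET on it: LAN clients cannot reach $PROBE" ;;
    bypasses-vpn) echo "egress is not $VPN_IF: a successful test from the firewall says nothing about the tunnel" ;;
    no-route)     echo "no route to $PROBE" ;;
esac
echo "states toward $PROBE:"
printf '%s\n' "$state_out" | states_to "$PROBE"
```

To force the firewall's own test through a specific interface rather than guessing, bind the source with `curl --interface ovpnc1 http://www.google.com` and compare with `curl --interface em0 ...`; if only the WAN-bound request succeeds while `diagnose` reports `missing-nat`, the tunnel is up but the LAN is not being translated onto it, which matches the symptom of healthy gateway RTTs alongside failing client pings.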