BUG: pfsense 2.4.4 update_breaks http/https from LAN - workaround



  • After upgrading from 2.4.3 I found my web access no longer worked from either of my LAN segments, though nslookup, traceroute, smtp/pop, etc. were working.

    I have two VPN connections with a gateway group set up.
    System/Routing/Gateways

    • Default IPv4 = VPNGW

    System/Routing/Gateway Groups
    VPNGW = VPN1 Tier1, VPN2 Tier2

    Firewall Rules
    WAN
    WAN - Block All IPv4/6

    LAN
    LAN - Block All IPv4/6
    CHINA - Allow IP Table GW = WAN
    NET - Allow DNSSEC/TELNET GW = VPNGW
    POP - Allow SMTPS/POP3S GW = VPNGW
    HTTP - Allow HTTP/HTTPS GW = VPNGW **

    The above config worked in 2.4.3 but stopped after upgrading to 2.4.4.
    I found that setting the GW for HTTP to * resolved the issue, so the new config is

    LAN
    LAN - Block All IPv4/6
    CHINA - Allow IP Table GW = WAN
    NET - Allow DNSSEC/TELNET GW = VPNGW
    POP - Allow SMTPS/POP3S GW = VPNGW
    HTTP - Allow HTTP/HTTPS GW = *

    traceroute on port 80 shows it going via the VPN, but I imagine we should be able to force the gateway,
    even if the default gateway is the same.


  • Netgate Administrator

    Is this in 2.4.4p2? There were some issues with the new default gateway group setting in 2.4.4 but they were mostly resolved in p1.

    Is it actually routing http/s traffic over the VPN in that setup? There should be no difference in having VPNGW set as default gateway or policy routing to it.

    Steve



  • It is p2 and there should be no difference, but for some reason there is.
    According to traceroute on port 80 it goes via the VPN as intended.


  • Netgate Administrator

    The clients are using assigned DNS servers directly?

    If they are using unbound in pfSense I could imagine some change in the default gateway handling making a difference there perhaps.

    Steve