Gateway monitoring issues with 2.5.1
-
With pfSense I use four separate VPN client connections to provide a failover if a VPN connection goes down. Up through version 2.5 this has worked flawlessly using the VPN endpoint IP as the monitor IP. The VPN gateway interfaces would come up quickly, stabilizing at 0% packet loss on all four connections. Without making any configuration changes, upgrading to version 2.51 causes 80%-100% packet loss on all four VPN gateway interfaces, and I'm lucky if any of the interfaces drop below the 15% threshold to establish a connection. When I disable gateway monitoring on these, everything works, but I lose any failover capability. I'm using default dpinger settings, and as I said before, no config changes were made.
Any ideas?
-
I have since discovered that I can enable gateway monitoring on one or two of the VPN gateway interfaces and not experience packet loss, but when I enable more than that the packet loss gets progressively worse and the gateway reports 100% loss, but the VPN connections remain connected. I've tried setting the monitor IP to 8.8.8.8 and other addresses known to respond to pings, with the same results. I've also found that the problem didn't manifest itself until after version 2.5.1.r.20210403.0300. I can roll back to that version and all four of my VPN client gateways come up with zero packet loss within seconds.
I find it very interesting that nobody else has experienced this issue, since it's so easy for me to reproduce. I don't consider my VPN configuration unusual and it has worked for me for years. Where should I start when troubleshooting this? Logs? Packet capture? This issue also persists with the most recent 2.6.0 developer version.
-
So I guess there's no help here. I've rolled back to 2.4.5. There appear to be so many things wrong with the 2.50/2.51 releases that it's very difficult to troubleshoot. It wouldn't surprise me to see people jumping ship. I have definitely considered alternatives.
-
@townsenk64 Hi! Indeed, stay away from the 2.5 line of releases. I would love to get back to 2.4.5 -p1, but unfortunately the latest version of pfBlockerNG is not available on that older version of pfSense.
For now 2.5.0 is running fine after I manually upgraded unbound, but honestly I am watching it like a hawk. I don’t trust it :(. The moment I can pinpoint some weird behavior in my network to pfSense, I am going back to 2.4.5 -p1 with a separate AdGuard Home server for adblocking. It is sad.
I ran 2.5.1 but that was horrible, and NAT just kept on dying and the only solution was rebooting. What other solutions are you looking for? I can use some ideas ...