pfSense 2.5.1 multi-WAN routing trouble
-
Dear All,
This issue is likely related to this one, just expanded to a CARP and multi-WAN setting:
https://forum.netgate.com/topic/162935/pfsense-2-5-1-not-recognizing-my-default-ipv4-route
I have been using four pfSense units for a two-location SOHO situation for a long time. Each location has two units in CARP configuration connected to two internet lines. VPN is OpenVPN connections using both lines. There is no real ffr-type failover, but that was not an issue so far.
I upgraded all four devices to 2.5.1, not noticing any trouble initially. My default IPv4 gateway was set to LoadBalancedGroup.
After a time, I noticed the following issues:
Only one of the two WANs accepted VPN dial-in connections. I found that this depends on the default gateway chosen, which is worst if it is load balancing. My setup NATs the respective ports to localhost, with corresponding firewall rules, to OpenVPN server instances listening on localhost.
-
Only one of my two site-to-site VPN connections worked. Obviously, this also depends on the default gateway, and it gets tricky in the case of load balancing. Getting routes assigned takes longer than previously.
-
Websites behind haproxy listening on the WAN interfaces are reachable on both WANs in principle. However, there is immense quality degradation on the interface which is not the default gateway. I first noticed that on a Nextcloud instance where one could upload small files but would lose the server connection when uploading only slightly larger files (> 200 KB).
-
I have a mail gateway on a virtual machine connected to both WANs. The setup is NAT and corresponding firewall rules forwarding to two virtual NICs of the machine, each corresponding to one WAN. For the outbound direction, the virtual machine knows which NIC is which WAN, and firewall rules direct the traffic accordingly based on the origin. The mail server was only reachable via the default gateway. Otherwise, SMTP/telnet would be mute. The same was true for a custom-port SFTP instance.
At my primary location, I downgraded both CARP units back to 2.5.0 and everything was fine again. At my secondary unit, I am unable to do so. Afterwards, the primary location was again performing as before and as expected.
Does this sound like a strange setup on my side or like a bug? If it is a bug, will it be fixed rapidly? For the secondary location, a fix without a downgrade would be ideal, as upgrades can be done, but downgrading requires plugging in cables locally.
Regards,
Michael Schefczyk
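The symptom reported across this thread (inbound connections answered only on the WAN that happens to be the default gateway) is easy to check from outside before and after an upgrade. The following is an added example, not code from the thread or from pfSense: it reads the TCP port-forward rules from a pfSense-style config.xml (a constructed snippet here), maps each rule to the public address of its WAN interface, and attempts a TCP connect to every published (address, port). The interface-to-address mapping, the sample rules and the addresses (documentation ranges) are assumptions for illustration; run it from a host outside both WANs, not from the LAN.

```python
"""Probe each WAN address for the TCP services published on it via NAT rules.

Added example (not from the forum thread or from pfSense). The config snippet,
the WAN addresses and the interface names are constructed assumptions.
"""
import socket
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Tuple

# Constructed sample in pfSense config.xml shape: one forward per WAN plus a
# UDP forward that a plain connect() cannot verify and is therefore skipped.
SAMPLE_CONFIG = """<pfsense>
  <nat>
    <rule>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <destination><network>wanip</network><port>25</port></destination>
      <target>10.0.0.25</target>
      <local-port>25</local-port>
    </rule>
    <rule>
      <interface>opt1</interface>
      <protocol>tcp</protocol>
      <destination><network>opt1ip</network><port>443</port></destination>
      <target>10.0.0.80</target>
      <local-port>443</local-port>
    </rule>
    <rule>
      <interface>opt1</interface>
      <protocol>udp</protocol>
      <destination><network>opt1ip</network><port>1194</port></destination>
      <target>127.0.0.1</target>
      <local-port>1194</local-port>
    </rule>
  </nat>
</pfsense>"""

# Assumed public addresses of the two WAN interfaces (RFC 5737 ranges).
WAN_ADDRS: Dict[str, str] = {"wan": "198.51.100.10", "opt1": "203.0.113.20"}

Connector = Callable[[str, int], bool]


def tcp_forwards(config_xml: str) -> List[Tuple[str, int]]:
    """Return (interface, port) for every TCP port-forward with a single
    numeric destination port; UDP rules, port ranges and aliases are skipped."""
    root = ET.fromstring(config_xml)
    forwards = []
    for rule in root.findall("./nat/rule"):
        proto = (rule.findtext("protocol") or "").lower()
        if proto not in ("tcp", "tcp/udp"):
            continue
        iface = rule.findtext("interface")
        port = rule.findtext("destination/port")
        if iface and port and port.isdigit():
            forwards.append((iface, int(port)))
    return forwards


def socket_connect(addr: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to addr:port completes within the timeout."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(config_xml: str, wan_addrs: Dict[str, str],
          connect: Connector = socket_connect) -> Dict[str, Dict[int, bool]]:
    """Connect to each published port on the address of its WAN interface.
    The connector is injectable so the logic can be tested without a network."""
    results: Dict[str, Dict[int, bool]] = {}
    for iface, port in tcp_forwards(config_xml):
        addr = wan_addrs.get(iface)
        if addr is None:  # interface not mapped to a public address
            continue
        results.setdefault(iface, {})[port] = connect(addr, port)
    return results


def unreachable_interfaces(results: Dict[str, Dict[int, bool]]) -> List[str]:
    """Interfaces on which every published TCP port failed: the pattern the
    thread reports for the WAN that is not the default gateway."""
    return sorted(i for i, ports in results.items()
                  if ports and not any(ports.values()))


if __name__ == "__main__":
    res = probe(SAMPLE_CONFIG, WAN_ADDRS)
    for iface, ports in res.items():
        for port, ok in sorted(ports.items()):
            print(f"{iface} {WAN_ADDRS[iface]}:{port} {'open' if ok else 'FAILED'}")
    dead = unreachable_interfaces(res)
    print("WANs with no reachable service:", ", ".join(dead) or "none")
```

A WAN listed as having no reachable service while its rules are intact points at the return-path problem discussed in this thread rather than at the individual port forwards; re-running the probe after a change of default gateway shows whether the failing interface follows the gateway choice.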
-
-
Same. Dual WAN config, but only one at a time will accept incoming connections after the upgrade to 2.5.1. I have mail on one and a web server on another. Both WAN addresses won't accept incoming connections at the same time as before. If I choose my dual WAN group as default gateway, then pfSense will anyway choose one out of the dual group as "default" and services from the other WAN won't work.
-
Same issue with failover dual WAN, no CARP.
Incoming traffic is only working on the "default" gateway. This used to work for years before 2.5.1.
-
@digdug3 I downgraded to 2.4.5 for now
-
@raudraido Agree.
If it takes too long to fix this then I will have to downgrade to 2.5.0.
Had no issues there. For now I removed all traffic from the 2nd WAN.
Fingers crossed there won't be any issue on the 1st.
-
Since I filed a bug report which was classified as a duplicate (I would not have found the original bug report without that), we know that the developers know:
https://redmine.pfsense.org/issues/11805
What we still lack is communication in terms of what is likely to happen when.
-
@michaelschefczyk I reverted to 2.5.0 and all is working again.
-
@digdug3 I reverted back to 2.4.5.1 because I have seen so many complaints about 2.5.0 as well. Also, everything now works as intended.
-
@michaelschefczyk said in pfSense 2.5.1 multi-WAN routing trouble:
What we still lack is communication in terms of what is likely to happen when.
Looks like we must wait for 2.6.0, since this is an issue in the kernel.
No idea how to handle this issue for me now, since we need the OpenSSL fix.
-
Hail Folks, I'm experiencing something like this... On my pfSense server I use OpenVPN + RADIUS connection; everything was working well, but after the update from 2.5.0 to 2.5.1 every connection which comes from my second WAN (OPT) works for a minute and then the connection gets dropped. There's no reason for it, because I haven't changed anything on the firewall... If anyone has any clue for me, I will appreciate it a lot. Thanks in advance.
-
@theone The only workaround I have found so far (in case someone needs it):
System >> Advanced >> Firewall & NAT: Bypass firewall rules for traffic on the same interface
This is a workaround, but definitely a bug in 2.5.1.
-
@peterzy To my regret I don't have static routes. Policy-based only.
-
@digdug3 How did you revert to 2.5.0?
-
@makq I have pfSense installed as a VM, so I can just roll back.
Otherwise, if you still have a backup of an older pfSense config file, you can reinstall pfSense and restore the backup of the config file.
-
OK, this really has become a problem. I have tried a number of things, but I need to revert back to 2.5.0.
Is the config.xml backward compatible with 2.5.0?
Can I simply reinstall and restore the 2.5.1 XML?
-
@gwaitsi I am unable to answer your question. As I back up my configuration nightly to a server in my LAN, I just rolled back to the last configuration before going to 2.5.1.
The biggest problem in my view is that the Netgate team does not communicate at all about perspectives to resolve this. The choice now is either no real multi-WAN or a risky version of OpenSSL.
I made a trip to the other end of my VPN to downgrade there to get everything working again. My personal next step will be to move from CARP-HA to two single routers and then convert one in the stack to OPNsense. It might be safer to have two options.
-
@gwaitsi For me, the revert did not work. I did a clean install.
-
@gwaitsi Hi. The config should be backwards compatible. I have done this and imported my backup from 2.5 to 2.4.5-p1. However, this was not on my production unit but on my test lab pfSense. It did work, but my OpenVPN clients were messed up and my routing groups were not working properly. I had to fix that manually. Again, this was just an exercise for me and not something I will do on my production unit.
As always, I have backups before I upgrade, so in the end I just installed 2.4.5-p1 on my production unit and restored the config from that version.
-
I think with the attitude they have, pfSense is https://www.youtube.com/watch?v=tH2w6Oxx0kQ
-
@peterzy I haven't given up on them, but when they say it is a kernel fix and can't be deployed as a patch, given the severity, it is very disheartening to see that they don't release 2.5.1-p1 to fix this issue.
I have started looking at Untangle, but that is not a fair comparison because you have to pay to get the same features that are included in pfSense CE.