<![CDATA[NAT seems hosed somehow with 2.5.1 upgrade. Same bug as #11805?]]>

<![CDATA[NAT seems hosed somehow with 2.5.1 upgrade. Same bug as #11805?]]>Upgraded to 2.5.1 on 2021-04-18. Having issues with ingress traffic. I'm seeing a bunch of SE and SEW flags set on the TCP handshake both on firewall and DMZ host. Handshake never completes. When I drop the OpenVPN client on pfSense (Multiwan?) things work. I have a firewall rule on the LAN interface to route 80,443,53 and 43 over the VPN. Not sure if this is related somehow. Ran out of time to troubleshoot this morning. Am I just banging my head against the wall here? Maybe related to this bug? https://redmine.pfsense.org/issues/11805

tcpdump traffic from webserver and pfSense:

Apache VM
----------------
06:47:44.451602 IP 222.2.2.2.5827 > 68.119.167.56.443: Flags [S], seq 4093835398, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 3880969012 ecr 0], length 0
06:47:44.451986 IP 10.10.10.10.443 > 222.2.2.2.5827: Flags [S.E], seq 1390155107, ack 4093835399, win 28960, options [mss 1460,sackOK,TS val 20398265 ecr 3880961610,nop,wscale 7], length 0
06:47:44.936939 IP 222.2.2.2.5546 > 68.119.167.56.443: Flags [S], seq 3797137893, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 1136144916 ecr 0], length 0
06:47:44.937449 IP 10.10.10.10.443 > 222.2.2.2.5546: Flags [S.E], seq 1866981311, ack 3797137894, win 28960, options [mss 1460,sackOK,TS val 20398386 ecr 1136113112,nop,wscale 7], length 0
06:47:45.022398 IP 10.10.10.10.443 > 222.2.2.2.5887: Flags [S.E], seq 521861789, ack 3799908651, win 28960, options [mss 1460,sackOK,TS val 20398408 ecr 182595627,nop,wscale 7], length 0


pfSense em0
-------------------
06:47:44.205914 IP 222.2.2.2.5827 > 10.10.10.10.443: Flags [S], seq 4093835398, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 3880969012 ecr 0], length 0
06:47:44.205964 IP 10.10.10.10.443 > 222.2.2.2.5827: Flags [S.E], seq 1390155107, ack 4093835399, win 28960, options [mss 1460,sackOK,TS val 20398265 ecr 3880961610,nop,wscale 7], length 0
06:47:44.691259 IP 222.2.2.2.5546 > 10.10.10.10.443: Flags [S], seq 3797137893, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 1136144916 ecr 0], length 0
06:47:44.691306 IP 10.10.10.10.443 > 222.2.2.2.5546: Flags [S.E], seq 1866981311, ack 3797137894, win 28960, options [mss 1460,sackOK,TS val 20398386 ecr 1136113112,nop,wscale 7], length 0
06:47:44.776250 IP 10.10.10.10.443 > 222.2.2.2.5887: Flags [S.E], seq 521861789, ack 3799908651, win 28960, options [mss 1460,sackOK,TS val 20398408 ecr 182595627,nop,wscale 7], length 0

]]>https://forum.netgate.com/topic/163089/nat-seems-hosed-somehow-with-2-5-1-upgrade-same-bug-as-11805RSS for NodeSat, 18 Apr 2026 01:42:14 GMTMon, 19 Apr 2021 12:26:21 GMT60<![CDATA[Reply to NAT seems hosed somehow with 2.5.1 upgrade. Same bug as #11805? on Mon, 19 Apr 2021 13:20:54 GMT]]>This looks like a bug yes. Check: https://redmine.pfsense.org/issues/11805#change-53054

And the following forum post: https://forum.netgate.com/topic/162924/to-2-5-1-or-not-that-is-the-question/65?_=1618838285034

]]>https://forum.netgate.com/post/978685https://forum.netgate.com/post/978685Mon, 19 Apr 2021 13:20:54 GMT