Netgate Discussion Forum

    NAT seems hosed somehow with 2.5.1 upgrade. Same bug as #11805?

      Dave R2

      Upgraded to 2.5.1 on 2021-04-18. Having issues with ingress traffic. I'm seeing a bunch of SE and SEW flags set on the TCP handshake both on firewall and DMZ host. Handshake never completes. When I drop the OpenVPN client on pfSense (Multiwan?) things work. I have a firewall rule on the LAN interface to route 80,443,53 and 43 over the VPN. Not sure if this is related somehow. Ran out of time to troubleshoot this morning. Am I just banging my head against the wall here? Maybe related to this bug? https://redmine.pfsense.org/issues/11805

      tcpdump traffic from webserver and pfSense:

      Apache VM
      ----------------
      06:47:44.451602 IP 222.2.2.2.5827 > 68.119.167.56.443: Flags [S], seq 4093835398, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 3880969012 ecr 0], length 0
      06:47:44.451986 IP 10.10.10.10.443 > 222.2.2.2.5827: Flags [S.E], seq 1390155107, ack 4093835399, win 28960, options [mss 1460,sackOK,TS val 20398265 ecr 3880961610,nop,wscale 7], length 0
      06:47:44.936939 IP 222.2.2.2.5546 > 68.119.167.56.443: Flags [S], seq 3797137893, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 1136144916 ecr 0], length 0
      06:47:44.937449 IP 10.10.10.10.443 > 222.2.2.2.5546: Flags [S.E], seq 1866981311, ack 3797137894, win 28960, options [mss 1460,sackOK,TS val 20398386 ecr 1136113112,nop,wscale 7], length 0
      06:47:45.022398 IP 10.10.10.10.443 > 222.2.2.2.5887: Flags [S.E], seq 521861789, ack 3799908651, win 28960, options [mss 1460,sackOK,TS val 20398408 ecr 182595627,nop,wscale 7], length 0
      
      
      pfSense em0
      -------------------
      06:47:44.205914 IP 222.2.2.2.5827 > 10.10.10.10.443: Flags [S], seq 4093835398, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 3880969012 ecr 0], length 0
      06:47:44.205964 IP 10.10.10.10.443 > 222.2.2.2.5827: Flags [S.E], seq 1390155107, ack 4093835399, win 28960, options [mss 1460,sackOK,TS val 20398265 ecr 3880961610,nop,wscale 7], length 0
      06:47:44.691259 IP 222.2.2.2.5546 > 10.10.10.10.443: Flags [S], seq 3797137893, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 1136144916 ecr 0], length 0
      06:47:44.691306 IP 10.10.10.10.443 > 222.2.2.2.5546: Flags [S.E], seq 1866981311, ack 3797137894, win 28960, options [mss 1460,sackOK,TS val 20398386 ecr 1136113112,nop,wscale 7], length 0
      06:47:44.776250 IP 10.10.10.10.443 > 222.2.2.2.5887: Flags [S.E], seq 521861789, ack 3799908651, win 28960, options [mss 1460,sackOK,TS val 20398408 ecr 182595627,nop,wscale 7], length 0
      
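Added example, not part of either post or of pfSense: Python that reads tcpdump text output like the captures above and lists flows where a SYN-ACK was sent but no client ACK followed. The sample lines are constructed (documentation addresses alongside the 10.10.10.10 host from the capture), and the names `stalled_handshakes` and `SAMPLE` are this example's own.

```python
import re

# One tcpdump text line: "<time> IP src.port > dst.port: Flags [..], seq N, ack N, ..."
LINE = re.compile(
    r"^\s*\S+ IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\](?:, seq (?P<seq>\d+))?(?:, ack (?P<ack>\d+))?"
)

# Constructed sample: two stalled flows shaped like the capture above, plus one
# flow that completes even though NAT rewrote the destination address.
SAMPLE = """\
06:47:44.205914 IP 198.51.100.7.5827 > 10.10.10.10.443: Flags [S], seq 4093835398, win 65535, length 0
06:47:44.205964 IP 10.10.10.10.443 > 198.51.100.7.5827: Flags [S.E], seq 1390155107, ack 4093835399, win 28960, length 0
06:47:44.776250 IP 10.10.10.10.443 > 198.51.100.7.5887: Flags [S.E], seq 521861789, ack 3799908651, win 28960, length 0
06:47:45.100000 IP 198.51.100.9.40000 > 203.0.113.5.443: Flags [S], seq 1000, win 65535, length 0
06:47:45.100400 IP 10.10.10.10.443 > 198.51.100.9.40000: Flags [S.], seq 5000, ack 1001, win 28960, length 0
06:47:45.120000 IP 198.51.100.9.40000 > 203.0.113.5.443: Flags [.], ack 1, win 1024, length 0
""".splitlines()

def stalled_handshakes(lines):
    """Return (client, cport, sport, synack_flags, ack_matches_syn) per stalled flow.

    Flows are keyed by client IP, client port and server port, so a server
    address rewritten by NAT between SYN and SYN-ACK does not split a flow.
    """
    flows = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        flags, sport, dport = m["flags"], int(m["sport"]), int(m["dport"])
        if "S" in flags and "." not in flags:        # client SYN (S, SE, SEW)
            flow = flows.setdefault((m["src"], sport, dport), {})
            flow["syn_seq"] = int(m["seq"]) if m["seq"] else None
        elif "S" in flags:                            # server SYN-ACK (S., S.E)
            flow = flows.setdefault((m["dst"], dport, sport), {})
            flow["synack"] = flags
            syn_seq = flow.get("syn_seq")
            # A SYN-ACK answering the captured SYN acknowledges its seq + 1.
            flow["ack_ok"] = syn_seq is not None and m["ack"] is not None \
                and int(m["ack"]) == syn_seq + 1
        elif "." in flags and "R" not in flags:       # client ACK ends the handshake
            flow = flows.get((m["src"], sport, dport))
            if flow and "synack" in flow:
                flow["done"] = True
    return [(ip, cport, srv, f["synack"], f["ack_ok"])
            for (ip, cport, srv), f in flows.items()
            if "synack" in f and not f.get("done")]

if __name__ == "__main__":
    for row in stalled_handshakes(SAMPLE):
        print(row)
```

A `False` in the last field means the SYN-ACK did not acknowledge a SYN seen in the same capture, as with the port 5887 line above.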
        vjizzle

        This looks like a bug yes. Check: https://redmine.pfsense.org/issues/11805#change-53054

        And the following forum post: https://forum.netgate.com/topic/162924/to-2-5-1-or-not-that-is-the-question/65?_=1618838285034
