Port Forward Doesn't Work With Multi-WAN
-
Hi all,
I'm trying to do a port forward from one of my WAN interfaces (VDSL) to a webserver. I use another WAN connection (4G router) as my main outbound internet access as the speed is a lot better, but maintain the VDSL connection for remote access and, now, running a web service.
But if I set the 4G connection as my default gateway or use a load balanced setup where the WAN connection will roll over to the VDSL connection in the event of packet loss, I can see the initial SYN packet hit my webserver which responds with a SYN ACK (captured this via packet capture on both the web server and using pfSense to capture packets on the VDSL interface), but the initiating machine outside of the network never receives the SYN ACK.
If I disable the 4G interface, everything works fine?
Can anyone allude to what I'm doing wrong? I've had this working on older versions of pfSense. Currently using: 2.5.1-RELEASE (amd64) built on Mon Apr 12 07:50:14 EDT 2021.
-
@ghostlybox
This might be the reason: https://redmine.pfsense.org/issues/11805
-
@viragomann Many thanks, much appreciated... This explains it perfectly. Was going mad for a moment as I was certain it used to work when I've implemented before.
Guess I'm rolling back to 2.5.0 or going with a dev release, which isn't ideal.
-
@ghostlybox You could wait a couple of days for the 2.5.2 release...
-
@Cool_Corona Not gonna lie... I'm impatient and just bumped to 2.6.0a as didn't realize the 2.5.2 release was imminent. But thanks anyway!
But yeah, 2.6.0a working just fine.
-
I upgraded to 2.5.2rc because I needed to fix the issue, but it looks like the patch doesn't fully work.
While it works for TCP connections, for UDP it does not.
For instance, I have a PBX on a DMZ with some port forwards between the WAN and the internal DMZ server.
The PBX (Asterisk based) is able to make a connection to the VoIP carrier, but when an incoming call starts, so the carrier has to open a UDP/RTP channel, the VoIP flow has no audio at all.
-
@sisko212 said in Port Forward Doesn't Work With Multi-WAN:
I upgraded to 2.5.2rc because I needed to fix the issue, but it looks like the patch doesn't fully work.
While it works for TCP connections, for UDP it does not.
Thanks for pointing this out. If confirmed, you saved us a bunch of problems with our production systems.
-
@psp
Yeah, unfortunately the pfSense quality is getting worse and worse with each new release. Netgate is probably ditching it or dedicating more resources to their products, and the CE version is missing out on several things.
-
We haven't seen any failures with UDP in our internal testing of reply-to on 2.5.2-RC. The fix in pf was not specific to TCP, so it's unlikely to be related to whatever problem you're seeing with that PBX.
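The symptom in the opening post (SYN seen on the VDSL WAN, SYN-ACK sent by the server, never reaching the client) and the later question of whether UDP replies behave the same can both be confirmed from captures instead of guessed at. Below is an added example, not code from the thread, pfSense or Netgate: a Python script that merges per-interface tcpdump output and reports any flow whose reply packets leave on a different WAN than the one the request entered on, which is what pf's reply-to is meant to prevent in a multi-WAN setup. The interface names (vdsl0, lte0), the addresses and the capture lines are invented for the example; the script expects tcpdump -nn text with the capture interface name prefixed to each line, and treats lines without TCP flags as UDP.

```python
"""Spot reply traffic that leaves a different WAN than the request entered on.

Added example, not from the thread or from pfSense. Feed it the merged output of
one tcpdump per WAN interface, each line prefixed with that interface's name,
for instance (interface names are assumptions):

    tcpdump -nn -l -i vdsl0 tcp or udp | sed -u 's/^/vdsl0 /'
    tcpdump -nn -l -i lte0  tcp or udp | sed -u 's/^/lte0 /'
"""
import re
import sys
from typing import Dict, List, NamedTuple, Optional

# Constructed sample capture (documentation and CGNAT address ranges, invented
# ports). The first TCP flow is the symptom from the thread: the SYN arrives on
# the VDSL WAN, but the SYN-ACK from the forwarded web server leaves via the 4G
# WAN, still sourced from the VDSL address, so the remote client never sees it.
# The UDP (SIP) flow and the outbound HTTPS flow are symmetric and must not be
# reported.
SAMPLE_CAPTURE = """\
vdsl0 12:00:00.000100 IP 198.51.100.7.51234 > 203.0.113.10.80: Flags [S], seq 1000, win 64240, length 0
lte0  12:00:00.000350 IP 203.0.113.10.80 > 198.51.100.7.51234: Flags [S.], seq 5000, ack 1001, win 65535, length 0
vdsl0 12:00:01.000100 IP 198.51.100.7.51234 > 203.0.113.10.80: Flags [S], seq 1000, win 64240, length 0
lte0  12:00:01.000350 IP 203.0.113.10.80 > 198.51.100.7.51234: Flags [S.], seq 5000, ack 1001, win 65535, length 0
vdsl0 12:00:02.000000 IP 192.0.2.44.5060 > 203.0.113.10.5060: SIP: INVITE sip:100@203.0.113.10 SIP/2.0
vdsl0 12:00:02.000400 IP 203.0.113.10.5060 > 192.0.2.44.5060: SIP: SIP/2.0 100 Trying
lte0  12:00:03.000000 IP 100.64.0.9.40001 > 198.51.100.200.443: Flags [S], seq 7, win 64240, length 0
lte0  12:00:03.020000 IP 198.51.100.200.443 > 100.64.0.9.40001: Flags [S.], seq 3, ack 8, win 65535, length 0
"""

# "<iface> <timestamp> IP <src>.<sport> > <dst>.<dport>: <rest>", the shape
# tcpdump -nn prints for TCP and UDP over IPv4. Non-matching lines (ARP, ICMP,
# IPv6) are skipped.
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+\S+\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)


class Packet(NamedTuple):
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line: str) -> Optional[Packet]:
    """Parse one prefixed tcpdump line. TCP lines carry 'Flags [', anything else is treated as UDP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proto = "tcp" if "Flags [" in m["rest"] else "udp"
    return Packet(m["iface"], proto, m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def find_asymmetric_replies(capture_text: str) -> List[dict]:
    """Return one record per flow whose replies left on a different interface than the flow entered.

    The first packet seen for a 5-tuple defines the flow and the interface it
    entered on; every packet with the reversed 5-tuple is a reply and, with a
    working reply-to, must appear on that same interface. TCP retransmissions
    and UDP streams are counted per flow, not reported again per packet.
    """
    entered_on: Dict[tuple, str] = {}
    reports: Dict[tuple, dict] = {}
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if rev in entered_on:
            if pkt.iface != entered_on[rev]:
                rec = reports.setdefault(rev, {
                    "proto": pkt.proto,
                    "client": f"{pkt.dst}:{pkt.dport}",
                    "service": f"{pkt.src}:{pkt.sport}",
                    "entered_on": entered_on[rev],
                    "replied_on": pkt.iface,
                    "packets": 0,
                })
                rec["packets"] += 1
        elif fwd not in entered_on:
            entered_on[fwd] = pkt.iface
    return list(reports.values())


if __name__ == "__main__":
    # Pass "-" to read merged live captures from stdin; otherwise use the sample.
    text = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_CAPTURE
    for r in find_asymmetric_replies(text):
        print(f"{r['proto']} {r['client']} -> {r['service']}: entered on {r['entered_on']}, "
              f"{r['packets']} reply packet(s) left via {r['replied_on']}")
```

On the sample this prints a single line for the TCP flow: it entered on vdsl0 and two SYN-ACKs (the original and the retransmission) left via lte0, while the SIP exchange and the outbound HTTPS connection are silent. Run against real captures, a report whose entered_on is the VDSL interface and whose replied_on is the 4G interface, with the service side still carrying the VDSL address, is the reply-to failure the thread is about; the same check covers the UDP/RTP case raised later, since the flow key is protocol-agnostic.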