Netgate Discussion Forum

    Upgrade to 2.6.0 causes voip to no longer work and I can't ping the internet

    39 Posts 7 Posters 4.5k Views
    • K
      Keithunder

      Upgrade to 2.6.0 causes voip to no longer work and I can't ping the internet from my PC
      Luckily I have a backup computer with a much older version.
      Why can't I download a 2.5 version which worked?
      Or how can I fix this problem?
      I keep getting these errors in the log; I don't understand what this means:
      Feb 17 15:36:00 sshguard 30068 Now monitoring attacks.
      Feb 17 15:36:00 sshguard 61375 Exiting on signal.

      I am regretting the upgrade. I won't be upgrading in the future, especially as I can't even download the last version I had... I will be stuck on a much older version from 2019.

      • S
        SteveITS Galactic Empire @Keithunder

        @keithunder Netgate doesn't leave old versions up, there are many threads here over the years debating that. Just download it when you update.

        If you install an old version you can set System/Update to upgrade to the prior stable version, so as not to upgrade to the latest. So you can reinstall, change versions, update, then restore your config, and end up on 2.5.2.

        re: sshguard, it looks for failed logins to block those IPs.

        re: no traffic, do you have any limiters? There are a few threads I've skimmed about problems with multiple LAN interfaces and limiters.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        • chpalmerC
          chpalmer @SteveITS

          Always always always have a copy of the OS available and backup from recent times in case you ever have to rebuild..

          I've been bitten as well and it is usually while I'm on a remote site somewhere and can't easily run down to Staples or other supply store for what I need to bring back a router from a bad (insert issue here)..

          Can you ping an IP address through the router? Is it just DNS that seems to be failing?

          Can you ping from the router?

          Triggering snowflakes one by one..
          Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

          • K
            Keithunder @chpalmer

            @chpalmer The DNS is working fine. I had no problem browsing from my PC. I can also ping for example 8.8.8.8 from the pfsense gui. I just can't ping it from my PC and my voip phone won't work.

            Luckily I have a replacement pfsense computer and when I installed it everything went back to normal.

            I am now on 2.5.1 and I won't be updating anytime soon!

            Your backup advice is absolutely spot on .. when we bought the pfsense computer we bought 2 identical models with exactly the same configuration...

            I don't know what I would have done without the backup!

            • chpalmerC
              chpalmer @Keithunder

              @keithunder

              It would be nice to understand what issues were causing your headache there..

              I have VOIP running fine and can ping from my desktop just fine. Just tried it. So something seems to be up with your configuration. I would be curious if you are running any changes or if you kept your LAN rules default..

              Last version should absolutely be kept available to people who run into such problems and need to go back.. at least for a couple of months.

              • K
                Keithunder @chpalmer

                @chpalmer
                These are the Lan rules I haven't changed them for ages :)
                I kind of understand most of them :)
                Not sure they are all necessary.

                | States | Protocol | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description | Actions |
                |---|---|---|---|---|---|---|---|---|---|---|
                | 1 /22.37 MiB | * | * | * | LAN Address | 55555, 22 | * | * | | Anti-Lockout Rule | |
                | 47 /722.98 MiB | IPv4 * | SingleIp | * | * | * | Singleip | none | | off load balance | |
                | 3.625 K/54.06 GiB | IPv4 * | LAN net | * | * | * | LOadbalance | none | | default lan> any | |
                | 0 /0 B | IPv4 UDP | * | * | * | ZeroAccess | * | none | | Log Zeroaccess | |
                | 0 /0 B | IPv4 TCP | Allowed_SMTP | * | * | 25 (SMTP) | * | none | | Allow SMTP | |
                | 0 /0 B | IPv4 TCP | LAN net | * | * | 25 (SMTP) | * | none | | Block SMTP Traffic To Avoid Spamming | |
                | 0 /0 B | IPv4 TCP/UDP | 172.17.17.26 | * | * | 161 (SNMP) | * | none | | Allow SMNP to Cacti | |
                | 0 /0 B | IPv4 TCP/UDP | LAN net | * | * | 161 (SNMP) | * | none | | Block SNMP | |
                | 0 /0 B | IPv4 * | LAN net | * | * | * | * | none | | Default allow LAN to any rule | |
                | 0 /0 B | IPv4 UDP | 172.17.16.238 | * | 172.17.17.254 | 53 (DNS) | * | none | | Easy Rule: Passed from Firewall Log View | |
                https://i.postimg.cc/HW8ctgVT/screenshot-132.png

                • chpalmerC
                  chpalmer @Keithunder

                  @keithunder

                  I don't see any evidence that anything on the LAN is actually using the "allow all" rule. You don't appear to have any rules above that to allow ping.

                  Can you do an actual screen shot of your LAN rules page?

                  • K
                    Keithunder @chpalmer

                    @chpalmer alt text

                    • chpalmerC
                      chpalmer

                      Your first three rules are taking all the traffic..

                      Anything below them has seen no traffic whatsoever since your box was rebooted.
                      Rules are parsed from top to bottom. If you are trying to block something totally it needs to go on top above any allow all type rule.

                      Bottom rule.. are both of those addresses in the same subnet? If so that rule will do nothing for you. If you have two different subnets there then that is passing through your router to get there and legit. Otherwise addresses within the same subnet trying to reach each other never touch the router. And your allow all rule above that rule will trump it anyways.

                      How big is your subnet?

                      • K
                        Keithunder @chpalmer

                        @chpalmer LOL .. I think the bottom rule was dropped there rather than delete it
                        The top two were written by me from an article I read primarily for when we were using 2 internet providers at the same time

                        The bottom line is that these rules are not causing the problem?

                        • chpalmerC
                          chpalmer @Keithunder

                          @keithunder

                          Difficult to say as things seem fairly complicated. Can you move the default "allow all" to the very top and try it again some time? Just drag and drop, then save.

                          I would guess that you do not need any of those other rules at this point. But I'm not there to look what else you have going. But the allow all rule will trump anything below it if at the top.

                          Another thing to consider is that something that was broke and allowed a mistake to work in 2.5 could have been fixed in 2.6 and vice versa.. 2.6 could have an issue with something you had working in the past.

                          That is why I'm being a pain in the ass right now and asking you all these questions to try and make sure that is not the case.. or at least to learn and have some documentation here for others to search later should they run into the same issue you are having with 2.6

                          I started using pfsense pre 1.0 and had to go back and forth a bit until I learned how to make my particular VOIP company work with this router. Now I have about 22 of them out there because I've finally started to understand them at a point that I usually don't have any trouble.. ;)

                          Looking at your LAN page.. what is "SingleIP"? I wonder if that has something causing the issues..

                          • K
                            Keithunder @chpalmer

                            @chpalmer Subnet
                            The subnet mask is 255.255.254.0 and on the LAN the IP addresses are 172.17.16-17.1-254

                            • chpalmerC
                              chpalmer @Keithunder

                              @keithunder said in Upgrade to 2.6.0 causes voip to no longer work and I can't ping the internet:

                              @chpalmer Subnet
                              The subnet mask is 255.255.254.0 and on the LAN the IP addresses are 172.17.16-17.1-254

                              Yeah so my SWAG is correct. You would never need a rule between two devices on your LAN..

                              I use 172.31.125.0/24 here myself as my primary LAN. My VOIP is on another interface and not allowed access to my LAN. Although with my "allow all" rule on my LAN I can reach my VOIP interface when needed.

                              VOIP Interface.

                              Block VOIP LAN
                              Allow VOIP ALL

                              Basically that goes with all my interfaces.. if somehow I get a hacked camera (on their own interfaces as well) that camera can not see my LAN.

                              Cam Interface

                              Block CAM Lan
                              Allow CAM All

                              Make sense? This is good stuff to store in the back of your head in case you need it later.


                              1 Reply Last reply Reply Quote 0
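
Added example, not part of any post in this thread: a small Python model of the two points made above, that rules on an interface are evaluated top to bottom with the first match winning, and that hosts in the same subnet never cross the firewall. It uses only the posted LAN rules whose source and destination are visible (the rules that depend on the SingleIp, ZeroAccess and Allowed_SMTP aliases are left out); the function names, the simplified protocol set and the sample packets in the usage are assumptions made for the illustration.

```python
import ipaddress

ip_net = ipaddress.ip_network
LAN = ip_net("172.17.16.0/23")           # mask 255.255.254.0, as given in the thread
ANY = ip_net("0.0.0.0/0")
ALL = frozenset({"tcp", "udp", "icmp"})  # simplified stand-in for protocol "*"

# (description, protocols, source, destination, destination port; None = any),
# in the order shown on the posted LAN rules page.
RULES = [
    ("default lan> any", ALL, LAN, ANY, None),
    ("Block SMTP Traffic To Avoid Spamming", frozenset({"tcp"}), LAN, ANY, 25),
    ("Allow SMNP to Cacti", frozenset({"tcp", "udp"}), ip_net("172.17.17.26/32"), ANY, 161),
    ("Block SNMP", frozenset({"tcp", "udp"}), LAN, ANY, 161),
    ("Default allow LAN to any rule", ALL, LAN, ANY, None),
    ("Easy Rule: Passed from Firewall Log View", frozenset({"udp"}),
     ip_net("172.17.16.238/32"), ip_net("172.17.17.254/32"), 53),
]

def covers(a, b):
    """True if rule a matches every packet that rule b matches."""
    _, a_proto, a_src, a_dst, a_port = a
    _, b_proto, b_src, b_dst, b_port = b
    return (b_proto <= a_proto and b_src.subnet_of(a_src)
            and b_dst.subnet_of(a_dst) and a_port in (None, b_port))

def first_match(rules, proto, src, dst, port=None):
    """Description of the first rule matching the packet, scanning top to bottom."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for desc, protos, r_src, r_dst, r_port in rules:
        if proto in protos and src in r_src and dst in r_dst and r_port in (None, port):
            return desc
    return None  # no rule matched, so the packet falls to the default deny

def shadowed(rules):
    """Map each rule that can never match to the earlier rule that covers it."""
    out = {}
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                out[rule[0]] = earlier[0]
                break
    return out

def routed(src, dst, network=LAN):
    """False when both hosts sit in the LAN subnet and so never reach the firewall."""
    return not (ipaddress.ip_address(src) in network
                and ipaddress.ip_address(dst) in network)

if __name__ == "__main__":
    for rule, by in shadowed(RULES).items():
        print(f"never matches: {rule!r} (covered by {by!r})")
    print("Easy Rule traffic crosses the firewall:",
          routed("172.17.16.238", "172.17.17.254"))
```

Every rule listed after "default lan> any" is reported as covered by it, which matches the 0 /0 B state counters in the posted table.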
                              • K
                                Keithunder @chpalmer

                                @chpalmer You are not being a pain I am grateful for your responses!
                                Single ip just uses a different gateway group the other one is loadbalance.
                                Currently they are identical .. but they can come in useful for diagnostic purposes .. I can muck about with the 3 different ISPs without affecting anyone else.

                                It may well be something broke that was fixed in the latest version. It would be nice to know what it was.

                                this kept appearing in the system log
                                Feb 17 15:36:00 sshguard 30068 Now monitoring attacks.
                                Feb 17 15:36:00 sshguard 61375 Exiting on signal.

                                I have no idea what this means

                                • chpalmerC
                                  chpalmer @Keithunder

                                  @keithunder

                                  SSH is a terminal (for lack of a better word for it... stop typing now haters) connection. Have you ever used something like Putty to connect to your router? So has the rest of the world if you have port 22 open on the WAN.

                                  My guess is (because I'm not sure) that SSHguard is the security program in place to keep that from happening.. If it is going up and down I wonder if your WAN is not stable.. I need to look at my logs and see if that is common between us..

                                  Just looked and I do not have that in my logs. Keep forgetting I can see my router from this laptop while out and about via a VPN I have active..

                                  That said I do not have that in the last 200 lines of my logs. That is interesting.

                                  • S
                                    SteveITS Galactic Empire @Keithunder

                                    @keithunder said in Upgrade to 2.6.0 causes voip to no longer work and I can't ping the internet:

                                    this kept appearing in the system log
                                    Feb 17 15:36:00 sshguard 30068 Now monitoring attacks.
                                    Feb 17 15:36:00 sshguard 61375 Exiting on signal.

                                    Look at thread https://forum.netgate.com/topic/169923/tons-sshguard-log-entries-and-its-not-enabled

                                    • stephenw10S
                                      stephenw10 Netgate Administrator

                                      The last two versions are available on the download servers still:
                                      https://nyifiles.netgate.com/mirror/downloads/

                                      sshguard monitors the logs for failed login attempts, of any sort not just SSH, and reacts by blocking source IPs after a number of failures.

                                      @keithunder said in Upgrade to 2.6.0 causes voip to no longer work and I can't ping the internet:

                                      this kept appearing in the system log
                                      Feb 17 15:36:00 sshguard 30068 Now monitoring attacks.
                                      Feb 17 15:36:00 sshguard 61375 Exiting on signal.

                                      What you are seeing there is not an error; it's sshguard restarting when the log files rotate, to monitor the new log.

                                      Steve

                                      • K
                                        Keithunder @chpalmer

                                        @chpalmer So either

                                        1. The old version is faulty and the new version fixes the problem, causing my misconfiguration to block ping and voip

                                        OR
                                        2. The new version has a bug and my configuration is unusual and is causing the error.

                                        Assuming it is 1. what rules can I safely ditch on my Lan?
                                        Which of these services can safely go?
                                        alt text

                                        • R
                                          revengineer @Keithunder

                                          @keithunder said in Upgrade to 2.6.0 causes voip to no longer work and I can't ping the internet:

                                          why can't I download a 2.5 version which worked?

                                          2.5.2 is still available. Go to the download page, DO NOT SELECT AN ARCHITECTURE, simply hit download. You end up in a directory that still includes the 2.5.1 and 2.5.2 versions.

                                          • K
                                            Keithunder @revengineer

                                            @revengineer Excellent thank you

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.