No internet after upgrading to 2.7.1-ce from 2.7.0-ce
-
@stephenw10 said in No internet after upgrading to 2.7.1-ce from 2.7.0-ce:
Hmm, hard to see how that could affect traffic on the DOT interface, which I assume is WAN1?
Yeah, it doesn't make sense to me either. WAN1=DOT WAN2=DHK
@stephenw10 said in No internet after upgrading to 2.7.1-ce from 2.7.0-ce:
With WAN2 connected and all the NAT rules enabled is working traffic still using WAN1?
Yeah, as long as the interface is enabled, it doesn't have to be connected.
Also, note both WANs are PPPoE.
-
Ah, is it possible they share the same gateway address? The two PPPoE links I have hit that issue.
-
@stephenw10 Nope, totally different IP prefixes.
I noticed something else. The NAT address changes from DHK addresses to opt1ip when I disable the WAN 2 (DHK) interface; this doesn't happen in CE 2.7.0 or older versions.
-
@coldfire7 Well that sounds awfully suspicious. Does that part of the config file change when you make that change and redownload it?
-
I've had the same experience as you. I posted in the wrong section but the issues are exactly the same.
https://forum.netgate.com/topic/184213/openvpn-client-and-device-routing
-
The only difference is <target></target> vs <target>opt1ip</target>. In CE 2.7.0 it's empty.

```
# 2.7.0
<rule>
  <source>
    <network>lan_v4</network>
  </source>
  <sourceport></sourceport>
  <descr><![CDATA[LAN --> DHK]]></descr>
  <target></target>
  <targetip></targetip>
  <targetip_subnet></targetip_subnet>
  <interface>opt1</interface>
  <poolopts></poolopts>
  <source_hash_key></source_hash_key>
  <ipprotocol>inet</ipprotocol>
  <destination>
    <any></any>
  </destination>
  <created>
    <time>1592833956</time>
    <username><![CDATA[admin@10.0.0.100 (Local Database)]]></username>
  </created>
  <updated>
    <time>1676068535</time>
    <username><![CDATA[admin@10.0.0.100 (Local Database)]]></username>
  </updated>
</rule>

# 2.7.1 (DHK Interface Disabled)
<rule>
  <source>
    <network>lan_v4</network>
  </source>
  <sourceport></sourceport>
  <descr><![CDATA[LAN --> DHK]]></descr>
  <target>opt1ip</target>
  <interface>opt1</interface>
  <poolopts></poolopts>
  <source_hash_key></source_hash_key>
  <ipprotocol>inet</ipprotocol>
  <destination>
    <any></any>
  </destination>
  <created>
    <time>1592833956</time>
    <username><![CDATA[admin@10.0.0.100 (Local Database)]]></username>
  </created>
  <updated>
    <time>1676068535</time>
    <username><![CDATA[admin@10.0.0.100 (Local Database)]]></username>
  </updated>
  <target_subnet></target_subnet>
</rule>

# 2.7.1 (DHK Interface Enabled)
<rule>
  <source>
    <network>lan_v4</network>
  </source>
  <sourceport></sourceport>
  <descr><![CDATA[LAN --> DHK]]></descr>
  <target>opt1ip</target>
  <interface>opt1</interface>
  <poolopts></poolopts>
  <source_hash_key></source_hash_key>
  <ipprotocol>inet</ipprotocol>
  <destination>
    <any></any>
  </destination>
  <created>
    <time>1592833956</time>
    <username><![CDATA[admin@10.0.0.100 (Local Database)]]></username>
  </created>
  <updated>
    <time>1676068535</time>
    <username><![CDATA[admin@10.0.0.100 (Local Database)]]></username>
  </updated>
  <target_subnet></target_subnet>
</rule>
```
-
Hmm, interesting, there was a change to the system aliases available there.
How exactly are you disabling the interface?
-
Do you have any floating rules with all interfaces selected? Match rules for traffic shaping perhaps?
-
Struggling to replicate that here. If I disable a WAN interface then manual OBN rules on it become invalid and the ruleset shows:
# Missing interface 'opt1' for rule 'Test'
Automatic rules are simply not added for it.
OBN rules on the main WAN are still created and function as expected.
The OBN page does show opt1ip the same as you see but it doesn't impact anything.
I do also note the auto OBN rules do not show a translation address in the gui for some reason. But that also doesn't affect function.
-
@coldfire7 said in No internet after upgrading to 2.7.1-ce from 2.7.0-ce:
The only difference is <target></target> vs <target>opt1ip</target>. In CE 2.7.0 it's empty.
So it's <target></target> before you disable the interface? (I guess, I was asking for the difference between enabled/disabled, not 2.7.0 and 2.7.1)
-
It's <target>opt1ip</target> in 2.7.1 whether or not opt1 is enabled. The difference is that when opt1 is disabled opt1ip is not valid. But in my test case the ruleset is still correctly generated. The only quirk is that the gui then shows the system alias. That probably shouldn't happen but it's only in the gui.
-
Ok it appears to be the OBN rules running together: https://redmine.pfsense.org/issues/15024
So here the rules for DHK are commented out when the DHK interface is disabled, but that ends up breaking the following rule, which in each case is the DOT rule.
You should be able to see that in the generated rules.debug file.
-
@stephenw10 said in No internet after upgrading to 2.7.1-ce from 2.7.0-ce:
How exactly are you disabling the interface?
@stephenw10 said in No internet after upgrading to 2.7.1-ce from 2.7.0-ce:
Do you have any floating rules with all interfaces selected? Match rules for traffic shaping perhaps?
Yes, one for stopping outbound RFC1918. While I was troubleshooting yesterday I disabled that rule to see if that was causing the problem.
-
It's that OBN rule bug as shown in the report above. Almost certainly.
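
Added example, not part of the thread and not pfSense project code: a Python check to run against a config.xml backup that lists manual outbound NAT rules bound to a disabled interface (the ones the thread says get commented out in the ruleset) together with the rule that follows each one. The sample config is constructed, and the `<interfaces>`/`<enable>` and `<nat><outbound>` layout around the quoted `<rule>` blocks, like the function name, is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample: rule fields follow the <rule> blocks quoted in the thread;
# the <interfaces>/<enable> and <nat><outbound> wrappers are assumptions.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><enable></enable><descr><![CDATA[DOT]]></descr></wan>
    <lan><enable></enable><descr><![CDATA[LAN]]></descr></lan>
    <opt1><descr><![CDATA[DHK]]></descr></opt1>
  </interfaces>
  <nat><outbound>
    <rule>
      <descr><![CDATA[LAN --> DHK]]></descr>
      <target>opt1ip</target>
      <interface>opt1</interface>
    </rule>
    <rule>
      <descr><![CDATA[LAN --> DOT]]></descr>
      <target></target>
      <interface>wan</interface>
    </rule>
  </outbound></nat>
</pfsense>"""


def rules_on_disabled_interfaces(config_xml):
    """Return outbound NAT rules whose interface is disabled, with the rule after each."""
    root = ET.fromstring(config_xml)
    # Assumption: an interface is enabled only when it carries an <enable> element.
    enabled = {i.tag for i in root.findall("./interfaces/*") if i.find("enable") is not None}
    rules = root.findall("./nat/outbound/rule")
    findings = []
    for idx, rule in enumerate(rules):
        iface = rule.findtext("interface", default="")
        if iface in enabled:
            continue
        following = rules[idx + 1] if idx + 1 < len(rules) else None
        findings.append({
            "rule": rule.findtext("descr", default="").strip(),
            "interface": iface,
            "target": rule.findtext("target", default=""),
            # Per the thread, this is the rule that broke once the one above was commented out.
            "next_rule": following.findtext("descr", default="").strip() if following is not None else None,
        })
    return findings


if __name__ == "__main__":
    for f in rules_on_disabled_interfaces(SAMPLE_CONFIG):
        print(f"{f['rule']!r} on disabled {f['interface']} (target {f['target']!r}); check next rule {f['next_rule']!r}")
```

Any rule it reports is one whose `next_rule` should be compared against the generated rules.debug after the upgrade.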