pfsense CE after update to 2.7.2 wireguard site to site tunnels no longer work
-
I have two pfsense boxes connected. One is pfsense 23.09.1 and one CE at 2.7.2.
A week and a half ago they were both 23.09 and 2.7.1 respectively and I had a wireguard tunnel set between them and it was working perfectly for months. I noticed right after the update that the tunnel seems up but no traffic going and now when I look at my dashboard in fact the tunnel looks up but the gateway is down and showing 100% packet loss. My backup job from my NAS which runs to the backup location (23.09) failed.
Anyone experienced this or is there a fix or something I can look at? Nothing seems different from before the update of both pfsense boxes.
-
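The symptom above ("tunnel looks up but the gateway is down") is typical of a WireGuard peer that has stopped completing handshakes: the interface stays up regardless, and only the per-peer `latest-handshake` timestamp from `wg show <iface> dump` tells you whether the peer is actually alive. The following POSIX sh snippet is an added example, not code from the thread or from the pfSense project; it parses that dump format and lists peers whose last handshake is older than a threshold (or that never handshook). The keys, addresses and timestamps are constructed placeholders, and the interface name `tun_wg0` in the usage comment is assumed to match the pfSense WireGuard package naming.

```shell
#!/bin/sh
# Flag WireGuard peers whose last handshake is older than a threshold.
# Input format is that of `wg show <iface> dump` (wireguard-tools):
#   line 1:  private-key  public-key  listen-port  fwmark
#   line 2+: public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
# latest-handshake is a Unix timestamp; 0 means no handshake has ever completed.

# stale_peers DUMP NOW MAX_AGE
#   DUMP    : text as produced by `wg show <iface> dump`
#   NOW     : current Unix time (pass "$(date +%s)" in real use)
#   MAX_AGE : seconds after which a peer counts as stale
# Prints one line per stale peer: "<public-key> <endpoint> <age-in-seconds|never>"
stale_peers() {
    printf '%s\n' "$1" | awk -v now="$2" -v max="$3" '
        NR == 1 { next }                  # skip the interface line
        NF < 5  { next }                  # ignore blank or short lines
        {
            hs = $5 + 0                   # latest-handshake as a number
            if (hs == 0)             { print $1, $3, "never" }
            else if (now - hs > max) { print $1, $3, now - hs }
        }'
}

# Constructed sample dump (keys and addresses are placeholders, not real values).
# Peer A handshook 30 s before SAMPLE_NOW, peer B 900 s before, peer C never.
SAMPLE_DUMP='PRIVKEY_PLACEHOLDER IFACE_PUBKEY_PLACEHOLDER 51820 off
PEER_A_PUBKEY (none) 203.0.113.10:51820 10.10.0.0/24 1700000000 4096 2048 25
PEER_B_PUBKEY (none) 198.51.100.20:51820 10.20.0.0/24 1699999130 1024 512 25
PEER_C_PUBKEY (none) (none) 10.30.0.0/24 0 0 0 off'
SAMPLE_NOW=1700000030

# On a live pfSense box (interface name assumed):
#   stale_peers "$(wg show tun_wg0 dump)" "$(date +%s)" 180
stale_peers "$SAMPLE_DUMP" "$SAMPLE_NOW" 180
```

With a 25-second persistent keepalive (as in the sample), any peer whose handshake is more than about three minutes old has stopped exchanging traffic even though the tunnel interface still reports up, which matches the dashboard picture described in the post; running this periodically from cron gives an early warning that does not depend on the gateway monitor.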
@alfaro I have two tunnels and on one I have seen similar. The only thing that worked was rebooting those pfSenses. And no problem since.
-
@Bob-Dig
Thank you for the reply. Multiple reboots with no change in behavior to either unit.
-
@alfaro Same thing happened to me on the 2.7.1 update.
Had to recreate the tunnels. Couldn't find another fix.
Weird thing was, 2 tunnels from CE to CE went down, the one tunnel from CE to pf+ still worked. So kinda the opposite of you but I would just rebuild the tunnels instead of wasting time.
-
@Jarhead
Thank you for your reply. So, just erase them and start from scratch? Did you use all the same info? Same secrets/keys? Same IP ranges and ports? Or really just completely different?
-
@alfaro I used all the same info. So copy the keys from both ends and use them to recreate the same tunnel.
Came right back up for me. Also, I have interfaces assigned to all my tunnels and I didn't even have to touch them.
-
@Jarhead said in pfsense CE after update to 2.7.2 wireguard site to site tunnels no longer work:
but I would just rebuild the tunnels instead of wasting time.
I wanted to avoid that so I tried everything else first and the last thing was a reboot. Maybe what I did before and the reboot together fixed it; I don't remember anymore what exactly I did there.
-
I have the same issue here and rebuilding the tunnels did not work (neither did rebooting). I run pfsense 2.7.2 as a virtual machine on proxmox v8 and since yesterday the peers are not connecting to my tunnel. It is very weird, because just one peer works and sometimes 2-3 other peers work temporarily. Until yesterday all worked well (the pfsense was on 2.7.1) and today I had these issues. Upgraded the pfsense to 2.7.2 but it did not solve the problem. Wireguard package is 0.2.1
PS: Packet Capture on the WAN interface shows incoming connections on the wireguard port, but the pfsense just ignores them and does not respond. The requests are dropped and not going through to the wireguard interface at all.
-
@kryzmak I found out that it is not working when I use dynamic endpoint on the failed pfsense
This configuration does NOT work for me anymore:
pfsense 2.7.2 with option "dynamic endpoint" ENABLED <----- pfsense 2.7.0 with option "dynamic endpoint" DISABLED
This configuration does work:
pfsense 2.7.2 with option "dynamic endpoint" DISABLED <----- pfsense 2.7.0 with option "dynamic endpoint" ENABLED
I assume that it has something to do with my setup here (pfsense as a vm on a proxmox 8 host) but I have no clue where to look for misconfiguration. Traffic on wan interface comes in but is not forwarded to the wireguard interface (when serving as a dynamic endpoint). Is there some kernel option missing?
For my static sites that is ok for now. But there are as well a lot of road warriors with non-static IP addresses, so I have to use the pfsense as the dynamic endpoint and cannot switch... Sorry if my description is not understandable (but I hope it is), non-native English speaker here. ;-)
-
@kryzmak Maybe not the best idea to run different versions?
Anyway, I just noticed a problem. I changed one option on a remote pfSense CE (slow VPS) in WireGuard: I disabled "Hide Peers". After this, I couldn't connect to or ping this remote pfSense anymore from my PC. But my local pfSense+ was still pinging the remote gateway and reported everything would be fine. The only thing that helped was rebooting this remote pfSense.
So I have the feeling that WireGuard isn't running that smooth anymore.
-
It seems to be an error specific to my setup here and not related to pfsense/wireguard. I only have this problem at our provider colocation and not at our own locations.