24.03 VTI traffic issues even with floating state patch or workaround rules
-
Having some problems with traffic passing through routed IPsec connections after upgrading one or both sides to 24.03. I have added the workaround floating rule and the advanced settings to the rules on the IPsec interface (have not switched IPsec filter mode yet, as there are lots of VTI interfaces). Everything initially looks to be OK and BGP is working fine. Most traffic also passes as expected (SMB, RDP etc.), but for instance some ODBC connections and printing via a print server to various printers using port 9100 are exhibiting interface-bound state issues. Printing to port 9100, for instance: jobs will queue and can sit there for hours but will eventually print; some will print within minutes of being sent, others take longer. If I revert the default state policy to floating state then all traffic passes as expected.
I've also tried with the new patch ("Automatically use floating states for IPsec rules. After applying, reload the filter or reboot." Redmine #15430) instead of the workaround rule settings, but same result.
-
So the only way I've found so far to have traffic pass the same way it did on 23.09.1 is by changing the default firewall state policy to floating state. Anything else (advanced rules with floating state and a floating rule for the IPsec interface, even floating state set on the LAN interface) and certain network connections fail or time out.
It is potentially just larger packets, although SMB seems to always be fine. Checking different MTU/MSS settings and fragmentation reassembly just in case, but I can ping with large packets unless DF is set, as expected.
-
So, with the default IPsec filter mode, interface-bound states and VTI tunnels, traffic just does not successfully pass through in various cases. This is with either the patch applied or manually adding the floating rule (tried with "any" direction as well) and setting the IPsec interface rules' advanced option to floating state. Changing the default policy to floating state resolves all issues, as does changing the IPsec filter mode and using interface-bound state (not an option though if you have any tunnel mode connections). This has been tested on over 30 Netgate devices now; 2100s, 4100, 4200, 6100 and 7100 all exhibit the same behaviour.
With the patch or manual rules, BGP, SMB and HTTP seem to work fine (without these pretty much everything is broken, as expected), but for instance printing on port 9100 or Proxmox/ESXi storage will time out. It appears that somehow states are not always being tracked correctly and are then filtered.
Will file a bug
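A way to check which of the failing connections are actually getting interface-bound rather than floating states, as an added example that is not from this thread or from pfSense: it parses `pfctl -ss` output (the first column is the interface a state is bound to, or `all` for a floating state) and lists the states on `ipsecNNNN` VTI interfaces for the ports that were timing out. The sample output is constructed.

```python
import re
from typing import Dict, List, Set

# Constructed sample of `pfctl -ss` output (not from the thread). The first
# column is the interface the state is bound to; "all" means a floating state.
SAMPLE_PFCTL_SS = """\
all tcp 10.20.0.5:179 <- 10.20.0.6:53111       ESTABLISHED:ESTABLISHED
ipsec1000 tcp 192.168.50.10:9100 <- 192.168.10.20:41022       ESTABLISHED:ESTABLISHED
ipsec1000 tcp 192.168.50.10:9100 -> 192.168.10.20:41022       ESTABLISHED:ESTABLISHED
all tcp 192.168.50.15:445 <- 192.168.10.20:41030       ESTABLISHED:ESTABLISHED
ipsec1001 tcp 192.168.60.1:3260 <- 192.168.10.30:5120       ESTABLISHED:ESTABLISHED
"""

# One state line: iface proto endpoint [(nat-endpoint)] <-|-> endpoint [(nat-endpoint)] state
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<a>\S+)(?:\s+\(\S+\))?"
    r"\s+(?P<dir><-|->)\s+(?P<b>\S+)(?:\s+\(\S+\))?\s+(?P<state>\S+)\s*$"
)

def _port(endpoint: str) -> int:
    """pfctl prints IPv4 as addr:port and IPv6 as addr[port]; return 0 if no port."""
    if endpoint.endswith("]"):
        return int(endpoint[endpoint.rindex("[") + 1:-1])
    if endpoint.count(":") == 1:
        return int(endpoint.split(":")[1])
    return 0

def parse_states(text: str) -> List[Dict[str, object]]:
    """Parse `pfctl -ss` output; lines that are not state lines are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            states.append({
                "iface": m["iface"], "proto": m["proto"], "dir": m["dir"],
                "a": m["a"], "b": m["b"], "state": m["state"],
                "ports": {_port(m["a"]), _port(m["b"])},
                "floating": m["iface"] == "all",
            })
    return states

def bound_vti_states(states, ports: Set[int], vti_prefix: str = "ipsec"):
    """States for the given ports that are bound to a VTI interface instead of floating."""
    return [s for s in states
            if not s["floating"] and s["iface"].startswith(vti_prefix) and s["ports"] & ports]

if __name__ == "__main__":
    for s in bound_vti_states(parse_states(SAMPLE_PFCTL_SS), {9100, 3260}):
        print(f'{s["iface"]}: {s["proto"]} {s["a"]} {s["dir"]} {s["b"]} ({s["state"]})')
```

Run it against live output with `pfctl -ss` piped in place of the sample; a port that only ever shows up bound to an `ipsec` interface is one the floating-state patch or rule is not covering.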
-
Latest patch has resolved this issue, just in case someone else experiences this issue.
-
@danjeman Hi, I have the same problem: I cannot print over a VTI. Which patch solved the problem for you? I'm on 24.03 and I cannot get it to work with the flow rules.
I could be doing something wrong with the rules, but everything seems to work except printing. I've created floating rules on the IPsec interface and out floating rules on the Floating interface on both sides.
Am I missing something?
-
@dnacom You need System Patches version 2.2.11_15 and then both floating state IPsec patches: Redmine #15430 first, then Redmine #15606.
You then don't need the floating rules or advanced options on rules.
-
@danjeman Thanks for the fast response, I'll try this on my test environment.
Will this mess with the system updates from the WebGUI later, or will the system update normally to the next stable build?
I ask because I have never done an update on pfSense besides the WebGUI updates.
-
@dnacom The next release would usually include the patch. You can either leave the patches installed and upgrade (it will then still show the patch as installed in System Patches), or revert the patches before upgrading and then upgrade as normal.
Hope that makes sense.