Routing over site-to-site IPsec tunnels is broken since early December



  • Routing over site-to-site IPsec tunnels has been broken in snapshots for over a month! It was OK until early November builds (I've got a Nov 9 build running OK) but doesn't work in more recent builds. The tunnel is established, you can ping the remote end directly from the router, but no traffic from the subnet behind the tunnel is actually routed. Please fix it guys!



  • Are you sure it's not a config issue? I was using a mid-December snapshot until this morning (updated) and it's been working fine throughout.

    I have an IPsec tunnel set up and it's routing fine between the endpoints; I can reach the remote LAN from local and reach the local LAN from remote.

    Probably a good idea to describe your config.



  • It works fine for me. I just set up a new box and new install at our datacenter running the 12-28 snapshot last week and upgraded our office from 2.0.2 to the latest snap also.

    Must be a config issue.

    My only issue with 2.1.x is that IPsec mobile clients can't use a different WAN connection over the tunnel, but I have another thread for that.

    Tunnel traffic itself works perfectly fine as far as I can tell for site-to-site and mobile clients.



  • Can you please try with tomorrow snapshots and see if the functionality has been restored?



  • Hi
    I have been testing 2.1 since August. I do upgrades to newer snapshots every ~2 weeks and everything was absolutely fine until December. After the upgrade from the November 9 version to the December ones, IPsec tunnels stopped working properly, so this is not a configuration issue. Maybe something has changed with the automatic upgrade procedure then? I'll try to install the newest snapshot, delete and re-define all tunnels.



  • @ermal:

    Can you please try with tomorrow snapshots and see if the functionality has been restored?

    I did install today's snapshot and made some tests. I even deleted all tunnels and re-created them. No change: tunnels are up but no routes to remote subnets are inserted; traffic is sent to the default gateway, not through the tunnels. Obviously I can add additional routes manually, but this is not the way it should be. Any ideas?

    Best Regards

    Marcin



  • You are talking about policy routing traffic or static routed traffic?

    Adding routes and policy routing are 2 different things.



  • Problem found! And this is a bug for sure!

    I have a dual WAN configuration. If there are any additional firewall rules defined for the LAN side (in my case two rules that send traffic from selected IPs through WAN1 or WAN2), all IPsec routes are ignored and no traffic is sent to the IPsec tunnel anymore! If these LAN rules are disabled and only the default 'pass all through default gateway' is active, IPsec tunnel routing is back to normal. Seems that 2.0.2 suffers from exactly the same bug: http://forum.pfsense.org/index.php/topic,57237.0.html



  • That's how things are supposed to work without the negation workaround we put in place to prevent you from foot shooting. The other linked thread is after upgrade to 2.1, not 2.0.2. 2.1 has changed some in this regard and that needs to be re-evaluated.


  • Rebel Alliance Developer Netgate

    It's sort of a catch-22, none of the options are all that great.

    If you put the negate rules above user rules with quick on, then all internal hosts can reach all hosts on the VPN - many people don't want this.
    If you put the negate rules above user rules with quick off, a block rule or other rule that matches can make them be skipped entirely.
    If you put the negate rules below the user rules with quick on then user rules with a gateway set wouldn't be bypassed.

    Best way is always to use your own negate rules.
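The three placements jimp lists, and the dual-WAN symptom Marcin reported, all come down to pf's matching order: rules are evaluated top to bottom, the last matching rule wins, unless a matching rule carries `quick`, in which case it wins immediately. The toy evaluator below is an added example (not pfSense code and not anything from this thread's posters). It assumes a constructed topology (LAN 192.168.1.0/24, an isolated wifi subnet 192.168.2.0/24, remote IPsec subnet 10.20.0.0/16) and that pfSense user rules are generated with `quick`, which is why a policy-routing rule with a gateway can "steal" tunnel-bound traffic. A rule with no gateway hands the packet to the system routing table, where the tunnel route lives; a rule with a gateway bypasses that table.

```python
"""Toy pf-style rule evaluator (constructed example, not pfSense's rule generator)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed topology (assumption, not from the thread).
LAN = "192.168.1.0/24"     # local LAN
WIFI = "192.168.2.0/24"    # wifi subnet the admin wants isolated
VPN = "10.20.0.0/16"       # subnet behind the site-to-site IPsec tunnel

@dataclass
class Rule:
    name: str
    action: str                    # "pass" or "block"
    src: str = "any"
    dst: str = "any"
    gateway: Optional[str] = None  # None -> system routing table (tunnel route works)
    quick: bool = False            # pf 'quick': first match wins, stop evaluating

@dataclass
class Packet:
    src: str
    dst: str

def _in(net: str, addr: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def winning_rule(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """pf semantics: last matching rule wins unless a matching rule is 'quick'."""
    last = None
    for r in rules:
        if _in(r.src, pkt.src) and _in(r.dst, pkt.dst):
            if r.quick:
                return r
            last = r
    return last

def next_hop(rules: List[Rule], pkt: Packet) -> str:
    """'ROUTING_TABLE' (tunnel route honoured), a gateway name, or 'DROP'."""
    r = winning_rule(rules, pkt)
    if r is None or r.action == "block":
        return "DROP"
    return r.gateway or "ROUTING_TABLE"

def negate(src: str, quick: bool) -> Rule:
    """Stand-in for an auto-generated negate rule: pass to VPN subnet, no gateway."""
    return Rule("auto-negate-vpn", "pass", src, VPN, None, quick)

# Constructed user rules; assumption: pfSense emits user rules with 'quick'.
LAN_POLICY = Rule("user-lan-via-wan1", "pass", LAN, "any", "WAN1", True)      # Marcin's rule
WIFI_BLOCK = Rule("user-wifi-block-private", "block", WIFI, "10.0.0.0/8", None, True)
WIFI_INET = Rule("user-wifi-internet", "pass", WIFI, "any", "WAN1", True)
OWN_NEGATE = Rule("user-lan-to-vpn", "pass", LAN, VPN, None, True)           # jimp's advice

# Per-interface rule lists (LAN interface, WIFI interface) for each placement.
LAYOUTS = {
    "no_negate":            ([LAN_POLICY], [WIFI_BLOCK, WIFI_INET]),
    "negate_above_quick":   ([negate(LAN, True), LAN_POLICY],
                             [negate(WIFI, True), WIFI_BLOCK, WIFI_INET]),
    "negate_above_noquick": ([negate(LAN, False), LAN_POLICY],
                             [negate(WIFI, False), WIFI_BLOCK, WIFI_INET]),
    "negate_below_quick":   ([LAN_POLICY, negate(LAN, True)],
                             [WIFI_BLOCK, WIFI_INET, negate(WIFI, True)]),
    "own_negate":           ([OWN_NEGATE, LAN_POLICY], [WIFI_BLOCK, WIFI_INET]),
}

LAN_TO_VPN = Packet("192.168.1.10", "10.20.0.5")
WIFI_TO_VPN = Packet("192.168.2.10", "10.20.0.5")

def outcome(layout: str) -> Tuple[str, str]:
    """(where LAN->VPN traffic goes, where WIFI->VPN traffic goes) for a layout."""
    lan_rules, wifi_rules = LAYOUTS[layout]
    return next_hop(lan_rules, LAN_TO_VPN), next_hop(wifi_rules, WIFI_TO_VPN)

if __name__ == "__main__":
    for name in LAYOUTS:
        lan_hop, wifi_hop = outcome(name)
        print(f"{name:22s} LAN->VPN: {lan_hop:14s} WIFI->VPN: {wifi_hop}")
```

Reading the output against the thread: `no_negate` reproduces Marcin's symptom (LAN traffic for the remote subnet is policy-routed out WAN1 and never reaches the tunnel); `negate_above_quick` fixes that but also lets the wifi subnet reach the VPN, which is Steve's complaint; `negate_above_noquick` and `negate_below_quick` both let the user's quick rules win, so the negate rule is skipped; `own_negate` is the explicit pass-to-VPN rule jimp recommends, placed above the policy-routing rule, which keeps the tunnel working without opening the wifi subnet.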


  • Netgate Administrator

    @jimp:

    Best way is always to use your own negate rules.

    +1 on that.
    I was in fact relying on my own negate rules (or lack thereof) to isolate my wifi. Suddenly I found my wifi clients could access other subnets. If negate rules are to be added automatically they must show some warning IMHO.

    Steve

    Apologies for this thread hi-jack.  ;)



  • @stephenw10:

    @jimp:

    Best way is always to use your own negate rules.

    +1 on that.
    I was in fact relying on my own negate rules (or lack thereof) to isolate my wifi. Suddenly I found my wifi clients could access other subnets. If negate rules are to be added automatically they must show some warning IMHO.

    Steve

    Apologies for this thread hi-jack.  ;)

    +1 on huge warning labels for all pfSense releases … I've seen numerous posts on this forum somewhat related to this.
    It confuses most users why traffic passes when they haven't made a rule to let it pass, or made an effort with policy routing to prevent it from passing.

    Would it be hard to backport the 'disable negate rules' checkbox to 2.0.3?
    It would save me lots of time ... now I have to isolate every VLAN/VPN manually and spend lots of time whenever I add another one.


  • Rebel Alliance Developer Netgate

    The checkbox is already there on 2.0.2/2.0.3 to disable negate rules.


  • Netgate Administrator

    So it is!
    I had been following that addition but thought it was 2.1 only. Thanks.
    Still it seems a significant change. When were the negate rules introduced? How did I miss that?  ::)

    Steve



  • @stephenw10:

    When were the negate rules introduced? How did I miss that?  ::)

    6-7 years ago IIRC. Long ways back, I believe the original 1.2 release was the first stable release that had them, which was almost 5 years ago.


  • Netgate Administrator

    Ha! Well that explains how I missed it.
    Has their behaviour been changed more recently? When I first went to a dual WAN setup, under 1.2.3, I started experimenting with load-balancing and policy routing. I had to add my own rules to allow access to local subnets using the default gateway, otherwise nothing was accessible. Perhaps I am misunderstanding the purpose of the negate rules, but I thought that's exactly what they did.  :-\ Something seems to have changed between now and then since I no longer need those rules (with negate rules not disabled).

    It's the change of behaviour that worries me. Of course it could be that I was previously mistaken about how things were working.  ::)

    Either way I'm glad to have the check box to disable negate rules. Personally I much prefer to have everything visible, or as much as possible at least.

    Steve

