pfSense 2.1 to 2.1.5 - OpenVPN tunnel up - but cannot pass traffic since upgrade


  • Background: I have had a pfSense 2.1 router running for a while now in a VM - with traffic routed over OpenVPN to a popular provider.

    Wanting to upgrade to the latest version 2.1.5 in readiness for a server upgrade.  Rather than risk my existing setup, I created a clone of my existing VM - did a fresh install of 2.1.5 and restored my config.  I found my LAN routing worked fine, but it was not routing traffic over the VPN as it was before.

    After many, many hours trying to troubleshoot the issue I simply could not pass any traffic over the established OpenVPN tunnel.  Getting nowhere - I did another fresh install and started from scratch step by step, proving I had routing out to the WAN, then setting up the OpenVPN client, and then once that was confirmed and up, attempting to route traffic over it.  Used this great tutorial https://forum.pfsense.org/index.php?topic=76015.0

    But still nothing, a real puzzle - and it's affecting my sleep now !! LOL

    Logs show the VPN is up - getting no errors - and getting the "Initialization Sequence Completed" - get an IP, etc.  If I amend my LAN rule to route through to my WAN all is working fine, but simply route to the VPN and all fails.

    From the pfSense box I can ping the assigned gateway on the other side of the tunnel, yet I cannot ping any other address.

    My old setup still works fine - so I cannot blame my VPN provider.

    I need some help in diagnosing this further - as far as I can tell the only change is the move from pfSense 2.1 to 2.1.5.

    Please help my sanity! :-)

    GC


  • Update: I have now got the OpenVPN working to pass traffic but am still left with my original issue.

    In pfSense 2.1 I used a URL alias and LAN rules, for example, to point traffic to OpenVPN - this has been working fine for over a year.

    Restoring the same config onto 2.1.5, this is not working - it seems to pass to the wrong gateway, not OpenVPN as specified.  I can see this by watching spikes on the traffic graphs.  Changing the rule to a block rule blocks those sites, suggesting the rule is working on the alias correctly - but as a pass rule it does not send to the correct interface.

    Does anyone know of any issues restoring a config from an earlier version?

    Many thanks

    GC


  • Update 2

    Some further progress - purely by chance I unchecked "Skip rules when gateway is down" and I have now got back the behavior expected with LAN policy rules being followed.

    I set this rule so that traffic was NOT sent to the default gateway when the OpenVPN link is down - this worked fine in 2.1 but the behavior here has changed.

    Also, I have a dual OpenVPN setup that was nicely load balanced - in this latest version only one of the VPN links is ever used, with all the connections going out on the one link.

    I am struggling to take this further without some help.  Will revert to previous VM for now.
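The two behaviours GC is relying on in Update 2 (a policy-routing pass rule for a URL alias, and "Skip rules when gateway is down" so that traffic is not sent out the default gateway when the tunnel drops) are easy to get backwards, so here is a small Python model of how that option changes the loaded ruleset. It is an added example, not the poster's configuration or pfSense's own code: the alias contents, gateway names and rule order are constructed, the gateway-down handling follows the option's help text (by default a rule whose gateway is down is kept and falls back to the default route; with the option checked the rule is omitted), and first-match evaluation is assumed because pfSense rules are "quick".

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed: a "URL alias" already resolved to destination addresses (TEST-NET-3).
ALIASES = {"vpn_sites": {"203.0.113.10", "203.0.113.20"}}


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    dst: str                        # alias name or "any"
    gateway: Optional[str] = None   # policy-routing gateway; None = system default route


# Constructed LAN ruleset in the shape the thread describes: policy-route the alias
# through the VPN, block the alias otherwise (kill switch), let everything else out.
LAN_RULES = [
    Rule("pass", "vpn_sites", "OPENVPN"),
    Rule("block", "vpn_sites"),
    Rule("pass", "any"),
]


def loaded_rules(rules, gateway_up, skip_when_down):
    """Model of how a configured rule ends up in the loaded ruleset when its
    policy-routing gateway is down (assumption: mirrors the option's help text).
      skip_when_down=False -> rule kept, gateway replaced by the default route
      skip_when_down=True  -> rule left out of the ruleset entirely
    """
    loaded = []
    for r in rules:
        if r.gateway is not None and not gateway_up.get(r.gateway, False):
            if skip_when_down:
                continue                      # rule never makes it into pf
            loaded.append(replace(r, gateway=None))  # falls back to default gateway
        else:
            loaded.append(r)
    return loaded


def matches(rule, dst_ip):
    """Destination match against an alias name or 'any'."""
    return rule.dst == "any" or dst_ip in ALIASES.get(rule.dst, set())


def egress_for(dst_ip, gateway_up, skip_when_down, rules=LAN_RULES):
    """First matching rule wins (pfSense rules are 'quick'). Returns the gateway
    name, "WAN" for the default route, or "blocked"."""
    for r in loaded_rules(rules, gateway_up, skip_when_down):
        if matches(r, dst_ip):
            if r.action == "block":
                return "blocked"
            return r.gateway or "WAN"
    return "blocked"  # implicit default deny at the end of the ruleset


if __name__ == "__main__":
    for up in (True, False):
        for skip in (False, True):
            gws = {"OPENVPN": up}
            print(f"OPENVPN up={up!s:5} skip_when_down={skip!s:5}: "
                  f"vpn site -> {egress_for('203.0.113.10', gws, skip):7} "
                  f"other -> {egress_for('198.51.100.7', gws, skip)}")
```

With the tunnel up, the alias traffic goes out via OPENVPN either way. With the tunnel down, the option decides what the block rule underneath can do: unchecked, the pass rule is kept with the default gateway and the alias traffic leaks out the WAN; checked, the pass rule is omitted, the block rule catches the alias traffic, and only non-alias destinations still reach the WAN. That is the kill-switch behaviour the poster expected, and the model also shows why a block rule below the policy rule is needed for it, since without it the alias traffic would simply fall through to the catch-all pass.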