Port forwarding headaches
-
Clean install, since the upgrade from 2.1.5 failed with a mountroot issue (there are plenty of other threads about that).
The config was rebuilt by hand. No config file reuse.
I've tried to log packets via related rules, but the firewall log seems to have a problem too (see the thread in the firewall section).
I'm thinking of going back to 2.1.5 since NAT seems to be in trouble in 2.2, but I can try some diagnostics/workarounds before.
-
There is no such issue. Nuke all the broken manual firewall rules you created. Create port forwards in Firewall - NAT - Port Forwarding. Click Apply. Check that Outbound NAT is at Automatic (Outbound tab). Done.
-
That's the way I always did it.
I've deleted and remade those port forwards a number of times to be sure I haven't made a mistake: still nothing.
Even with hybrid or manual outbound rules, it does not work.
Also, my PBX (3CX) uses a STUN server to diagnose firewall port forwards, and sometimes in the same test it just won't connect to the STUN server, BUT the internet is working fine and it can resolve DNS queries.
That's a really weird trouble :S
-
OK, this is clearly related to 2.2.
I have to explain that I run pfSense in a XenServer 6.5 VM.
I stopped the 2.2 and reinstalled a fresh 2.1.5 on another VM WITH THE SAME CONFIG DONE MANUALLY (no backup/restore) and now port forwarding works as expected.
2.2 is installed with xentools, 2.1.5 with no xentools (since not available).
I guess there are two possible things:
1- Xentools giving issues
2- 2.2 having a weird issue with port forwarding
Any idea where to start for diagnostics? I can provide the config file for analysis.
-
Let's think about it.. If 2.2 was having port forwarding issues in general, I would think the boards would be LIT UP like a xmas tree.. I would have thought this would have shown up in beta, RC, etc..
But what I have seen is some weird threads where people are having problems with xen.. My guess is xen..
I can tell you for sure I am running on esxi, and 2.2 was running before the RC, etc.. And I have had zero issues with port forwarding, etc..
To be honest I think there should be a new sticky somewhere: when posting a problem, not only should you state what version you're running, be it i386 or 64, but also clarify whether it is on actual hardware or a VM, and if a VM, what software it is on, etc..
If you would have mentioned xen in your OP, I could have pointed to other threads where users are having odd issues with xen. Here is one that comes fresh to my mind.
https://forum.pfsense.org/index.php?topic=86827.0
-
XenServer 6.2 workaround here: https://forum.pfsense.org/index.php?topic=85797.0
It has zero to do with port forwarding.
-
Perhaps it's a bug
Most of the bugs in pfSense are in the Layer 8 code base. It's pretty complicated stuff. They try and try release after release but they just can't seem to get it right.
Glad you got it working.
-
^ hehehehe yeah I would agree layer 8 is a HUGE problem..
I find layer 8 a huge PITA at work as well, it is a very complicated problem dealing with layer 8.. No matter how clear you try and code the solution - it has problems there..
-
Yeah - My layer 8 has issues to death…
-
But what I have seen is some weird threads where people are having problems with xen.. My guess is xen..
That makes sense for my NAT issue. I probably have other issues since I haven't had enough time to do a complete test.
I probably found the cause in this thread: https://forum.pfsense.org/index.php?topic=85797.0
I'll try to sort that out with the solution in there.
I was testing 2.2 on my VM at home before deploying it at work on a physical machine (Lenovo RS140). Despite the highly probable Xen issue, 2.2 seems to run pretty well.
Will come back with feedback.
-
Got some news.
It is related to xentools and the FreeBSD 10.1 xn NIC.
See:
https://forum.pfsense.org/index.php?topic=85797.0
https://forum.pfsense.org/index.php?topic=86827.0
Credit goes to cmb, phadm and jpenninkhof for the solution.
STEP 1 : in the pfSense web configuration
Disable hardware checksum offloading under System>Advanced, Networking
Checked:
Disable hardware checksum offload
Disable hardware TCP segmentation offload
Disable hardware large receive offload
Goal : disable hardware offload on pfSense
STEP 2 : on the XenServer console
#xe vm-vif-list uuid=VMUUID
#xe vif-param-set uuid=VIFUUID other-config:ethtool-tx="off"
#xe vif-param-set uuid=VIFUUID other-config:ethtool-rx="off"
Goal : obtain the VIF UUIDs of the LAN and WAN of the VM and disable hardware offload
STEP 3 : Reboot the VM and voila!
All works as expected.
This seems to be a temporary solution, I guess.
-
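STEP 2 from the post above, applied to every VIF of a VM in one pass so that neither the LAN nor the WAN interface is missed. This is an added example, not part of the original thread: it assumes it runs on the XenServer host where the `xe` CLI is available, and the function names and the VM UUID argument are illustrative.

```shell
#!/bin/sh
# Added example: apply the STEP 2 settings to every VIF of one VM.
# Assumption: run on the XenServer host; the VM UUID is supplied by the caller.

# Print the VIF UUIDs of a VM, one per line
# (xe --minimal returns them as a comma-separated list).
list_vifs() {
    raw=$(xe vif-list vm-uuid="$1" params=uuid --minimal) || return 1
    printf '%s\n' "$raw" | tr ',' '\n' | sed '/^$/d'
}

# Turn off TX and RX offload for one VIF, then print the stored other-config
# so the operator can confirm both keys are present.
disable_vif_offload() {
    xe vif-param-set uuid="$1" other-config:ethtool-tx="off" || return 1
    xe vif-param-set uuid="$1" other-config:ethtool-rx="off" || return 1
    xe vif-param-get uuid="$1" param-name=other-config
}

# Apply the settings to all VIFs of the VM.
# Fails if no UUID is given, the VM has no VIFs, or any xe call fails.
disable_vm_offload() {
    vm_uuid="$1"
    [ -n "$vm_uuid" ] || { echo "usage: disable_vm_offload VM_UUID" >&2; return 2; }
    vifs=$(list_vifs "$vm_uuid") || return 1
    [ -n "$vifs" ] || { echo "no VIFs found for VM $vm_uuid" >&2; return 1; }
    count=0
    for vif in $vifs; do
        echo "VIF $vif:"
        disable_vif_offload "$vif" || { echo "failed on $vif" >&2; return 1; }
        count=$((count + 1))
    done
    echo "$count VIF(s) updated; reboot the VM as in STEP 3."
}

# Run only when a VM UUID is passed on the command line.
if [ $# -ge 1 ]; then
    disable_vm_offload "$1"
fi
```

STEP 1 (the pfSense-side offload checkboxes) still has to be done in the web configuration; this only covers the XenServer side.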