Upgraded 2.2.1 to 2.2.2 no traffic passing to wan
-
I updated 2.2.1 to 2.2.2. Traffic between the 3 local LANs still flows fine. Pfsense can ping internet sites, but nothing on the lan can talk to anything on the wan anymore! I had done a full backup prior to upgrading & restoring that didn't fix the problem. I have 2 wan connections load balancing. I also have an ipsec tunnel off site. The ipsec tunnel is up and machines on the local lan can talk to the remote lan. Please help! I apologize for typos as I'm being forced to use my phone.
Also, the show states diagnostic page is saying current total state count is 0 & no states were found. Snort has a status of stopped and won't start.
-
0 states means the filter isn't enabled, or maybe isn't loading. Do you have packet filtering disabled under System>Advanced, Firewall/NAT tab? If so, that's why.
-
No, the disable all packet filtering box is not checked.
-
You seeing any filter reload errors in the system log? If you run "pfctl -f /tmp/rules.debug" from a command prompt, what output do you get?
-
The fix was to remove the traffic shaping. Somehow the upgrade made the rules that had been generated by the wizard invalid. pfctl -f /tmp/rules.debug gave the following errors:
bandwidth for qInternet higher than interface
parent qInternet not found for qACK
parent qInternet not found for qP2P
parent qInternet not found for qVoIP
parent qInternet not found for qOthersHigh
parent qInternet not found for qOthersLow
pfctl: Syntax error in config file: pf rules not loaded.We'll see what happens when I re-run the wizard on 2.2.2.
-
That's the reason. Removing the shaper will fix quickly. What's the hardware you're using? Rough guess - Hyper-V?
-
@cmb:
That's the reason. Removing the shaper will fix quickly. What's the hardware you're using? Rough guess - Hyper-V?
No, a C2758 bought from the pfsense store. It's an 8 core Atom, 8GB RAM, SSD.
-
Shouldn't be a problem in that case. I guessed Hyper-V since it's weird about reporting its interface speeds.
Only way I can think of that happening on a C2758 is if you configured the shaper for > 100 Mb on an interface that's running at 100 Mb. Is that possibly the case?
The upgrade wouldn't have changed anything there, it was just pre-reboot you were still running a previous ruleset that loaded without errors, which was gone post-reboot.
-
@cmb:
Shouldn't be a problem in that case. I guessed Hyper-V since it's weird about reporting its interface speeds.
Only way I can think of that happening on a C2758 is if you configured the shaper for > 100 Mb on an interface that's running at 100 Mb. Is that possibly the case?
The upgrade wouldn't have changed anything there, it was just pre-reboot you were still running a previous ruleset that loaded without errors, which was gone post-reboot.
All the interfaces are running at 1Gb & I'm pretty sure the highest I had specified in the shaper was 300Mb. One LAN interface that was in the shaper is unplugged. Maybe that did it? I had specified the minimum bandwidth I wanted available to VoIP on that interface for when I start using it.