4. Upgraded 2.2.1 to 2.2.2 no traffic passing to wan

Upgraded 2.2.1 to 2.2.2 no traffic passing to wan

  • M

    I updated 2.2.1 to 2.2.2. Traffic between the 3 local LANs still flows fine. Pfsense can ping internet sites, but nothing on the lan can talk to anything on the wan anymore! I had done a full backup prior to upgrading & restoring that didn't fix the problem. I have 2 wan connections load balancing. I also have an ipsec tunnel off site. The ipsec tunnel is up and machines on the local lan can talk to the remote lan. Please help! I apologize for typos as I'm being forced to use my phone.

    Also, the show states diagnostic page is saying current total state count is 0 & no states were found. Snort has a status of stopped and won't start.

    0
  • C

    0 states means the filter isn't enabled, or maybe isn't loading. Do you have packet filtering disabled under System>Advanced, Firewall/NAT tab? If so, that's why.

    0
  • M

    No, the disable all packet filtering box is not checked.

    0
  • C

    You seeing any filter reload errors in the system log? If you run "pfctl -f /tmp/rules.debug" from a command prompt, what output do you get?

    0
  • M

    The fix was to remove the traffic shaping. Somehow the upgrade made the rules that had been generated by the wizard invalid. pfctl -f /tmp/rules.debug gave the following errors:

    bandwidth for qInternet higher than interface
    parent qInternet not found for qACK
    parent qInternet not found for qP2P
    parent qInternet not found for qVoIP
    parent qInternet not found for qOthersHigh
    parent qInternet not found for qOthersLow
    pfctl: Syntax error in config file: pf rules not loaded.

    We'll see what happens when I re-run the wizard on 2.2.2.

    0
  • C

    That's the reason. Removing the shaper will fix quickly. What's the hardware you're using? Rough guess - Hyper-V?

    0
  • M

    @cmb:

    That's the reason. Removing the shaper will fix quickly. What's the hardware you're using? Rough guess - Hyper-V?

    No, a C2758 bought from the pfsense store. It's an 8 core Atom, 8GB RAM, SSD.

    0
  • C

    Shouldn't be a problem in that case. I guessed Hyper-V since it's weird about reporting its interface speeds.

    Only way I can think of that happening on a C2758 is if you configured the shaper for > 100 Mb on an interface that's running at 100 Mb. Is that possibly the case?

    The upgrade wouldn't have changed anything there, it was just pre-reboot you were still running a previous ruleset that loaded without errors, which was gone post-reboot.

    0
  • M

    @cmb:

    Shouldn't be a problem in that case. I guessed Hyper-V since it's weird about reporting its interface speeds.

    Only way I can think of that happening on a C2758 is if you configured the shaper for > 100 Mb on an interface that's running at 100 Mb. Is that possibly the case?

    The upgrade wouldn't have changed anything there, it was just pre-reboot you were still running a previous ruleset that loaded without errors, which was gone post-reboot.

    All the interfaces are running at 1Gb & I'm pretty sure the highest I had specified in the shaper was 300Mb. One LAN interface that was in the shaper is unplugged. Maybe that did it? I had specified the minimum bandwidth I wanted available to VoIP on that interface for when I start using it.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy