OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: mircsicz on February 06, 2017, 09:35:50 pm

Title: Upgrade from 16.7.14: IPSEC Traffic showing up on WAN
Post by: mircsicz on February 06, 2017, 09:35:50 pm
As promised to franco here's my posting about the actual issue:

After Upgrading from 16.7.14 to 17.1 and getting the other two bugs out of the way I'm still hit by this one!

I'm running approx. half a dozen APUs, of which I've already upgraded two. Both are working as expected. But then there's one OPNsense installation running as a KVM client, and that machine suffers from the above-mentioned bug. There are 5 S2S tunnels, of which some have 2 or three L2s...

And all the traffic headed towards the machines behind those tunnels is recognized on the WAN interface of the OPNsense. And the only cure to the issue is to allow Class-A traffic and create a firewall rule on the WAN interface that allows traffic from behind the IPsec tunnel to the local network...

(https://snag.gy/kznBuP.jpg)

And just now I realized all my SSH connections are sluggish; I can connect but might be kicked after a few secs!!!

So I'm hoping this gets fixed very soon.
Title: Re: Upgrade from 16.7.14: IPSEC Traffic showing up on WAN
Post by: mircsicz on February 07, 2017, 02:23:03 am
Reply to myself, for documentary reasons; this is the log created during one of those extremely short SSH sessions:

(https://snag.gy/IbyDPr.jpg)

Title: Re: Upgrade from 16.7.14: IPSEC Traffic showing up on WAN
Post by: mircsicz on February 08, 2017, 01:34:57 am
Changing "Firewall > Settings > Advanced > Firewall Optimization" from normal to conservative gave me some ease...
Title: Re: Upgrade from 16.7.14: IPSEC Traffic showing up on WAN
Post by: dragon2611 on February 08, 2017, 05:58:23 pm
I believe there are some issues with the connection tracking code in 17.1 which affect multi-WAN and also IPsec traffic. The devs are aware and are working on it.

There are a few threads around here about it.

https://forum.opnsense.org/index.php?topic=4417.0

https://forum.opnsense.org/index.php?topic=4313.0

https://forum.opnsense.org/index.php?topic=4385.0
Title: Re: Upgrade from 16.7.14: IPSEC Traffic showing up on WAN
Post by: franco on February 09, 2017, 08:39:37 pm
This is the next thing on my list now. Maybe solved in time for 17.1.2.