Upgrade from 16.7.14: IPSEC Traffic showing up on WAN

Started by mircsicz, February 06, 2017, 09:35:50 PM

As promised to franco here's my posting about the actual issue:

After upgrading from 16.7.14 to 17.1 and getting the other two bugs out of the way, I'm still hit by this one!

I'm running approx. half a dozen APUs, of which I've already upgraded two. Both are working as expected. But then there's one OPNsense installation running as a KVM client, and that machine suffers from the above-mentioned bug. There are 5 S2S tunnels, some of which have 2 or 3 L2s...

And all the traffic headed towards the machines behind those tunnels is recognized on the WAN interface of the OPNsense. And the only cure to the issue is to allow Class-A traffic and create a firewall rule on the WAN interface that allows traffic from behind the IPsec tunnel to the local network...



And just now I realized all my SSH connections are sluggish; I can connect but might be kicked after a few seconds!!!

So I'm hoping this gets fixed very soon.

Reply to myself, for documentary reasons, this is the log created during one of those extremely short SSH sessions:




Changing "Firewall > Settings > Advanced > Firewall Optimization" from normal to conservative gave me some ease...

I believe there are some issues with the connection tracking code in 17.1 which affect multi-WAN and also IPsec traffic; the devs are aware and are working on it.

There are a few threads around here about it.

https://forum.opnsense.org/index.php?topic=4417.0

https://forum.opnsense.org/index.php?topic=4313.0

https://forum.opnsense.org/index.php?topic=4385.0

This is the next thing on my list now. Maybe solved in time for 17.1.2.