No access from NGFW to LAN after 16.6.2 upgrade


  • No access from NGFW to LAN after 16.6.2 upgrade

    A few weeks ago, I attempted to upgrade the NGFW at one of my family's homes. I kept running into problems with the LAN being able to go out through the NGFW or the NGFW being able to ping devices on the LAN. First I had to correct the port assignments (noticed the wrong ARP entries on the wrong interfaces). I took packet captures from the NGFW on the LAN interface and saw traffic coming in with only very few packets having a destination address of the LAN. Then after trying to disable any settings that would potentially block traffic between the NGFW and the LAN and still having no success, I would reimage back to 16.5.2, reload my configuration and everything would be working normally again.

    I made multiple attempts this week to upgrade to 16.6.2 over two evenings, all with the same end result. I can access the Internet from the NGFW and can remote into it via the ETM, but there are no communications between the LAN and the NGFW (other than I see packets received on the LAN port, but not going to the LAN from the NGFW). I am assuming that the new Debian upgrade doesn't fully like the two-port NIC that the LAN is connected to.

    I left the system on 16.5.2 a few weeks ago and returned to my home (4 hours away), but in all the upgrades and downgrades, I must have forgotten to disable the automatic upgrades. It upgraded last night and now they are back in the situation with no external access. I have again remotely connected to the NGFW, updated the port assignments, and disabled any settings that would possibly block any traffic, but I am still not able to reach or ping the LAN from the NGFW.

    Any ideas of how I can get access restored remotely since I am 4 hours away?


  • #2
    Read this thread if you haven't already.
    https://forums.edge.arista.com/forum/ng-firewall/networking/396501-support-for-debian-persistent-network-interface-names



    • #3
      So far that only ensured that my External and LAN connections stayed on the same eth* interfaces. After rebooting, I still can't communicate between my LAN and the NGFW. I guess a better description is my NGFW can't communicate with the LAN computers. My hosts show up in the NGFW HOSTS report and I see several attempts of hosts sending requests out to the ISP's DNS, but nothing is going back into my LAN from the NGFW. It feels like traffic is being blocked, even though I have turned off the FW, disabled new Filter Rules for non-trusted SSH, and added new temporary Access Rules to allow LAN-to-ANY and ANY-to-LAN. I still can't access any further than the two NGFW interfaces I currently have configured (External eth2 and LAN eth0).

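Added example (not part of the thread and not Arista's tooling): a shell check for the interface-name drift discussed in the posts above, comparing each interface's current MAC address with a mapping recorded while the firewall was working. The map file format, the function names and the MAC addresses are constructed for illustration.

```shell
# check_iface_map MAPFILE [NET_DIR]
# MAPFILE holds "<ifname> <mac>" lines recorded while the box was working
# (hypothetical format). NET_DIR defaults to /sys/class/net.
# Returns 0 only if every name still carries its recorded MAC.
check_iface_map() {
    map_file=$1
    net_dir=${2:-/sys/class/net}
    status=0
    while read -r name want || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blanks/comments
        want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
        have=""
        if [ -r "$net_dir/$name/address" ]; then
            have=$(tr 'A-F' 'a-f' < "$net_dir/$name/address")
        fi
        if [ "$have" = "$want" ]; then
            echo "OK    $name $have"
            continue
        fi
        status=1
        # Look for the recorded MAC under any other interface name.
        holder=none
        for f in "$net_dir"/*/address; do
            [ -r "$f" ] || continue
            if [ "$(tr 'A-F' 'a-f' < "$f")" = "$want" ]; then
                holder=$(basename "$(dirname "$f")")
            fi
        done
        echo "MOVED $name expected=$want found=${have:-absent} now_on=$holder"
    done < "$map_file"
    return "$status"
}

# Constructed demo: eth0 and eth2 have swapped relative to the recorded map.
demo_constructed() {
    d=$(mktemp -d)
    mkdir -p "$d/net/eth0" "$d/net/eth2"
    echo "02:00:00:00:00:bb" > "$d/net/eth0/address"
    echo "02:00:00:00:00:AA" > "$d/net/eth2/address"
    printf 'eth0 02:00:00:00:00:aa\neth2 02:00:00:00:00:bb\n' > "$d/map"
    rc=0
    check_iface_map "$d/map" "$d/net" || rc=$?
    rm -rf "$d"
    return "$rc"
}
```

Running `check_iface_map` against a map saved before an upgrade shows at a glance whether a kernel change has reassigned the External and LAN names to different physical ports.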


      • #4
        I had the FW rebooted and then instead of booting to Arista GNU/Linux 5.10.0-14-untangle-amd64, I had them select Arista GNU/Linux 4.19.0-11-untangle-amd64. The dashboard still shows 16.6.2, but it did restore access between the LAN and the NGFW and I thought everything was on the mend. But when we tried to access websites, office (Outlook email), the sessions would get reset like a proxy was blocking it, but I can't find anything else in the configuration that would be blocking traffic. I guess I will take the 4-hour trip to reimage back to 16.5.2 if a swap out of the NIC card doesn't fix the issue.



        • #5
          My guess is the best thing to do would be a clean install of 16.2. Then do the .link files. For some reason something is corrupted and not worth troubleshooting from so far away. Remote support might be able to troubleshoot if they were willing.



          • #6
            I wonder if all these problems are a way of getting people to switch off of Untangle. The upgrade was a serious train wreck.



            • #7
              Originally posted by jhelmly:
              when we tried to access websites, office (Outlook email), the sessions would get reset like a proxy was blocking it, but I can't find anything else in the configuration that would be blocking traffic.
              I'm having the same issue since Monday morning. Nothing in the Reports apps shows the outgoing connection as being blocked. I've looked into Shield, Firewall, Network.

              I had to create a Bypass Rule to PASS everything to the destination External interface.

              According to the documentation, Untangle doesn't block outgoing traffic by default, and I've been using my Untangle for years. But since Monday morning, I now need this Bypass rule to be able to have any outgoing traffic to the WAN interface.

              According to the documentation, Bypass rules bypass Apps. But no Apps seem to be blocking the outgoing traffic. Prior to creating the bypass rule, I had turned off every single App and outgoing traffic was still blocked.

              Something is wrong in 16.6.2; there's a hidden App somewhere blocking traffic that doesn't log into the Reports App. I do not have any Filter Rules or NAT Rules. The Firewall App doesn't block the outgoing connection; it even shows as being passed in the Reports app.

              Kernel is 4.19.0.11-untangle-amd64
              [Attached image: bypass.png]
