• Traffic Not Passing to OpenVPN Clients


    To be totally sure you're not getting munged by Windoze effects, you have to turn off the firewall on both ends, the source and the destination.

    Do you have anything else you can use to test?
    The web page of a printer on one side or the other is often a good choice for a test.

    Can you log in to the 10.50.1.1 pfSense from the 10.50.0.0 side?
    May be worth a ping test from 10.50.1.1 to 10.50.0.71 just to prove you have traffic flow in both directions.

    Other than that, I would be looking for something else blocking traffic after pfSense.

  • OpenVPN, CARP and DNS.


    Hi,

    Just wanted to report back that your advice was correct, and when I checked my actual config, I had done all that. It was in fact fine.

    My problem was situational… in that my connection is PPPoE, so when I send FW1 for a reboot during testing, I have to wait until that PPPoE is established on FW2, the CARP VIPs are transferred to FW2 and eventually the VPN connection comes back up. The issue was that FW1 rebooted so fast that it caused a flip-flop effect whereby it takes the CARP Master roles back... but the PPPoE WAN connection is still up on FW2 until I reboot it.

    I have now tested that this all works with a full shutdown of one node (and someone on site to power it back up :) ) and vice versa.

    Interestingly, the VPNs all stay up despite FW2 now having the backup CARP role for the VPN VIP. This may be due to the fact that I connect with "other" -> "ovpn.domain.com" in my client exports, and that resolves anywhere with an applicable DNS lookup to the CARP VPN VIP (an alias on the WAN). Seems this is nice and versatile.

    If you have any suggestion for how to handle an automatic failback (although doing it manually is ok)... whereby the PPPoE gets dropped from FW2 back to FW1 if it comes back up, I'd love to hear about that.

    Also, I'll raise a separate topic for this if I can't get it to work, but is there an easy way of assigning a static IP to an OpenVPN client? Obviously not in the main network range, but just making sure it gets the same IP every time it connects in, without creating a ton of different servers. I've read a bit about doing this but wondered if there was a nice way through the web GUI... most other methods are detailed file edits in the underlying FreeBSD system?

    On 2.2.4 on both nodes now.

    Thanks.

  • Rule Created, where? when?

    chpalmer

    And still-

    2/ Do you have any rules on the OpenVPN tab?

    Then go to Status / OpenVPN and post what's there.

    Go to Status / System Logs / OpenVPN and post what is there.

  • OpenVPN Doesn't work from some devices.


    Yeah, the only problems I've ever had are when you don't run as administrator. That's a big one.

  • Openvpn notifications

  • OpenVPN IPv6

    jimp

    It's not 100% clear what you mean. Do you mean your client is connecting by domain name and it's taking an IPv6 path around the VPN?

    Preferring IPv4 over IPv6 is a setting that must be enacted on the client. If a client gets an AAAA DNS response and it has IPv6 connectivity, it will take that path.

    So you have three choices:

    1. Connect by IPv4 address, not hostname
    2. Change the DNS such that it does not provide the client with AAAA query results for the target server (or all servers)
    3. Find/change the client preference to prefer IPv4 over IPv6

  • Specify only traffic on specific ports goes through VPN


    So I think it might be working…. I did a packet capture on the Lan interface and I see traffic between source IP and destination IPs (not the VPN one though) and I did a packet capture on the VPN interface and I see traffic between the VPN and destination IPs... Which makes me think it is working, but maybe like I intend for it to be working...

  • LDAP AD authentication - usernameprincipal instead of samaccountname

  • Ensuring getting same IP for a client


    Unless it's already used. :P Make sure you create a big enough "pool", limit the number of connections as needed and use IPs from the end of the available range for this "static" assignment…

  • Can the ISP see what you're doing on the web with OPENVPN?


    @Supermule:

    Don't expect anything to be safe. Look who created TOR. And ask yourself that question again…

    Since people may not understand the reference that Brian is making here:

    Quoting wikipedia:

    The Tor Project, Inc. is a Massachusetts-based 501(c)(3) research-education nonprofit organization founded by computer scientists Roger Dingledine, Nick Mathewson and five others.

    Onion routing was developed in the mid-1990s at the U.S. Naval Research Laboratory by employees Paul Syverson, Michael Reed, and David Goldschlag to protect U.S. intelligence communications online. It was further developed by the Defense Advanced Research Projects Agency (DARPA) and patented by the Navy in 1998.

    The actual network that people refer to as Tor belongs to the people who furnish the nodes used by it.

    Tor was not invented to provide anonymity against a well-funded aggressor, such as the US Government. It was created to enable dissidents in areas governed by relatively unsophisticated entities to communicate securely between themselves and with the outside world. Measured against its original goal, Tor is a success. But the script kiddies decided that they had found a better VPN, and the ability to spend money (such that some large percentage of Tor nodes is under the control of a single entity) trumps the architecture of Tor.

    Tor is safe enough if you're a journalist in a third-world country. It was never intended as a defensive measure against the likes of the NSA / CIA / ...

  • Radius + OpenVPN + Umlauts


    Hi jimp,

    Sorry for my long-delayed answer. It doesn't work in diagnostics either.

    Authentication Failed.

    If I change the password from 1234Jklö to 1234Qwer it works as suggested.

  • Stop squid proxy sending traffic via OpenVPN


    Squid will send through the default gateway (whatever it is).

  • PfSense openVPN not assigning default gateway to clients

    ivor

    @doktornotor:

    3 most common sources of pfSense troubles:

    1. Squid and related proxy junk
    2. bridging
    3. PEBKAC

    ::) ::) ::)

    /thread

  • OpenVPN client weirdness once again


    On second thought: suppose Squid had still been there, in transparent mode, shouldn't it then still be logged?

    Or is this the case: the firewall doesn't bother with anything at all if Squid is installed?

    Because if that is true then that is a "less optimal design and implementation" "a feature". But if it is not true and if the firewall still monitors that traffic via Squid too, then it can log it too.

    ???

  • Assigned Interface - Could not find IPv4 gateway


    @heper:

    set the interface type to "none" (you don't fill in IPv4/6 info on the interface page)

    @got0:

    The interface is only enabled, nothing more. For the rules, I use aliases for the 'interface net' and 'interface address' now.

    No such thing needed for useless logspam - https://redmine.pfsense.org/issues/4102

  • OpenVPN with smartcard login


    I found this on the web, Nitrokey:

    User authentication on local computers (e.g. Windows, Linux) and networks (e.g. Firefox, OpenSSH, OpenVPN, IPsec, OpenID).

  • Openvpn testing script

  • Can connect into OpenVPN Server, but all traffic (LAN/WAN) is dead

  • How to revoke a deleted certificate afterwards?


    @ulla5000:

    I've taken the .p12 file, converted it to B64 PEM and imported the cert again.
    Is there a (another) recommended way to handle that?

    I don't think so.

    @ulla5000:

    I've taken the .p12 file, converted it to B64 PEM and imported the cert again.

    Create a new CA and issue new certs… ?  ::) :(

  • Can ping but can't connect to any VPN client service


    What version of pfSense are you running?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.