Netgate Discussion Forum

    2 routes with same destination ... is it possible?

    Category: Routing and Multi WAN
    12 posts, 2 posters, 1.1k views
    M0L50N:

      I have 2 OpenVPN site-to-site tunnels between 2 sites; we will call them Tunnel-Data and Tunnel-Phone.

      For now, IP phone and data traffic from site B to site A passes through Tunnel-Data. I tried to isolate the IP phone traffic on a VLAN and have that VLAN pass through Tunnel-Phone, without success.

      Site A - OpenVPN server
      IP Phone Network 192.168.11.0/24

      Site B - OpenVPN client
      IP Phone Network 192.168.12.0/24, because I can't have 2 networks 192.168.11.0 at each end of the tunnel. (If you have an idea about that, please tell me.)

      Site B, with only Tunnel-Data, already has a route to 192.168.11.0. When I bring Tunnel-Phone up, OpenVPN can't create another route to 192.168.11.0 with the gateway of Tunnel-Phone, because that route already exists, pointing to the gateway of Tunnel-Data.

      Maybe I'm on the wrong path... can you help me please? During the transition, I'd like to have access to 192.168.11.0 through 2 tunnels... is it possible?

      Thanks!

      viragomann @M0L50N:

        @m0l50n said in 2 routes with same destination ... is it possible?:

        Site B - OpenVPN client
        IP Phone Network 192.168.12.0/24, because I can't have 2 networks 192.168.11.0 at each end of the tunnel. (If you have an idea about that, please tell me.)

        Is there any issue with that? Any need to have all IP phones from both sites in one L2?

        Site B, with only Tunnel-Data, already has a route to 192.168.11.0

        Why?
        Since you want to route that traffic through Tunnel-Phone, remove that route and add it to the Tunnel-Phone configuration.

        So at site B you should have 192.168.11.0/24 in the "IPv4 Remote networks" and at site A you should have 192.168.12.0/24.

        M0L50N @viragomann:

          @viragomann Last night I tried that; I could not delete the Tunnel-Data route because some VLAN switch problem wasn't resolved for some IP phones. That's why I was searching for a way to have these 2 routes. Like you said, removing the route from Tunnel-Data will probably resolve my problem.

          Thanks for your answer. Can I ask you some questions related to that? You seem to know networking and pfSense well.

          Is it possible to have 2 routes targeting the same destination, with different gateways? If not, what is the workaround?

          Another one: Is it a good idea to isolate IP phone traffic on its own tunnel, or will this not change anything? Am I better off leaving all traffic on the same tunnel and just separating it with VLANs?

          Are VLAN tags passed through an OpenVPN tunnel? At the other end, is the packet still tagged?

          I'm doing all of these modifications because all my sites connected to the same OpenVPN server have sporadic packet loss... causing some lag with RDP and IP phones through the tunnel. I continuously ping sites B, C and D from site A and I noticed that when I have 1 or 2 pings timed out, that's synchronized on all 3 sites. On site A, I have another OpenVPN tunnel server (less used) for my SIEM, and during the ping timeouts with the tunnels to sites B, C and D, there are no timeouts on that tunnel?!?! Do you think too many clients on the same OpenVPN server can cause this? Memory is always at 90-92% on my pfSense server; can that be the problem?

          Sorry to bombard you with questions like that, but I've been working on that problem for 1-2 months and I can't figure out how to exactly resolve it... By the way, my internet at site A is 250 Mbps fiber and really stable; I constantly ping 8.8.8.8 and get no timeouts at all!

          Thanks!

          viragomann @M0L50N:

            @m0l50n
            It's not clear what exactly you intend to achieve with that.
            Two VPN tunnels between two locations only make sense if at least one of these locations has multiple WAN connections. Then you can configure the tunnels on different WANs and they are able to fail over if one WAN goes down.

            But if you intend to give the IP phone connections higher priority, you'd better do some kind of traffic shaping.

            Is it possible to have 2 routes targeting the same destination, with different gateways? If not, what is the workaround?

            Not in such a way. How should pfSense decide which route to use?
            The only option is to configure a gateway group. You can add multiple gateways to it, give them different priorities and set a failover trigger.

            However, if you want to direct certain devices to a specific gateway, pfSense provides the policy routing function.

            Is it a good idea to isolate IP phone traffic on its own tunnel

            I can't think of any advantage of this.

            Are VLAN tags passed through an OpenVPN tunnel? At the other end, is the packet still tagged?

            No. VLAN tags only exist on layer 2. Routing to another site is based on L3.
            If you have a VLAN inside your network, it is terminated on the pfSense interface.
            However, there is absolutely no need for that at all anyway.

            I continuously ping sites B, C and D from site A and I noticed that when I have 1 or 2 pings

            You're pinging through the tunnel, I guess? Does it work if you ping the external IP?

            Do you think too many clients on the same OpenVPN server can cause this?

            If it's a low-power system and the VPN traffic is high, this could be an issue.
            Each OpenVPN tunnel uses one thread and can only run on one core. If you only have two cores and multiple tunnels with high concurrent throughput, it is imaginable that the CPU cannot handle all the traffic.

            Maybe you can find some hint in the logs?

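The routing answer above, as an added example that is not code from the thread or from pfSense: a small Python model of a destination-only forwarding table, showing why a second route to 192.168.11.0/24 via a different tunnel is rejected, and how a policy-routing rule keyed on the source network lets the phone VLAN use Tunnel-Phone while everything else keeps following the Tunnel-Data route. The gateway group alternative is not modelled. The tunnel names and the 192.168.11.0/24 and 192.168.12.0/24 prefixes come from the thread; the site B data network 192.168.20.0/24 used in the usage example is an assumption.

```python
"""Added example, not code from the thread or from pfSense: a model of why a
destination-only forwarding table cannot hold two routes to 192.168.11.0/24 via
different tunnels, and how policy routing on the source network lets both tunnels
stay usable. Gateway names are the tunnel names from the thread; the site B data
network 192.168.20.0/24 is an assumption made for this example."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass
class Fib:
    """Destination-based forwarding table with longest-prefix match."""
    routes: Dict[Net, str] = field(default_factory=dict)  # prefix -> gateway

    def add(self, prefix: str, gateway: str) -> None:
        net = Net(prefix)
        if net in self.routes and self.routes[net] != gateway:
            # Same prefix, different next hop: the kernel rejects the second entry
            # (EEXIST). This is the failure the first post describes when
            # Tunnel-Phone comes up while Tunnel-Data already owns the route.
            raise ValueError(f"route to {net} already exists via {self.routes[net]}")
        self.routes[net] = gateway

    def lookup(self, dst: str) -> Optional[str]:
        addr = Addr(dst)
        best: Optional[Tuple[Net, str]] = None
        for net, gw in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        return best[1] if best else None


@dataclass
class PolicyRouter:
    """pf-style policy routing: rules keyed on (source, destination) are evaluated
    first, in order; packets matching no rule fall through to the FIB."""
    fib: Fib
    rules: List[Tuple[Net, Net, str]] = field(default_factory=list)

    def add_rule(self, src: str, dst: str, gateway: str) -> None:
        self.rules.append((Net(src), Net(dst), gateway))

    def next_hop(self, src: str, dst: str) -> Optional[str]:
        s, d = Addr(src), Addr(dst)
        for src_net, dst_net, gw in self.rules:
            if s in src_net and d in dst_net:
                return gw
        return self.fib.lookup(dst)


def duplicate_route_is_rejected() -> bool:
    """Reproduces the conflict from the first post."""
    fib = Fib()
    fib.add("192.168.11.0/24", "Tunnel-Data")        # pushed by the data tunnel
    try:
        fib.add("192.168.11.0/24", "Tunnel-Phone")   # phone tunnel tries the same prefix
    except ValueError:
        return True
    return False


def build_site_b() -> PolicyRouter:
    """Site B during the transition: the FIB keeps the Tunnel-Data route, and one
    policy rule steers only the phone VLAN (192.168.12.0/24) to Tunnel-Phone."""
    fib = Fib()
    fib.add("192.168.11.0/24", "Tunnel-Data")
    router = PolicyRouter(fib)
    router.add_rule("192.168.12.0/24", "192.168.11.0/24", "Tunnel-Phone")
    return router


if __name__ == "__main__":
    print("duplicate route rejected:", duplicate_route_is_rejected())
    site_b = build_site_b()
    for src in ("192.168.12.10", "192.168.20.10"):   # phone VLAN host, data host (assumed)
        print(src, "-> 192.168.11.5 via", site_b.next_hop(src, "192.168.11.5"))
```

On pfSense the policy rule corresponds to a firewall rule on the phone VLAN interface whose Gateway option is set to the Tunnel-Phone gateway; the model evaluates rules first-match, as pf does, and only consults the FIB for traffic no rule claims.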
            M0L50N:

              I agree with you that it's not clear!!! :)

              Yes, I ping through the tunnel and I ping the external IP at the same time... pings time out through all tunnels at the same time, and the external IP and 8.8.8.8 don't time out.

              You said perhaps the hardware can be the cause; that's what I thought too, but I don't know how to determine if the problem is there. If yes, I will buy a more powerful one, maybe a Netgate 7100, but I have to be sure!

              On that main pfSense, I have:

              • 1 OpenVPN server with 4 site tunnels; the pfSense OpenVPN clients are always connected to it to access Active Directory, shared data, RDP and an SQL server for an accounting application (about 8-10 users always using these tunnels)
              • 1 OpenVPN server with 1 client connected for my SIEM
              • 1 OpenVPN server for mobile clients working from home (approximately 15 connections all the time)
              • 1 OpenVPN server for mobile IT staff: 1 user: ME!!!
              • 1 OpenVPN server I added recently so mobile users can access the phone system through VPN on their mobile phones; for now only 1-2 users

              Check my resource utilization:
              [screenshot: pfsense info.JPG]

              The more I'm digging, the more I think that's the problem. I'm testing traffic shaping in the lab, but I don't think that will resolve all my problems... I've got instability in the tunnels!!! Even if I prioritize IP phone packets, they must pass through the VPN!!! QoS or traffic shaping is at layer 3, right? You told me that through the VPN it's only layer 2... then I don't think I will resolve all my problems with that!

              By the way, I checked the logs and nothing special.

              Thanks for your suggestions!... that's really appreciated!

              viragomann @M0L50N:

                @m0l50n said in 2 routes with same destination ... is it possible?:

                Yes, I ping through the tunnel and I ping the external IP at the same time... pings time out through all tunnels at the same time, and the external IP and 8.8.8.8 don't time out.

                I was talking about the external IP of the remote VPN endpoint. So you also catch dropouts of the remote uplink.

                On that main pfSense, I have:
                1 OpenVPN server with 4 site tunnels; the pfSense OpenVPN clients are always connected to it to access Active Directory, shared data, RDP and an SQL server for an accounting application (about 8-10 users always using these tunnels)
                1 OpenVPN server with 1 client connected for my SIEM
                1 OpenVPN server for mobile clients working from home (approximately 15 connections all the time)
                1 OpenVPN server for mobile IT staff: 1 user: ME!!!
                1 OpenVPN server I added recently so mobile users can access the phone system through VPN on their mobile phones; for now only 1-2 users

                It depends primarily on the sum of the traffic, and especially on the VPN traffic.
                Without any traffic, each VPN connection only needs some memory. But this is also lacking on your system.

                Check my resource utilization:

                Your system is swapping quite heavily. That might be a performance issue in itself. You should check what's using so much memory. Run

                top -o res -a
                

                to get a list of the processes with the highest memory usage on top.
                A handful of OpenVPN connections should not eat up 4 GB of memory. Do you run some packages like Squid?

                Also, I would reboot the device first; it's been up for 100 days already.
                Then watch the swap level.
                Normally pfSense should not swap.

                M0L50N @viragomann:

                  @viragomann said in 2 routes with same destination ... is it possible?:

                  top -o res -a

                  [screenshot of Diagnostics > Command Prompt; only the header of the output is visible]

                  Shell Output - top -o res -a
                  last pid: 20239; load averages: 0.19, 0.36, 0.36 up 101+01:07:43 22:46:54
                  52 processes: 1 running, 51 sleeping
                  CPU: 1.1% user, 0.4% nice, 3.4% system, 0.0% interrupt, 95.0% idle
                  Mem: 56M Active, 8852K Inact, 3022M Laundry, 509M Wired, 133M Buf, 305M Free
                  Swap: 1527M Total, 615M Used, 912M Free, 40% Inuse

                  viragomann @M0L50N:

                    @m0l50n

                    That is missing the processes. I was expecting a table like this:

                    last pid: 84815;  load averages:  0.52,  0.33,  0.27  up 1+10:44:26    09:43:00
                    59 processes:  1 running, 58 sleeping
                    
                    Mem: 27M Active, 175M Inact, 620M Wired, 40M Buf, 1115M Free
                    ARC: 134M Total, 46M MFU, 84M MRU, 32K Anon, 793K Header, 3796K Other
                         84M Compressed, 211M Uncompressed, 2.53:1 Ratio
                    Swap: 2048M Total, 2048M Free
                    
                    
                      PID USERNAME     THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
                      456 root           1  52    0    99M 42904K accept  1   0:59   0.00% php-fpm: pool nginx (php-fpm)
                    14049 root           1  52    0    99M 42592K accept  1   0:42   0.00% php-fpm: pool nginx (php-fpm)
                    70515 unbound        2  20    0 66248K 42020K kqread  1   0:02   0.00% /usr/local/sbin/unbound -c /var/unbound/unbound.conf
                      455 root           1  39    0    99M 41120K piperd  0   0:45   0.00% php-fpm: pool nginx (php-fpm)
                    84891 root           1  52    0 95156K 38280K accept  1   0:43   0.00% php-fpm: pool nginx (php-fpm)
                    39420 root           1  20    0 51908K 36984K nanslp  0   0:08   0.00% /usr/local/bin/php -f /usr/local/pkg/pfblockerng/pfblockerng.inc dnsbl
                      454 root           1  20    0 94896K 25416K kqread  0   0:10   0.00% php-fpm: master process (/usr/local/lib/php-fpm.conf) (php-fpm)
                    77791 dhcpd          1  20    0 16460K 12220K select  1   0:03   0.00% /usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid vtnet1 vtnet2.112
                    40088 root           1  20    0 23680K 10088K kqread  1   0:04   0.00% nginx: worker process (nginx)
                    39925 root           1  20    0 23680K  9096K kqread  1   0:02   0.00% nginx: worker process (nginx)
                    56729 root           1  20    0 14456K  8768K select  0   0:00   0.00% /usr/local/sbin/mpd5 -b -k -d /var/etc -f mpd_wan.conf -p /var/run/pppoe_wan.pid -s ppp pppoeclient
                    81166 root           1  52    0 21632K  7920K kqread  0   0:00   0.00% nginx: worker process (nginx)
                    81509 root           1  52    0 21632K  7920K kqread  0   0:00   0.00% nginx: worker process (nginx)
                    81274 root           1  52    0 21632K  7920K kqread  0   0:00   0.00% nginx: worker process (nginx)
                    81502 root           1  52    0 21632K  7920K kqread  0   0:00   0.00% nginx: worker process (nginx)
                    80890 root           1  52    0 21632K  7920K kqread  0   0:00   0.00% nginx: worker process (nginx)
                    81752 root           1  52    0 21632K  7916K kqread  1   0:00   0.00% nginx: worker process (nginx)
                    

                    Please copy the text from the output frame and paste it into a code frame here.

                    M0L50N @viragomann:

                      @viragomann
                      Thanks for your advice. I reset the pfSense and it's really better. No swapping, memory usage at 13%, CPU approx. 15% and disk usage about 5%. I don't understand why I didn't think to reboot!!!

                      Now resources are normal... but my ping timeout problem still continues!

                      I don't run packages like Squid.

                      I don't know if that will tell you something, but I see in my system logs a lot of "syslogd - sendto: No buffer space available"

                      I googled that problem and someone talked about this command:

                      netstat -s | grep buffer
                      

                      Check the result:
                      8206 dropped due to full socket buffers
                      0 messages dropped due to full socket buffers

                      Is it a clue?

                      M0L50N:

                        @viragomann

                        Here's the result from the command top -o res -a after the reboot:

                        last pid: 54633;  load averages:  0.61,  0.47,  0.38  up 3+09:23:11    08:33:15
                        50 processes:  1 running, 49 sleeping
                        CPU:  0.9% user,  0.3% nice,  2.5% system,  0.0% interrupt, 96.2% idle
                        Mem: 38M Active, 239M Inact, 466M Wired, 100M Buf, 3157M Free
                        Swap: 1527M Total, 1527M Free
                        

                        Now resources are normal... but my ping timeout problem still continues!

                        In one of your answers, you told me you didn't see any advantage to isolating IP phone traffic in a specific tunnel. How can I diagnose the reason why I get ping timeouts only for clients connected to the same OpenVPN server? Like I said, the pfSense at site A has 4 OpenVPN servers: 2 for mobile OpenVPN, 1 for the SIEM and 1 main OpenVPN server where the 4 sites are connected... this one gets some timeouts with all clients at the same time!?!?!?

                        Do you agree with me that traffic shaping won't help anymore if the tunnels drop some packets?

                        Thanks for giving me some hints... I don't know where to look anymore!

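The two top headers posted in this thread (before and after the reboot) read as an added example, not code from the thread or from pfSense: a small Python parser for the Mem: and Swap: lines of FreeBSD top(1) as pfSense prints them, returning the figures the swapping question turns on (swap in use, the Laundry queue, free memory, uptime). The 5% swap-in-use threshold is an assumption.

```python
"""Added example, not code from the thread or from pfSense: parse the header that
FreeBSD top(1) prints on pfSense and decide whether the box is swapping. The two
headers below are the ones posted in the thread (before and after the reboot);
the 5% swap-in-use threshold is an assumption."""
import re
from typing import Dict

BEFORE_REBOOT = """\
last pid: 20239; load averages: 0.19, 0.36, 0.36 up 101+01:07:43 22:46:54
52 processes: 1 running, 51 sleeping
CPU: 1.1% user, 0.4% nice, 3.4% system, 0.0% interrupt, 95.0% idle
Mem: 56M Active, 8852K Inact, 3022M Laundry, 509M Wired, 133M Buf, 305M Free
Swap: 1527M Total, 615M Used, 912M Free, 40% Inuse
"""

AFTER_REBOOT = """\
last pid: 54633;  load averages:  0.61,  0.47,  0.38  up 3+09:23:11    08:33:15
50 processes:  1 running, 49 sleeping
CPU:  0.9% user,  0.3% nice,  2.5% system,  0.0% interrupt, 96.2% idle
Mem: 38M Active, 239M Inact, 466M Wired, 100M Buf, 3157M Free
Swap: 1527M Total, 1527M Free
"""

_UNIT = {"K": 1 << 10, "M": 1 << 20, "G": 1 << 30}
_FIELD = re.compile(r"(\d+)([KMG])\s+([A-Za-z]+)")   # e.g. "3022M Laundry"
_UPTIME = re.compile(r"\bup (\d+)\+")                 # "up 101+01:07:43" -> 101 days


def _fields(prefix: str, text: str) -> Dict[str, int]:
    """Return {name: bytes} for the first line starting with prefix ("Mem:"/"Swap:")."""
    for line in text.splitlines():
        if line.startswith(prefix):
            return {name: int(n) * _UNIT[u] for n, u, name in _FIELD.findall(line)}
    return {}


def parse_top_header(text: str) -> Dict[str, object]:
    m = _UPTIME.search(text)
    return {
        "uptime_days": int(m.group(1)) if m else 0,
        "mem": _fields("Mem:", text),
        "swap": _fields("Swap:", text),
    }


def memory_verdict(text: str, swap_pct_threshold: float = 5.0) -> Dict[str, object]:
    """Summarise the header. 'Used' is absent from the Swap line when nothing is
    swapped out, and 'Laundry' is absent when no dirty pages are queued."""
    h = parse_top_header(text)
    swap, mem = h["swap"], h["mem"]
    total, used = swap.get("Total", 0), swap.get("Used", 0)
    pct = 100.0 * used / total if total else 0.0
    mib = 1 << 20
    return {
        "uptime_days": h["uptime_days"],
        "swap_used_pct": round(pct, 1),
        "laundry_mib": mem.get("Laundry", 0) // mib,
        "free_mib": mem.get("Free", 0) // mib,
        "swapping": pct > swap_pct_threshold,
    }


if __name__ == "__main__":
    for label, text in (("before reboot", BEFORE_REBOOT), ("after reboot", AFTER_REBOOT)):
        print(label, memory_verdict(text))
```

The Laundry figure is worth watching alongside swap: on FreeBSD it is the queue of dirty pages that have to be written out before they can be freed, so 3022M of Laundry next to 305M Free is consistent with the heavy swapping viragomann pointed out, and both numbers disappear from the post-reboot header.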
                        viragomann @M0L50N:

                          @m0l50n said in 2 routes with same destination ... is it possible?:

                          I don't know if that will tell you something, but I see in my system logs a lot of "syslogd - sendto: No buffer space available"

                          syslog? Are you logging to an external syslog server? Possibly its network is too slow or something is flooding it.

                          You can run "netstat -x" to get detailed information on the socket buffers of your connections.

                          Here's the result from the command top -o res -a after the reboot:

                          last pid: 54633; load averages: 0.61, 0.47, 0.38 up 3+09:23:11 08:33:15
                          50 processes: 1 running, 49 sleeping
                          CPU: 0.9% user, 0.3% nice, 2.5% system, 0.0% interrupt, 96.2% idle
                          Mem: 38M Active, 239M Inact, 466M Wired, 100M Buf, 3157M Free
                          Swap: 1527M Total, 1527M Free

                          Now resources are normal... but my ping timeout problem still continues!

                          In the meantime I upgraded my first installation to 2.5.2 and realized that this version doesn't show the individual process values anymore. But they are displayed in the console.
                          Anyway, since it doesn't swap anymore and there is enough free memory, there is no need to know.

                          M0L50N @viragomann:

                            @viragomann said in 2 routes with same destination ... is it possible?:

                            netstat -x

                            Yes, I'm logging to an external syslog server, and I export NetFlow too with softflowd targeting the same external server. In my system logs I always get some errors like these:
                            softflowd 738 Unable to export flows
                            syslogd - sendto: No buffer space available
                            Do you think the problem is related to the target external syslog server? Can it cause problems for my OpenVPN server to my sites?

                            Here's what netstat -x gives me:

                            Shell Output - netstat -x
                            Active Internet connections
                            Proto Recv-Q Send-Q Local Address          Foreign Address        R-MBUF S-MBUF R-CLUS S-CLUS R-HIWA S-HIWA R-LOWA S-LOWA R-BCNT S-BCNT R-BMAX S-BMAX   rexmt persist    keep    2msl  delack rcvtime
                            tcp4       0      0 Pfsense-SiteA.https      192.168.1.99.49271          0      0      0      0  65700  65700      1   2048      0      0 525600 525600    0.00    0.00 7150.54    0.00    0.00    0.35
                            udp4       0      0 192.168.254.1.27723    192.168.254.2.2055          0      0      0      0  42080  57344      1   2048      0      0 336640 458752
                            udp4       0      0 192.168.254.1.37894    192.168.254.2.2055          0      0      0      0  42080  57344      1   2048      0      0 336640 458752
                            udp4       0      0 Pfsense-SiteA.syslog     *.*                         0      0      0      0      0  57344      0   2048      0      0      0 458752
                            udp4       0      0 Pfsense-SiteA.snmp       *.*                         0      0      0      0  42080  57344      1   2048      0      0 336640 458752
                            

                            I don't know how to interpret that result.

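The netstat -x table and the netstat -s buffer counters posted in this thread, read by an added example that is not code from the thread or from pfSense: a Python parser for the socket table that relates each socket's Recv-Q/Send-Q to its R-HIWA/S-HIWA high-water mark and flags any socket whose queue is close to full, plus a parser for the "grep buffer" counter lines. The table rows are the ones from the thread; the one extra row marked CONSTRUCTED is invented so the flagging path is exercised, and the 80% threshold is an assumption.

```python
"""Added example, not code from the thread or from pfSense: parse the netstat -x
socket table and the netstat -s buffer counters posted above, and flag sockets
whose queue is close to its high-water mark. The table rows are the ones from
the thread; the extra row marked CONSTRUCTED is invented to show a flagged socket."""
import re
from typing import Dict, List

NETSTAT_X = """\
Active Internet connections
Proto Recv-Q Send-Q Local Address          Foreign Address        R-MBUF S-MBUF R-CLUS S-CLUS R-HIWA S-HIWA R-LOWA S-LOWA R-BCNT S-BCNT R-BMAX S-BMAX   rexmt persist    keep    2msl  delack rcvtime
tcp4       0      0 Pfsense-SiteA.https      192.168.1.99.49271          0      0      0      0  65700  65700      1   2048      0      0 525600 525600    0.00    0.00 7150.54    0.00    0.00    0.35
udp4       0      0 192.168.254.1.27723    192.168.254.2.2055          0      0      0      0  42080  57344      1   2048      0      0 336640 458752
udp4       0      0 192.168.254.1.37894    192.168.254.2.2055          0      0      0      0  42080  57344      1   2048      0      0 336640 458752
udp4       0      0 Pfsense-SiteA.syslog     *.*                         0      0      0      0      0  57344      0   2048      0      0      0 458752
udp4       0      0 Pfsense-SiteA.snmp       *.*                         0      0      0      0  42080  57344      1   2048      0      0 336640 458752
"""

# CONSTRUCTED: a softflowd export socket with 55000 bytes queued for sending.
CONGESTED_ROW = "udp4       0  55000 192.168.254.1.27723    192.168.254.2.2055          0      0      0      0  42080  57344      1   2048      0      0 336640 458752"

NETSTAT_S_BUFFER = """\
        8206 dropped due to full socket buffers
        0 messages dropped due to full socket buffers
"""

# Names of the 12 integer counters that follow "Foreign Address" in netstat -x.
COUNTERS = ["R-MBUF", "S-MBUF", "R-CLUS", "S-CLUS", "R-HIWA", "S-HIWA",
            "R-LOWA", "S-LOWA", "R-BCNT", "S-BCNT", "R-BMAX", "S-BMAX"]


def parse_netstat_x(text: str) -> List[Dict[str, object]]:
    socks: List[Dict[str, object]] = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 + len(COUNTERS) or not t[0].startswith(("tcp", "udp")):
            continue   # title and header lines, or truncated rows
        s: Dict[str, object] = {"proto": t[0], "recvq": int(t[1]), "sendq": int(t[2]),
                                "local": t[3], "foreign": t[4]}
        s.update(zip(COUNTERS, (int(x) for x in t[5:5 + len(COUNTERS)])))
        socks.append(s)   # TCP rows carry extra timer columns; they are ignored
    return socks


def fill_ratio(s: Dict[str, object]) -> Dict[str, float]:
    """Queued bytes relative to the socket buffer high-water mark (R-HIWA/S-HIWA)."""
    r_hiwa, s_hiwa = int(s["R-HIWA"]), int(s["S-HIWA"])
    return {"recv": int(s["recvq"]) / r_hiwa if r_hiwa else 0.0,
            "send": int(s["sendq"]) / s_hiwa if s_hiwa else 0.0}


def congested_sockets(socks: List[Dict[str, object]], threshold: float = 0.8) -> List[str]:
    """local->foreign labels of sockets with a queue at or above the threshold."""
    return [f"{s['local']}->{s['foreign']}" for s in socks
            if max(fill_ratio(s).values()) >= threshold]


def parse_buffer_counters(text: str) -> Dict[str, int]:
    """'netstat -s | grep buffer' lines -> {description: count}."""
    out: Dict[str, int] = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.+?)\s*$", line)
        if m:
            out[m.group(2)] = int(m.group(1))
    return out


if __name__ == "__main__":
    snapshot = parse_netstat_x(NETSTAT_X)
    print(len(snapshot), "sockets, congested:", congested_sockets(snapshot))
    print("with constructed row:", congested_sockets(parse_netstat_x(NETSTAT_X + CONGESTED_ROW)))
    print(parse_buffer_counters(NETSTAT_S_BUFFER))
```

Two caveats when reading the result. netstat -x is a point-in-time snapshot: in the posted table every Recv-Q and Send-Q is 0, so nothing was backed up at that instant, which does not rule out bursts of full queues between snapshots. And the "dropped due to full socket buffers" counter in the UDP statistics counts datagrams received for a local socket whose receive buffer was full, while the "No buffer space available" error is ENOBUFS from sendto(2), which FreeBSD also returns when the outgoing interface's output queue is full or the kernel cannot allocate an mbuf; the two are not the same condition, so a rising ENOBUFS count with empty socket queues points at the interface or mbuf side rather than the socket buffers.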
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.