
    PFsense and Work Citrix Gateway

    General pfSense Questions
BravoBravo1

Hello everyone, I've used PFsense on and off for a few years and in small deployments, so I am not entirely new to the platform but, at times, a novice user.

      Recently I deployed PFsense at my home so I can gain more experience with it.
      My setup is a repurposed Sophos unit with PFsense installed on it.

      With nearly a stock configuration (aside from adding a few DNS entries for my DNS resolver), the setup is stock.
      My work uses Citrix Gateway and for some reason, upon establishing the VPN connection between my work laptop and their infrastructure, the VPN drops within a few minutes.

      I have no extra rules and I'm using PFsense in a factory setting.
      Looking at my work laptop, I was able to review a bit of the logging on the VPN Client and I see a few things post-VPN connection that are errors.

      One of them is LaunchDTLSHandShake | 7056| Didn't receive proper response from Vserver. Most probably, DTLS tunnel is not supported. Terminating DTLS creation.
      I've looked at the firewall logs to see if anything jumps out but there is not much help there.

      From what I understand, inside to outside connections should be allowed easily with factory settings, so I'm not entirely sure why this isn't working.

If I take PFsense out of the picture and hook up my TP Link wireless router, all works fine for days on end.

If I remove the TP Link and put back PFsense, the connection will never stay established for longer than a minute or two.

      Any suggestions on how I can identify or tackle this to figure it out?

      Thank you!

stephenw10, Netgate Administrator

        The biggest difference between stock pfSense and most other SOHO devices is that pfSense randomises the source port of outgoing connections for security. Most applications have no problems with this but some older protocols and things that struggle with NAT (games consoles!) can be broken by that.
        To workaround it you can add an outbound NAT rule that matches only the traffic in question and specifically has static source ports set.

        I would guess that's the issue.

        https://docs.netgate.com/pfsense/en/latest/nat/outbound.html#static-port

        Steve

BravoBravo1 @stephenw10

@stephenw10 said in PFsense and Work Citrix Gateway:

          Thank you for your response, it's something for me to go on and look into.

          I appreciate the suggestion :-)

gzesku @BravoBravo1

            @bravobravo1
            Have you managed to create a stable connection with citrix using pfsense? :)

johnpoz, LAYER 8 Global Moderator @stephenw10

              @stephenw10 said in PFsense and Work Citrix Gateway:

              The biggest difference between stock pfSense and most other SOHO devices is that pfSense randomises the source port

I don't think that is true, to be honest. Which SOHO routers have you seen that do that? I don't recall that ever being the case. They all use NAPT, which changes the source port. Static port NAT can be problematic if you have multiple clients.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

stephenw10, Netgate Administrator

                Yes, I'm not sure where that snippet of info came from!
                You sure do see a lot of things that can be made to work by setting a fixed source port like that though. So I would still try that.

johnpoz, LAYER 8 Global Moderator @stephenw10

@stephenw10 I missed the part where this is inside a DTLS tunnel.

But I can almost promise you the TP Link is using NAPT, unless it has something set up for DTLS VPN passthrough, which I find unlikely. What port is being used for the DTLS tunnel? There really isn't a set standard port.

But setting static port sure isn't going to break anything worse than it is ;)

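Steve's suggested workaround (an outbound NAT rule with Static Port) and johnpoz's question about which UDP port the DTLS tunnel actually uses both come down to one check: did pfSense rewrite the laptop's UDP source port on the way out, and on which port? The script below is an added example for this thread, not code from Netgate or from any of the posters. It parses the state table as printed by `pfctl -ss` from the pfSense shell and reports, per UDP flow from a LAN host to a given destination port, whether the WAN-side source port equals the LAN-side one. The state-line layout it assumes (translated WAN tuple, original LAN tuple in parentheses, then the destination) is what pf prints for an outbound NAT state; the addresses, the laptop at 192.168.1.50, the gateway at 198.51.100.10, and the use of UDP 443 for DTLS are all constructed assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example for this thread, not code from Netgate or the forum posters.
# It checks, from `pfctl -ss` output, whether pfSense rewrote the UDP source
# port of a LAN host's flows to a given destination port. A "rewritten" line
# is the randomised source port Steve describes; "static" is what you expect
# after an outbound NAT rule with Static Port enabled.
#
# Assumed pf state-line layout for an outbound NAT state (translated WAN
# tuple first, then the original LAN tuple in parentheses):
#   all udp 203.0.113.5:31337 (192.168.1.50:54321) -> 198.51.100.10:443   MULTIPLE:MULTIPLE

# Constructed sample output (documentation address ranges, not a real capture):
# 192.168.1.50 is the "work laptop", 198.51.100.10 the "Citrix Gateway",
# 203.0.113.5 the pfSense WAN address. UDP 443 for DTLS is only an assumption;
# use whatever port a packet capture shows.
SAMPLE_STATES='all udp 203.0.113.5:31337 (192.168.1.50:54321) -> 198.51.100.10:443       MULTIPLE:MULTIPLE
all udp 203.0.113.5:54321 (192.168.1.50:54321) -> 198.51.100.10:443       MULTIPLE:MULTIPLE
all tcp 203.0.113.5:60010 (192.168.1.50:60010) -> 198.51.100.10:443       ESTABLISHED:ESTABLISHED
all udp 203.0.113.5:40000 (192.168.1.77:40000) -> 192.0.2.9:53       MULTIPLE:MULTIPLE'

# check_static_port LAN_HOST DST_PORT STATES
# Prints one line per UDP flow from LAN_HOST to DST_PORT, tagged "static" when
# the WAN source port equals the LAN source port and "rewritten" otherwise.
# Exit status 0 only if at least one flow matched and none were rewritten.
check_static_port() {
  lan_host=$1; dst_port=$2; states=$3
  matched=0; rewritten=0
  # here-doc instead of a pipe so the counters survive the loop (no subshell)
  while read -r _scope proto xlat orig arrow dst _rest; do
    [ "$proto" = udp ] || continue
    [ "$arrow" = '->' ] || continue              # outbound NAT states only
    case $orig in \(*\)) ;; *) continue ;; esac  # need the "(lan:port)" field
    orig=${orig#\(}; orig=${orig%\)}
    [ "${orig%:*}" = "$lan_host" ] || continue
    [ "${dst##*:}" = "$dst_port" ] || continue
    matched=$((matched + 1))
    if [ "${xlat##*:}" = "${orig##*:}" ]; then
      printf 'static    %s -> %s (seen on WAN as %s)\n' "$orig" "$dst" "$xlat"
    else
      printf 'rewritten %s -> %s (seen on WAN as %s)\n' "$orig" "$dst" "$xlat"
      rewritten=$((rewritten + 1))
    fi
  done <<EOF
$states
EOF
  [ "$matched" -gt 0 ] && [ "$rewritten" -eq 0 ]
}

# Stand-alone demo on the constructed sample. On a real box replace the last
# argument with "$(pfctl -ss)" and the host/port with your own.
if check_static_port 192.168.1.50 443 "$SAMPLE_STATES"; then
  echo "all matching flows keep their source port (static port in effect)"
else
  echo "some flows are rewritten: add an outbound NAT rule with Static Port for this host/port"
fi
```

To find the DTLS port first, capture the laptop's UDP traffic on the WAN side while the client connects (for example `tcpdump -ni <wan_if> udp and host 192.168.1.50` from the pfSense shell, or Diagnostics > Packet Capture), then feed that port and the laptop's address to `check_static_port` with live `pfctl -ss` output. If it reports rewritten flows, the rule from Steve's link is: Firewall > NAT > Outbound, switch to Hybrid Outbound NAT, and add a rule above the automatic ones with Source = the laptop's LAN address, Destination = the gateway's address, Protocol = UDP on that port, and Static Port checked. Scoping it to one source host and one destination keeps johnpoz's multiple-client caveat out of play: only that laptop's DTLS flow gives up source-port randomisation, and everything else keeps it.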
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.