pfsense openvpn won't connect from certain cable providers ?
-
@SteveITS said in pfsense openvpn won't connect from certain cable providers ?:
The packet capture suggested above will show you if the packets are even arriving on port 1194
Dirt cheap packet analyzer :
When connecting your OenVPN client, have a look at your pfSense OpenVPN server firewall rule on the WAN interface :
If traffic reached pfSense, you'll see the traffic counter going upwards.
-
@Gertjan
thank you that helps more on what you are saying. Since the new pfsense connects fine with certain internet providers and locations but not with a few others its showing a number. I am going to try to port next. Since when I try to connect with certain isp's it doesn't show anything at all with the logs. I appreciate everyone's help so far. I will keep you in the loop. -
So I followed these instructions https://www.youtube.com/watch?v=gnJgbwZGB8M](https://www.youtube.com/watch?v=gnJgbwZGB8M) tried in the 3000 range doesn't seem to work with the new pfsense, but the old one still works fine. Not sure what I am missing.
Since it works fine with the old pfsense in the 3000 range and doesn't work fine with the new one in the 3000 range I'm thinking its gotta be a setting for the new one in the 3000 range.
Also I went with Protocol "TCP IPV4 and IPV6 on all interfaces(multihome) "
-
Not sure if this is relevant but some carriers are now using Carrier Grade Network Address Translation (CGNAT) since the IPv4 pool is technically out of addresses. This setup by your provider effectively blocks you from hosting local servers like game, web, VPN etc. Usually when this is the case they'll make you buy a public facing static IP. You may check with your ISP and see if they recently implemented CGNAT.
-
still nothing, it seems to only be with any armstrong cable connection driving me absolutely nuts.
-
After making changes are you suppose to restart or reboot anything in pfsense?
Also this is basically all the settings correct ? vpn_openvpn_server.php?act=edit&id=1 there isn't another page anywhere is there?
(I had everything exactly the same set exactly as the old pfsense machine and still didn't work on the new, however it worked on the old one.)
-
I can say it has nothing to do with that. Because I can connect from a bunch of other networks with the new pfsense machine. Just anyone who has Armstrong cable it will not go through.
-
@pfchangs77 said in pfsense openvpn won't connect from certain cable providers ?:
Because I can connect from a bunch of other networks with the new pfsense machine. Just anyone who has Armstrong cable it will not go through.
You could change the used port, and check if that works.
If there is an "Internet supplier" that blocks this port, 1194 UDP, for incoming (to the client) traffic or outgoing traffic, then they will be out of business very fast.
-
thank you, I did already change the port to the same port number as the old pfsense and it didn't work on the new but worked on the old.
-
Just to be sure : your pfSense WAN IP is a RFC1918 ? If so, don't forget to NAT the upstream ISP router also.
-
you mean in /interfaces.php?if=wan ??
Block private networks and loopback addresses ?
on the old which works everywhere its unchecked. On the new one it is checked. I think I will try that one next.
-
@pfchangs77 said in pfsense openvpn won't connect from certain cable providers ?:
Block private networks and loopback addresses ?
Block ?
I didn't say : "block".My config :
I have a WAN interface :
as you can see, my IPv4 WAN IP is 192.168.10.4, that's a RFC1918. This isn't an IPv4 that my ISP gace me, it came from the upstream ISP router, 30 cm below the my pfSense.
This means I have to add a firewall WAN rule for every incoming connection.
Here are my pfSense WAN rules :
This also means I have to add a NAT rule in my ISP router :
One for UDP port 1194 to the IPv4 WAN (192.168.10.4) to pfSense, port 1194
One for UDP port 1195 to the IPv4 WAN (192.168.10.4) to pfSense, port 1195But again, this applies only if you have an RFC1918, and you can NAT the upstream ISP router device.
No "help me" PM's please. Use the forum, the community will thank you.
Edit : and where are the logs ?? -
thank you. I will surely look into this. I can only reboot every so often since they are currently using it. I will let you know.
-
Nope, none of that. Also I unchecked "Block private networks and loopback addresses" none of that either. I didn't reboot anything either.
-
Here is a connection log of the old pfsense machine which works fine everywhere. Which I thought was setup exactly the same as the new one. Not sure what I am missing with the new pfsense. Whenever i try to connect with the new one. Just nothing seems to go through armstrong cable.
{Nov 15 17:14:15 openvpn 54016 XXX.XXX.XXX.XXX:9257 peer info: IV_VER=3.git::081bfebe:RelWithDebInfo
Nov 15 17:14:15 openvpn 54016 XXX.XXX.XXX.XXX:9257 peer info: IV_PLAT=android
Nov 15 17:14:15 openvpn 54016 XXX.XXX.XXX.XXX:9257 peer info: IV_NCP=2
Nov 15 17:14:15 openvpn 54016 XXX.XXX.XXX.XXX:9257 peer info: IV_TCPNL=1
Nov 15 17:14:15 openvpn 54016 XXX.XXX.XXX.XXX:9257 peer info: IV_PROTO=30
Nov 15 17:14:15 openvpn 54016 XXX.XXX.XXX.XXX:9257 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:BF-CBC
Nov 15 17:14:15 openvpn 54016 XXX.XXX.XXX.XXX:9257 peer info: IV_LZO_STUB=1
Nov 15 17:14:15 openvpn 54016 XXX.XXX.XXX.XXX:9257 peer info: IV_COMP_STUB=1
Nov 15 17:14:15 openvpn 54016 XXX.XXX.XXX.XXX:9257 peer info: IV_COMP_STUBv2=1
Nov 15 17:14:15 openvpn 54016 XXX.XXX.XXX.XXX:9257 peer info: IV_GUI_VER=net.openvpn.connect.android_3.3.4-9290
Nov 15 17:14:15 openvpn 54016 XXX.XXX.XXX.XXX:9257 peer info: IV_SSO=webauth,openurl,crtext
Nov 15 17:14:15 openvpn 54016 XXX.XXX.XXX.XXX:9257 peer info: IV_BS64DL=1
Nov 15 17:14:15 openvpn 54016 XXX.XXX.XXX.XXX:9257 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
Nov 15 17:14:15 openvpn 54016 XXX.XXX.XXX.XXX:9257 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #6 / time = (1700086453) 2023-11-15 17:14:13 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Nov 15 17:14:15 openvpn 54016 XXX.XXX.XXX.XXX:9257 TLS Error: incoming packet authentication failed from [AF_INET]XXX.XXX.XXX.XXX:9257
Nov 15 17:14:15 openvpn 54016 XXX.XXX.XXX.XXX:9257 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #7 / time = (1700086453) 2023-11-15 17:14:13 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Nov 15 17:14:15 openvpn 54016 XXX.XXX.XXX.XXX:9257 TLS Error: incoming packet authentication failed from [AF_INET]XXX.XXX.XXX.XXX:9257
Nov 15 17:14:15 openvpn 54016 XXX.XXX.XXX.XXX:9257 [userxxxxx] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:9257
Nov 15 17:14:15 openvpn 29325 user 'userxxxxx' authenticated
Nov 15 17:14:15 openvpn 54016 userxxxxx/XXX.XXX.XXX.XXX:9257 MULTI_sva: pool returned IPv4=193.168.2.14, IPv6=(Not enabled)
Nov 15 17:14:15 openvpn 29742 openvpn server 'ovpns1' user 'userxxxxx' address 'XXX.XXX.XXX.XXX' - connected
Nov 15 17:14:20 openvpn 31622 openvpn server 'ovpns1' user 'userxxxxx' address 'XXX.XXX.XXX.XXX' - disconnected} -
Any thoughts on the modem going bad? (Armstrong swears by it that everything is just like every other company. However they are the only one that will not connect.)
-
@Gertjan said in pfsense openvpn won't connect from certain cable providers ?:
This means I have to add a firewall WAN rule for every incoming connection.
Your not wanting to say you have to remove the rfc1918 block are you? Even if pfsense as rfc1918 wan, ie behind a nat. That block rfc1918 rule only blocks source of rfc1918.. It wouldn't stop some traffic that is coming from say 1.2.3.4 hitting your isp router, that you port forward to your pfsense wan. Unless your isp device was doing source natting and making that traffic look like it came from its rfc1918 address.
The block rfc1918 rule on the wan only needs to be removed when the "source" of the traffic would be rfc1918, it doesn't block traffic if the source is public and your pfsense wan is rfc1918. Ie pfsense behind some upstream nat router.
BTW - your pass rules, why are you using dest "this firewall" this would include all pfsense IPs, for stuff like openvpn this should really only be your pfsense wan address..
-
Thank you, I was just trying other settings thought maybe I missed something. I am just trying everything I possibly can to get this working. Any thoughts on the modem going bad? (Armstrong swears by it that everything is just like every other company. However they are the only one that will not connect.)
-
@pfchangs77 if your having an issue with someone connecting, to any service really on pfsense. First thing I would do is a sniff of the traffic (packet capture).. If pfsense never sees the traffic - doesn't matter if you have some service listening or firewall rules to block or allow, etc. Pfsense can do nothing wrong or right with the traffic if not actually being seen.
So start a packet capture under the diagnostic menu.. Send your traffic from your source client - do you see it hit pfsense? If not then there is pfsense can do with or about that traffic..
-
I did the new one everything seems fine so far.
