openvpn client dco connectivity issues @ 20250518113006_20250726122025
-
Ah, yes that fix is in now. It should be in the next version.
It shouldn't be related to DCO though. If the traffic works with DCO disabled any pfBlocker rules would still be applied.
-
@stephenw10 I agree.
I had to revert to the previous version. Sometimes "test" environments do some work :)
Perhaps what is a bit rare is that I'm using DCO as a client connecting to another pf, NOT as a server (the other pf doesn't have DCO enabled either).
In any case, what do we need to debug this?
-
I'll try to replicate it here....
-
Just updated to latest beta.
pfBlockerNG is fixed. OpenVPN issue remains.
With DCO, only ping.
Without DCO, I get everything.
-
This is getting worse.
Further testing reveals it is also virtualisation related.
This is a kvm bridged setup.
It is working great up to the previous released beta, before 25.11.b.20251111.2016.
Symptoms:
DCO doesn't work, but only for physical LAN connections.
All physical LAN connections can ping anything via the OpenVPN.
Bridged connections to LAN on the same virtual host work fine over OpenVPN with DCO enabled. (Red Hat Enterprise Linux 9.7 (Plow) x86_64, emulated machine pc-q35-rhel9.4.0 with UEFI boot)
BUT
pfSense has 3 WAN connections:
two are ethernet talking to a local CPE,
the third is doing PPPoE via a bridged CPE FTTH device. All connections can ping everywhere too.
Any connection NOT inside the box CAN'T use the PPPoE connection.
But they can use any other just fine, with top speeds as expected, tested via speedtest.
I have checked MTU settings.
I have also tried pinging with large packet size. No issues.
I've also tried changing PPPoE kernel mode. No difference.
This is a router on a stick config. Everything goes in/out from the same physical 10G Mellanox interface. So it can't be physical layer issues.
I have also disabled any limiters.
Again, reverting to 25.07.1, everything just works.
Any chance the newer beta also took on a newer BSD bug?
-
@netblues said in openvpn client dco connectivity issues @ 20250518113006_20250726122025:
Any connection NOT inside the box CAN'T use the pppoe connection.
Can you expand on that; do you mean LAN side policy routed devices don't work?
-
@stephenw10
KVM creates a bridge making the physical LAN card available to pfSense, other virtual machines, and the KVM host.
Since this is a bridge to LAN, other stations are also connected via physical ethernet.
So whatever is on the physical network and is policy routed to the PPP connection doesn't work (but can ping).
It works great if policy routed to DHCP/static WAN connections.
The policy is unanimous: all LAN connected networks to the PPP WAN.
Whatever comes from physical doesn't work. Whatever comes from virtual machines bridged to the same VLAN as the pf LAN interface works.
As for DCO, virtual machines connecting via OpenVPN with DCO enabled work fine; physically connected machines can only ping remote stations.
All VLAN configuration is done at the KVM and management switch level.
pfSense is presented with different virtio interfaces.
I have thought that it could be an MTU issue, however pinging with DF flags reveals no issues either. (And DCO can't be an MTU issue either.)
Disabling DCO allows all machines to connect via the VPN (but doesn't solve the PPP WAN issue).
-
I have upgraded to 25.11-RC (amd64) built on Tue Nov 18 19:08:00 EET 2025
and tried both a UEFI and an i440fx BIOS based setup. Issues remain exactly the same in all environments.
Reverting to 25.07.1 release, everything works as expected both on UEFI q35 and i440fx BIOS environments.
-
@netblues said in openvpn client dco connectivity issues @ 20250518113006_20250726122025:
as for dco, virtual machines connect via openvpn with dco enabled work fine, physically connected machines can only ping remote stations.
That's client VMs in the same hypervisor? And they connect fine with DCO? What exactly fails?
-
@stephenw10 Yes, same box, same hypervisor.
SIP, SSH, RDP, web, everything works fine over DCO for those on the same hypervisor (and the same subnet).
Whatever lies outside the box and on the same subnet, only ICMP works (to either what is behind the DCO VPN or anything on the internet behind PPPoE).
Same LAN stations policy routed to another DHCP WAN connection work FINE.
And again, reverting to the previous version and uploading the SAME config file resolves ALL issues.