Netgate Discussion Forum

Problems with blocked TUNx

Scheduled Pinned Locked Moved OpenVPN
13 Posts 2 Posters 5.2k Views
    sh_man
    last edited by Mar 14, 2007, 3:22 PM

    I have three openvpn's, one road warrior and two site to site being used to support two temporary offices at an event we are running for the next month.

    At the moment the two sites are running 1.0.1-SNAPSHOT-02-09-2007 on LiveCD and floppy and the main office is running 1.0.1-SNAPSHOT-03-08-2007 on hard disk - this is to get around the problem of port 1194 being "taken" by the check_reload_status thing.

    Both sites are set up the same - as far as I can tell. I can get openVPN running on both sites and get into the main office.

    On rebooting a temp site firewall I often get firewall logs saying that tun0 has blocked traffic. Usually editing a firewall rule, making no changes, saving and applying gets things moving. A pain but at least it works.

    I now have the following situation. Both are connecting in OK and both sites can get to the main office network. I can reach one remote site without problems but the other gives me tunx blocked messages in the log. I have tried remote desktop and ping and got the following logs:

    Mar 14 15:10:25 TUN1 192.168.1.17:2806 192.168.180.34:3389 TCP
    Mar 14 15:10:22 TUN1 192.168.1.17:2806 192.168.180.34:3389 TCP
    Mar 14 15:08:21 TUN1 192.168.1.17 192.168.180.1 ICMP
    Mar 14 15:08:16 TUN1 192.168.1.17 192.168.180.1 ICMP

    Having looked elsewhere on the forum, I looked in the /tmp/rules.debug and found the following rules - but not one to let the tun1 traffic out.

    pass in quick on tun1 all keep state label "let out anything from firewall host itself openvpn"
    pass out quick on tun2 all keep state label "let out anything from firewall host itself openvpn"
    pass in quick on tun2 all keep state label "let out anything from firewall host itself openvpn"

    How can I get this rule in there reliably? :)

      sullrich
      last edited by Mar 14, 2007, 7:58 PM Mar 14, 2007, 7:33 PM

      This doesn't make much sense since the rules are present.

      Try clicking on the red x to the left of the block item and let pfSense tell you which rule is blocking the traffic and report back.

      Also try this from a shell:

      pfctl -sr | grep tun

        sh_man
        last edited by Mar 14, 2007, 10:00 PM

        The block is the default block all rule.

        I think that there should be a rule like this:

        pass out quick on tun1 all keep state label "let out anything from firewall host itself openvpn"

        but it does not appear to have been created - it wasn't in the post 'cos it wasn't in the rules.debug file or when I ran the command line.

          sullrich
          last edited by Mar 14, 2007, 10:04 PM

          Try this after a reboot from a shell:

          /etc/rc.filter_configure_sync

          Then check to see if the rule is loaded.

            sh_man
            last edited by Mar 14, 2007, 10:12 PM

            Tried that and everything appears to be the same - the tun2 has an in and out rule but the tun1 only has an in rule.

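            A quick way to spot the asymmetry described above (an "in" rule but no "out" rule on a tun interface) without eyeballing the whole ruleset. This is an added example, not code from the thread or from pfSense: a small sh/awk function that reads `pfctl -sr` (or /tmp/rules.debug) output and reports each tunN interface that is missing a "pass in" or "pass out" rule. The sample rules embedded below are constructed to mirror the three lines quoted in the first post; the assumption is that each rule has the form "pass in|out ... on tunN ...", which is how both pfctl and rules.debug print them.

```shell
# Constructed sample: the three rules quoted from /tmp/rules.debug above.
# tun2 has in and out, tun1 has only in.
SAMPLE_RULES='pass in quick on tun1 all keep state label "let out anything from firewall host itself openvpn"
pass out quick on tun2 all keep state label "let out anything from firewall host itself openvpn"
pass in quick on tun2 all keep state label "let out anything from firewall host itself openvpn"'

# check_tun_rules: reads pf rules on stdin and prints one line per
# tunN interface and missing direction, e.g. "tun1 missing out".
# Prints nothing when every tun interface has both a pass in and a pass out rule.
check_tun_rules() {
    awk '
        # Only pass rules matter here; record the direction per interface.
        $1 == "pass" && ($2 == "in" || $2 == "out") {
            for (i = 3; i <= NF; i++) {
                if ($i == "on" && $(i+1) ~ /^tun[0-9]+$/) {
                    seen[$(i+1) " " $2] = 1
                    ifaces[$(i+1)] = 1
                }
            }
        }
        END {
            for (t in ifaces) {
                if (!((t " in") in seen))  printf "%s missing in\n", t
                if (!((t " out") in seen)) printf "%s missing out\n", t
            }
        }
    '
}

# On the firewall itself you would run:  pfctl -sr | check_tun_rules
# Here it runs against the constructed sample and prints: tun1 missing out
printf '%s\n' "$SAMPLE_RULES" | check_tun_rules
```

            Run it once after boot and again after the rule edit/save/apply workaround mentioned in the first post; if the output changes from "tun1 missing out" to nothing, the missing rule was the whole problem rather than anything in the OpenVPN config.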
              sullrich
              last edited by Mar 14, 2007, 10:15 PM

              Check your logs, do you see

              Not adding default pass in rule for interface $friendlytunif - tun{$x} with a gateway

                sullrich
                last edited by Mar 14, 2007, 10:24 PM

                Just committed a change.  Please try a snapshot about an hour from now.

                  sh_man
                  last edited by Mar 14, 2007, 10:27 PM

                  Cheers - and thanks for all you do - I certainly could not do my job without it.

                  Will have to wait till morning - it's 10:30pm here and I'm sat on the sofa watching CSI and sort of working!

                    sh_man
                    last edited by Mar 15, 2007, 3:47 PM Mar 15, 2007, 7:23 AM

                    Will need to do a little more testing when I get to work - the OpenVPN that I need to test is not currently up!

                    However, the rules do not appear to have changed.

                    Having had a quick look, if the time on the forum matches the time on the snapshot server there has not been a snapshot build since you committed your change. Will keep my eye on it and get the next build when it appears.

                      sh_man
                      last edited by Mar 15, 2007, 3:46 PM

                      Done some more testing and still the same - so I guess I have not got a snapshot with the changes in.

                        sullrich
                        last edited by Mar 15, 2007, 4:20 PM

                        Snapshots were not building overnight, which was my fault.  They should be building now.

                          sh_man
                          last edited by Mar 15, 2007, 7:53 PM

                          Cheers - just upgraded to it and it does the job. Thanks.

                            sullrich
                            last edited by Mar 15, 2007, 8:25 PM

                            Yay!  Thanks for reporting back.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.