OpenVPN traffic blocked by rule
-
Sorry for the delay - here are the screen shots.
I don't see a default rule anywhere…
-
You have no rules on OpenVPN, which means everything coming in on the VPN gets blocked.
-
Oops - removed it when I was trying to diagnose the problem, and clearly forgot to put it back.
I've recreated the rule - which I believe will allow anything through from the openvpn clients to the LAN network - and I'm still getting blocked.
The firewall log tells me: The rule that triggered this action is:
@1 scrub in on re0 all fragment reassemble
@1 block drop in log all label "Default deny rule"
-
Temporarily set your firewall rules on your OpenVPN to allow all (get rid of the destination of LAN NET and set it to any). See if that works. If that doesn't work, you have a problem elsewhere.
-
Thanks for the quick reply.
I've changed "lan net" to "any" (and the gui shows all *'s) but it's still being blocked.
Very odd, eh?
-
Post your OpenVPN config. I have a feeling one of those and/or your nat isn't set up correctly.
-
OpenVPN config screenshot attached - not sure how to export the config (or even if it can be done.)
Really appreciate your help.
-
I just opened and then deleted a similar thread (when I saw this one). I'm unable to connect to clients on my LAN from my road warrior VPN. I can access the webconfig just fine though.
I am running 2.0-RC3 (i386) built on Wed Jun 22 00:50:29 EDT 2011
-
Is it correct with the subnet mask of 255.255.254.0 in your "push route" command?
Could you connect to clients connected to the "Local Subnet" with 192.168.70.0/24?
Or is it just a problem with the destination subnet 192.168.10.0/23 (remember subnet hint above)?
-
The push route is correct, it is 192.168.10.0/23. That's at the other end of a site-to-site.
The problem I'm experiencing is connecting to machines on the local 192.168.70.0/24 network.
The route table on the client is correctly populating - 192.168.70.0/24 and 192.168.10.0/23 are both routed along the openvpn connection.
wjs - thanks for that info; I was pondering whether upgrading would fix it. Clearly not.
-
VPN looks fine, it works fine in general and I doubt wjs's issue is the same cause. You still have blocks showing in your firewall log? If so, post /tmp/rules.debug
-
Here's the vaguely anonymized rules.debug.
#System aliases
loopback = "{ lo0 }"
WAN = "{ re1 }"
LAN = "{ re0 }"
IPsec = "{ enc0 }"
OpenVPN = "{ openvpn }"

#SSH Lockout Table
table <sshlockout> persist
table <webconfiguratorlockout> persist

#pfSnortSam tables
table <snort2c>
table <pfsnortsamout>
table <pfsnortsamin>
table <virusprot>

# User Aliases

# Gateways
GWWANGW = " route-to ( re1 192.168.6.254 ) "

set loginterface re0
set optimization normal
set limit states 47000
set limit src-nodes 47000

set skip on pfsync0

scrub in on $WAN all fragment reassemble
scrub in on $LAN all fragment reassemble

nat-anchor "natearly/*"
nat-anchor "natrules/*"

# Outbound NAT rules
# Subnets to NAT
tonatsubnets = "{ 192.168.70.0/24 192.168.71.0/24 127.0.0.0/8 }"
nat on $WAN from $tonatsubnets port 500 to any port 500 -> 192.168.6.1/32 port 500
nat on $WAN from $tonatsubnets to any -> 192.168.6.1/32 port 1024:65535

# Load balancing anchor
rdr-anchor "relayd/*"
# TFTP proxy
rdr-anchor "tftp-proxy/*"
table <vpns> { 192.168.10.0/23 192.168.0.0/24 }
table <direct_networks> { 192.168.6.0/24 192.168.70.0/24 }
# NAT Inbound Redirects
rdr on re1 proto tcp from 213.246.151.242 to 192.168.6.1 port 22 -> 192.168.70.2
rdr on re1 proto tcp from any to 192.168.6.1 port 443 -> 192.168.70.2
rdr on re1 proto tcp from any to 192.168.6.1 port 993 -> 192.168.70.2
rdr on re1 proto tcp from any to 192.168.6.1 port 39993 -> 192.168.70.2
rdr on re1 proto tcp from any to 192.168.6.1 port 25 -> 192.168.70.2
# UPnPd rdr anchor
rdr-anchor "miniupnpd"
anchor "relayd/*"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log all label "Default deny rule"
block out log all label "Default deny rule"

# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

# Block all IPv6
block in quick inet6 all
block out quick inet6 all

# pfSnortSam
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"
block quick from <pfsnortsamout> to any label "Block pfSnortSamOut hosts"
block quick from any to <pfsnortsamin> label "Block pfSnortSamIn hosts"

# SSH lockout
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

# webConfigurator lockout
block in log quick proto tcp from <webconfiguratorlockout> to any port 443 label "webConfiguratorlockout"
block in quick from <virusprot> to any label "virusprot overload table"
table <bogons> persist file "/etc/bogons"
# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"
antispoof for re1
antispoof for re0

# allow access to DHCP server on LAN
pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in on $LAN proto udp from any port = 68 to 192.168.70.254 port = 67 label "allow access to DHCP server"
pass out on $LAN proto udp from 192.168.70.254 port = 67 to any port = 68 label "allow access to DHCP server"

# loopback
pass in on $loopback all label "pass loopback"
pass out on $loopback all label "pass loopback"

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out all keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( re1 192.168.6.254 ) from 192.168.6.1 to !192.168.6.0/24 keep state allow-opts label "let out anything from firewall host itself"
pass out on $IPsec all keep state label "IPsec internal host to host"

# make sure the user cannot lock himself out of the webConfigurator or SSH
pass in quick on re0 proto tcp from any to (re0) port { 80 443 22 } keep state label "anti-lockout rule"

# User-defined rules follow
pass in quick on $WAN reply-to ( re1 192.168.6.254 ) proto { tcp udp } from any to any port 1194 keep state label "USER_RULE: OpenVPN"
pass in quick on $WAN reply-to ( re1 192.168.6.254 ) inet proto icmp from any to 192.168.6.1 icmp-type echoreq keep state label "USER_RULE: Allow ping"
pass in quick on $WAN reply-to ( re1 192.168.6.254 ) proto tcp from 213.xxx.yyy.zzz to 192.168.70.2 port 22 label "USER_RULE: NAT Inbound SSH (work)"
pass in quick on $WAN reply-to ( re1 192.168.6.254 ) proto tcp from any to 192.168.70.2 port 443 label "USER_RULE: NAT Inbound HTTPS"
pass in quick on $WAN reply-to ( re1 192.168.6.254 ) proto tcp from any to 192.168.70.2 port 993 label "USER_RULE: NAT Inbound IMAPS"
pass in quick on $WAN reply-to ( re1 192.168.6.254 ) proto tcp from any to 192.168.70.2 port 39993 label "USER_RULE: NAT Inbound SSH"
pass in quick on $WAN reply-to ( re1 192.168.6.254 ) proto tcp from any to 192.168.70.2 port 25 label "USER_RULE: NAT Inbound SMTP"
pass in quick on $LAN from 192.168.70.0/24 to any keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on $IPsec proto tcp from 192.168.0.2 to 192.168.70.2 port 22 flags S/SA keep state label "USER_RULE: SSH from church"
pass in quick on $IPsec proto tcp from 192.168.0.2 to 192.168.70.2 port 25 flags S/SA keep state label "USER_RULE: SMTP from church"
pass in quick on $IPsec inet proto icmp from 192.168.0.2 to 192.168.70.0/24 keep state label "USER_RULE: SMTP from church"
pass in quick on $IPsec from 192.168.10.0/23 to 192.168.70.0/23 keep state label "USER_RULE: Dave"
pass in quick on $OpenVPN from any to any keep state label "USER_RULE"

# VPN Rules
pass out on $WAN route-to ( re1 192.168.6.254 ) proto udp from any to 81.xxx.yyy.xxx port = 500 keep state label "IPsec: Dave - outbound isakmp"
pass in on $WAN reply-to ( re1 192.168.6.254 ) proto udp from 81.xxx.yyy.xxx to any port = 500 keep state label "IPsec: Dave - inbound isakmp"
pass out on $WAN route-to ( re1 192.168.6.254 ) proto udp from any to 81.xxx.yyy.xxx port = 4500 keep state label "IPsec: Dave - outbound nat-t"
pass in on $WAN reply-to ( re1 192.168.6.254 ) proto udp from 81.xxx.yyy.xxx to any port = 4500 keep state label "IPsec: Dave - inbound nat-t"
pass out on $WAN route-to ( re1 192.168.6.254 ) proto esp from any to 81.xxx.yyy.xxx keep state label "IPsec: Dave - outbound esp proto"
pass in on $WAN reply-to ( re1 192.168.6.254 ) proto esp from 81.xxx.yyy.xxx to any keep state label "IPsec: Dave - inbound esp proto"
# ERROR! Unable to determine remote IPsec peer address for site.somedomain.com
anchor "tftp-proxy/*"
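An added example, not code from the thread, from pf or from pfSense: a small Python model of the evaluation order the posted rules.debug relies on. It reproduces the two states described earlier in the thread, the OpenVPN tab with no rule (only the default deny matches, which is exactly the "@1 block drop in log all" line in the OP's firewall log) and with the "pass in quick on $OpenVPN from any to any" rule restored. The ruleset text is a trimmed, constructed copy of the one posted above; the Packet and Rule types, the matching on direction, interface or interface group and destination port only, and the sample packets are all assumptions made for the illustration.

```python
"""Toy model of pf's rule-evaluation order, added to illustrate the thread above.
Constructed example; not pf or pfSense code. It ignores addresses, protocols and
state: only direction, interface (or interface group) and destination port are
matched. pf walks the loaded ruleset top to bottom; each matching rule replaces
the verdict, so the LAST match wins, unless a matching rule is `quick`, which
stops evaluation at once. pfSense emits `block in log all label "Default deny
rule"` first, so a packet no later pass rule claims is dropped by that rule.
"""
from dataclasses import dataclass
from typing import Optional

# Trimmed copy of the relevant lines of the rules.debug posted above (constructed).
RULES_DEBUG = """\
WAN = "{ re1 }"
LAN = "{ re0 }"
OpenVPN = "{ openvpn }"
block in log all label "Default deny rule"
block out log all label "Default deny rule"
pass out all keep state allow-opts label "let out anything from firewall host itself"
pass in quick on $WAN reply-to ( re1 192.168.6.254 ) proto { tcp udp } from any to any port 1194 keep state label "USER_RULE: OpenVPN"
pass in quick on $LAN from 192.168.70.0/24 to any keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on $OpenVPN from any to any keep state label "USER_RULE"
"""

@dataclass
class Packet:
    direction: str               # "in" or "out"
    iface: str                   # interface pf sees the packet on, e.g. "ovpns1"
    groups: tuple = ()           # interface groups iface belongs to, e.g. ("openvpn",)
    dport: Optional[int] = None  # destination port

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: Optional[str]     # "in", "out", or None for both
    quick: bool
    ifaces: Optional[list]       # interface names or groups; None = any interface
    dport: Optional[set]         # destination ports; None = any port
    label: str

def parse_macros(text):
    """Collect pfSense interface macros of the form NAME = "{ if0 if1 }"."""
    macros = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and value.strip().startswith('"{'):
            macros[name.strip()] = value.strip().strip('"').strip("{} ").split()
    return macros

def parse_dport(body):
    """Destination ports from the `port` clause after `to`; None means any port."""
    if "to" not in body:
        return None
    rest = body[body.index("to") + 1:]
    if "port" not in rest:
        return None
    i = rest.index("port") + 1
    if rest[i] == "=":                      # pf also accepts `port = 67`
        i += 1
    if rest[i] != "{":
        return {int(rest[i])}
    ports = set()
    for tok in rest[i + 1:]:                # `port { 80 443 22 }`
        if tok == "}":
            break
        ports.add(int(tok))
    return ports

def parse_rules(text, macros):
    """Turn each pass/block line into a Rule; nat, rdr, set and table lines are skipped."""
    rules = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] not in ("pass", "block"):
            continue
        body = tokens[:tokens.index("label")] if "label" in tokens else tokens
        label = " ".join(tokens[len(body) + 1:]).strip('"')
        direction = body[1] if len(body) > 1 and body[1] in ("in", "out") else None
        ifaces = None
        if "on" in body:
            spec = body[body.index("on") + 1]
            ifaces = macros.get(spec[1:], []) if spec.startswith("$") else [spec]
        rules.append(Rule(tokens[0], direction, "quick" in body, ifaces,
                          parse_dport(body), label))
    return rules

def matches(rule, pkt):
    """An interface group named in a rule matches every interface that is a member."""
    if rule.direction not in (None, pkt.direction):
        return False
    if rule.ifaces is not None and not any(
            i == pkt.iface or i in pkt.groups for i in rule.ifaces):
        return False
    return rule.dport is None or pkt.dport in rule.dport

def evaluate(rules, pkt):
    """Last matching rule wins unless a matching rule is `quick`.
    Returns None if nothing matched; pf's own default in that case is pass."""
    verdict = None
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule
            if rule.quick:
                break
    return verdict

def decide(rules_debug, pkt):
    """(action, label) of the rule that decides pkt under this rules.debug text."""
    rule = evaluate(parse_rules(rules_debug, parse_macros(rules_debug)), pkt)
    return (rule.action, rule.label) if rule else ("pass", "implicit pf default")

def without_openvpn_rule(rules_debug):
    """The state the OP was in: the OpenVPN-tab rule deleted during troubleshooting."""
    return "\n".join(l for l in rules_debug.splitlines() if "on $OpenVPN" not in l)

if __name__ == "__main__":
    # A client's SSH packet arriving through the tunnel on ovpns1 (group "openvpn").
    vpn_client = Packet("in", "ovpns1", ("openvpn",), dport=22)
    print(decide(RULES_DEBUG, vpn_client))                         # ('pass', 'USER_RULE')
    print(decide(without_openvpn_rule(RULES_DEBUG), vpn_client))  # ('block', 'Default deny rule')
    # The tunnel handshake itself is decided by the WAN rule, not the OpenVPN one.
    print(decide(RULES_DEBUG, Packet("in", "re1", (), dport=1194)))
```

Two points the model makes visible. The "USER_RULE: OpenVPN" rule on $WAN only admits the encrypted handshake to port 1194 at the firewall; the decrypted client traffic shows up on ovpns1, which matches $OpenVPN because ovpns1 is a member of the openvpn interface group, the membership that "ifconfig -g openvpn" confirms later in the thread, so it needs its own pass rule on the OpenVPN tab. And because the default deny is the first rule and nothing later claims a packet from an interface with no pass rule, it is the default deny that the log reports; the "@N" in such a log line is the rule's index in the loaded ruleset, which "pfctl -vvsr" lists with the same numbering. The model skips antispoof, anchors, addresses, protocols and state tracking, so it is a reading aid for rule order, not a substitute for pfctl.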
-
Rules are correct. What does the output of 'ifconfig -g openvpn' show?
-
Hi cmb - ifconfig -g openvpn results in
ovpns1
Not much really. Hope that's more useful than it looks!
-
That just validates that the server's interface is correctly in the 'openvpn' group, which means the rules apply to it correctly, assuming that is the associated interface and you have one OpenVPN server on that host.
-
Yes - there's only one openvpn server on the box.
-
It appears that the update "2.0-RC3 (amd64) built on Wed Jun 29 18:35:57 EDT 2011" fixed the issue. Very odd.
Thanks for the input, guys.