Strange behavior
-
Hi Everyone,
I got an unusual problem. Every other network traffic request seems to be dropped.
A picture of my setup, although the tunnel is really 172.16.11.0/24
http://ncsu.adancalderon.net/pfsense/setup.jpg
A short 1.6 MB Video showing my problems
http://ncsu.adancalderon.net/pfsense/Strange%20pfSense%20results.mp4
Any Ideas?
Thanks,
Adan
-
I would expect this if you are load balancing two WAN connections in a round-robin manner while one of them has no route but thinks it does.
From your diagram possibly alternate packets (while pinging) are sent via the WAN connection directly or via the VPN.
Steve
-
Thanks for the input Steve. I have a very simple setup, only one WAN interface.
Here are screen shots of my configuration
Firewall->NAT-> Port Forward http://ncsu.adancalderon.net/pfsense/Firewall.NAT.Port_Forward.png
Firewall->NAT->Outbound http://ncsu.adancalderon.net/pfsense/Firewall.NAT.Outbound.png
Firewall->Rules->WAN http://ncsu.adancalderon.net/pfsense/Firewall.Rules.WAN.png
Firewall->Rules->LAN http://ncsu.adancalderon.net/pfsense/Firewall.Rules.LAN.png
Firewall->Rules->OpenVPN http://ncsu.adancalderon.net/pfsense/Firewall.Rules.OpenVPN.png
VPN->OpenVPN->Client Part A http://ncsu.adancalderon.net/pfsense/VPN.OpenVPN.Client_a.png
VPN->OpenVPN->Client Part B http://ncsu.adancalderon.net/pfsense/VPN.OpenVPN.Client_b.png
If anyone knows anything else I can provide that would help diagnose the cause, please let me know.
Thank you,
Adan
-
I can tell you that I have my OpenVPN set up a little bit different than you do.
No outbound NAT set up for VPN.
Instead- "Remote Network" = the remote network subnet. yours- http://ncsu.adancalderon.net/pfsense/VPN.OpenVPN.Client_b.png
My OpenVPN firewall rules are spelled out and not just *.
-
Thanks ;D, All I did was add the remote network where I had it blank before and all seems to work now.
I am going to try to add another VPN tunnel to another network and see if it keeps working.
Thanks a lot,
Adan
-
Sorry, fast call. It seems to have stopped working again. I also could not get two OpenVPN tunnels going either. I'll be trying again.
-
Hi All,
I got a whole lot more details as to what actually leads to my condition. When I added in the Remote network inside the OpenVPN Client settings, something changed that forced the system to start behaving as expected. I then proceeded to add another OpenVPN client. These settings are near identical, except for the Remote Network, Tunnel Network, Certs, and CAs. When I have two clients running is when things break.
http://ncsu.adancalderon.net/pfsense/Status.OpenVPN.png
http://ncsu.adancalderon.net/pfsense/OpenVPN.Client_tab.png
Pings work every other attempt. So then I go ahead and disable one of the OpenVPN Clients.
http://ncsu.adancalderon.net/pfsense/OpenVPN.Client_tab_onlyone.png
But things remain the same. If, however, I go ahead and change the Remote Network Setting on the active client, by either removing it or adding it back in, then something will happen that will allow things to work correctly.
I think this is causing something to restart because a reboot on the whole box with only one OpenVPN client enabled will also allow things to work.
These are how my Manual Outbound NAT Rules look
http://ncsu.adancalderon.net/pfsense/Firewall.NAT.Outbound_new.png
Does anyone have any ideas on what else I could try?
Thank you,
Adan
-
Get rid of the outbound NAT for OpenVPN. I don't have them and it works fine. I think you're confusing your system by having them there.
I also have two different connections coming in here.
-
Without Manual outbound NAT there is no routing at all to the other network. I believe if I set this up as a site to site VPN where I broadcast on the client that I route my LAN then it will work with automatic, but that is not what I want. I do not want to route back for the remote LANs.
:-\ I am still not certain if there is any other way to do this. Is there anything wrong with my logic about how I am trying to do this? It seemed like it was a straightforward thing.
Thanks,
Adan
-
"there is no routing at all to the other network"
That's what the "Remote Network" on the OpenVPN page takes care of.
I'll post some screenshots later but it works as advertised here. :)
-
I took a break from this, but I still have not got this going. If anyone has any suggestions on the issue, please let me know. I suppose it's time to keep trying different things. :-\