Netgate Discussion Forum

    PfSense drops packets

    Firewalling
CHfish

      Hi

      I have a setup where I use the pfSense appliance as LAN client (thus it has no public IP).
      It was once a NAT-Router but my current ISP doesn't allow a third party router.
      I have three interfaces:

      • WAN (disabled)

      • LAN (enabled)

      • LANGuests (enabled)

I've set up two OpenVPN servers (Site-to-Site & RoadWarrior) which can be reached from outside thanks to port forwarding on the ISP router,

      and set the NAT and FW rules as follows:
      NAT disabled
      FW Rules:

      • Floating empty
      • LAN: Pass IPv4+6 * * * *
      • OpenVPN: Pass IPv4+6 * * * *
        no additional rules.

      But OpenVPN tunnels can't be established.

If I enable "Advanced Options, Disable all packet filtering", OpenVPN works just fine.
      But I need NAT functionality and thus "Disable all packet filtering" doesn't really help (except for troubleshooting).

      Can anyone give me a hint why OpenVPN only works without packet filtering?

      Thank you

Trel

In the OpenVPN config, what do you have set for the following three values?

        Interface, Protocol, Local Port

CHfish

          @Trel:

In the OpenVPN config, what do you have set for the following three values?

          Interface, Protocol, Local Port

          Road Warrior:
          Interface: any
          Protocol: UDP
          Local port: 1194

          Site2Site:
          Interface: any
          Protocol: UDP
          Local port: 1195

          Thank you

doktornotor

Where does it drop them? Have you considered looking at the firewall logs (and posting those here)?

            I use the pfSense appliance as LAN client

            Eeeeeeeeh? Whatever interface that has a GW set is considered to be WAN. There's no such thing as "LAN client"

Trel

              @doktornotor:

              Eeeeeeeeh? Whatever interface that has a GW set is considered to be WAN. There's no such thing as "LAN client"

              If he has it sitting on the LAN with nothing going through the WAN, he could definitely have it as a "LAN client".

I could see a few valid reasons to have LAN interfaces without a WAN one, for example if it's acting as a firewall between local-only VLANs or physically separated LANs (where you'd want to allow some traffic through but still keep them separate).

doktornotor

                You completely missed the point.

CHfish

Sorry guys, I think I used a different definition of WAN (public IP) / LAN (private IP).
The interface named LAN has a default gateway set (uplink to the Internet).
                  Please find the Rules and the Log attached.
                  Thank you for your assistance

[attachments: rules.PNG, log.PNG]

doktornotor

Yeah, the traffic is blocked because the source obviously does NOT match "LAN net". I have no idea what you are trying to do with that rule. Why would you want an "allow any" rule on something that's effectively your WAN? You want "any" there for the OpenVPN port (or at least an alias that contains the IPs/nets that are supposed to be able to connect to the VPN). I still don't get what you gained by disabling the WAN interface and creating such a horribly confusing setup.

johnpoz (Global Moderator)
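The mismatch doktornotor points at is easy to reproduce without a pfSense box. The following is an added example (not code from the thread and not pfSense's own rule engine): a toy first-match evaluator for GUI-style interface rules. The LAN subnet (192.168.1.0/24), the firewall's LAN address (192.168.1.10) and the road-warrior source address (203.0.113.5) are constructed assumptions; the OpenVPN ports 1194/1195 are the ones from the thread. It shows that a pass rule whose source is "LAN net" can never match an OpenVPN handshake the ISP router forwards in from an outside address, so the implicit default deny wins, while a rule scoped to "any -> This Firewall, UDP 1194/1195" passes the handshake and still blocks other inbound traffic.

```python
"""Toy first-match evaluator for pfSense-style interface rules (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN_NET = ip_network("192.168.1.0/24")     # assumed LAN subnet (constructed)
FIREWALL_IP = ip_address("192.168.1.10")   # assumed pfSense LAN address (constructed)
OPENVPN_PORTS = {1194, 1195}               # RoadWarrior and Site2Site ports from the thread


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str             # "pass" or "block"
    proto: Optional[str]    # None = any protocol
    src: str                # CIDR, "any" or the GUI macro "LAN net"
    dst: str                # CIDR, "any" or the GUI macro "This Firewall"
    dports: Optional[set]   # None = any destination port
    label: str

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if not _addr_matches(self.src, pkt.src):
            return False
        if not _addr_matches(self.dst, pkt.dst):
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        return True


def _addr_matches(spec: str, addr: str) -> bool:
    """Resolve the GUI macros, otherwise treat spec as a CIDR."""
    if spec == "any":
        return True
    if spec == "LAN net":
        return ip_address(addr) in LAN_NET
    if spec == "This Firewall":
        return ip_address(addr) == FIREWALL_IP
    return ip_address(addr) in ip_network(spec, strict=False)


def evaluate(rules, pkt: Packet):
    """GUI rules are 'quick': the first matching rule decides; no match = default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.label
    return "block", "Default deny rule"


# The rule the OP actually had on the LAN tab: a catch-all pass with source "LAN net".
OP_RULES = [Rule("pass", None, "LAN net", "any", None, "LAN: pass LAN net -> any")]

# What doktornotor suggests: open only the OpenVPN ports from any source, keep the LAN rule.
FIXED_RULES = [
    Rule("pass", "udp", "any", "This Firewall", OPENVPN_PORTS,
         "LAN: pass any -> This Firewall udp 1194,1195"),
    Rule("pass", None, "LAN net", "any", None, "LAN: pass LAN net -> any"),
]

# Constructed packets: the forwarded OpenVPN handshake keeps the client's outside
# source address (the ISP router only rewrites the destination), and a normal LAN host.
VPN_HANDSHAKE = Packet("udp", "203.0.113.5", "192.168.1.10", 1194)
LAN_CLIENT_OUT = Packet("tcp", "192.168.1.50", "198.51.100.7", 443)
OTHER_INBOUND = Packet("udp", "203.0.113.5", "192.168.1.10", 53)

if __name__ == "__main__":
    for name, rules in (("OP rules", OP_RULES), ("fixed rules", FIXED_RULES)):
        for pkt in (VPN_HANDSHAKE, LAN_CLIENT_OUT, OTHER_INBOUND):
            action, why = evaluate(rules, pkt)
            print(f"{name:11} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}: {action} ({why})")
```

Running it prints the OP's symptom (the UDP/1194 handshake hits the default deny while LAN hosts pass) and the fixed behaviour. The real firewall log shows the same thing as a block entry attributed to the default deny rule with a source address outside the LAN subnet, which is what the posted log.PNG showed.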

So you added a gateway to LAN, turning it into a WAN, but disabled your actual "WAN" interface???? Wtf?? Dude, start over!! Where you have Internet access is your WAN; your network behind the firewall is LAN.

CHfish

                        @doktornotor:

Yeah, the traffic is blocked because the source obviously does NOT match "LAN net". I have no idea what you are trying to do with that rule. Why would you want an "allow any" rule on something that's effectively your WAN? You want "any" there for the OpenVPN port (or at least an alias that contains the IPs/nets that are supposed to be able to connect to the VPN). I still don't get what you gained by disabling the WAN interface and creating such a horribly confusing setup.

                        Thank you.
Sorry, I must have been totally blind. I was confident I had deleted the correct rule when cleaning up the FW table, which I hadn't.
Regarding the setup: I've been using many different routers where the definition of WAN and LAN obviously doesn't match your definitions.
My definition of WAN means the connection leaving the building, which is not the case for the sole interface of pfSense.
But the main reason for the creepy setup was the fact that I have a lot configured on pfSense and I didn't want to migrate all of it, which was obviously a bad idea. Will start from scratch when I have some time.
                        Thank you

Guest

I could see a few valid reasons to have LAN interfaces without a WAN one, for example if it's acting as a firewall between local-only VLANs or physically separated LANs (where you'd want to allow some traffic through but still keep them separate).

But then it is better to go with a so-called transparent firewall that acts as a "bridge", and this is mostly the beginning of the end; it brings so many problems that it is not fine to recommend or suggest it to the whole crowd of people or the plain masses. Only some very experienced users who know exactly what to do and why should do this. But those ones are not asking here in the forum!
Side effects mostly are:

                          • Packet loss
                          • Packet drops
                          • Port flapping

                          And so on.

• Which router is given to you by your ISP? And what is the name of this ISP?
  Some ISPs are doing or serving DS-Lite or so-called IPv4/6 dual-stack Internet connections
  where VPN is generally not working without a workaround! Only to be sure that we are not running
  into a self-made trap.

                          It was once a NAT-Router but my current ISP doesn't allow a third party router.

Please create a so-called router cascade or double NAT:
Internet --- ISP --- WAN port of Router1, LAN 1 port to the pfSense --- pfSense firewall (WAN port)

                          First router: (ISP Router)

• Internet to the WAN port
• If this router is capable of doing VPN, please disable this function in the settings of Router1.
  Otherwise it will not run well, because the first router (Router1) thinks the VPN connection is for itself and tries to take the VPN connection over; this is mostly done by AVM Fritz!Box routers.
• Disable also the DHCP server at the first router.
• Set up static (fixed) IPs on all devices connected to the first router.
• Set the IP of the first router to 192.168.1.1/24 (255.255.255.0).

                          Second Router: (pfSense Firewall)

• Set up a static IP address on the WAN port like 192.168.1.254/24 (255.255.255.0).
• Now set up the LAN entries with the WAN interface IP as gateway:
  LAN: 192.168.178.0/24
  IP Address: 192.168.178.1/24
  Gateway: 192.168.1.254
  DNS1: 192.168.1.254
  DNS2: empty or 8.8.8.8
• Now set up the port forwarding from the first router (ISP router) to the second router (pfSense)
  for all the ports and protocols the VPN method you are using needs.

That's it, now it should work.

CHfish

                            BlueKobold, thank you for your feedback.

I'm a Swisscom 1 GBit/s FTTH subscriber (native IPv4, 6rd-based IPv6) with VoIP and IPTV.
Bridging is no option here because Swisscom VoIP telephony would not work anymore. Actually I wouldn't bridge but just forward the fiber signal to the pfSense WAN port using a switch with SFP as a media converter.
Swisscom doesn't hand out SIP data (it's their current policy) but only uses (more or less) proprietary and encrypted channels to send VoIP logins to the router.
IPTV-wise, the setup of the required features for multicast support is doable (I did it before).

A double cascade is no real option here, mainly for performance reasons.
I've got a 1 GBit/s subscription and the PC Engines APU can't do more than 400 MBit/s NAT-wise.

                            Double NAT also means no IPv6 (since IPv6 NAT is AFAIK not even supported).

                            Besides missing the obvious error in the firewall table everything runs just smooth as it is.

If I get time I will rebuild it, but still without double NAT (because of IPv6 and performance).

                            Thank you once again

Trel

One question though: if you're not double NATting and not bridging, what purpose would filtering serve in the first place? If pfSense is truly a LAN client in your setup, once someone's connected via OpenVPN, they'd have full network access via whatever the usual upstream switch was, so why bother having filtering turned on for pfSense to begin with?

CHfish

                                @Trel:

One question though: if you're not double NATting and not bridging, what purpose would filtering serve in the first place? If pfSense is truly a LAN client in your setup, once someone's connected via OpenVPN, they'd have full network access via whatever the usual upstream switch was, so why bother having filtering turned on for pfSense to begin with?

1. To be able to reach the ISP router in an OpenVPN tun setup, the VPN client address needs to be NATted to the LAN address of the pfSense box.
2. When using the catch-all traffic rule (sending all data through the tunnel), the same applies for traffic towards the Internet.
Both of these are because you can't (even) set a static route on the Swisscom router…

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.