Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    NAT VLAN through VPN Troubles

    Scheduled Pinned Locked Moved
    NAT
    nat vlan vpn headers
    3
    5
    627
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      picnicsecurity
      last edited by

      Hello All,

      I am having a rather unique issue that I can not seem to figure out. In a nutshell, I can not connect to the webservers behind the vpn in a browser. Below are all the details and troubleshooting steps I have done so far. If anyone has any idea as to a solution I would be forever grateful.

      Problem:
      I have pfsense NAT-ing all my traffic on a VLAN through a VPN. I can not type in the IPs of webservers on the remote lab network and have their webpage display in a browser. I can get the page with wget or curl. If I add headers to the wget request though, it will produce the exact same issue as confirmed by wireshark.

      Note:
      When I refer to "remote webservers" I am referring to the hosts behind the VPN in the 10.11.0.0/16 network. The attached captures came from pfsense under Diagnostics -> Packet Capture and I have confirmed that the captures are the same regardless of where it is captured from.

      Goal:
      To be able to view the remote webservers through a browser

      Troubleshooting:
      I verified that I can ping the remote webservers. I can also scan the hosts with nmap and get full detailed information.
      The issue has been confirmed on Windows 10 (x64), Kali Linux (x64), and Kali Linux (x86)
      The issue has been confirmed on Chrome, Internet Explorer, and Firefox.
      On all OS-es I can use wget/curl to download the index.html file without issue. ( See packetcapture_good.cap )
      When using any browser the request will time out after a certain amount of requests. ( See packetcapture_bad.cap )
      Verified under Status -> OpenVPN that I am connected and getting Bytes Sent and Received
      Verified that OpenVPN, OVPN, and UNTRUSTED33 (local vlan) have a permit all rule under Firewall -> Rules -> $(Interface)
      Verified that I am using Manual Outbound NAT and that all trafic from the 33 VLAN is being sent to 10.11.0.0/16. ( See Below Photo )
      Untitled.png
      The following command allows me to download the index.html file:

      wget 10.11.1.13

      The following command replicates the issue with the browser:

      wget 10.11.1.13 --header="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0" --header="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" --header="Accept-Language: en-US,en;q=0.5" --header="Accept-Encoding: gzip, deflate" --header="Connection: keep-alive" --header="Upgrade-Insecure-Requests: 1" -v

      The following command removes the above issue:

      wget 10.11.1.13 --header="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0" --header="Accept: text/html,application/xhtml+xml" -v

      When connecting any one of my local hosts to the VPN directly, I can view the remote webservers without issue

      Temporary Solution:
      I used a Firefox extension called Simply Modify Headers that allows me to remove the parts of and or the whole headers that seem to be causing the issue. However, this is not exactly stable and is only a bandaid fix.

      I do not know of any other information that I could provide but I will gladly do my best to provide whatever is asked.

      Thanks Everyone!

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by johnpoz

        @picnicsecurity said in NAT VLAN through VPN Troubles:

        Upgrade-Insecure-Requests

        My take would be server your talking to doesn't understand this.

        Not sure why you think this has anything to do with natting or pfsense.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.03

        P 1 Reply Last reply Reply Quote 0
        • P
          picnicsecurity @johnpoz
          last edited by

          @johnpoz I thought so too but then why would that header then work just fine when using the VPN directly? I honestly do not know if this a NAT or pfsense problem and the only reason I decided to post here was because when I removed pfsense from the equation it worked. I wasn't sure how else to narrow down the culprit.

          1 Reply Last reply Reply Quote 0
          • PippinP
            Pippin
            last edited by

            On your VPN client, add

            mssfix 1400

            to it's config file and try again.

            I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
            Halton Arp

            P 1 Reply Last reply Reply Quote 0
            • P
              picnicsecurity @Pippin
              last edited by

              @Pippin Thank you for the reply. I went into VPN -> OpenVPN -> Clients and edited my client's configuration. Under Advanced Configuration I put into the custom options "ns-cert-type server; persist-tun; persist-key; mssfix 1400" and then saved. I then reloaded the VPN by going to Status -> OpenVPN. I did the usual ping/nmap verification checks to confirm connectivity. However this does not seem to have done anything. Below is a picture of the wireshark output (with the TCP stream from the browser being currently selected) and below that is the capture file.

              Untitled.png

              mssfix1400_full_cap.pcapng

              1 Reply Last reply Reply Quote 0
              • First post
                Last post