Netgate Discussion Forum
    OpenVPN TAP pfSense Gateway Website Inaccessible

seejay:

      Still see this in OpenVPN logs:

      Nov 28 09:43:48 openvpn 23207 Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1605,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,secret'

      Doesn't seem right.

JKnott @seejay:

        @seejay said in OpenVPN TAP pfSense Gateway Website Inaccessible:

        @JKnott Thanks. Are you suggesting I need to manually set MTUs on the WAN / LAN / OpenVPN interfaces and that defaults would cause this type of condition? If I set 1500 manually on the WAN, do I set 1472 on the OpenVPN adapter? What about the bridged LAN adapter?

If your WAN is 1500, the VPN will be 1472. If the LAN at either end is other than 1472, then you will have an issue with handling packets that have the full MTU. A TAP VPN is functionally the same as a bridge or switch, in that all connected networks must support the same MTU. With IP, the two endpoints negotiate the MTU, based on the end with the smallest MTU. The VPN MTU will not be considered in that process. If it were a TUN VPN, then the smaller MTU would cause the router to fragment the packet or send a "too large" ICMP message back to the source. That cannot happen with a TAP VPN, so there is no mechanism to reduce the MTU.

        Bottom line, the WAN MTU determines the VPN MTU, which in turn determines the LAN MTUs.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

seejay:

@JKnott So if I force both WANs to 1500 MTU, and both LANs to 1472 MTU, do I need to apply an mssfix or other value to the OpenVPN config, or will it determine it correctly? I separately don't understand how, when setting WAN 1500 and LAN 1472, the OpenVPN server reports on startup:

          Nov 28 10:04:51 openvpn 82520 Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1605,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,secret'

          Nov 28 10:04:51 openvpn 82520 Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1605,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,secret'

          Lastly, I would expect this problem only to occur on packets large enough in size to approach this boundary. The website packets for the gateway that fail are usually no greater than a couple 100.

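As an added example (not from anyone in this thread), the following script parses the Local Options String quoted above and compares the logged link-mtu with a 1500-byte WAN to show how much of each encapsulated datagram exceeds it. The 28-byte IPv4/UDP outer header and the 14-byte Ethernet header inside the TAP frame are assumptions for plain IPv4 without options.

```python
import re

# Constructed copy of the "Local Options String" log line quoted in the thread.
LOG_LINE = ("Nov 28 10:04:51 openvpn 82520 Local Options String (VER=V4): "
            "'V4,dev-type tap,link-mtu 1605,tun-mtu 1532,proto UDPv4,comp-lzo,"
            "cipher AES-256-CBC,auth SHA256,keysize 256,secret'")

IPV4_UDP_HEADERS = 20 + 8   # outer IPv4 + UDP headers on the WAN (assumption: no IP options)
ETHERNET_HEADER = 14        # header of the bridged Ethernet frame carried inside a TAP tunnel


def parse_options(line):
    """Turn the quoted option string into a dict, e.g. {'link-mtu': '1605', 'comp-lzo': True}."""
    m = re.search(r"'(V4,[^']*)'", line)
    if not m:
        raise ValueError("no options string in log line")
    opts = {}
    for item in m.group(1).split(",")[1:]:      # skip the leading "V4" version tag
        key, _, value = item.partition(" ")
        opts[key] = value if value else True     # flag-style options carry no value
    return opts


def mtu_budget(opts, wan_mtu=1500):
    """Compare the logged link-mtu with the WAN MTU and derive the headroom that is left."""
    link_mtu = int(opts["link-mtu"])
    tun_mtu = int(opts["tun-mtu"])
    overhead = link_mtu - tun_mtu            # bytes OpenVPN adds per packet (crypto, HMAC, comp)
    on_wire = link_mtu + IPV4_UDP_HEADERS    # largest UDP datagram OpenVPN will emit
    max_link_mtu = wan_mtu - IPV4_UDP_HEADERS
    max_tun_mtu = max_link_mtu - overhead
    inner = max_tun_mtu - (ETHERNET_HEADER if opts.get("dev-type") == "tap" else 0)
    return {
        "overhead": overhead,
        "on_wire": on_wire,
        "fragments": on_wire > wan_mtu,      # True: the WAN must fragment or drop the datagram
        "max_link_mtu": max_link_mtu,        # largest link-mtu that fits the WAN unfragmented
        "max_tun_mtu": max_tun_mtu,          # matching tun-mtu for that link-mtu
        "max_inner_ip_packet": inner,        # largest IP packet the bridged hosts could send
    }


if __name__ == "__main__":
    for key, value in mtu_budget(parse_options(LOG_LINE)).items():
        print(f"{key:>20}: {value}")
```

For the logged values this reports 73 bytes of OpenVPN overhead and a 1633-byte datagram on the wire, which is why only packets approaching the full MTU are affected.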
seejay:

A quick LAN speed test across the VPN shows better read performance, undoubtedly from forcing WAN at both ends to 1500, LAN at both ends to 1472, and mssfix on both OpenVPN configs to 1432. Sadly, the respective pfSense websites at opposite ends of the bridge are still not coming up (but still ping).

seejay:

Taking the MTU advice, I applied it back to our dedicated NIC configuration (a separate set of NICs on the pfSense boxes attached to the same LAN but with no IP assigned in pfSense). Seems to be stable so far with no dropouts, and I can again reach the pfSense websites across the bridge. Going to run this way for a bit and see if we stay stable with 0% packet loss.

JKnott @seejay:

                @seejay said in OpenVPN TAP pfSense Gateway Website Inaccessible:

                So if I force both WANs to 1500 MTU, and both LANS to 1472 MTU, do I need to apply an mssfix or other value to the openvpn config or will it determine it correctly

                It should be OK, as there will not be a conflict with MTU size.

seejay:

Back to square zero. Separate dedicated NICs with no IP observe packet loss and instability; using the same LAN NIC as the pfSense LAN IP assignment makes everything stable, but I can't access web pages across the bridge. MTUs are set properly now in both cases.

coffeecup25 @seejay:

@seejay Are the rules out of order on your firewall? For example, is the 'restrict everything else' rule above the entry that says your OpenVPN connection is OK? (Voice of experience talking.)

Also, is the LAN to use on the TAP server configuration the same as the one you want to access? (Sorry, but I did not read all the details about all the problems.)

                    Finally, I used this guide to set up my TAP configuration (https://hardforum.com/threads/pfsense-2-0-1-openvpn-configuration-guide.1663797/). Any clues here?

(I have 3 configurations: 1 TUN pass-through only, 1 TUN with full access, 1 TAP with full access. Why: because I wanted to.)

seejay @coffeecup25:

                      Thanks for the response. In order of your questions:

1. Are the rules out of order on your firewall? For example, is the 'restrict everything else' rule above the entry that says your OpenVPN connection is OK?
  -- Yes, the anti-lockout rule is always the first entry, and all IPv4* traffic is set to pass on the OpenVPN interface.

2. Is the LAN to use on the TAP server configuration the same as the one you want to access?
  -- Definitely. I've built these bridges multiple times, and given I can access all of the other resources on the LAN normally, I am not concerned that I've confused this.

3. I used this guide to set up my TAP configuration (https://hardforum.com/threads/pfsense-2-0-1-openvpn-configuration-guide.1663797/). Any clues here?
  -- Sadly, this looks more like a server/client setup for TAP as opposed to a site-to-site configuration, but similar concepts.

Ultimately, no matter which TAP/bridging configuration I've employed for site-to-site TAP, I have odd issues like the one outlined in this post, or random packet loss and/or TCP resets. You've seen me go through things like the MTU and other diagnosis ad nauseam to no avail.

For comparison, I've also set up a tunnel configuration for the same network(s) and it's far superior. Of course it doesn't fully meet the original use case, but I'm trying out some other tooling to try and work around the lack of broadcast traffic out of the box. Ultimately, unless I'm missing something, there seems to be a bug in the implementation of the bridged OpenVPN interface (or something non-obvious overlooked in the default setup).

Rai80:

                        I've been running a TAP openvpn tunnel between two sites without any issues. I use tap for broadcast/multicast traffic, which is not possible with a tun openvpn tunnel.

                        Check the following:

• net.link.bridge.pfil_bridge = 0 to disable filtering on the bridge
• net.link.bridge.pfil_member = 0 to disable filtering on the bridge members
• Assign an IP address to the bridge instead of a bridge-member interface
seejay:

                          New suggestions, will have to give a try on #3. On one hand I can see that being the issue, on the other hand according to:

                          https://docs.netgate.com/pfsense/en/latest/interfaces/interface-bridges.html

                          the IP address assignment should be acceptable in either place (the bridge with no members, or one member only in the bridge).

JKnott @seejay:

                            @seejay said in OpenVPN TAP pfSense Gateway Website Inaccessible:

                            Ultimately no matter which TAP/bridging configuration I've employed for site-to-site TAP I have odd issues like the one outlined in this post, or random packet loss and/or TCP resets. You've seen me go through things like the MTU and other diagnosis ad nauseum to no avail.

                            One thing you'll have to bear in mind is the bandwidth mismatch between the VPN and LANs. The LANs can handle data a lot faster than the VPNs. So, if you're bridging the LANs, as you do with TAP, then there's no way the VPN can pass all the data between them. In my case, the LAN is Gb, but my Internet connection runs at about 91 Mb down and 11 up. That's a ratio of over 10:1 in one direction and almost 100:1 in the other. This is before we even can consider the limitations at the other end.
