Netgate Discussion Forum

    PulseSecure VPN client - can't connect to company VPN - are special firewall settings needed in pfsense?

    12 Posts 3 Posters 2.6k Views
      NogBadTheBad @Rico

      I use Pulse Secure when working from home, nothing needed configuring on the router to get it to work.

      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        mrneutron

        My connection path at home goes through this path:
        Netgate SG-1100, Arris Surfboard SB6141 cable modem, then Comcast, for Internet.
        Something in this chain is preventing connection, on all the Windows PCs I've tried with PulseSecure's client.

        I tried the experiment of connecting my Dell laptop (Windows 10 64-bit) to my Sprint cell phone's wifi hotspot to the Sprint 4G network. The laptop was able to connect to the company VPN with PulseSecure, through that connection path.
        The same Dell laptop cannot connect through the Netgate SG-1100, Arris Surfboard SB6141, and Comcast.

          NogBadTheBad

          Is the WAN IP address on your pfSense router an RFC1918 address?

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

            mrneutron @NogBadTheBad

            @NogBadTheBad said in PulseSecure VPN client - can't connect to company VPN - are special firewall settings needed in pfsense?:

            RFC1918

            No. The WAN address of the SG-1100 is a Comcast DHCP-assigned address in the block 73.37.x.x.
            The cable modem is in pass-through mode, with no controls to change.

              mrneutron

              I just disabled the "firewall scrub" option in pfSense, and was ABLE to connect to the office VPN with the PulseSecure client.

              "Disable Firewall Scrub
              When set, the scrubbing option in pf is disabled. The scrub action in pf can interfere with NFS, and in rare cases, with VoIP traffic as well. By default, pfSense uses the fragment reassemble option which reassembles fragmented packets before sending them on to their destination, when possible. More information on the scrub feature of pf can be found in the OpenBSD PF Scrub"

              See:
              https://docs.netgate.com/pfsense/en/latest/book/config/advanced-firewall-nat.html

                mrneutron

                I guess PulseSecure uses NFS?

                This says:
                One reason not to scrub on an interface is if one is passing NFS through PF. Some non-OpenBSD platforms send (and expect) strange packets -- fragmented packets with the "do not fragment" bit set, which are (properly) rejected by scrub. This can be resolved by use of the no-df option. Another reason is some multi-player games have connection problems passing through PF with scrub enabled. Other than these somewhat unusual cases, scrubbing all packets is a highly recommended practice.

                http://web.archive.org/web/20101223090933/http://www.openbsd.org/faq/pf/scrub.html

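The FAQ text quoted in the post above says scrub rejects fragmented packets that also carry the "do not fragment" bit. As an added example (not part of the thread and not pf's own code), this Python sketch classifies raw IPv4 headers by that condition so a capture can be checked for it; the function names and sample headers are constructed for illustration.

```python
import struct

DF = 0x4000           # "don't fragment" bit in the flags/offset field
MF = 0x2000           # "more fragments" bit
OFFSET_MASK = 0x1FFF  # fragment offset, in 8-byte units


def classify_ipv4(header: bytes) -> str:
    """Return 'df-fragment', 'fragment', 'df' or 'plain' for one IPv4 header."""
    if len(header) < 20:
        raise ValueError("IPv4 header needs at least 20 bytes")
    if header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    (flags_off,) = struct.unpack_from("!H", header, 6)
    is_fragment = bool(flags_off & MF) or (flags_off & OFFSET_MASK) != 0
    has_df = bool(flags_off & DF)
    if is_fragment and has_df:
        return "df-fragment"  # the case the quoted FAQ says scrub rejects
    if is_fragment:
        return "fragment"
    return "df" if has_df else "plain"


def make_header(flags_off: int) -> bytes:
    """Build a constructed 20-byte IPv4/TCP header (checksum left at zero)."""
    return struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, flags_off, 64, 6, 0,
        bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]),
    )


# Constructed samples: description -> flags/offset field value.
SAMPLES = {
    "ordinary segment with DF": DF,
    "first fragment": MF,
    "later fragment, offset 185": 185,
    "first fragment with DF set": DF | MF,
    "later fragment with DF set": DF | 185,
    "unfragmented, DF clear": 0,
}


def summarize(samples=SAMPLES):
    return {name: classify_ipv4(make_header(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, verdict in summarize().items():
        print(f"{verdict:12} {name}")
```

An ordinary unfragmented packet with DF set is classified as "df", not "df-fragment"; only the combination of DF with the MF bit or a non-zero offset matches what the FAQ describes.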
                  NogBadTheBad

                  I don't disable pf scrubbing.

                  Why do you think Pulse uses NFS? NFS is used to mount remote filesystems locally.

                  Andy

                  1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                    mrneutron @NogBadTheBad

                    @NogBadTheBad, I was just venturing a guess based on those guide sections I quoted. The first thing the guide mentions is NFS. I didn't look up what NFS stands for. Since it's a file system thing, I agree with you. It doesn't seem related.

                    Based on the evidence of being able to connect to my company vpn after turning off scrub, isn't it logical to conclude that something scrub is doing is preventing PulseSecure from connecting to my company vpn?

                      NogBadTheBad

                      If it works for you great ☺

                      Andy

                      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                        mrneutron

                        I am very frustrated to report that the PulseSecure client has been fooling me!
                        It appears PulseSecure connects even with the pfSense firewall scrub option enabled.

                        After I successfully connected to my company VPN, I noted:

                        1. I still got an error box popping up, after every login attempt.
                          Pulse Secure failed.jpg
                        2. The Pulse Secure window continues to say Securing Connection, even after a successful connection! It never changes from Securing Connection, to Connected!
                          Puse Secure Connection window redacted.jpg

                        It appears my trust in the feedback messages from Pulse Secure was misplaced.
                        PulseSecure appears to be a buggy piece of crap that has been misleading me!!

                        I'm sorry for wasting your time with this!
