TCP Connection Not Working (LAN/OpenVPN)
-
Welcome!
I am new to the pfSense forums and I hope that I chose the correct category. I tried to solve it on StackExchange and then I realized that this should be the right board. ;)

I am currently working on my network setup for educational purposes. pfSense is installed on a virtual machine on my Proxmox node, which is connected to my home router (fritz.box). There is another virtual machine on the node which is running an HTTP server that I want to access from outside my network. Both virtual machines are connected to a basic Linux bridge of Proxmox without any firewall or routing configuration (it acts as a normal switch). pfSense also hosts the DHCP server for this network, which works fine.

So I created an OpenVPN server from which I can access the LAN of my VMs. OpenVPN pushes the route to the client, and DHCP pushes it to the VMs in the pfSense LAN. So I am able to connect to my OpenVPN server and I can ping all machines on the LAN and the other way around. Now I started to work with TCP/HTTP(80), but there are a few problems. If I try to access an HTTP resource of my VM, the created connection cannot be established. The state on the server is stuck at "SYN_RECV" and the one on the client at "SYN_SENT".

I have tried to disable the firewall of pfSense, but this does not change anything.

Network Structure:
FritzBox LAN: 172.20.0.0/16 (router as GW with 172.20.0.1) [ISP connection, should not be important]
pfSense LAN: 10.44.2.0/24 (pfSense as GW with 10.44.2.254)
pfSense OpenVPN: 10.44.3.0/24 (OpenVPN server with 10.44.3.1, client-to-client disabled, using SSL/TLS, only Linux/Ubuntu/Debian machines)

Remote clients are located in 172.20.0.0/24 or 0.0.0.0/0. My home router forwards the OpenVPN port to pfSense. (This part works fine, PING works.)

EDIT: Yes, the VM is also connected to my home LAN for the normal internet uplink. I have disabled it so that the default route is through pfSense, but this does not change anything.

VM "ip -4 route":
default via 172.20.0.1 dev eth0
10.44.2.0/24 dev eth2 proto kernel scope link src 10.44.2.11
10.44.3.0/24 via 10.44.2.254 dev eth2
172.20.0.0/16 dev eth0 proto kernel scope link src 172.20.4.2
Client "ip -4 route":
default via 172.20.0.1 dev enp6s0 proto static metric 100
10.44.2.0/24 via 10.44.3.1 dev tun0 proto static metric 50
10.44.3.0/24 dev tun0 proto kernel scope link src 10.44.3.2 metric 50
169.254.0.0/16 dev enp6s0 scope link metric 1000
172.20.0.0/16 dev enp6s0 proto kernel scope link src 172.20.6.5 metric 100
pfSense "netstat -r4":
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            172.20.0.1         UGS      vtnet0
10.44.1.0          link#2             U        vtnet1
pve-snake-router   link#2             UHS         lo0
10.44.2.0          link#3             U        vtnet2
10.44.2.254        link#3             UHS         lo0
10.44.3.0          10.44.3.1          UGS      ovpns1
10.44.3.1          link#8             UHS         lo0
10.44.3.2          link#8             UH       ovpns1
localhost          link#6             UH          lo0
172.20.0.0         link#1             U        vtnet0
172.20.4.254       link#1             UHS         lo0
After that, I analysed the TCP traffic with Wireshark/tcpdump, and it seems that the SYN and SYN,ACK are sent correctly, but I cannot find the final ACK.
VM Server:

14:18:57.571985 IP 10.44.3.2.42956 > 10.44.2.11.http: Flags [S], seq 3192289577, win 29200, options [mss 1308,sackOK,TS val 3098827 ecr 0,nop,wscale 7], length 0
14:18:57.572006 IP 10.44.2.11.http > 10.44.3.2.42956: Flags [S.], seq 2421464031, ack 3192289578, win 28960, options [mss 1460,sackOK,TS val 68259688 ecr 3098827,nop,wscale 7], length 0
14:18:57.825934 IP 10.44.3.2.42958 > 10.44.2.11.http: Flags [S], seq 2213274578, win 29200, options [mss 1308,sackOK,TS val 3098889 ecr 0,nop,wscale 7], length 0
14:18:57.825952 IP 10.44.2.11.http > 10.44.3.2.42958: Flags [S.], seq 595037825, ack 2213274579, win 28960, options [mss 1460,sackOK,TS val 68259752 ecr 3098889,nop,wscale 7], length 0
...

Remote Client:

15:18:57.567020 IP 10.44.3.2.42956 > 10.44.2.11.http: Flags [S], seq 3192289577, win 29200, options [mss 1460,sackOK,TS val 3098827 ecr 0,nop,wscale 7], length 0
15:18:57.570249 IP 10.44.2.11.http > 10.44.3.2.42956: Flags [S.], seq 2421464031, ack 3192289578, win 28960, options [mss 1308,sackOK,TS val 68259688 ecr 3098827,nop,wscale 7], length 0
15:18:57.817649 IP 10.44.3.2.42958 > 10.44.2.11.http: Flags [S], seq 2213274578, win 29200, options [mss 1460,sackOK,TS val 3098889 ecr 0,nop,wscale 7], length 0
15:18:57.835985 IP 10.44.2.11.http > 10.44.3.2.42958: Flags [S.], seq 595037825, ack 2213274579, win 28960, options [mss 1308,sackOK,TS val 68259752 ecr 3098889,nop,wscale 7], length 0
15:18:58.567001 IP 10.44.3.2.42956 > 10.44.2.11.http: Flags [S], seq 3192289577, win 29200, options [mss 1460,sackOK,TS val 3099077 ecr 0,nop,wscale 7], length 0
15:18:58.568639 IP 10.44.2.11.http > 10.44.3.2.42956: Flags [S.], seq 2421464031, ack 3192289578, win 28960, options [mss 1308,sackOK,TS val 68259938 ecr 3098827,nop,wscale 7], length 0
15:18:58.570778 IP 10.44.2.11.http > 10.44.3.2.42956: Flags [S.], seq 2421464031, ack 3192289578, win 28960, options [mss 1308,sackOK,TS val 68259938 ecr 3098827,nop,wscale 7], length 0
15:18:58.815006 IP 10.44.3.2.42958 > 10.44.2.11.http: Flags [S], seq 2213274578, win 29200, options [mss 1460,sackOK,TS val 3099139 ecr 0,nop,wscale 7], length 0
...

Does anyone see my fault? :)
-
Any ideas?
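The post above reads the handshake state off the tcpdump output by eye. The following script is an added example (it is not part of the original thread, and not a pfSense or OpenVPN tool): it parses `tcpdump -n` text output, groups segments into flows keyed by the side that sent the bare SYN, and classifies each flow as SYN_SENT, HALF_OPEN (SYN and SYN-ACK seen, third ACK missing), ESTABLISHED or RESET, while also recording the MSS announced in each direction so that clamping along the path shows up as an asymmetry. The sample input consists of the remote-client capture lines from the post plus one constructed flow on port 50000 that completes its handshake, for contrast; the flow-key layout and the state names are this example's own assumptions.

```python
import re

# Matches the start of a `tcpdump -n` TCP line:
#   HH:MM:SS.uuuuuu IP a.b.c.d.port > e.f.g.h.port: Flags [X], ...
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP '
    r'(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+) > '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+): '
    r'Flags \[(?P<flags>[^\]]*)\]'
)
MSS_RE = re.compile(r'\bmss (\d+)')


def parse_line(line):
    """Return a dict for one tcpdump TCP line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    pkt = m.groupdict()
    mss = MSS_RE.search(line)
    pkt['mss'] = int(mss.group(1)) if mss else None
    return pkt


def _new_flow():
    return {'syn': 0, 'synack': 0, 'ack': 0, 'rst': 0,
            'client_mss': None, 'server_mss': None, 'state': None}


def _classify(f):
    # Order matters: a reset overrides everything, an ACK from the client
    # proves the SYN-ACK arrived and was accepted by its TCP stack.
    if f['rst']:
        return 'RESET'
    if f['ack']:
        return 'ESTABLISHED'
    if f['synack']:
        return 'HALF_OPEN'      # SYN and SYN-ACK seen, final ACK never captured
    if f['syn']:
        return 'SYN_SENT'
    return 'UNKNOWN'


def handshake_report(lines):
    """Group tcpdump lines into flows keyed by (client, cport, server, sport)
    and classify each flow's three-way handshake."""
    flows = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        flags = pkt['flags']
        fwd = (pkt['src'], pkt['sport'], pkt['dst'], pkt['dport'])
        rev = (pkt['dst'], pkt['dport'], pkt['src'], pkt['sport'])
        if flags == 'S':                       # bare SYN: the sender is the client
            f = flows.setdefault(fwd, _new_flow())
            f['syn'] += 1                      # >1 means the SYN was retransmitted
            f['client_mss'] = pkt['mss']
        elif flags == 'S.':                    # SYN-ACK: the sender is the server
            f = flows.setdefault(rev, _new_flow())
            f['synack'] += 1                   # >1 means the server never saw an ACK
            f['server_mss'] = pkt['mss']
        elif 'R' in flags:
            f = flows.get(fwd) or flows.get(rev)
            if f is not None:
                f['rst'] += 1
        elif fwd in flows and 'S' not in flags:
            flows[fwd]['ack'] += 1             # any later client segment ACKs the SYN-ACK
    for f in flows.values():
        f['state'] = _classify(f)
    return flows


# Sample input: the remote-client capture lines from the post above, plus one
# constructed flow (client port 50000) whose handshake completes.
SAMPLE = """\
15:18:57.567020 IP 10.44.3.2.42956 > 10.44.2.11.http: Flags [S], seq 3192289577, win 29200, options [mss 1460,sackOK,TS val 3098827 ecr 0,nop,wscale 7], length 0
15:18:57.570249 IP 10.44.2.11.http > 10.44.3.2.42956: Flags [S.], seq 2421464031, ack 3192289578, win 28960, options [mss 1308,sackOK,TS val 68259688 ecr 3098827,nop,wscale 7], length 0
15:18:57.817649 IP 10.44.3.2.42958 > 10.44.2.11.http: Flags [S], seq 2213274578, win 29200, options [mss 1460,sackOK,TS val 3098889 ecr 0,nop,wscale 7], length 0
15:18:57.835985 IP 10.44.2.11.http > 10.44.3.2.42958: Flags [S.], seq 595037825, ack 2213274579, win 28960, options [mss 1308,sackOK,TS val 68259752 ecr 3098889,nop,wscale 7], length 0
15:18:58.567001 IP 10.44.3.2.42956 > 10.44.2.11.http: Flags [S], seq 3192289577, win 29200, options [mss 1460,sackOK,TS val 3099077 ecr 0,nop,wscale 7], length 0
15:18:58.568639 IP 10.44.2.11.http > 10.44.3.2.42956: Flags [S.], seq 2421464031, ack 3192289578, win 28960, options [mss 1308,sackOK,TS val 68259938 ecr 3098827,nop,wscale 7], length 0
15:18:58.570778 IP 10.44.2.11.http > 10.44.3.2.42956: Flags [S.], seq 2421464031, ack 3192289578, win 28960, options [mss 1308,sackOK,TS val 68259938 ecr 3098827,nop,wscale 7], length 0
15:18:58.815006 IP 10.44.3.2.42958 > 10.44.2.11.http: Flags [S], seq 2213274578, win 29200, options [mss 1460,sackOK,TS val 3099139 ecr 0,nop,wscale 7], length 0
15:18:59.000000 IP 10.44.3.2.50000 > 10.44.2.11.http: Flags [S], seq 1, win 29200, options [mss 1460,sackOK], length 0
15:18:59.001000 IP 10.44.2.11.http > 10.44.3.2.50000: Flags [S.], seq 2, ack 2, win 28960, options [mss 1308,sackOK], length 0
15:18:59.002000 IP 10.44.3.2.50000 > 10.44.2.11.http: Flags [.], ack 3, win 229, length 0
"""

if __name__ == '__main__':
    for key, f in handshake_report(SAMPLE.splitlines()).items():
        print('%s:%s -> %s:%s  %-11s syn=%d synack=%d ack=%d mss %s/%s'
              % (key + (f['state'], f['syn'], f['synack'], f['ack'],
                        f['client_mss'], f['server_mss'])))
```

Run it against a real capture with `tcpdump -n -i tun0 'tcp port 80' | python3 handshake.py` after replacing SAMPLE with `sys.stdin`; taking the same capture on the client, on pfSense and on the server, and comparing which hop is the first where a flow turns HALF_OPEN, localizes where the third ACK is lost. A client_mss/server_mss pair that differs only on one side of a hop likewise shows where MSS clamping is being applied.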