Netgate Discussion Forum

    pfsense 2.5.1 OpenVPN drop RDP to Windows Machine

    • wcpoon

      pfsense 2.5.1 with OpenVPN
      I encountered a problem with my OpenVPN connection; my connection to OpenVPN is connected.
      I can ping all my networks; however, when I want to RDP to a Windows machine, the network goes down.
      Any idea what the problem is?

      1 Reply Last reply Reply Quote 0
      • peterzy

        If it is multi-wan try:

        The only workaround I have found so far (in case someone needs it):
        System >> Advanced >> Firewall & NAT

        Bypass firewall rules for traffic on the same interface

        This is a workaround, but definitely a bug in 2.5.1.

        I also switched OpenVPN to the other WAN.

        W 1 Reply Last reply Reply Quote 0
        • wcpoon @peterzy

          @peterzy

          Hi, I tried enabling "Bypass firewall rules for traffic on the same interface", but still encountered the same issue.
          My setup has only 1 x WAN; the WAN is a private IP address in the internal network, and it acts as the WAN.

          This is because I just want to use pfSense OpenVPN to create an OpenVPN tunnel to my internal network.
          I have another FW in front of pfSense, because that FW does not have SSL VPN features.

          1 Reply Last reply Reply Quote 0
          • zabi

            Hi,
            I encountered a similar problem on two different installations, so I decided not to create another topic.
            @wcpoon your description is not very precise, so I don't know if we have the same problem.

            The issue occurred after migrating from 2.4.5p1 to 2.5.1. In both environments I had to roll back to 2.4.5p1.
            On 2.5.1 OpenVPN is established correctly, RDP connects smoothly and all looks OK... for a few (up to 10) seconds. After this time RDP freezes and reconnects; after reconnection and a few seconds of normal working it hangs again. The OpenVPN connection itself is stable.
            Based on this I started digging around MTU, MSS and fragmentation. I tested many combinations of "mssfix", "fragment", "tun-mtu", "link-mtu" and other similar OpenVPN statements. Nothing helped.

            Then I looked closer at MSS and found these topics and bugs 1 2 3 4
            After setting MSS on the OpenVPN interface to 1420, the issue with RDP vanished.

            I compared /tmp/rules.debug from 2.4.5p1 and 2.5.1; both look similar, but in my opinion in 2.5.1 it's not working correctly and it needs additional manual configuration on the VPN interface.

            I'd appreciate feedback from someone more familiar with iptables and how '/tmp/rules.debug' is interpreted.
            @viktor_g Maybe you will be able to look at it; it could be connected with: IPv6 PPPoE MSS incorrect

            @wcpoon I hope I helped you a little bit.

            From my point of view the statements below aren't working in 2.5.1, but I cannot prove that. :)

            scrub from any to <vpn_networks> max-mss 1398
            scrub from <vpn_networks> to any max-mss 1398
            

            Regards.

            2.4.5p1

            [2.4.5-RELEASE][admin@XXX]/root: grep scrub /tmp/rules.debug
            scrub from any to <vpn_networks> max-mss 1398
            scrub from <vpn_networks> to any max-mss 1398
            scrub on $WAN all    fragment reassemble
            scrub on $LAN all    fragment reassemble
            scrub on $V100_10_0_100_0 all    fragment reassemble
            scrub on $V102_10_0_102_0 all    fragment reassemble
            scrub on $V104_10_0_104_0 all    fragment reassemble
            scrub on $VPN_OpenVPN all    fragment reassemble
            [2.4.5-RELEASE][admin@01]/root: grep vpn_networks /tmp/rules.debug
            table <vpn_networks> { 10.0.16.0/24 10.0.16.0/24 10.150.40.10/32 10.202.91.0/24 10.245.254.0/24 }
            scrub from any to <vpn_networks> max-mss 1398
            scrub from <vpn_networks> to any max-mss 1398
            [2.4.5-RELEASE][admin@01]/root:
            

            2.5.1

            [2.5.1-RELEASE][admin@02]/root: grep scrub /tmp/rules.debug
            scrub from any to <vpn_networks> max-mss 1398
            scrub from <vpn_networks> to any max-mss 1398
            scrub on $WAN inet all    fragment reassemble
            scrub on $WAN inet6 all    fragment reassemble
            scrub on $LAN inet all    fragment reassemble
            scrub on $LAN inet6 all    fragment reassemble
            scrub on $V100_10_0_100_0 inet all    fragment reassemble
            scrub on $V100_10_0_100_0 inet6 all    fragment reassemble
            scrub on $V102_10_0_102_0 inet all    fragment reassemble
            scrub on $V102_10_0_102_0 inet6 all    fragment reassemble
            scrub on $V104_10_0_104_0 inet all    fragment reassemble
            scrub on $V104_10_0_104_0 inet6 all    fragment reassemble
            scrub on $VPN_1 inet all    fragment reassemble
            scrub on $VPN_1 inet6 all    fragment reassemble
            scrub on $VPN_OpenVPN inet all   max-mss 1380 fragment reassemble
            scrub on $VPN_OpenVPN inet6 all   max-mss 1360 fragment reassemble
            [2.5.1-RELEASE][admin@02]/root: grep vpn_networks /tmp/rules.debug
            table <vpn_networks> { 10.0.16.0/24 10.0.16.0/24 10.150.40.10/32 10.202.91.0/24 10.245.254.0/24 }
            scrub from any to <vpn_networks> max-mss 1398
            scrub from <vpn_networks> to any max-mss 1398
            [2.5.1-RELEASE][admin@02]/root:
            
            W 1 Reply Last reply Reply Quote 0
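Added example, not part of any post in this thread: a small Python script that does the /tmp/rules.debug comparison from the post above mechanically, listing the scrub rules whose max-mss differs between the 2.4.5 and 2.5.1 dumps. The sample rules are trimmed from that post's grep output, the function names are this example's own, and the 40/60-byte header sizes assume no IP or TCP options.

```python
# Header bytes with no options: IPv4 20 + TCP 20, IPv6 40 + TCP 20 (assumption).
OVERHEAD = {"inet": 40, "inet6": 60}
NOISE = {"scrub", "inet", "inet6", "fragment", "reassemble"}

# Trimmed from the grep output quoted in the post above.
OLD_245 = """\
scrub from any to <vpn_networks> max-mss 1398
scrub from <vpn_networks> to any max-mss 1398
scrub on $WAN all    fragment reassemble
scrub on $VPN_OpenVPN all    fragment reassemble
"""
NEW_251 = """\
scrub from any to <vpn_networks> max-mss 1398
scrub from <vpn_networks> to any max-mss 1398
scrub on $WAN inet all    fragment reassemble
scrub on $VPN_OpenVPN inet all   max-mss 1380 fragment reassemble
scrub on $VPN_OpenVPN inet6 all   max-mss 1360 fragment reassemble
"""

def parse_scrub(line):
    """Return ((selector, family), max_mss) for a scrub rule, else None."""
    tok = line.split()
    if not tok or tok[0] != "scrub":
        return None
    mss = None
    if "max-mss" in tok:
        i = tok.index("max-mss")
        mss = int(tok[i + 1])
        del tok[i:i + 2]          # keep the selector free of the option
    family = next((t for t in tok if t in OVERHEAD), None)
    selector = " ".join(t for t in tok if t not in NOISE)
    return (selector, family), mss

def mss_clamps(rules_text):
    """Map (selector, family) -> max-mss for the rules that clamp MSS."""
    parsed = filter(None, map(parse_scrub, rules_text.splitlines()))
    return {key: mss for key, mss in parsed if mss is not None}

def clamp_changes(old_text, new_text):
    """Clamps added, removed or changed between two rule dumps."""
    old, new = mss_clamps(old_text), mss_clamps(new_text)
    return {k: (old.get(k), new.get(k))
            for k in old.keys() | new.keys() if old.get(k) != new.get(k)}

def packet_size(family, mss):
    # Largest TCP/IP packet the clamp allows, options ignored.
    return mss + OVERHEAD[family]

if __name__ == "__main__":
    for (sel, fam), (was, now) in clamp_changes(OLD_245, NEW_251).items():
        print(f"{sel} [{fam}]: max-mss {was} -> {now}")
```

Both changed clamps on $VPN_OpenVPN (1380 for inet, 1360 for inet6) work out to a 1420-byte packet, the value the post reports setting as MSS on the OpenVPN interface; the two `<vpn_networks>` rules are identical in both dumps.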
            • wcpoon @zabi

              @zabi

              Hi,

              my output,

              [2.5.1-RELEASE][admin@pfSense.home.arpa]/root: grep scrub /tmp/rules.debug
              scrub on $WAN inet all    fragment reassemble
              scrub on $WAN inet6 all    fragment reassemble
              [2.5.1-RELEASE][admin@pfSense.home.arpa]/root: grep vpn_networks /tmp/rules.debug
              table <vpn_networks> { 192.168.77.0/24 }
              

              When I connect over RDP, after authentication to Windows, the screen goes blank.
              After that my ping times out.
              If I close my RDP window, the connection comes back after 30 seconds.
              I can access HTTPS, HTTP, SSH without any issues.

              I just wonder whether it is a bug in version 2.5.1.
              I will deploy version 2.5.0 to try it out again.

              1 Reply Last reply Reply Quote 0