@Pippin Thank you for the reply. I went into VPN -> OpenVPN -> Clients and edited my client's configuration. Under Advanced Configuration I put into the custom options "ns-cert-type server; persist-tun; persist-key; mssfix 1400" and then saved. I then reloaded the VPN by going to Status -> OpenVPN. I did the usual ping/nmap verification checks to confirm connectivity. However this does not seem to have done anything. Below is a picture of the wireshark output (with the TCP stream from the browser being currently selected) and below that is the capture file.

Untitled.png

mssfix1400_full_cap.pcapng

P.S. I take it back - you may need firewall rules for IPSec to allow BGP traffic. You can create them from the firewall logs if you see blocked BGP traffic on IPSec.

@KOM ok thanks will try that

Show your OpenVPN Config and Firewall Rules (Screenshots).

-Rico

Thanks Pablo. Good to have in case we ever move to an HA setup with Google VPN. For anyone else that reads this, my posts were for the Classic Google VPN setup (non HA).

One note I wanted to add, in the BGP settings in my instructions above, don't change the setting for "Redistribute connected networks" to Yes. When set to Yes this advertised our WAN network to Google and caused issues with hitting public facing servers we had in Google. Since we only have a few networks locally, I just manually defined those along with the BGP network 169.254.10.0/30 in the fields below that setting.

The other option may be to change the setting to Yes and somehow mark it to ignore the WAN network, but I haven't looked into that.

@Chris78 Sorry to sort of resurrect this.. I went through all of the instructions , my intent was to have all traffic go through the VPN yet no luck :(
Could pfBlockerNG be the cause?
I'll admit this is a LOT of steps to go through and so much could go wrong

Thank you

After contact with microsoft helpdesk I found the solution for me.
For future reference: I had to turn on mss clamping and set it to 1350. This is also in the advanced IPSec settings

Maybe this settings was defaulted after an update? I wasn't the one who configured it in the first place, so I wouldn't know for sure.

I made sure to match my settings to this document https://docs.microsoft.com/nl-nl/azure/vpn-gateway/vpn-gateway-about-vpn-devices

@stephenw10 Thanks for the reply, I had this disabled already, but the pointer was appreciated

Solution can be found here:
IIPsec to Mikrotik

Hi, your machines uses s.o windows ? in that case turn off the firewall each and check pin to the other machine

@treborjm87

I'd be curious about this as well...

I think you need to establish how much throughput/bandwidth you need and how many concurrent user connections you anticipate, etc? (Is this box dedicated to routing and VPN only or more exotic use cases like running VMs, etc)

I've seen some charts floating around with hardware recommendations based on required throughput here and at the servethehome website.

https://www.netgate.com/docs/pfsense/virtualization/virtio-driver-support.html

Yes, nothing will change unless you change it. For example:
https://www.netgate.com/docs/pfsense/book/openvpn/openvpn-and-multi-wan.html

Steve

I am disappointed in this forum because not one suggestion was offered. Usually, community support for stuff like this is pretty good.

Regardless, I figured it out myself. This thread can be considered closed.

I stand corrected!😊

~Mat

@patrick0525 If you're completely certain that nothing on your end changed, it stands to reason that maybe something on their end did? I'm not familiar with the provider, but have you checked to see whether they have an updated configuration guide? Have you tried connecting to them from a PC instead of the pfSense machine? If they support TCP as well have you tried that? Just a few thoughts for preliminary troubleshooting steps.