Netgate Discussion Forum

    Cant route network through VPN without reboot

    Category: OpenVPN
    3 Posts 2 Posters 840 Views
    ahydle

      I have been noticing something when moving around my VPN connections which makes me think there is a table that needs to be manually flushed after reconfiguring things. I am wondering if anyone else has the same issue? I have several VPN connections that I am trying to migrate to a different ISP/interface. If I create a new OpenVPN connection on the new interface and specify my remote network in the new connection (removing it from the old connection), I can connect just fine, but when I try to ping from any of the client IPs on the remote firewall (including the LAN interface) I can see the traffic going into the tunnel but I don't see it in the packet captures coming out the other side.

      I also will see some of these messages in my logs: "bad source address from client [x.x.x.x], packet dropped." If I look at my routes I have a route for the IP address mentioned in the packet dropped message and it points to the appropriate VPN interface. If I ping from the OpenVPN interface (which uses the OpenVPN virtual IPs) I see everything working as expected.

      Now, if I keep working on this for several hours, everything just starts working, OR if I reboot my main firewall everything starts working. I am assuming this is some sort of NAT/route/filter table that is being rebuilt periodically, but I am not sure what to look for and I need to make sure it is something I can change without knocking all my VPNs offline (if possible).

      Has anyone else noticed similar behavior?

      Pippin

        Regarding

        bad source address from client [x.x.x.x], packet dropped

        Usually means there is an iroute missing.
        Or is that a mobile/4G client?
        Then it is probably inside a CGN, so though you see the "correct" external address in the log, the actual address from the client is different.
        One can ignore the message if it's a mobile client.

        I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
        Halton Arp

        ahydle
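        To make the "missing iroute" diagnosis above repeatable, here is a small checker (added example, not code from the thread or from pfSense/OpenVPN). It assumes the server log line shape shown in the constructed samples (the peer's common name before the "/", then "MULTI: bad source address ...") and client-config-dir files containing `iroute NET MASK` lines; both the sample log and the CCD contents are constructed.

```python
import re
import ipaddress
from collections import defaultdict

# Approximation of the OpenVPN server log line for a dropped tunnel packet whose
# source IP is not mapped to the sending client; timestamp/prefix may differ.
BAD_SOURCE_RE = re.compile(
    r"(?P<cn>[^\s/]+)/\S+ MULTI: bad source address from client "
    r"\[(?P<src>[\d.]+)\], packet dropped"
)
# `iroute NET MASK` lines as written in client-config-dir (CCD) files.
IROUTE_RE = re.compile(r"^\s*iroute\s+(\S+)\s+(\S+)", re.MULTILINE)


def parse_iroutes(ccd_files):
    """Map client common name -> list of networks its CCD file iroutes."""
    routes = {}
    for cn, text in ccd_files.items():
        routes[cn] = [
            ipaddress.ip_network(f"{net}/{mask}", strict=False)
            for net, mask in IROUTE_RE.findall(text)
        ]
    return routes


def find_missing_iroutes(log_lines, ccd_files):
    """Return {cn: {src_ip: drop_count}} for dropped sources no iroute of that client covers."""
    iroutes = parse_iroutes(ccd_files)
    missing = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        m = BAD_SOURCE_RE.search(line)
        if not m:
            continue
        cn, src = m.group("cn"), ipaddress.ip_address(m.group("src"))
        if not any(src in net for net in iroutes.get(cn, [])):
            missing[cn][str(src)] += 1
    return {cn: dict(ips) for cn, ips in missing.items()}


# Constructed sample data: two site-to-site peers, one with an iroute, one without.
SAMPLE_CCD = {
    "site-b": "iroute 10.20.0.0 255.255.255.0\n",
    "site-c": "# no iroute configured yet\n",
}
SAMPLE_LOG = [
    "site-b/203.0.113.5:1194 MULTI: bad source address from client [10.20.0.7], packet dropped",
    "site-c/198.51.100.9:1194 MULTI: bad source address from client [10.30.0.12], packet dropped",
    "site-c/198.51.100.9:1194 MULTI: bad source address from client [10.30.0.12], packet dropped",
    "site-b/203.0.113.5:1194 MULTI: bad source address from client [10.99.0.1], packet dropped",
]

if __name__ == "__main__":
    for cn, ips in find_missing_iroutes(SAMPLE_LOG, SAMPLE_CCD).items():
        for ip, n in ips.items():
            print(f"{cn}: {n}x drops from {ip}, no iroute covers it in this client's CCD")
```

A dropped source that the checker does not flag (10.20.0.7 above, already covered by site-b's iroute) is the case the original poster describes, where the route exists but the running OpenVPN instance has not picked it up; restarting that OpenVPN instance is the narrower fix to try before a full firewall reboot.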

          These are P2P connections and I have the network specified in the remote networks of the main firewall. Also the route appears in both the main firewall and my remote client firewall. I can also try adding push route to the advanced options and will get the same result.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.