Netgate Discussion Forum

    Site to site (PFSense to legacy router MR260) - Cannot turn off compression…..

      JoeSlowe

      Can anyone help? Been on one fault to another and I think I'm working my way around the PFSense setup ok (not initially) but with the great help of past forum cases and your excellent range of other fixes/advice worked my way through most.

      So all aspects appear to be working in this very simple (or at least should be) site to site setup.  I'll have around 20 end point sites in the end but am required for manufacturing lines to have these old units talk back to a central OpenVPN server.

      Server site:
      WAN: to public gateway
      LAN: 192.168.1.0/24

      VPN: 10.0.1.0/24
      Cert only setup

      Test Router: 192.168.2.0/24

      The vpn link communicates, authenticates the certificates and passes down all the routing parameters I set on server side.

      I see the correct routing tables showing on the VPN server side too.  All looks great but cannot pass data in any direction of the link.  Been around the houses with multiple re-installs etc and saw a post suggesting to check the OpenVPN logs which have highlighted the following:

      Aug 20 23:56:32 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 42
      Aug 20 23:56:33 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 69
      Aug 20 23:56:33 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 69
      Aug 20 23:56:37 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 69
      Aug 20 23:56:37 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 69
      Aug 20 23:56:42 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 70
      Aug 20 23:56:43 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 69
      Aug 20 23:56:43 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 69
      Aug 20 23:56:43 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 42
      Aug 20 23:56:47 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 69
      Aug 20 23:56:47 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 69
      Aug 20 23:56:52 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 69
      Aug 20 23:56:52 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 69
      Aug 20 23:56:54 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 42
      Aug 20 23:56:57 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 69
      Aug 20 23:56:57 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 69
      Aug 20 23:57:02 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 69
      Aug 20 23:57:02 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 69

      This would suggest the reason the link is not passing any data/pinging etc.

      The OpenVPN route shows as:

      MCW-MR260-2 213.205.252.30:52575 192.168.2.0/24 Sun Aug 21 00:16:52 2016
      MCW-MR260-2 213.205.252.30:52575 10.0.1.6 Sun Aug 21 00:16:52 2016

      And stays online for a while but not passing data.

      All firewall ports for the time being are set to "any" - Nothing in the logs to suggest an issue here which is also backed up by a few comments in other posts about it connecting and passing routes.

      Router side shows the following routes:

      Interface IP address 10.0.1.6
      Pulled Route #1 192.168.1.0/24
      Link socket local IP 10.198.125.62
      Link socket remote IP xx.xx.xx.xx (masked out)

      So I know the old legacy router series I have does not support lzo compression.  This was always set on the "server" to "Disabled - No Compression". I've tried turning it on/off etc and each time it still remains showing these errors.  I've tried typing into the advanced box to turn it off including setting this into a client override.  Again every permutation didn't work.

      I've even now just tried editing the server1.conf file and editing this and removing the line completely without any luck.

      Copy of server config:
      dev ovpns1
      verb 1
      dev-type tun
      tun-ipv6
      dev-node /dev/tun1
      writepid /var/run/openvpn_server1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp
      cipher AES-256-CBC
      auth SHA1
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      local 10.0.0.1
      tls-server
      server 10.0.1.0 255.255.255.0
      client-config-dir /var/etc/openvpn-csc/server1
      ifconfig 10.0.1.1 10.0.1.2
      lport 1194
      management /var/etc/openvpn/server1.sock unix
      ca /var/etc/openvpn/server1.ca
      cert /var/etc/openvpn/server1.cert
      key /var/etc/openvpn/server1.key
      dh /etc/dh-parameters.1024
      crl-verify /var/etc/openvpn/server1.crl-verify
      comp-lzo no
      topology net30

      Copy of client config:

      push "route 192.168.1.0 255.255.255.0"
      iroute 192.168.2.0 255.255.255.0
      comp-lzo no

      Anyone have any ideas/suggestions?  I'm happy to pay for advice too.  Anyone know how quickly you can purchase the PFSense support and how good they are?

      I somehow need to ensure this is all working for Monday with a single unit so I can replicate during the week.

      Help!  Please let me know if you need any information to assist.

      PFSense is:  2.3.2-RELEASE (amd64)
      Running inside a HyperV - FreeBSD 10.3-RELEASE-p5

      Thank you all so much for the help so far from other posts! I'm so hoping someone can pull something out the bag on this final hurdle for me!

      Thanks in advance!

      Joe.
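
An added example, not part of the original post: a Python sketch that decodes the rejected header bytes from the log excerpt above to show what the peer is actually sending. It assumes OpenVPN's comp-lzo framing bytes (0x66 for compressed, 0xFA for uncompressed) and a keepalive ping payload that begins with 0x2A; the function names are hypothetical.

```python
import re
from collections import Counter

# Framing bytes OpenVPN's comp-lzo code expects as the first payload byte.
LZO_COMPRESS_BYTE = 0x66   # payload is LZO-compressed
NO_COMPRESS_BYTE = 0xFA    # framing present, payload not compressed

LINE_RE = re.compile(
    r"openvpn \d+ (?P<peer>\S+)/(?P<addr>[\d.]+:\d+) "
    r"Bad LZO decompression header byte: (?P<byte>\d+)$"
)

def classify(byte):
    """Guess what a packet starting with this (decimal-logged) byte really is."""
    if byte in (LZO_COMPRESS_BYTE, NO_COMPRESS_BYTE):
        return "valid comp-lzo framing"
    if byte == 0x2A:
        return "OpenVPN keepalive ping (no compression framing)"
    if byte >> 4 == 4 and 5 <= (byte & 0x0F) <= 15:
        return "raw IPv4 header, IHL=%d (no compression framing)" % (byte & 0x0F)
    if byte >> 4 == 6:
        return "raw IPv6 header (no compression framing)"
    return "unrecognised"

def summarise(log_text):
    """Return {peer: Counter(classification -> count)} for the LZO errors."""
    result = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line.strip())
        if m:
            result.setdefault(m["peer"], Counter())[classify(int(m["byte"]))] += 1
    return result

def framing_mismatch(counter):
    """True when every rejected byte looks like an unframed packet."""
    return bool(counter) and all("no compression framing" in k for k in counter)

# Three lines copied from the post's log excerpt (bytes 42, 69 and 70).
SAMPLE = """\
Aug 20 23:56:32 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 42
Aug 20 23:56:33 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 69
Aug 20 23:56:42 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 70
"""

if __name__ == "__main__":
    for peer, counts in summarise(SAMPLE).items():
        print(peer, dict(counts), "mismatch:", framing_mismatch(counts))
```

On these lines every rejected byte decodes as a keepalive ping or an IPv4 header, which is the pattern a server logs when it expects the comp-lzo framing byte and the peer sends packets without one.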
