Site to site (PFSense to legacy router MR260) - Cannot turn off compression…..
Can anyone help? Been on one fault to another and I think I'm working my way around the PFSense setup ok (not initially) but with the great help of past forum cases and your excellent range of other fixes/advice worked my way through most.
So all aspects appear to be working in this very simple (or at least should be) site to site setup. I'll have around 20 end point sites in the end but am required for manufacturing lines to have these old units talk back to a central OpenVPN server.
Server site:
WAN: to public gateway
LAN: 192.168.1.0/24
VPN: 10.0.1.0/24
Cert only setup
Test Router: 192.168.2.0/24
The vpn link communicates, authenticates the certificates and passes down all the routing parameters I set on server side.
I see the correct routing tables showing on the VPN server side too. All looks great but cannot pass data in any direction of the link. Been around the houses with multiple re-installs etc and saw a post suggesting to check the OpenVPN logs which have highlighted the following:
Aug 20 23:56:32 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 42
Aug 20 23:56:33 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 69
Aug 20 23:56:33 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 69
Aug 20 23:56:37 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 69
Aug 20 23:56:37 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 69
Aug 20 23:56:42 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 70
Aug 20 23:56:43 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 69
Aug 20 23:56:43 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 69
Aug 20 23:56:43 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 42
Aug 20 23:56:47 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 69
Aug 20 23:56:47 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 69
Aug 20 23:56:52 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 69
Aug 20 23:56:52 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 69
Aug 20 23:56:54 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 42
Aug 20 23:56:57 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 69
Aug 20 23:56:57 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 69
Aug 20 23:57:02 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 69
Aug 20 23:57:02 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 69
This would suggest the reason the link is not passing any data/pinging etc.
The OpenVPN route shows as:
MCW-MR260-2 213.205.252.30:52575 192.168.2.0/24 Sun Aug 21 00:16:52 2016
MCW-MR260-2 213.205.252.30:52575 10.0.1.6 Sun Aug 21 00:16:52 2016
And stays online for a while but not passing data.
All firewall ports for the time being are set to "any" - Nothing in the logs to suggest an issue here which is also backed up by a few comments in other posts about it connecting and passing routes.
Router side shows the following routes:
Interface IP address 10.0.1.6
Pulled Route #1 192.168.1.0/24
Link socket local IP 10.198.125.62
Link socket remote IP xx.xx.xx.xx (masked out)
So I know the old legacy router series I have does not support lzo compression. This was always set on the "server" to "Disabled - No Compression". I've tried turning it on/off etc and each time it still remains showing these errors. I've tried typing into the advanced box to turn it off including setting this into a client override. Again every permutation didn't work.
I've even now just tried editing the server1.conf file and editing this and removing the line completely without any luck.
Copy of server config:
dev ovpns1
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 10.0.0.1
tls-server
server 10.0.1.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
ifconfig 10.0.1.1 10.0.1.2
lport 1194
management /var/etc/openvpn/server1.sock unix
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
crl-verify /var/etc/openvpn/server1.crl-verify
comp-lzo no
topology net30
Copy of client config:
push "route 192.168.1.0 255.255.255.0"
iroute 192.168.2.0 255.255.255.0
comp-lzo no
Anyone have any ideas/suggestions? I'm happy to pay for advice too. Anyone know how quickly you can purchase the PFSense support and how good they are?
I somehow need to ensure this is all working for Monday with a single unit so I can replicate during the week.
Help! Please let me know if you need any information to assist.
PFSense is: 2.3.2-RELEASE (amd64)
Running inside a HyperV - FreeBSD 10.3-RELEASE-p5
Thank you all so much for the help so far from other posts! I'm so hoping someone can pull something out the bag on this final hurdle for me!
Thanks in advance!
Joe.
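
Added example, not part of the original post: a small Python triage script for the "Bad LZO decompression header byte" lines quoted above, which classifies each rejected byte and lists the compression directives in a config. The framing byte values (0x66, 0xFA), the keepalive ping first byte (0x2A) and the statement that "comp-lzo no" still enables framing are assumptions taken from OpenVPN 2.x behaviour, not from the post; all function names are hypothetical.

```python
import re
from collections import Counter

# Three lines copied from the log in the post, used as inline sample input.
SAMPLE_LOG = """\
Aug 20 23:56:32 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 42
Aug 20 23:56:33 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 69
Aug 20 23:56:42 openvpn 54150 MCW-MR260-2/213.205.252.30:62400 Bad LZO decompression header byte: 70
"""

LINE_RE = re.compile(r"(\S+)/\S+ Bad LZO decompression header byte: (\d+)")

# Assumption (OpenVPN 2.x comp-lzo framing): with framing on, every data
# packet starts with one of these bytes. The log prints the byte in decimal.
FRAMING = {0x66: "LZO-compressed payload", 0xFA: "uncompressed payload, framed"}
PING_FIRST_BYTE = 0x2A  # assumption: first byte of OpenVPN's keepalive ping

def classify(byte):
    """Name what a leading payload byte most likely is."""
    if byte in FRAMING:
        return FRAMING[byte]
    if byte == PING_FIRST_BYTE:
        return "unframed keepalive ping"
    if byte >> 4 == 4 and (byte & 0x0F) >= 5:   # IP version 4, IHL >= 5
        return "unframed IPv4 packet"
    if byte >> 4 == 6:                          # IP version 6
        return "unframed IPv6 packet"
    return "unknown"

def summarize(log_text):
    """Return {peer common name: Counter of classifications}."""
    peers = {}
    for peer, value in LINE_RE.findall(log_text):
        peers.setdefault(peer, Counter())[classify(int(value))] += 1
    return peers

def framing_mismatch(counts):
    """True when every rejected byte looks like plain tunnel traffic, i.e.
    the peer sends no framing byte while this side expects one."""
    return bool(counts) and all(k.startswith("unframed") for k in counts)

def comp_directives(config_text):
    """Config lines that switch compression framing on (assumption: any
    comp-lzo or compress directive does, 'comp-lzo no' included)."""
    lines = (l.strip() for l in config_text.splitlines())
    return [l for l in lines if l.split()[:1] in (["comp-lzo"], ["compress"])]

if __name__ == "__main__":
    for peer, counts in summarize(SAMPLE_LOG).items():
        print(peer, dict(counts), "mismatch:", framing_mismatch(counts))
```

On the sample lines every byte classifies as unframed traffic (42 as a keepalive ping, 69 and 70 as IPv4 headers), which under the stated assumptions points to a framing mismatch between the two ends, not to corrupted data. Running comp_directives over both the server config and the client-specific override shows whether any directive that enables framing is still present.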