Netgate Discussion Forum
Static routing cutting off HTTP POSTs

Routing and Multi WAN, 7 posts, 2 posters, 895 views
Masejoer

I have a static route set up to redirect traffic to a specific subnet through a Windows server on the LAN that is connected to a remote PPTP VPN. It looks like this:

LAN Network: 192.168.0.0/24
Static Route: 10.0.0.0/16 > 192.168.0.10
Server at 192.168.0.10 is connected to a remote PPTP VPN, an endpoint that I have no control over.

On pfSense 2.1, this worked beautifully. On upgrading to 2.3.2, I am having an issue where larger HTTP POST web requests fail to send all the data. It is cutting off at roughly 200KB. I tried creating a backup, fresh install of pfSense, and restoring the backup - issue persists.

If I add a static route to my Windows web client/workstation to send 10.0.0.0/16 traffic directly to the VPN-client Server at 192.168.0.10, everything runs fine. If I POST to the same page directly from the server via web browser running on the server, the request works fine.

Something about the pfSense static routing has destroyed the ability to send large HTTP POSTs over the VPN connection. Does anyone know of any new setting/config that may cause this behavior? If not, perhaps a bug?

Masejoer

Here is where the traffic stops - 55 TCP segments into the request. The PC continues sending the requests after 55 segments, but they no longer get routed through pfSense - the second system receiving the re-routed packets shows no traffic.

Left is the routed traffic, right is the original workstation.

There's then a reset. It continues on for 55 segments again, then resets a second time. All traffic stops here.

Left is the routed traffic, right is the original workstation.

When I manually set the route in Windows rather than going through pfSense, no resets occur.

Does anyone know of a fix or workaround for this issue?

Masejoer

Topology:

Cuts HTTP POST:

|Workstation 192.168.0.239| -> |pfSense 192.168.0.1| -> |192.168.0.10 RRAS Server| -> |10.61.160.148|

Works with Windows routing:

|Workstation 192.168.0.239| -> |192.168.0.10 RRAS Server| -> |10.61.160.148|

Older version of pfSense 2.1 didn't have any problems. Our router is now on 2.3.2-RELEASE-p1.

Masejoer

Staring at this stuff even more, it looks like whenever a sequence goes over 64KB in size, it no longer gets routed through pfSense?

Here is the flow graph when routing through pfSense:

Here is routing directly via Windows routes:

Masejoer

Anyone? I messed with the workstation MTU and it seems to be that whenever I go over a 32KB block sequence without an ACK back, pfSense stops routing additional packets.

jimp (Rebel Alliance Developer, Netgate)

System > Advanced, Firewall & NAT tab, check "Bypass firewall rules for traffic on the same interface"

See also:
https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules
https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection

Masejoer

@jimp:

    System > Advanced, Firewall & NAT tab, check "Bypass firewall rules for traffic on the same interface"

    See also:
    https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules
    https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection

"Bypass firewall rules for traffic on the same interface" was already checked. Maybe it's not working. I set up a manual rule with sloppy states and it appears to be fixed!

There were no rules for this route before - simply a static route and gateway in System > Routing. It really does sound like that option isn't working as it did in older pfSense versions.

Thanks much! Months of changing routes directly on workstations can finally be retired!
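The mechanism behind jimp's suggestion and the sloppy-state workaround, as an added toy model that is not pfSense or pf source code and was not posted by anyone in this thread: in the topology above the firewall only ever sees the workstation-to-server half of the connection, because the server's ACKs go straight back across the LAN. A state that checks sequence numbers can only slide the client's permitted range forward when it sees those ACKs, so it stops passing client data once the POST runs past the window it last learned; a sloppy state matches addresses and ports only and keeps passing. The segment size, window and POST size are constructed, and the `simulate` helper and the two state classes are mine, not the product's API; pf's real tracking keeps more state than this.

```python
"""Toy model of stateful TCP tracking under asymmetric routing.

Added example, not pfSense or pf source code. It keeps only the two pieces
of per-connection state that explain the symptom in this thread: the
highest client byte the firewall has seen the server acknowledge, and the
receive window the server last advertised. All numbers are constructed.
"""
from dataclasses import dataclass

MSS = 1460            # constructed payload bytes per segment
INIT_WINDOW = 65535   # constructed allowance before any server ACK is seen


@dataclass
class Segment:
    src: str      # "client" or "server"
    seq: int      # sequence number of the first payload byte (client data)
    length: int   # payload bytes
    ack: int      # bytes of the peer's data acknowledged by this segment
    window: int   # receive window advertised by the sender


class StrictState:
    """Sequence-checking state, in the spirit of pf's default 'keep state'."""

    def __init__(self):
        self.acked = 0              # highest client byte the server was seen to ACK
        self.window = INIT_WINDOW   # server's last advertised window

    def inspect(self, seg: Segment) -> bool:
        if seg.src == "server":
            # Server replies slide the client's permitted range forward.
            self.acked = max(self.acked, seg.ack)
            self.window = seg.window
            return True
        end = seg.seq + seg.length
        # Client data must stay inside the window the server was seen to offer.
        return end <= self.acked + self.window


class SloppyState:
    """No sequence checking, in the spirit of pf's 'keep state (sloppy)'.

    Only addresses and ports are matched (assumed done by the caller), so the
    firewall never needs the reverse direction to keep passing data.
    """

    def inspect(self, seg: Segment) -> bool:
        return True


def simulate(post_bytes: int, replies_via_firewall: bool, sloppy: bool):
    """Push one HTTP POST body through the firewall and count client segments.

    replies_via_firewall=False models the thread's asymmetric topology: the
    server's ACKs reach the workstation directly on the LAN and the firewall
    sees only the client-to-server half of the connection.
    Returns (segments_passed, segments_dropped).
    """
    state = SloppyState() if sloppy else StrictState()
    passed = dropped = 0
    seq = 0
    while seq < post_bytes:
        length = min(MSS, post_bytes - seq)
        data = Segment("client", seq, length, ack=0, window=INIT_WINDOW)
        if state.inspect(data):
            passed += 1
        else:
            dropped += 1
        seq += length
        # The server acknowledges every segment; the client always receives
        # this ACK, but the firewall learns about it only on a symmetric path.
        reply = Segment("server", 0, 0, ack=seq, window=INIT_WINDOW)
        if replies_via_firewall:
            state.inspect(reply)
    return passed, dropped


if __name__ == "__main__":
    post = 200 * 1024  # a ~200KB POST, the size the thread reports failing
    for label, symmetric, sloppy in [
        ("symmetric path, strict state", True, False),
        ("asymmetric path, strict state", False, False),
        ("asymmetric path, sloppy state", False, True),
    ]:
        p, d = simulate(post, symmetric, sloppy)
        print(f"{label:32s} passed={p:3d} dropped={d:3d}")
```

With these constructed numbers the strict state on the asymmetric path passes 44 segments (just under 64KB) and then drops the rest, while the symmetric path and the sloppy state pass all 141. In pfSense the counterpart of `SloppyState` is the rule's advanced "State type: sloppy" setting (pf's `keep state (sloppy)`), which is what the manual rule in the last post uses; since it gives up the sequence checks pf normally applies, scope such a rule to the routed destination network rather than to all LAN traffic.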

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.