Netgate Discussion Forum
    Static route -> TCP retransmissions

    Routing and Multi WAN
    8 Posts 3 Posters 2.2k Views
    sysoict

      Hi all,

      We replaced our DD-WRT router with a pfSense installation. Ever since, our OpenVPN connection doesn't work.

      We have a Windows box running an OpenVPN server, which is set up to share the LAN behind it.

      Windows box LAN IP: 192.168.30.10
      OpenVPN interface: 10.9.0.0/24

      In pfSense I add a gateway, 192.168.30.10, and a static route 10.9.0.0/24 -> GW 192.168.30.10, IF: LAN

      From a Windows OpenVPN client I tested a couple of things.

      • I can ping the hosts on the LAN (192.168.30.0/24)

      • I can reach all ports on the Windows box (192.168.30.10)

      • I can reach all ports on the Windows box (10.9.0.1)

      • I can reach all ports on the pfSense (192.168.30.1)

      • I can't reach any ports on other hosts on the LAN (192.168.30.0/24)

      • The firewall logs show no connections are dropped. The firewall LAN interface is configured to allow any to any on any protocol

      • I captured the traffic using Wireshark when I used a Windows OpenVPN client machine to telnet to port 80 on a LAN host. It shows TCP retransmissions. (source 192.168.30.6, destination 10.9.0.2)

      What am I missing here?

      doktornotor

        Perhaps if you moved the OpenVPN server to pfSense it'd work better? On that note, why are you setting up a static route for the pfSense LAN? No idea what LAN you are trying to "share" behind the Windows server, but it obviously must NOT be the same LAN the pfSense is sitting on.

        sysoict

          Thanks for your reply!

          I want to stick with the Windows box, as it's more powerful. The pfSense wouldn't be able to saturate our internet connection over OpenVPN.

          We have only one LAN subnet (192.168.30.0/24). I want that subnet to be available to our OpenVPN clients. This used to work fine on our previous router.

          johnpoz (Global Moderator)

            "We have a Windows box running an OpenVPN server, which is set up to share the LAN behind it."

            Sounds like a complete cluster... Running a VPN endpoint inside a network vs. at the edge has all sorts of problems. Asymmetrical routing would be the first one that comes to mind.

            When you say LAN behind this Windows box, so it's acting as a router as well? So you have a downstream router; is this also NATting? etc.

            Run OpenVPN on pfSense at your edge!! Where a VPN endpoint belongs, and then you can connect to any segments/VLANs you might have connected to pfSense, or via transit to some downstream router, etc. etc.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            doktornotor

              @sysoict:

              I want that subnet to be available to our OpenVPN clients. This used to work fine on our previous router.

              Yeah, that'd work out of the box if you terminated your VPN in a normal place, not inside your LAN. (There's also virtualization if concerned about wasting powerful servers.)

              sysoict

                I failed to clarify the situation enough.

                At our office, we just have one LAN (192.168.30.0/24). The OpenVPN server running on the Windows box is set up to allow traffic to the LAN -> push "route 192.168.30.0 255.255.255.0"

                On our previous router, I only had to add a static route. Was I lucky this used to work? If I understand correctly, you are saying it's not best practice to run a VPN server on a different machine inside the LAN. Is this because of complication? Or other dangers?

                johnpoz (Global Moderator)

                  No, it is not a good idea to run a VPN endpoint inside a LAN; yes, this complicates the setup. You end up with asymmetrical routing, which is the number 1 issue. So your clients on this 192.168.30 LAN use what for the gateway? I would assume pfSense.

                  So now a VPN connection comes into your box, also on 192.168.30, and sends traffic directly to your target. From what IP? Are you using tap to put these devices on the same 192.168.30, are they getting a VPN IP, etc.?

                  Follow the flow of traffic. If you work out the asymmetrical routing problem, you more than likely end up with a hairpin, with traffic in and out the same interface on your VPN endpoint that doesn't need to do that, etc.

                  It's much simpler and easier to manage to just put the VPN on the edge. pfSense runs an OpenVPN server out of the box; what would be the point of running the VPN on a different box?


                  sysoict
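The asymmetric-routing problem johnpoz describes is easiest to see by tracing a single TCP handshake hop by hop. The following model is an added example, not code from the thread or from pfSense: it uses the addresses from the first post (client 10.9.0.2, Windows box 192.168.30.10/10.9.0.1, LAN host 192.168.30.6, pfSense 192.168.30.1) but the node names, routing tables and the simplified stateful-filter rule ("a pure SYN opens a state, anything else needs an existing one") are assumptions made here. In the inside-the-LAN topology the SYN goes client -> Windows box -> LAN host directly, while the SYN-ACK follows the LAN host's default gateway to pfSense, which has never seen the SYN and has no state for the flow; that unanswered SYN is what shows up as TCP retransmissions in the Wireshark capture. Terminating the VPN on pfSense makes both directions cross the same stateful device.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool
    ack: bool


@dataclass
class Node:
    name: str
    addrs: frozenset          # addresses this node owns
    routes: list              # (prefix, next hop); next hop is a node name or "direct"
    stateful: bool = False    # True for the node that filters statefully (pfSense here)
    states: set = field(default_factory=set)

    def next_hop(self, dst):
        # longest-prefix match over this node's routing table (constructed tables)
        best = None
        for prefix, hop in self.routes:
            net = ip_network(prefix)
            if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return best[1] if best else None

    def permit(self, pkt):
        """Simplified stateful filter: a pure SYN creates a state, anything else needs one."""
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.syn and not pkt.ack:
            self.states.add(fwd)
            return True
        return fwd in self.states or rev in self.states


def owner(nodes, addr):
    return next(n for n in nodes.values() if addr in n.addrs)


def trace(nodes, pkt):
    """Forward pkt hop by hop; returns (list of node names visited, delivered?)."""
    cur = owner(nodes, pkt.src)
    path = [cur.name]
    while pkt.dst not in cur.addrs:
        # a forwarding node that filters statefully must have a state for non-SYN packets
        if cur.name != path[0] and cur.stateful and not cur.permit(pkt):
            return path, False
        hop = cur.next_hop(pkt.dst)
        if hop is None:
            return path, False
        cur = owner(nodes, pkt.dst) if hop == "direct" else nodes[hop]
        path.append(cur.name)
    return path, True


def inside_lan_topology():
    """OpenVPN on the Windows box inside the LAN; pfSense carries the static route."""
    return {
        "client": Node("client", frozenset({"10.9.0.2"}),
                       [("10.9.0.0/24", "direct"), ("192.168.30.0/24", "vpnsrv")]),
        "vpnsrv": Node("vpnsrv", frozenset({"192.168.30.10", "10.9.0.1"}),
                       [("10.9.0.0/24", "direct"), ("192.168.30.0/24", "direct"),
                        ("0.0.0.0/0", "pfsense")]),
        "lanhost": Node("lanhost", frozenset({"192.168.30.6"}),
                        [("192.168.30.0/24", "direct"), ("0.0.0.0/0", "pfsense")]),
        "pfsense": Node("pfsense", frozenset({"192.168.30.1"}),
                        [("192.168.30.0/24", "direct"), ("10.9.0.0/24", "vpnsrv")],
                        stateful=True),
    }


def edge_topology():
    """OpenVPN terminated on pfSense at the edge; the Windows box is a plain LAN host."""
    return {
        "client": Node("client", frozenset({"10.9.0.2"}),
                       [("10.9.0.0/24", "direct"), ("192.168.30.0/24", "pfsense")]),
        "winbox": Node("winbox", frozenset({"192.168.30.10"}),
                       [("192.168.30.0/24", "direct"), ("0.0.0.0/0", "pfsense")]),
        "lanhost": Node("lanhost", frozenset({"192.168.30.6"}),
                        [("192.168.30.0/24", "direct"), ("0.0.0.0/0", "pfsense")]),
        "pfsense": Node("pfsense", frozenset({"192.168.30.1", "10.9.0.1"}),
                        [("192.168.30.0/24", "direct"), ("10.9.0.0/24", "direct")],
                        stateful=True),
    }


def handshake(nodes, client_ip, server_ip, dport=80):
    """Send SYN and the answering SYN-ACK; returns (syn path, syn-ack path, completed?)."""
    syn = Packet(client_ip, server_ip, 51234, dport, syn=True, ack=False)
    syn_path, syn_ok = trace(nodes, syn)
    synack = Packet(server_ip, client_ip, dport, 51234, syn=True, ack=True)
    ack_path, ack_ok = trace(nodes, synack)
    return syn_path, ack_path, syn_ok and ack_ok


if __name__ == "__main__":
    for label, topo in (("VPN inside LAN", inside_lan_topology()), ("VPN on edge", edge_topology())):
        s, a, ok = handshake(topo, "10.9.0.2", "192.168.30.6")
        print(f"{label}: SYN {' -> '.join(s)} | SYN-ACK {' -> '.join(a)} | completed={ok}")
```

The model deliberately ignores the "bypass firewall rules for traffic on the same interface" escape hatch and NAT on the Windows box; the point it makes is the one in the thread, that a flow whose two halves take different paths gives the stateful firewall only one half to judge, whereas an edge-terminated VPN hands it both.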

                    I ended up moving the CA and server certs to the pfSense and set up the OpenVPN server on it. Works OK now.

                    My main point was to spread the load. The server it used to run on has a much better CPU than the router. It looks like the pfSense can saturate our 50 Mbit connection, so that's fine.

                    Thanks a lot for the insight!

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.