Ovpn issues / rules.debug

  • Hi,
    running current pfsense 2.4.2-RELEASE-p1 (amd64)
    built on Tue Dec 12 13:45:26 CST 2017

    I have an OpenVPN client set up that is working and not working at the same time. I suspect I have multiple issues.

    1. For a couple of days now I have been getting the bell in the header and:
    There were error(s) loading the rules: /tmp/rules.debug:252: syntax error - The line in question reads [252]: pass out route-to ( ovpnc1 <ip-redacted> ) from <ip-redacted> to !/ tracker 1000006963 keep state allow-opts label "let out anything from firewall host itself"

    Examining the line in rules.debug shows the syntax error must be after the "from … to". The "exclamation mark backslash" does not seem legit. Which process creates the rules?

    2. Strangely enough, the tunnel gets used perfectly fine for SMTP, but not anymore for my IMAP and HTTP/S traffic. Those packets get dropped somewhere, without notice. How can I get a full log of all dropped packets?

  • I am also having this exact issue with the error, though I see no appreciable loss in the packets going through it on either side.

    Perhaps you could tcpdump (using Diagnostics > Packet Capture on pfSense) both sides and then compare the two to see dropped packets?

  • Rebel Alliance Developer Netgate

    I take it from that error, you have the OpenVPN interface assigned. What settings do you have on the assigned interface? Any special settings?

    Maybe you tried to put a Virtual IP on the OpenVPN interface? Or maybe there is some kind of broken Virtual IP entry that thinks it's on the VPN interface?

    Yes, it's an assigned OpenVPN interface; it's nothing special as far as I am aware. I do policy routing to it to act as a gateway for some machines, but that's as fancy as it gets.

    Attached is a screenshot of my interface settings for the OpenVPN tunnel; the IP set is the same one provided to it via the VPN tunnel.

    I also have the Suricata and FreeRADIUS packages installed, but I don't know how much that would impact this issue.

    ![Screenshot from 2018-02-05 22-59-52.png](/public/imported_attachments/1/Screenshot from 2018-02-05 22-59-52.png)

  • Rebel Alliance Developer Netgate

    Don't do that. Set the assigned interface to "None" for IPv4 and IPv6.

    OpenVPN will manage the address internally, setting it there is messing it up.
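    A small checker for the `to !/` destination quoted in the first post, as an added example (not code from the thread or from pfSense): it walks a pf ruleset line by line and reports every `from`/`to` address token whose address or prefix is empty, with 1-based line numbers matching pf's `rules.debug:NNN: syntax error` message. The sample ruleset, the interface name ovpnc1 and the addresses are constructed for the example.

```python
"""Scan a pf ruleset (for example pfSense's /tmp/rules.debug) for malformed
address tokens such as the `to !/` seen in the thread above.

Added example, not code from pfSense or from the thread's posters. pf rejects
the whole file at the first syntax error, so a pre-check that names every
suspect line is useful before reloading the filter.
"""
import re

# Constructed sample: three pfSense-style rules, one of them carrying the
# empty-network destination ("!/") that pf refuses to parse. Interface name
# and addresses are assumed for the example, not taken from the thread.
SAMPLE_RULES = """\
pass out route-to ( ovpnc1 10.8.0.1 ) from 10.8.0.2 to !10.8.0.0/24 tracker 1000006963 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( ovpnc1 10.8.0.1 ) from 10.8.0.2 to !/ tracker 1000006963 keep state allow-opts label "let out anything from firewall host itself"
block in quick on em0 from 192.0.2.0/24 to any tracker 1000000101 label "USER_RULE"
"""

# Address tokens follow `from` / `to`; a leading `!` negates them.
ADDR_KEYWORDS = ("from", "to")


def is_malformed_address(token: str) -> bool:
    """True for tokens such as '!/', '/', '/24' or '10.8.0.0/' where one side
    of the address/prefix pair is missing or the prefix is not a number."""
    body = token.lstrip("!")
    if "/" not in body:
        return False  # plain host, 'any', a <table> or a keyword
    addr, _, prefix = body.partition("/")
    return addr == "" or prefix == "" or not prefix.isdigit()


def find_malformed_rules(ruleset: str):
    """Return [(line_number, offending_token), ...] for every rule whose
    from/to address is malformed. Line numbers are 1-based to match pf's
    'rules.debug:NNN: syntax error' message."""
    findings = []
    for lineno, line in enumerate(ruleset.splitlines(), start=1):
        # Drop the quoted label so its words are not mistaken for rule tokens.
        rule = re.split(r"\s+label\s+", line, maxsplit=1)[0]
        tokens = rule.split()
        for i, tok in enumerate(tokens[:-1]):
            # `route-to` is a different token, so only a bare `to`/`from` matches.
            if tok in ADDR_KEYWORDS and is_malformed_address(tokens[i + 1]):
                findings.append((lineno, tokens[i + 1]))
    return findings


def tracker_of(line: str):
    """Pull the pfSense tracker ID out of a generated rule, if present, so a
    finding can be matched back to the rule that produced it."""
    m = re.search(r"\btracker\s+(\d+)", line)
    return m.group(1) if m else None


if __name__ == "__main__":
    lines = SAMPLE_RULES.splitlines()
    for lineno, tok in find_malformed_rules(SAMPLE_RULES):
        print(f"line {lineno}: malformed address {tok!r} "
              f"(tracker {tracker_of(lines[lineno - 1])})")
```

    On the firewall itself, `pfctl -nf /tmp/rules.debug` parses the file without loading it and reports the first syntax error; the checker above lists every offending `from`/`to` token in one pass, which helps when more than one generated rule has lost its subnet.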
