Netgate Discussion Forum

    Ovpn issues / rules.debug

      exlfrnk

      Hi,
      running current pfsense 2.4.2-RELEASE-p1 (amd64)
      built on Tue Dec 12 13:45:26 CST 2017

      I have an ovpn client set up working and not working at the same time. I suspect I have multiple issues.

      1: Since a couple of days I get the bell in the header and:
      There were error(s) loading the rules: /tmp/rules.debug:252: syntax error - The line in question reads [252]: pass out route-to ( ovpnc1 <ip-redacted>) from <ip-redacted>to !/ tracker 1000006963 keep state allow-opts label "let out anything from firewall host itself"

      Examining the line in rules.debug really shows the syntax error must be after the from … to. Exclamation mark backslash does not seem legit. Which process creates the rules?

      2. Strangely enough, the tunnel gets used perfectly fine for smtp, but not anymore for my imap and http/s traffic. Those packets get dropped somewhere, without notice. How can I get a full log of all dropped packets?

        tylerjd

        I am also having this exact issue with the error, though I see no appreciable loss in the packets going through it on either side.

        Perhaps you could tcpdump (using Diagnostics > Packet Capture on pfSense) both sides and then compare the two to see dropped packets?

          jimp Rebel Alliance Developer Netgate

          I take it from that error, you have the OpenVPN interface assigned. What settings do you have on the assigned interface? Any special settings?

          Maybe you tried to put a Virtual IP on the OpenVPN interface? Or maybe there is some kind of broken Virtual IP entry that thinks it's on the VPN interface?

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

            tylerjd

            Yes, it's an assigned OpenVPN interface; it's nothing special as far as I am aware. I do policy routing to it to act as a gateway for some machines, but that's as fancy as it gets.

            Attached is a screenshot of my interface settings for the OpenVPN tunnel, the IP set is the same one provided to it via the vpn tunnel.

            I also have the suricata and freeradius packages installed, I don't know how much that'd impact this issue though.

            ![Screenshot from 2018-02-05 22-59-52.png](/public/imported_attachments/1/Screenshot from 2018-02-05 22-59-52.png)

              jimp Rebel Alliance Developer Netgate

              Don't do that. Set the assigned interface to "None" for IPv4 and IPv6.

              OpenVPN will manage the address internally, setting it there is messing it up.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.