OpenVPN to GRE Tunnel Traffic Being Dropped



  • Hey there!

    I've set up a pfSense box as the main firewall for a new section of our network. This firewall acts as an endpoint for all of our site-to-site VPNs (IPSec site-to-site with GRE tunnels to Ubiquiti boxes), a connection between our transit and data VPC in AWS (Policy-Based IPSec running BGP) and an OpenVPN access server to this network. I'm having an issue where devices on the OpenVPN network can connect to devices behind the IPSec tunnel to AWS, but cannot connect to any devices behind the GRE tunnels. I can see traffic coming in on the OpenVPN interface, but cannot see it exiting the firewall. I've checked the traffic logs and the traffic is not being blocked. If I lock down the firewall and turn off packet filtering momentarily (yes I know not a great idea but this is still in testing phase), the connection works just fine. I have the rule setup to avoid the bug between GRE tunnels and that works just fine. Hosts behind GRE tunnels can also access the AWS IPSec tunnels. Hosts in AWS can access both OpenVPN and GRE hosts. Diagram attached.

    0_1534366584473_vpc.JPG

    Recap:

    1. Hosts from Data VPC can reach Transit, GRE Router, OpenVPN host
    2. Hosts behind GRE Router can reach CA Data VPC, CA Transit VPC, any other GRE Router. CANNOT reach OpenVPN client or OpenVPN interface on firewall
    3. Host behind OpenVPN can reach Data VPC, Transit VPC. CANNOT reach GRE Router
    4. With Packet filtering disabled, all works fine. No indication in firewall log of packet drops. Packet capture on ovpns1 interface reveal packets entering from OpenVPN client always, so packets are being dropped between this interface and the loopback/Virtual IP being used for GRE.

    Any help here would be greatly appreciated! :)



  • Guess no one has an answer? :(

    I put this in the firewall queue because if Firewall functions are disabled, all works correctly. If I bring GRE interfaces up/down, it works momentarily before pf syncs firewall rules to interface.

    I've even tried playing with advanced settings on/off, I've checked the firewall logs and no blocks are recorded, and I've even dove into the status of all pf Rules in the Status.php tab and none of the counters are increment with the traffic. There's no reason for this traffic to be dropped.

    One detail that's omitted: The GRE interfaces terminate on a loopback interface, as they route over a Policy-Based IPSec tunnel to the sites. This was required as the sites all have dynamic IP addresses, so we cannot statically define GRE endpoints as would be needed for IPSec in transport mode with GRE tunnels.



  • FYI I resolved this:

    I'm dumb and the Auto-NAT rules were NATing traffic. :)