Netgate Discussion Forum
    pfSense Azure appliance not passing SMB traffic to Azure

    General pfSense Questions
    5 Posts 2 Posters 531 Views

    insobox49

      So, an interesting problem that we've been dealing with. We set up an Azure appliance pfSense and haven't really used it yet outside of configuring some IPsec tunnels (the primary purpose). We got notified by the user that they were seeing some very odd behavior and timeouts when doing anything SMB related.

      Currently what we have right now:

      • pfSense 2.4.3 in our Data Center with an IPSec tunnel to a pfSense Azure Virtual Appliance.

      Currently the only odd behavior we can recreate or find is that most SMB tasks from our Data Center side -> Azure just lock up and freeze. We see errors on the Windows side about auth failures. We've completely blown away the appliance and rebuilt it from scratch. Did a ton of work on the Windows side with no real results. The reason we know it's something crazy with the pfSense appliance is that we rebuilt the IPsec tunnel with a Virtual Network Gateway in Azure, and after the routing table updates the problem goes away completely.

      The Azure configuration side.
      Currently there is a resource group that has a Virtual Network of 10.1.0.0/19 that has been broken up into smaller /24 subnets for the various different work that is to be done.

      We have the WAN on 10.1.14.X and the LAN on 10.1.15.X. We also created a custom Routing Table and associated those subnets within Azure to point to the LAN address on the pfSense (10.1.15.4). There are also static routes in the pfSense to route the traffic for the various subnets across that same LAN gateway address.

      ICMP works, RDP works, and even Azure SMB -> our Data Center works. We can take a file and copy it through RDP with no problem. That same file over SMB is a no go. Randomly we'll get one server on our side to start transferring files to Azure, or maybe even a few, but never all of them until we move the VPN to go directly back through Azure's Virtual Network Gateway.

      I can get more detailed but this could be a mile long post, any idea on what in the pfSense or in the routing could be screwing with these SMB packets?

      Thanks in advance

      Derelict LAYER 8 Netgate

        What MSS is being negotiated in the TCP sessions between the Azure VNG and the pfSense IPsec? You might need to enable MSS clamping or something.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        insobox49

          Currently none. I did read that MSS clamping was suggested and, if you can't enable that, then set the MTU to 1400 (which is what the pfSense does when enabled). Would I need to enable it on both sides? I believe I enabled this earlier and did not see any difference, but I'm more than happy to try again.

          Derelict LAYER 8 Netgate

            Packet capture and look at the MSS being negotiated on the one that works and the one that doesn't.

            pfSense doesn't care that it's SMB. It's not looking that deeply into the packet.


            insobox49

              I just read that it actually needs MSS clamping to be 1350 or MTU at 1400, and I misread the line in the pfSense as being MTU and not MSS. I just realized my mistake; it's been a long three days troubleshooting this. I just stopped and started the IPsec service on the Azure appliance after making that change and it worked the first few tries (this has happened a few times). I'll go ahead and continue testing to see if the results stick.

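Derelict's advice is to capture the handshake and compare the MSS negotiated on a session that works with one that hangs; the last post settles on clamping MSS to 1350 so that segments fit a 1400-byte tunnel MTU. The Python below is an added example, not code from this thread or from pfSense: it pulls the MSS option out of a raw IPv4/TCP SYN the way you would from a capture, rewrites it the way an MSS clamp does (repairing the TCP checksum), and does the arithmetic behind the 1350/1400 figures. The SYN packet, the addresses 10.1.15.10 and 192.168.50.20, and the use of port 445 are constructed for the example.

```python
"""Read, clamp and sanity-check the TCP MSS option in raw IPv4/TCP packets."""
import ipaddress
import struct

TCP_PROTO = 6
OPT_END, OPT_NOP, OPT_MSS = 0, 1, 2


def inet_checksum(data) -> int:
    """RFC 1071 one's-complement sum; yields 0 when run over a correctly checksummed block."""
    data = bytes(data) + (b"\x00" if len(data) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_bounds(packet):
    """Return (offset of TCP header, TCP header length) after basic validation."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or packet[9] != TCP_PROTO or len(packet) < ihl + 20:
        raise ValueError("not an IPv4/TCP packet")
    hdr_len = (packet[ihl + 12] >> 4) * 4
    if hdr_len < 20 or ihl + hdr_len > len(packet):
        raise ValueError("bad TCP data offset")
    return ihl, hdr_len


def _tcp_options(packet):
    """Yield (kind, offset of option value, option length) for each TCP option."""
    ihl, hdr_len = _tcp_bounds(packet)
    pos, end = ihl + 20, ihl + hdr_len
    while pos < end:
        kind = packet[pos]
        if kind == OPT_END:
            return
        if kind == OPT_NOP:
            pos += 1
            continue
        length = packet[pos + 1] if pos + 1 < end else 0
        if length < 2 or pos + length > end:
            raise ValueError("malformed TCP option")
        yield kind, pos + 2, length
        pos += length


def tcp_mss(packet):
    """MSS advertised in the segment (normally only on SYN/SYN-ACK), or None if absent."""
    for kind, value_at, length in _tcp_options(packet):
        if kind == OPT_MSS and length == 4:
            return struct.unpack_from("!H", packet, value_at)[0]
    return None


def _pseudo_header(packet, ihl):
    return bytes(packet[12:20]) + struct.pack("!BBH", 0, TCP_PROTO, len(packet) - ihl)


def _fix_tcp_checksum(packet: bytearray) -> None:
    ihl, _ = _tcp_bounds(packet)
    struct.pack_into("!H", packet, ihl + 16, 0)
    struct.pack_into("!H", packet, ihl + 16, inet_checksum(_pseudo_header(packet, ihl) + packet[ihl:]))


def tcp_checksum_ok(packet) -> bool:
    ihl, _ = _tcp_bounds(packet)
    return inet_checksum(_pseudo_header(packet, ihl) + bytes(packet[ihl:])) == 0


def clamp_mss(packet: bytes, max_mss: int) -> bytes:
    """Copy of packet with an MSS above max_mss lowered to max_mss, checksum repaired."""
    out = bytearray(packet)
    for kind, value_at, length in _tcp_options(out):
        if kind == OPT_MSS and length == 4:
            if struct.unpack_from("!H", out, value_at)[0] > max_mss:
                struct.pack_into("!H", out, value_at, max_mss)
                _fix_tcp_checksum(out)
            break
    return bytes(out)


def largest_packet_for_mss(mss: int) -> int:
    """Biggest IPv4 packet (no IP/TCP options) the peer may send once it accepts this MSS."""
    return mss + 20 + 20


def build_syn(src: str, dst: str, sport: int, dport: int, mss: int) -> bytes:
    """Constructed SYN carrying MSS, NOP, NOP, SACK-permitted; not a real capture."""
    opts = struct.pack("!BBH", OPT_MSS, 4, mss) + bytes([OPT_NOP, OPT_NOP, 4, 2])
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0, ((20 + len(opts)) // 4) << 4, 0x02, 65535, 0, 0) + opts
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, TCP_PROTO, 0,
                               ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed))
    struct.pack_into("!H", ip, 10, inet_checksum(ip))
    pkt = bytearray(ip + tcp)
    _fix_tcp_checksum(pkt)
    return bytes(pkt)


# Constructed sample (assumed addresses): an SMB SYN from the Azure LAN side (10.1.15.x in the
# thread) to a made-up data-centre host, advertising the usual 1460 for a 1500-byte Ethernet MTU.
SAMPLE_SYN = build_syn("10.1.15.10", "192.168.50.20", 49152, 445, 1460)

if __name__ == "__main__":
    clamped = clamp_mss(SAMPLE_SYN, 1350)
    print("advertised MSS", tcp_mss(SAMPLE_SYN), "-> packets up to", largest_packet_for_mss(tcp_mss(SAMPLE_SYN)))
    print("clamped MSS", tcp_mss(clamped), "-> packets up to", largest_packet_for_mss(tcp_mss(clamped)),
          "checksum ok:", tcp_checksum_ok(clamped))
```

Run against the sample, the unclamped SYN advertises 1460, which invites 1500-byte packets that a 1400-byte IPsec path must fragment or drop; clamped to 1350 the largest packet is 1390 and fits. That is why small ICMP and interactive RDP traffic gets through while bulk SMB writes stall when path MTU discovery is not working across the tunnel, which matches the symptoms in the thread. On a real capture, apply `tcp_mss` to the SYN and SYN-ACK of a working and a hanging session, as Derelict suggests, before changing anything.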
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.