OpenVPN TAP pfSense Gateway Website Inaccessible
-
Back to square zero. Separate dedicated NICs with no IP show packet loss and instability; using the same LAN NIC as the pfSense LAN IP assignment makes everything stable, but I can't access web pages across the bridge. MTUs are set properly now in both cases.
-
@seejay Are the rules out of order on your firewall? For example, is the 'restrict everything else' rule above the entry that says your OpenVPN connection is OK? (Voice of experience talking.)
Also, is the LAN to use on the TAP server configuration the same as the one you want to access? (Sorry, but I did not read all the details about all the problems.)
Finally, I used this guide to set up my TAP configuration (https://hardforum.com/threads/pfsense-2-0-1-openvpn-configuration-guide.1663797/). Any clues here?
(I have 3 configurations: 1 TUN pass-through only, 1 TUN with full access, 1 TAP with full access. Why? Because I wanted to.)
-
@coffeecup25 said in OpenVPN TAP pfSense Gateway Website Inaccessible:
Thanks for the response. In order of your questions:
-
@seejay Are the rules out of order on your firewall? For example, is the 'restrict everything else' rule above the entry that says your OpenVPN connection is OK? (Voice of experience talking.)
-- Yes, the anti-lockout rule is always the first entry, and all IPv4* traffic is set to pass on the OpenVPN interface.
Is the LAN to use on the TAP server configuration the same as the one you want to access? (Sorry, but I did not read all the details about all the problems.)
-- Definitely. I've built these bridges multiple times, and given that I can access all of the other resources on the LAN normally, I am not concerned that I've confused this.
Finally, I used this guide to set up my TAP configuration (https://hardforum.com/threads/pfsense-2-0-1-openvpn-configuration-guide.1663797/). Any clues here?
-- Sadly this looks more like a server/client setup for TAP as opposed to a site-to-site configuration, but similar concepts.
Ultimately, no matter which TAP/bridging configuration I've employed for site-to-site TAP, I have odd issues like the one outlined in this post, or random packet loss and/or TCP resets. You've seen me go through things like the MTU and other diagnosis ad nauseam to no avail.
For comparison I've also set up a tunnel configuration for the same network(s) and it's far superior. Of course it doesn't fully meet the original use case, but I'm trying out some other tooling to try and work around the lack of broadcast traffic out of the box. Ultimately, unless I'm missing something, there seems to be a bug in the implementation of the bridged OpenVPN interface (or something non-obvious overlooked in the default setup).
-
I've been running a TAP OpenVPN tunnel between two sites without any issues. I use TAP for broadcast/multicast traffic, which is not possible with a TUN OpenVPN tunnel.
Check the following:
- net.link.bridge.pfil_bridge = 0 to disable filtering on the bridge
- net.link.bridge.pfil_member = 0 to disable filtering on the bridge member
- Assign an IP address to the bridge instead of a bridge-member interface
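Added example (not code from the thread or from pfSense): a small POSIX sh check that reads `sysctl net.link.bridge` output and classifies where pf is filtering bridged traffic, so the two tunables in the reply above can be audited before and after a change. The sample sysctl dumps are constructed, not captured from a real box. One caveat a practitioner should keep in mind: with both tunables at 0, pf does not inspect packets forwarded across the bridge at all, so LAN rules no longer apply to traffic arriving over the TAP member; pfSense's default is pfil_member=1, pfil_bridge=0 (rules enforced on each member interface).

```shell
#!/bin/sh
# Added example: audit FreeBSD/pfSense bridge pfil tunables from sysctl output.
# Input is the text of `sysctl net.link.bridge` (lines like "net.link.bridge.pfil_bridge: 0").

# Prints one of:
#   none   - pfil_bridge=0, pfil_member=0: pf inspects no bridged traffic (the reply's recommendation)
#   bridge - pfil_bridge=1, pfil_member=0: rules enforced on the bridge interface only
#   member - pfil_bridge=0, pfil_member=1: rules enforced on each member interface (pfSense default)
#   both   - pfil_bridge=1, pfil_member=1: bridged packets filtered twice
#   unknown (exit 1) if either tunable is missing from the input
classify_bridge_pfil() {
    bridge=$(printf '%s\n' "$1" | sed -n 's/^net\.link\.bridge\.pfil_bridge: *//p')
    member=$(printf '%s\n' "$1" | sed -n 's/^net\.link\.bridge\.pfil_member: *//p')
    case "${bridge:-?}${member:-?}" in
        00) echo none ;;
        10) echo bridge ;;
        01) echo member ;;
        11) echo both ;;
        *)  echo unknown; return 1 ;;
    esac
}

# Constructed sample: pfSense defaults.
SAMPLE_DEFAULT='net.link.bridge.pfil_onlyip: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.ipfw: 0'

# Constructed sample: after applying the two tunables from the reply above.
SAMPLE_UNFILTERED='net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 0'

# On a live pfSense/FreeBSD host:
#   classify_bridge_pfil "$(sysctl net.link.bridge)"
# To move filtering to the bridge interface instead of switching it off entirely:
#   sysctl net.link.bridge.pfil_bridge=1 net.link.bridge.pfil_member=0
# and persist the same two values under System > Advanced > System Tunables.
```

If the classifier reports `none`, the OpenVPN-interface and LAN rules discussed earlier in the thread are not being evaluated for traffic crossing the bridge, which is worth knowing both when debugging (a "pass" rule that seems to have no effect) and when deciding whether that exposure is acceptable for a site-to-site link.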
-
New suggestions; I will have to give #3 a try. On one hand I can see that being the issue, on the other hand, according to
https://docs.netgate.com/pfsense/en/latest/interfaces/interface-bridges.html
the IP address assignment should be acceptable in either place (on the bridge with no members, or on only one member in the bridge).
-
@seejay said in OpenVPN TAP pfSense Gateway Website Inaccessible:
Ultimately, no matter which TAP/bridging configuration I've employed for site-to-site TAP, I have odd issues like the one outlined in this post, or random packet loss and/or TCP resets. You've seen me go through things like the MTU and other diagnosis ad nauseam to no avail.
One thing you'll have to bear in mind is the bandwidth mismatch between the VPN and the LANs. The LANs can handle data a lot faster than the VPNs. So, if you're bridging the LANs, as you do with TAP, then there's no way the VPN can pass all the data between them. In my case, the LAN is Gb, but my Internet connection runs at about 91 Mb down and 11 up. That's a ratio of over 10:1 in one direction and almost 100:1 in the other. This is before we even consider the limitations at the other end.