    Why does starting a OpenVPN service break my AP?

SteelCityColt

Absolutely strange one. I set up a VPN server on my pfSense box for RA and as soon as I set it live I started getting weird behaviour from my Ubiquiti AP. It pretty much lost its internet connection (although it intermittently will break out). Can ping it from the router and from the desktop fine. I could just about get into the AP's CLI and it could ping the router and 8.8.8.8, but name not found when pinging google.com.

Didn't think to tie it to OpenVPN at first so spent a few hours tearing the network apart trying to work it out, and it's only after doing a config restore on pfSense and things worked again that I realised it's the OpenVPN server causing the issue.

Any ideas why? It's like it's causing a conflict with the AP, stopping it communicating with the rest of the network. It's intermittent but mostly not working more than working, and gets progressively worse to the point I couldn't access it via console.

The OpenVPN server has been set up using the wizard with the tunnel set to 10.0.8.0/24 and LAN to 192.168.0.1/24. As I had to open a port on my outgoing VPN, and it's limited to above 2048, I used 3389 to test.

NollipfSense @SteelCityColt

        @SteelCityColt It's going to be difficult to understand your issue without screen shots and logs.

        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

SteelCityColt @NollipfSense

@NollipfSense Apologies, novice here, what should I post up?

NollipfSense @SteelCityColt

@SteelCityColt No problem... I would start with Status > System Logs > System > General when you enable OpenVPN, and also OpenVPN.

SteelCityColt

Attachments: No VPN.txt, With VPN.txt

Ran a packet trace on the LAN with and without the VPN as per the attached: pinged the AP from the router, pinged the router from the AP, and then pinged and did an nslookup of google as well as a speed test from a Wi-Fi device. With the VPN on, I can only ping the AP from the router.

Nothing seems amiss in the OpenVPN log. In the system log I can see these when I start the VPN:

              Feb 23 15:21:03 kernel arp: 192.168.0.21 moved from b0:5a:da:87:7d:69 to b0:5a:da:87:7d:68 on igb1
              Feb 23 15:27:13 kernel arp: 192.168.0.136 moved from 00:26:55:df:f3:c1 to b0:5a:da:87:7d:69 on igb1
              Feb 23 15:41:17 kernel arp: 192.168.0.21 moved from b0:5a:da:87:7d:69 to 00:26:55:df:f3:c1 on igb1
              Feb 23 16:00:58 kernel arp: 192.168.0.21 moved from 00:26:55:df:f3:c0 to b0:5a:da:87:7d:68 on igb1

.21 is an unRaid server (which is also playing silly buggers right now on the networking side: it will only work on auto DHCP; setting the same static network settings and it can't break out either), .136 is another NIC on the same server. The MACs are physical NICs on that machine.

NollipfSense @SteelCityColt
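The "arp: ... moved" kernel messages quoted above are the same signal a defender would look at for ARP spoofing, so here is an added example (my own code, not from this thread or from pfSense) that parses pfSense/FreeBSD ARP-moved messages and summarises them per IP and per MAC. The sample log is constructed from the four lines in the post; the record field names and the flap threshold are my choices.

```python
import re
from collections import defaultdict

# Constructed sample: the four kernel messages quoted in the post.
SAMPLE_LOG = """\
Feb 23 15:21:03 kernel arp: 192.168.0.21 moved from b0:5a:da:87:7d:69 to b0:5a:da:87:7d:68 on igb1
Feb 23 15:27:13 kernel arp: 192.168.0.136 moved from 00:26:55:df:f3:c1 to b0:5a:da:87:7d:69 on igb1
Feb 23 15:41:17 kernel arp: 192.168.0.21 moved from b0:5a:da:87:7d:69 to 00:26:55:df:f3:c1 on igb1
Feb 23 16:00:58 kernel arp: 192.168.0.21 moved from 00:26:55:df:f3:c0 to b0:5a:da:87:7d:68 on igb1
"""

MAC = r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}"
ARP_MOVED = re.compile(
    r"^(?P<ts>[A-Za-z]{3} +\d{1,2} \d\d:\d\d:\d\d) kernel arp: (?P<ip>\d+(?:\.\d+){3}) "
    rf"moved from (?P<old>{MAC}) to (?P<new>{MAC}) on (?P<ifname>\S+)$"
)


def parse_arp_moves(log_text):
    """Return one dict per 'arp: ... moved' line, in log order; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = ARP_MOVED.match(line.strip())
        if m:
            e = m.groupdict()
            e["old"], e["new"] = e["old"].lower(), e["new"].lower()
            events.append(e)
    return events


def analyse(events, flap_threshold=2):
    """Summarise ARP moves.

    Returns (per_ip, shared_macs):
      per_ip[ip] = {"moves", "macs", "gaps", "flapping"}. "gaps" counts moves whose
        'from' MAC differs from the MAC the previous logged move left the entry
        with, i.e. the entry changed without a 'moved' message in between (for
        example because it expired and was re-learned).
      shared_macs[mac] = sorted IPs recorded for that MAC, only for MACs that
        have been seen with more than one IP.
    """
    per_ip = {}
    last_mac = {}
    mac_to_ips = defaultdict(set)
    for e in events:
        ip, old, new = e["ip"], e["old"], e["new"]
        rec = per_ip.setdefault(ip, {"moves": 0, "macs": set(), "gaps": 0})
        rec["moves"] += 1
        rec["macs"].update((old, new))
        if ip in last_mac and last_mac[ip] != old:
            rec["gaps"] += 1
        last_mac[ip] = new
        mac_to_ips[old].add(ip)
        mac_to_ips[new].add(ip)
    for rec in per_ip.values():
        rec["macs"] = sorted(rec["macs"])
        rec["flapping"] = rec["moves"] >= flap_threshold
    shared = {mac: sorted(ips) for mac, ips in mac_to_ips.items() if len(ips) > 1}
    return per_ip, shared


if __name__ == "__main__":
    per_ip, shared = analyse(parse_arp_moves(SAMPLE_LOG))
    for ip, rec in sorted(per_ip.items()):
        flag = "FLAPPING" if rec["flapping"] else "ok"
        print(f"{ip}: {rec['moves']} moves, {len(rec['macs'])} MACs, "
              f"{rec['gaps']} silent changes [{flag}]")
    for mac, ips in sorted(shared.items()):
        print(f"{mac} has been recorded for {', '.join(ips)}")
```

Run over the four quoted lines it reports 192.168.0.21 moving three times across four MACs, with two moves whose 'from' MAC is not the one the previous logged move left it with (so the entry changed silently in between), and two MACs recorded for both .21 and .136. That pattern is what an ARP-spoofing alert looks like, but it is also exactly what a multi-homed Linux host with two NICs on the same L2 segment produces, because Linux by default answers ARP for any of its local addresses on any interface (arp_ignore=0), which fits the poster's statement that both MACs are physical NICs on the same server.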

@SteelCityColt Somehow it seems that your routing is messed up... the MAC address should not be changing like that... let's hope someone will chime in with more insight. For the VPN, any reason why you didn't use the default port 1194/UDP, especially since you used the wizard?

SteelCityColt @NollipfSense

                  @NollipfSense as per the original post, the VPN provider I use for my WAN interface will only open ports above 2048.

JKnott @NollipfSense

                    @NollipfSense said in Why does starting a OpenVPN service break my AP?:

                    Somehow it seems that your routing is messed up...the mac address should not be changing like that...let's hope someone will chime in with more insight.

                    If those devices are on the same LAN as where he's testing from, it has nothing to do with routing. Also, you never see the original MAC on a routed packet. You only see the MAC of the nearest interface.

                    PfSense running on Qotom mini PC
                    i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                    UniFi AC-Lite access point

                    I haven't lost my mind. It's around here...somewhere...

SteelCityColt

So trying to think this through logically, there are only 3 variables I set when using the wizard:

                      1. The port used (currently 3389)
                      2. The tunnel network (10.0.8.0/24)
                      3. The LAN network (192.168.0.0/24)

                      I might play around with changing these in case it's causing a conflict with the Ubiquiti AP.

From the tcpdumps the line that sticks out to me is "Null Supervisory, Receiver not Ready, rcv seq 64, Flags [Poll], length 46" but I have no idea what it means.

NollipfSense @JKnott
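The tcpdump line quoted in the post above is an 802.2 LLC decode of an 802.3 frame, not an IP packet: "Null" is the destination SAP, "Supervisory" the control-field format, "Receiver not Ready" the supervisory function, "rcv seq 64" the N(R) counter and "Poll" the P/F bit. As an added example (my own code, not from the thread or from tcpdump), the following decodes those header fields from raw frame bytes and distinguishes them from an Ethernet II frame. The frames are constructed; the MAC addresses and padding are made up, and only the LLC control bytes are chosen to reproduce the quoted decode.

```python
import struct

# SAP numbers as named in tcpdump's LLC decoder; anything else prints as hex.
SAP_NAMES = {0x00: "Null", 0x42: "STP", 0xaa: "SNAP"}
# Supervisory function, from bits 2-3 of the first control byte.
S_FUNCTIONS = {0: "Receiver Ready", 1: "Receiver not Ready", 2: "Reject"}


def decode_llc(frame):
    """Decode the 802.2 LLC header of a raw 802.3 frame.

    Layout: dst(6) src(6) length(2) dsap(1) ssap(1) control(1 or 2 bytes).
    If the two bytes after the addresses are >= 0x0600 the frame is Ethernet II,
    the field is an EtherType, and there is no LLC header at all.
    """
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.3 frame with an LLC header")
    length_or_type = struct.unpack("!H", frame[12:14])[0]
    if length_or_type >= 0x0600:
        return {"encap": "EthernetII", "ethertype": length_or_type}
    dsap, ssap, c0, c1 = frame[14], frame[15], frame[16], frame[17]
    out = {
        "encap": "802.3/LLC",
        "length": length_or_type,
        "dsap": SAP_NAMES.get(dsap & 0xfe, f"0x{dsap:02x}"),   # low bit is I/G
        "ssap": SAP_NAMES.get(ssap & 0xfe, f"0x{ssap:02x}"),   # low bit is C/R
        "command": not (ssap & 0x01),
    }
    if c0 & 0x01 == 0:
        # I-format: N(S) in bits 1-7 of byte 0, N(R) in bits 1-7 of byte 1, P/F in bit 0
        out.update(type="Information", ns=c0 >> 1, nr=c1 >> 1, poll=bool(c1 & 0x01))
    elif c0 & 0x03 == 0x01:
        # S-format: function in bits 2-3 of byte 0, N(R) and P/F in byte 1
        out.update(type="Supervisory",
                   function=S_FUNCTIONS.get((c0 >> 2) & 0x03, "reserved"),
                   nr=c1 >> 1, poll=bool(c1 & 0x01))
    else:
        # U-format: single control byte, P/F in bit 4
        out.update(type="Unnumbered", control=c0, poll=bool(c0 & 0x10))
    return out


# Constructed frame whose LLC header decodes like the line quoted in the post:
# Null DSAP/SSAP, S-format, Receiver not Ready, N(R)=64, Poll set.
RNR_FRAME = (
    bytes.fromhex("020000000001")     # dst, made up (locally administered)
    + bytes.fromhex("020000000002")   # src, made up
    + struct.pack("!H", 46)           # 802.3 length field
    + bytes([0x00, 0x00])             # DSAP=Null, SSAP=Null, command
    + bytes([0x05, 0x81])             # 0x05 = S-format RNR; 0x81 = N(R)=64 with P/F=1
    + bytes(42)                       # padding, made up
)

# Constructed Ethernet II frame (EtherType 0x0806, ARP) for contrast.
ARP_FRAME = (
    bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000002")
    + struct.pack("!H", 0x0806) + bytes(46)
)

if __name__ == "__main__":
    print(decode_llc(RNR_FRAME))
    print(decode_llc(ARP_FRAME))
```

The practical check this gives a practitioner is whether a puzzling tcpdump line is really LLC traffic (a type/length field below 0x0600) or a short or malformed frame that happened to be decoded that way; either way an LLC supervisory frame on the Null SAP carries no IP, so it cannot by itself explain a DNS or connectivity failure.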

                        @JKnott said in Why does starting a OpenVPN service break my AP?:

                        those devices are on the same LAN

Just realised... must have been seeing double yesterday... thanks!

NollipfSense @SteelCityColt

@SteelCityColt Have you checked with Ubiquiti on whether there is any known issue?

SteelCityColt @NollipfSense

                            @NollipfSense said in Why does starting a OpenVPN service break my AP?:

@SteelCityColt Have you checked with Ubiquiti on whether there is any known issue?

                            Raised same question on their forums too.

SteelCityColt

                              Sorry to bump, but I have made some progress.

Although it's still only the wireless AP that seems to be affected, which I can't quite get my head around, it may well be a routing issue.

I found if I turn off my OpenVPN client on the pfSense box, then the OpenVPN server doesn't break net access for the wireless AP. Reading up on people having similar issues trying to run a client/server at the same time, it seems the key is to check "don't pull routes". The issue then is how do I set up the routing manually to push out everything on the LAN via the VPN client. I'm guessing a combo of firewall and NAT?

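As an added example, not from this thread and not pfSense code, here is a small model of why an OpenVPN client that pulls routes changes where both the LAN's and the firewall's own traffic goes, and what "Don't pull routes" (OpenVPN's route-nopull) plus a per-rule gateway does instead. The route tables, the gateway names WAN_GW and VPN_GW, the interface names and the sample addresses are all constructed; the redirect-gateway def1 behaviour (two /1 routes that win over the /0 default on prefix length) is standard OpenVPN. Source address is used here as a stand-in for "entered through the LAN interface", which is what a pfSense firewall rule with a gateway set actually matches on.

```python
import ipaddress

# Constructed routing table; gateway and interface names are placeholders.
BASE_ROUTES = [
    ("0.0.0.0/0", "WAN_GW"),       # default via the ISP
    ("192.168.0.0/24", "LAN"),     # directly connected LAN
    ("10.0.8.0/24", "ovpns1"),     # OpenVPN server tunnel network from the post
]


def lookup(routes, dst):
    """Longest-prefix match over a list of (prefix, via) pairs."""
    addr = ipaddress.ip_address(dst)
    best_net, best_via = None, None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_via = net, via
    return best_via


def with_pulled_routes(routes, vpn_gw="VPN_GW"):
    """What a pushed 'redirect-gateway def1' does to the table: two /1 routes that
    beat the /0 default on prefix length without deleting it."""
    return routes + [("0.0.0.0/1", vpn_gw), ("128.0.0.0/1", vpn_gw)]


def policy_route(routes, src, dst, lan="192.168.0.0/24", vpn_gw="VPN_GW"):
    """route-nopull plus a per-rule gateway: the table is left alone and only
    packets that came in from the LAN and would otherwise leave via the default
    gateway are steered to vpn_gw. Traffic the firewall originates itself, and
    anything with a more specific route (LAN, the server tunnel), is unaffected."""
    via = lookup(routes, dst)
    if ipaddress.ip_address(src) in ipaddress.ip_network(lan) and via == "WAN_GW":
        return vpn_gw
    return via


def compare(dst, lan_host="192.168.0.50", firewall_wan="203.0.113.2"):
    """Next hop for one destination under the three setups, as a pair
    (LAN host's traffic, firewall's own traffic). Addresses are placeholders."""
    pulled = with_pulled_routes(BASE_ROUTES)
    return {
        "plain":      (lookup(BASE_ROUTES, dst), lookup(BASE_ROUTES, dst)),
        "pulled":     (lookup(pulled, dst), lookup(pulled, dst)),
        "nopull+pbr": (policy_route(BASE_ROUTES, lan_host, dst),
                       policy_route(BASE_ROUTES, firewall_wan, dst)),
    }


if __name__ == "__main__":
    for dst in ("8.8.8.8", "200.0.0.1", "192.168.0.21", "10.0.8.2"):
        print(dst, compare(dst))
```

With the pulled routes in place, every destination that is not covered by a more specific route, including traffic the firewall originates itself, resolves to VPN_GW. With route-nopull the table stays as BASE_ROUTES and the LAN-to-VPN decision is made per packet by where it came in, which is what setting the gateway on the LAN firewall rule does in pfSense, so the firewall's own traffic keeps using WAN_GW. The NAT half of the poster's guess is outbound NAT on the VPN client interface, so that LAN source addresses are translated before they enter the provider's tunnel.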
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.