Netgate Discussion Forum

pfSense 2.5 VPN-Killswitch gets hammered

Category: Firewalling. 5 Posts, 2 Posters, 655 Views.
Bob.Dig (LAYER 8), last edited by Bob.Dig:

Noticed something weird: fresh install of pfSense 2.5 with some OVPN clients. I made a VPN killswitch via tagging. But after a reboot, when all clients were up again, something was hitting the killswitch all the time. Even after restarting every client (again).
I then activated "Reset all states if WAN IP Address changes" and rebooted, and the problem was gone. Although I don't think that this option is related to that problem...
This never happened to me like this in 2.4.

Bob.Dig (LAYER 8) @Bob.Dig:

        Maybe it is related to Hyper-V, SR-IOV and a new NIC that I am using and has nothing to do with the new pfSense version.

Bob.Dig (LAYER 8), last edited by Bob.Dig:

Meanwhile I had to disable SR-IOV, but the problem persists.

It is now past half an hour and still there is one connection hammering into the "VPN-KillSwitch", although the tunnels are all well and up.
Is this the "fault" of pfSense or of the program on that host that is doing this? Can I kill states with that rule? Probably not, because it is just a floating rule rejecting tagged connections outgoing on WAN?
I killed that state manually, but is there no way of doing this automatically?

JeGr (LAYER 8, Moderator) @Bob.Dig:

@bob-dig How about checking what gets blocked by that rule and where it comes from? Do a state table lookup and see what's running against that rule?

            Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

            If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

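As an added example of the check JeGr suggests (this is not code from the thread or from pfSense): the script below reads pfSense filterlog entries, keeps the ones logged by one rule's tracker ID, and reports which internal hosts and which flows are responsible. The tracker ID `1600000001`, the interface name `hn0` and every log line in `SAMPLE_LOG` are constructed for the example; the field layout is the pfSense filterlog CSV format for IPv4 as I understand it, so check it against one real line from your own log before relying on it.

```python
"""Find out who keeps hitting a pfSense kill-switch rule.

Added example, not code from the forum thread or from pfSense. It reads
pfSense filterlog entries (the CSV format pfSense writes to the firewall
log) and counts, per source host and per flow, the entries logged by one
rule's tracker ID. The tracker ID, interface name and every log line
below are constructed for this example.
"""
from collections import Counter
from typing import Iterable, List, NamedTuple, Optional, Tuple

# Assumed: the tracker ID pfSense assigned to the floating reject rule.
# Take the real value from the rule's log entry or from Firewall > Rules.
KILLSWITCH_TRACKER = "1600000001"


class Hit(NamedTuple):
    tracker: str
    iface: str
    action: str
    direction: str
    proto: str
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]


def parse_filterlog(line: str) -> Optional[Hit]:
    """Parse one IPv4 filterlog entry; return None for anything unreadable.

    Field order follows the pfSense filterlog layout for IPv4:
    rule,subrule,anchor,tracker,iface,reason,action,direction,ipver,
    tos,ecn,ttl,id,offset,flags,proto-id,proto-text,length,src,dst,
    followed by sport,dport for TCP and UDP.
    """
    # Strip an optional syslog prefix ("Mar  1 10:00:01 host filterlog[pid]: ")
    idx = line.find("filterlog")
    if idx >= 0:
        line = line[idx:].split(":", 1)[1]
    f = line.strip().split(",")
    if len(f) < 20 or f[8] != "4":
        return None  # IPv6 entries use a different layout; not handled here
    proto = f[16].lower()
    sport = dport = None
    if proto in ("tcp", "udp") and len(f) >= 22:
        try:
            sport, dport = int(f[20]), int(f[21])
        except ValueError:
            return None
    return Hit(f[3], f[4], f[6], f[7], proto, f[18], f[19], sport, dport)


def killswitch_hits(lines: Iterable[str], tracker: str = KILLSWITCH_TRACKER) -> List[Hit]:
    """Keep only entries logged by the kill-switch rule (any non-pass action)."""
    hits = []
    for line in lines:
        h = parse_filterlog(line)
        if h and h.tracker == tracker and h.action != "pass":
            hits.append(h)
    return hits


def by_flow(hits: Iterable[Hit]) -> Counter:
    """Count hits per (source, destination, destination port, protocol)."""
    return Counter((h.src, h.dst, h.dport, h.proto) for h in hits)


def top_sources(hits: Iterable[Hit], n: int = 5) -> List[Tuple[str, int]]:
    """The internal hosts responsible for the most hits, most first."""
    return Counter(h.src for h in hits).most_common(n)


# Constructed sample log: hn0 stands in for the WAN interface, 1600000001 is
# the kill-switch rule, 1600000002 an unrelated pass rule. One host repeats
# DNS lookups to 8.8.8.8, another runs a P2P client toward TEST-NET peers.
SAMPLE_LOG = [
    "Mar  1 10:00:01 pfsense filterlog[40231]: 5,,,1600000001,hn0,match,block,out,4,0x0,,64,1001,0,DF,17,udp,73,192.168.1.50,8.8.8.8,51234,53,53",
    "Mar  1 10:00:02 pfsense filterlog[40231]: 5,,,1600000001,hn0,match,block,out,4,0x0,,64,1002,0,DF,17,udp,73,192.168.1.50,8.8.8.8,51235,53,53",
    "Mar  1 10:00:02 pfsense filterlog[40231]: 5,,,1600000001,hn0,match,block,out,4,0x0,,64,1003,0,DF,6,tcp,60,192.168.1.77,203.0.113.9,55000,6881,0,S,123456789,,65535,,mss;sackOK",
    "Mar  1 10:00:03 pfsense filterlog[40231]: 5,,,1600000001,hn0,match,block,out,4,0x0,,64,1004,0,DF,6,tcp,60,192.168.1.77,198.51.100.23,55001,51413,0,S,123456790,,65535,,mss;sackOK",
    "Mar  1 10:00:03 pfsense filterlog[40231]: 5,,,1600000001,hn0,match,block,out,4,0x0,,64,1005,0,DF,17,udp,73,192.168.1.50,8.8.8.8,51236,53,53",
    "Mar  1 10:00:04 pfsense filterlog[40231]: 5,,,1600000001,hn0,match,block,out,4,0x0,,64,1006,0,DF,6,tcp,60,192.168.1.77,203.0.113.9,55002,6881,0,S,123456791,,65535,,mss;sackOK",
    "Mar  1 10:00:05 pfsense filterlog[40231]: 5,,,1600000001,hn0,match,block,out,4,0x0,,64,1007,0,DF,6,tcp,60,192.168.1.77,203.0.113.9,55003,6881,0,S,123456792,,65535,,mss;sackOK",
    # Passed by another rule: must not be counted
    "Mar  1 10:00:05 pfsense filterlog[40231]: 9,,,1600000002,hn0,match,pass,out,4,0x0,,64,1008,0,DF,17,udp,73,192.168.1.50,8.8.8.8,51237,53,53",
    # IPv6 entry (different layout): skipped by the parser
    "Mar  1 10:00:06 pfsense filterlog[40231]: 5,,,1600000001,hn0,match,block,out,6,0x00,0x00000,64,udp,17,73,2001:db8::50,2001:4860:4860::8888,51238,53,53",
]

if __name__ == "__main__":
    hits = killswitch_hits(SAMPLE_LOG)
    for (src, dst, dport, proto), count in by_flow(hits).most_common():
        print(f"{count:4d}  {src} -> {dst}:{dport}/{proto}")
    print("top sources:", top_sources(hits))
```

Run it against a copy of the firewall log (the raw lines, not the GUI view) to get the per-host and per-flow counts; in the constructed sample the P2P host comes out on top, with the DNS host to 8.8.8.8 right behind it, which is the kind of answer the thread ends up with. This reads the log rather than the live state table; for states that are open right now, Diagnostics > States in the GUI, or `pfctl -ss` on the console, gives the same kind of view.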
Bob.Dig (LAYER 8) @JeGr:

@jegr Hey JeGr, it seems to be a P2P file-sharing application and/or DNS. I use 8.8.8.8 as the default DNS for several interfaces.

Because I couldn't stop it happening, I enabled "Do not create rules when gateway is down" in the advanced settings and created reject rules as necessary. Now I have a clean log at least...

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.