<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[Routing established TCP connection through PFsense and OpenVPN]]></title><description><![CDATA[<p dir="auto">Hi,</p>
<p dir="auto">I am trying to configure PFsense with OpenVPN as follows.</p>
<p dir="auto"><img src="/assets/uploads/files/1687168479892-pfsense_config.png" alt="pfsense_config.png" class=" img-fluid img-markdown" /></p>
<p dir="auto">In this configuration, I have two links between server and client. Link 1 is used for forward traffic only (server to client), and Link 2 can be used for forward traffic, and always for return traffic.<br />
Link 2 deploys an OpenVPN between two PFsense machines.</p>
<p dir="auto">The switch uses openswitch to send packets on Link 1 or 2. I have four main scenarios, with TCP traffic:</p>
<ul>
<li>Case 1: Send all packets on Link 1</li>
<li>Case 2: Send all packets on Link 2</li>
<li>Case 3: Send all packets on Link 1, then switch to Link 2 after X seconds</li>
<li>Case 4: Send all packets on Link 2, then switch to Link 1 after X seconds</li>
</ul>
<p dir="auto">In any case, return traffic, from client to server, uses Link 2.</p>
<p dir="auto">Cases 1 and 2 work fine. I just had to increase the "TCP start timeout" to avoid the firewall blocking packets after 30s in the PFsense client.</p>
<p dir="auto">However, with Case 3, as soon as I switch forward traffic to Link 1 after X seconds, the TCP ACKs on Link 2 are blocked and never received by the server. I tried to change some advanced parameters in the PFsense configuration, but I did not manage to make it work.<br />
For Case 4, I will investigate further once Case 3 is solved.</p>
<p dir="auto">Do you have any thoughts on what I can do to allow TCP ACKs on Link 2?</p>
<p dir="auto">Thanks</p>
]]></description><link>https://forum.netgate.com/topic/180924/routing-established-tcp-connection-through-pfsense-and-openvpn</link><generator>RSS for Node</generator><lastBuildDate>Mon, 13 Apr 2026 12:02:57 GMT</lastBuildDate><atom:link href="https://forum.netgate.com/topic/180924.rss" rel="self" type="application/rss+xml"/><pubDate>Mon, 19 Jun 2023 10:03:58 GMT</pubDate><ttl>60</ttl><item><title><![CDATA[Reply to Routing established TCP connection through PFsense and OpenVPN on Mon, 19 Jun 2023 17:37:24 GMT]]></title><description><![CDATA[<p dir="auto"><a class="plugin-mentions-user plugin-mentions-a" href="/user/bemethor">@<bdi>bemethor</bdi></a><br />
Not really clear what the benefit of the link switching is at all.</p>
<p dir="auto">pfSense is a stateful firewall. It needs to see the SYN packet of a TCP connection to pass the following packets.</p>
<p dir="auto">You can close the connection when switching to the other link, so the client has to establish a new one. But this has to be done on the openswitch. And it has the drawback that it slows down the communication.</p>
<p dir="auto">Alternatively you can circumvent the blocking of out-of-state packets on pfSense by adding a sloppy state rule to allow response packets without an existing state.<br />
But this could have a security impact. So you should at least restrict it to certain source and destination addresses.</p>
<p dir="auto">Since you intend to switch the connection in both directions you will need such a rule on both nodes.</p>
]]></description><link>https://forum.netgate.com/post/1111261</link><guid isPermaLink="true">https://forum.netgate.com/post/1111261</guid><dc:creator><![CDATA[viragomann]]></dc:creator><pubDate>Mon, 19 Jun 2023 17:37:24 GMT</pubDate></item></channel></rss>