Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Routing established TCP connection through PFsense and OpenVPN

    Firewalling
    2
    2
    221
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      bemethor
      last edited by

      Hi,

      I am trying to configure PFsense with OpenVPN as follows.

      pfsense_config.png

      In this configuration, I have two links between server and client. Link 1 is used for forward traffic only (server to client), and Link 2 can be used for forward, and always for return traffic.
      Link 2 deploys an OpenVPN between two PFsense machines.

      The switch uses openswitch to send packets on link 1 or 2. I have four main scenarios, with TCP traffic:

      • Case 1: Send all packets on Link 1
      • Case 2: Send all packets on Link 2
      • Case 3: Send all packets on Link 1, then switch to Link 2 after X seconds
      • Case 4: Send all packets on Link 2, then switch to Link 1 after X seconds

      In any case, return traffic, from client to server, uses Link 2.

      Cases 1 and 2 work fine. I just had to increase the "TCP start timeout" to avoid firewall blocking packets after 30s in the PFsense client.

      However, with Case 3, as soon as I switch forward traffic to Link 1 after X seconds, the TCP acks on Link 2 are blocked and never received by the server. I tried to change some advanced parameters in the PFsense configuration, but I did not manage to make it work.
      For Case 4, I will investigate further once Case 3 is solved.

      Do you have any thoughts on what I can do to allow TCP acks on Link 2 ?

      Thanks

      V 1 Reply Last reply Reply Quote 0
      • V
        viragomann @bemethor
        last edited by

        @bemethor
        Not really clear, what's the benefit of the link switching at all.

        pfSense is a stateful firewall. It requires to see the SYN packet of a TCP connection to pass the following packets.

        You can close the connection, when switching to the other link, so the client has to establish a new one. But this has to be done on the the openswitch. And it has the drawback that it slows down the communication.

        Alternatively you can circumvent the blocking of out of state packets on pfSense by adding a sloppy state rule to allow response packets without an existing state.
        But this could be a security impact. So you should at least restrict it to the certain source and destination.

        Since you intend to switch the connection in both directions you will need such rule on both nodes.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post