Unable to pass traffic
-
Experiencing an odd issue with ovpn where the client connects and receives an IP address but is totally unable to pass traffic to the other end of the tunnel. The configuration is a client-server relation, where the server will allow external users to remote in with OpenVPN Connect using TUN mode.
Firewall rules are configured as any any any, and the logs are showing no dropped or blocked packets. The VPN gateway is reachable by PING and it is responding. Another odd behaviour is the range of IP addresses that are accepted by the VPN: anything below 10.10.10.0/24 is working; anything above just fails and the daemon refuses to start.
The 10.10.xxx.xxx/24 passes through an igb 172.16.xxx.xxx/24. Behind the interface there are three subnets that I need to reach: 10.101.xxx.xxx/24, 10.23.xxx.xxx/24 and 10.20.xxx.xxx/24.
All the subnets were added to the accessible list and routes pushed for those subnets. A static route pointing to 10.10.xxx.xxx/24 with 172.16.xxx.xxx/24 as GW was created as a testing point, but it failed again. The log's verbosity level has been set to 10. There are two AF_UNSPEC errors:
TLS: tls_multi_process:i=2 state=S_INITIAL,mysid=4b4783c9 74789809,stored-sid=00000000 00000000,stored-ip=[AF_UNSPEC]
TLS: tls_multi_process:i=2 state=S_UNDEF,mysid=00000000 00000000,stored-sid=00000000 00000000,stored-ip=[AF_UNSPEC]
Any help on this issue is greatly appreciated.
If there is something else you might need, please let me know.
-
@g405tsh311 said in Unable to pass traffic:
The 10.10.xxx.xxx/24 passes through an igb 172.16.xxx.xxx/24.
What??
Log's verbosity level has been set to 10.
This gives you too much irrelevant noise. Level 4 would be sufficient to investigate this issue.
Post the server's and the client's IPv4 routing tables.
-
I will sanitize the config and post it as soon as I can.
igb is the interface name given by pf.
Are you referring to the VPN server routing configuration?
The routes are pushed to the clients via OpenVPN Connect.
Can you please clarify?
Thank you in advance for your assistance.
-
These are the routes currently being pushed:
push "route 10.101.xxx.xxx 255.255.255.0"
push "route 10.23.xxx.xxx 255.255.255.0"
push "route 192.168.xxx.xxx 255.255.255.0"
push "dhcp-option DOMAIN internal.local.com"
push "dhcp-option DNS 10.23.xxx.xxx"
push "dhcp-option DNS 10.23.xxx.xxx"
push "block-outside-dns"
route 10.101.xxx.xxx 255.255.255.0 172.16.xxx.xxx
Please let me know if you need more info.
-
@g405tsh311 said in Unable to pass traffic:
The 10.10.xxx.xxx/24 passes through an igb 172.16.xxx.xxx/24.
igb is the interface name given by pf.
Still not clear what this sentence should tell me in this context.
These are the routes currently being pushed:
The question is which routes are in fact installed on the server and on the client.
This can be seen in the routing table.
-
@viragomann
igb1 IP 172.16.xxx.xxx/24 is the default gateway to 10.101.xxx.xxx/24, where the traffic should be passing to. I know something is reachable since users are authenticating to LDAP successfully.
Please keep in mind that the server is providing access to users via OpenVPN Connect; therefore, there are no routes on the client side of the VPN. OpenVPN is pushing the routes to Windows and adding the routes to the routing table. Here is a simplified diagram below:
Hoping this will assist on clarifying some of the questions.
-
@g405tsh311
Each network-enabled device owns a routing table, no matter if you push routes to it from the OpenVPN server or not.
The pushed routes should be added to the client's routing table. But you can't be sure without looking into it. Also, other routes could override the pushed ones.
The routing tables of all devices in the path (client, server, destination device) are essential to solve routing issues.
-
I am unsure where you are going with this???
The routing tables are being updated on the clients' end. Hence, the users are able to reach the LDAPS server in the 10.101.xxx.xxx/24 subnet. Otherwise the authentication would fail, since there is no LDAPS in pfSense.
If you would like to see the routes:
------- ----------------- ------- ----------- -------- --
22 192.168.xxx.255/32 0.0.0.0 256 25 Ac
22 192.168.xxx.1/32 0.0.0.0 256 25 Ac
22 192.168.xxx.0/24 0.0.0.0 256 25 Ac
20 192.168.xxx.0/24 10.10.xxx.xxx 256 25 Ac
20 172.16.xxx.xxx/24 10.10.xxx.xxx 256 25 Ac
18 172.16.xxx.255/32 0.0.0.0 256 35 Ac
18 172.16.xxx.xxx/32 0.0.0.0 256 35 Ac
18 172.16.xxx.xxx/24 0.0.0.0 256 35 Ac
20 10.101.xxx.xxx/24 10.10.xxx.xxx 256 25 Ac
20 10.23.xxx.xxx/24 10.10.xxx.xxx 256 25 Ac
18 0.0.0.0/0 172.16.1.1 0 35 Ac
As you can see, the routing table updates are working. The routes are present in the routing table. But one piece of information I forgot to provide: there are multiple VPN servers running; unsure what the max number of VPN servers that pfSense can run concurrently is.
The interesting route in the pfFW:
10.10.xxx.xxx/24 link#11 U 14 1500 ovpns3
10.10.xxx.xxx link#6 UHS 15 16384 lo0
Looking at the logs, set to level 4, the only thing I see right now is "Clock Unsynchronized".
Other than that the VPN logs are clean, and the same for the FW rules.
Thank you again for your patience and assistance.
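The point made earlier in the thread, that a pushed route only helps if it actually wins in the client's routing table, can be checked mechanically rather than by eye. The following is an added example written for this thread; it is not code from the forum posts, from pfSense or from OpenVPN. It parses rows laid out like the Windows Get-NetRoute dump posted above (ifIndex, DestinationPrefix, NextHop, RouteMetric, ifMetric, PolicyStore), does the longest-prefix lookup a host performs for a destination, breaks ties between equal-length prefixes by the Windows effective metric (RouteMetric + ifMetric), and lists pushed prefixes that a non-VPN route equals or is more specific than, i.e. the routes that can shadow a pushed one. The interface indexes, addresses and metrics in SAMPLE_TABLE are constructed for the example (interface 22 plays the client LAN, interface 20 the OpenVPN adapter).

```python
"""Longest-prefix lookup over a client routing table (added example, not from the thread)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout of a Windows Get-NetRoute dump:
# ifIndex DestinationPrefix NextHop RouteMetric ifMetric PolicyStore.
# Interface 22 is the client's LAN, 20 the OpenVPN adapter. All values are made up.
SAMPLE_TABLE = """\
------- ----------------- ----------- ----------- -------- -----------
22      192.168.1.255/32  0.0.0.0     256         25       ActiveStore
22      192.168.1.0/24    0.0.0.0     256         25       ActiveStore
20      192.168.1.0/24    10.10.10.1  256         35       ActiveStore
20      10.101.0.0/24     10.10.10.1  256         35       ActiveStore
20      10.23.0.0/24      10.10.10.1  256         35       ActiveStore
20      10.10.10.0/24     0.0.0.0     256         35       ActiveStore
22      0.0.0.0/0         192.168.1.1 0           25       ActiveStore
"""
VPN_IF_INDEX = 20  # constructed: the OpenVPN adapter in SAMPLE_TABLE


@dataclass(frozen=True)
class Route:
    if_index: int
    prefix: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address  # 0.0.0.0 means on-link
    route_metric: int
    if_metric: int

    @property
    def effective_metric(self) -> int:
        # Windows ranks equal-length prefixes by RouteMetric + ifMetric.
        return self.route_metric + self.if_metric


def parse_routes(text: str) -> List[Route]:
    """Parse Get-NetRoute style rows; header, separator and blank lines are skipped."""
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].isdigit():
            continue
        routes.append(Route(
            if_index=int(parts[0]),
            prefix=ipaddress.IPv4Network(parts[1], strict=False),
            next_hop=ipaddress.IPv4Address(parts[2]),
            route_metric=int(parts[3]),
            if_metric=int(parts[4]),
        ))
    return routes


def lookup(routes: List[Route], dest: str) -> Optional[Route]:
    """Route the host would pick for dest: longest prefix, then lowest effective metric."""
    addr = ipaddress.IPv4Address(dest)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-r.prefix.prefixlen, r.effective_metric, r.if_index))


def pushed_route_conflicts(routes: List[Route],
                           vpn_if_index: int) -> List[Tuple[ipaddress.IPv4Network, Route]]:
    """Pairs (pushed prefix, non-VPN route) where the non-VPN route equals or is
    more specific than the pushed prefix, so it can win over the pushed route."""
    pushed = [r.prefix for r in routes if r.if_index == vpn_if_index]
    conflicts: List[Tuple[ipaddress.IPv4Network, Route]] = []
    for r in routes:
        if r.if_index == vpn_if_index or r.prefix.prefixlen == 0:
            continue  # skip VPN routes themselves and the default route
        for p in pushed:
            if r.prefix.subnet_of(p):
                conflicts.append((p, r))
    return conflicts


if __name__ == "__main__":
    table = parse_routes(SAMPLE_TABLE)
    for dest in ("10.101.0.50", "192.168.1.20", "203.0.113.9"):
        r = lookup(table, dest)
        print(f"{dest:>14} -> if {r.if_index} via {r.next_hop} ({r.prefix})")
    for pushed, local in pushed_route_conflicts(table, VPN_IF_INDEX):
        print(f"pushed {pushed} is shadowed by if {local.if_index} route {local.prefix}")
```

With the sample table, 10.101.0.50 goes through the tunnel as intended, while 192.168.1.20 stays on the LAN even though a 192.168.1.0/24 route was pushed, because the on-link /24 has the lower effective metric. Running the same lookup against the real client table for the failing destinations is a quicker way to answer "which route is actually installed" than reading the dump by hand.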