Privacy VPN not policy routing
-
I have 2x Proton VPN privacy VPNs set up on a post-upgrade 24.03 system.
Last night I noticed my phone wasn't getting onto the Internet, as no web pages were loading, so I thought nothing more about it and figured I would deal with it in the morning. My setup only has one device being policy routed.
Today I took a deeper dive into this problem. Not sure on the exact moment when this broke (pre or post upgrade), but I do know this is a recent problem. First thing I did was check my DNS server to make sure I am resolving, and I am.
Second thing is that I took a pcap off the firewall on my privacy VPN interface. No packets.
Then I took a pcap off my wireless network for my phone's IP and sure enough I see attempts going out, but TCP SYN retransmissions occurring.
Whatever is happening, the packets aren't making it out the VPN. I checked my NAT outbound policy and those are unchanged.
BTW, I do have other WireGuard tunnels to Linode and OCI and those are unaffected.
So I don't believe this to be a WireGuard-specific issue.
Doesn't seem like configuration, as that's been unchanged. Any ideas?
-
Do you see states created for those connection attempts? On multiple interfaces?
Do you see blocked traffic?
It's almost always a bad idea to have outbound NAT rules with source 'any'. That can over-match and will NAT traffic from the firewall itself, which should not be.
Unlikely that's the cause here, but best practice is to always define a source.
Steve
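To work through the first question in the reply above (are states being created for the phone's connections, and on which interfaces), here is an added example that is not part of the post or of pfSense itself: a small Python triage script over `pfctl -ss` output. The state-table line shape it parses (`iface proto src (pre-NAT src) -> dst state`), the interface names, addresses and ports in the sample are all assumptions constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of `pfctl -ss` output. Line shape assumed here:
#   <iface> <proto> <src>[ (<pre-NAT src>)] -> <dst>   <state>
# Interface names, addresses and ports are made up for the example.
SAMPLE_STATES = """\
wg0 tcp 10.8.0.5:41230 (192.168.20.17:52311) -> 93.184.216.34:443       SYN_SENT:CLOSED
wg0 tcp 10.8.0.5:41231 (192.168.20.17:52312) -> 93.184.216.34:443       SYN_SENT:CLOSED
igb0 tcp 203.0.113.9:60012 (192.168.10.4:50000) -> 140.82.112.3:443       ESTABLISHED:ESTABLISHED
wg1 udp 10.9.0.2:61000 (192.168.10.4:61000) -> 1.1.1.1:53       MULTIPLE:SINGLE
igb0 udp 203.0.113.9:51820 -> 185.159.157.1:51820       MULTIPLE:MULTIPLE
"""

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)"
    r"(?:\s+\((?P<orig_src>\S+)\))?\s+(?P<dir>->|<-)\s+(?P<dst>\S+)\s+(?P<state>\S+)\s*$"
)


def host_of(endpoint):
    """Strip the port from 'a.b.c.d:port' or '[v6addr]:port'."""
    if endpoint.startswith("["):
        return endpoint[1:endpoint.index("]")]
    return endpoint.rsplit(":", 1)[0]


def parse_states(text):
    """Parse pfctl -ss lines into dicts; lines that do not match the assumed shape are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        # The address in parentheses is the pre-NAT (real LAN) source; without NAT, src is the host itself.
        d["client"] = host_of(d["orig_src"] or d["src"])
        states.append(d)
    return states


def states_for_host(states, ip):
    return [s for s in states if s["client"] == ip]


def triage(text, ip, expected_iface):
    """Report which interfaces hold states for a LAN host and whether its TCP states are completing."""
    mine = states_for_host(parse_states(text), ip)
    by_iface = Counter(s["iface"] for s in mine)
    tcp = [s for s in mine if s["proto"] == "tcp"]
    half_open = sum(1 for s in tcp if s["state"].startswith("SYN_SENT"))
    wrong = sorted(i for i in by_iface if i != expected_iface)
    if not mine:
        verdict = "no states: traffic is blocked or rejected before a state is created"
    elif wrong:
        verdict = "states on %s instead of %s: policy routing rule is not matching" % (
            ", ".join(wrong), expected_iface)
    elif tcp and half_open == len(tcp):
        verdict = "states on %s but every TCP state is half-open: SYNs enter the tunnel, nothing returns" % (
            expected_iface)
    else:
        verdict = "states look healthy"
    return {"interfaces": dict(by_iface), "half_open": half_open,
            "wrong_interface": wrong, "verdict": verdict}


if __name__ == "__main__":
    # On a live firewall, replace SAMPLE_STATES with the output of `pfctl -ss`.
    for host, iface in (("192.168.20.17", "wg0"), ("192.168.10.4", "wg1"), ("192.168.20.99", "wg0")):
        print(host, triage(SAMPLE_STATES, host, iface))
```

Three outcomes map onto the checks in the reply: no states at all points at a block or reject rule (the case later found on the guest network), states on the WAN instead of the VPN interface points at the policy-routing rule not matching, and states that exist on the VPN interface but stay in SYN_SENT points at the tunnel itself (the case the pcap on the VPN interface showed).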
-
@stephenw10
Addendum. I do have a guest WiFi that is also policy routed out Proton VPN.
Very, very strange behavior I am seeing.
According to the firewall, it's hitting my reject rule.
So there is no state.
But it bypasses my other rule.
I have filter reloaded quite a few times.
I've never seen this behavior occur.
-
@stephenw10
Disregard that guest network issue. I spotted the firewall problem right as I posted it. Still working on the policy routing on the iPhone issue.
I'm going to just recreate that WireGuard VPN and see what happens. Stay tuned .....
-
It's not matching that 'permit internet' rule because the source is the interface address. It should probably be the subnet.
-
@stephenw10
Recreating the WireGuard configuration solved it.
Smells like a Proton VPN issue, but I can't prove it with data... just feelings, haha.