need help with TAP OpenVPN Connection Computer Cant Ping network/access it
-
@stephenw10 so you lost me there lol, not hard
So I tried googling "State Killing on Gateway Failure pfsense" but they talk about VPNs etc.
So I looked at the gateway groups and as you see they use global behavior.
I don't know where you're referencing that, as there is "keep states on gateway recovery" or reset.
Where do I look for it?
As I'm not sure where you set kill states for gateways that are down... do I change it there
or is there another spot I need to change?
-
I think I need to set it to
Keep states on gateway recovery: states for this gateway group are unaffected, from the description... and I can't tell if it's the VPN going down or the WAN that goes down, but I'll try looking more and google
-
In System > Advanced > Misc there is a gateway section. That's where the state flushing is set:

-
@stephenw10
ah ok ya I found it
What a nice feature it would be if pfSense were like some other programs like browsers... you could search... search the word "kill states" and then it could lead you to several spots; it would be helpful at times.
So mine is set up like this

-
Hmm, not that there then. You can override that on each gateway though, it might be set to flush on the WAN gateway. Though I think you already checked that?
-
@stephenw10 ah ok
So I'm not sure where to find it per gateway? I did look under the rules
and scrolled down each and they are all set to keep... if that's what you meant for me to look at? I'm not 100% sure... but I'll also google flush WAN gateway...

Under Routing > Gateways this is what I got set

-
Yup, you can see there both gateways are set to 'Use global behaviour'. And you just checked that is set to not kill the states so it shouldn't be killing any states when the WAN gateway goes down.
Thus I would not expect open connections between LAN and CAMERAS to fail.
Is it possible the traffic is not going directly but instead via some cloud server?
-
@stephenw10 ah ok, I guess just glitching???
No, the software works by the IP address... you just use the IP address, as when you shut the modem off itself the cameras work fine... I just find that when my internet red lines for a long time where you're using your internet and it's always showing 100% offline... yet still working, I find pfSense just glitches at times... I know you'll say it can't be glitching, but no one is 100% red lining their internet 100% of the time, as everyone has faster internet than 3 megabit... so I figure it's just my internet that glitches pfSense
As I know sometimes if I can't get my internet back, without rebooting, if I go to General Settings and scroll to the bottom and Save... my internet will come back from glitching... and my other comp I was using the firewall on, when it was like 2.5/2.6 it worked fine, but when I upgraded to 2.8 it would glitch harder... and then if the CPU idles at 29-30% pfSense is borked, you can hardly do anything... and if you try to reboot from SSH or from the GUI... it will hang the pfSense box... you can ping 192.168.0.1 but you're done, pfSense no longer works and it sits there, nothing will happen till you hit the reset button...
So I guess I just have to live with it, as everything is the default...
I still have that issue where I logged in it doesn't show the user name on the TAP connection; it will show the DNS address it's connected to as the name of the user...
but TUN will show the user name
So test user
TUN = name = test
TAP = name = www.example.com as the example DNS address, so that's messed.
I'm also dealing with my websites and Immich not working on the internet side connecting to pfSense to nginx proxy... I got ports open but I'm not sure how to see if the address is hitting pfSense
-
@comet424 said in need help with TAP OpenVPN Connection Computer Cant Ping network/access it:
I still have that issue where I logged in it doesn't show the user name on the TAP connection; it will show the DNS address it's connected to as the name of the user...
Right, but where is it getting that 'DNS address' from? It's linked to the user logging in somehow I assume?
I would not expect a direct IP connection between LAN and CAMERAS to be affected at all by WAN issues unless it's nuking all the states every time the gateway goes down.
I would check the states for a connection to a camera then recheck them when it fails. If the packet/data counter on the connection resets then the state has been closed and recreated.
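Added example (not code from this thread or from pfSense) of the check described above: save the state table once while the camera stream works and again after it drops, then compare the two. The snapshots below are constructed in the style of `pfctl -ss -vv` output, simplified to the state header, the counter line and the id line; 192.168.2.10:554 is a placeholder for a camera's RTSP port. On a real box you would save the actual command output to two files and feed those in instead of the embedded strings.

```python
import re

# Constructed snapshots in the style of `pfctl -ss -vv` on pfSense (not real
# captures; the layout is simplified to the state header, counter and id lines).
# Workflow: save the output once while the camera stream works, again after it
# drops, then compare. 192.168.2.10:554 stands in for a camera's RTSP port.
SNAPSHOT_BEFORE = """\
all tcp 192.168.1.50:49152 -> 192.168.2.10:554       ESTABLISHED:ESTABLISHED
   age 00:05:12, expires in 23:59:58, 1523:1410 pkts, 120345:98765 bytes, rule 67
   id: 0000000000000001 creatorid: 00000001
all udp 192.168.1.50:5353 -> 224.0.0.251:5353       MULTIPLE:MULTIPLE
   age 00:00:10, expires in 00:00:50, 4:0 pkts, 300:0 bytes, rule 5
   id: 0000000000000003 creatorid: 00000001
"""
SNAPSHOT_AFTER = """\
all tcp 192.168.1.50:49152 -> 192.168.2.10:554       ESTABLISHED:ESTABLISHED
   age 00:00:03, expires in 23:59:59, 12:11 pkts, 900:700 bytes, rule 67
   id: 0000000000000002 creatorid: 00000001
"""

# Header line: interface, protocol, source, direction arrow, destination.
STATE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(->|<-|<->)\s+(\S+)")
COUNTER_RE = re.compile(r"(\d+):(\d+) pkts, (\d+):(\d+) bytes")
ID_RE = re.compile(r"\bid: (\w+)")


def parse_states(text):
    """Map (proto, src, dst) -> {'pkts': (a, b), 'bytes': (a, b), 'id': str}."""
    states = {}
    current = None
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            _iface, proto, src, _arrow, dst = m.groups()
            current = (proto, src, dst)
            states[current] = {"pkts": None, "bytes": None, "id": None}
            continue
        if current is None:
            continue
        c = COUNTER_RE.search(line)
        if c:
            p_in, p_out, b_in, b_out = (int(x) for x in c.groups())
            states[current]["pkts"] = (p_in, p_out)
            states[current]["bytes"] = (b_in, b_out)
        i = ID_RE.search(line)
        if i:
            states[current]["id"] = i.group(1)
    return states


def compare_states(before, after, dst_prefix=None):
    """Report states that were closed and recreated between two snapshots.

    A live state only ever gains packets and keeps its id, so a changed id or a
    counter that went backwards means the connection was torn down and rebuilt
    (for example by a state flush when a gateway went down)."""
    old_states = parse_states(before)
    new_states = parse_states(after)

    def wanted(key):
        return dst_prefix is None or key[2].startswith(dst_prefix)

    findings = []
    for key, new in new_states.items():
        if not wanted(key):
            continue
        old = old_states.get(key)
        if old is None:
            findings.append((key, "new state, absent from first snapshot"))
        elif old["id"] and new["id"] and old["id"] != new["id"]:
            findings.append((key, "state id changed: state was closed and recreated"))
        elif old["pkts"] and new["pkts"] and (
            new["pkts"][0] < old["pkts"][0] or new["pkts"][1] < old["pkts"][1]
        ):
            findings.append((key, "packet counters went backwards: state was recreated"))
    for key in old_states:
        if wanted(key) and key not in new_states:
            findings.append((key, "state gone: connection closed or flushed"))
    return findings


if __name__ == "__main__":
    for key, why in compare_states(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, dst_prefix="192.168.2."):
        print(f"{key[0]} {key[1]} -> {key[2]}: {why}")
```

Restricting the comparison to the camera subnet (`dst_prefix`) keeps short-lived states such as mDNS out of the report; a state id that changes while the source and destination stay the same is the clearest sign that something flushed the table rather than the camera itself dropping the stream.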
-
@stephenw10
So the user name is getting it from the OpenVPN file, I guess, when I create it when I select the DNS from the wizard.
As for the packet data count, I'll see; I probably won't notice as it's not happening all the time. Or I dunno, I just randomly see Battle.net reconnect and watch Reolink cameras disconnect and reconnect... I'll do my best to monitor... gremlins I tell ya lol
As for the address, it is here, and that DNS address it's showing that's logged in
If it helps I'd send you a message with the images unredacted...

-
Oh so it's showing the FQDN of the server in the client login list? Like the same thing for all clients? Hmm odd.
-
@stephenw10 I guess so, if that's the FQDN
So ya, instead, say if you have the DNS address www.microsoft.com
the user name logged in says www.microsoft.com, not test or joe or charlie
I dunno if you can test it if you got a test bench comp... if it's just a check box
if it's a bug in the software... if it's just how TAP does it
It doesn't do this for TUN, just the TAP connection
If I log in TUN it will show like charlie, lisa, test... but as soon as I log in with the same names under TAP connection I get the www.microsoft.com as example saying it is logged in
-
I'll try to get a screen shot of 2 logins at the same time if it will show
www.microsoft.com
www.microsoft.com, logged in at the same time but 2 different user names.
As it doesn't matter what user I use, the DNS address shows up
but I haven't tested 2 different logins at the same time and what it will do... I'll get back to you with what happens
-
Yeah I guess the question is if the logged values are like:
client1.netgate.com client2.netgate.com client3.netgate.com
Which would be fine.
Or like:
server.netgate.com server.netgate.com server.netgate.com
Which is not expected.
-
ok I figured it out
It's when you create a user certificate
"Common Name" example they use www.example.com so I would use my DNS address
If you create a certificate "common name" example.com
username = Test,Test2
Common names = www.example.com, www.example_this_is_common_name
TUN connection uses "username"
TAP connection uses "Common Name"
to equal "name logged in"
I didn't grab pics... but that's what it is doing... TAP pulls the common name, TUN doesn't pull the common name... not sure if this is a bug... or how it's supposed to work, but if that's how it's supposed to work... they need to say "use the username of the person"
or in the TAP OpenVPN server config if there is a check box to show common name or user name to show up in the logged in
but that's what I found
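Added example (not code from this thread or from pfSense) covering both the "client1 / client2 / client3 versus server / server / server" question above and the finding that TAP displays the certificate Common Name: it parses the "OpenVPN CLIENT LIST" section of an OpenVPN status file (version-1 layout) and flags client certificates whose Common Name is the server's own hostname, or a Common Name shared by several connected clients. The status text is constructed, not a real capture, and `vpn.example.com` is an assumed placeholder for the server FQDN.

```python
import csv
from collections import defaultdict

# Assumed placeholder for the VPN server's own hostname; not from the thread.
SERVER_FQDN = "vpn.example.com"

# Constructed status output in the OpenVPN version-1 status file layout (the
# "OpenVPN CLIENT LIST" block the connected-clients view is built from). Not a
# real capture: two clients whose certs were issued with the server FQDN as the
# Common Name, and one issued correctly with the username.
STATUS_LOG = """\
OpenVPN CLIENT LIST
Updated,Thu Jan  1 12:00:00 2026
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
vpn.example.com,198.51.100.10:51234,1200,3400,Thu Jan  1 11:55:00 2026
vpn.example.com,198.51.100.11:44321,800,900,Thu Jan  1 11:57:00 2026
charlie,203.0.113.7:60000,5000,7000,Thu Jan  1 11:58:00 2026
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.0.8.6,charlie,203.0.113.7:60000,Thu Jan  1 11:59:00 2026
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def parse_client_list(text):
    """Return the CLIENT LIST rows as dicts keyed by the CSV header."""
    rows, header, in_clients = [], None, False
    for line in text.splitlines():
        if line.startswith("OpenVPN CLIENT LIST"):
            in_clients = True
            continue
        if not in_clients or line.startswith("Updated,"):
            continue
        if line.startswith(("ROUTING TABLE", "GLOBAL STATS", "END")):
            break  # end of the client section
        fields = next(csv.reader([line]))
        if header is None:
            header = fields  # "Common Name,Real Address,..."
        else:
            rows.append(dict(zip(header, fields)))
    return rows


def audit_common_names(rows, server_fqdn):
    """Flag CNs that are the server's FQDN or shared by several live clients."""
    by_cn = defaultdict(list)
    for row in rows:
        by_cn[row["Common Name"]].append(row["Real Address"])
    findings = []
    for cn, addrs in by_cn.items():
        if cn.lower() == server_fqdn.lower():
            findings.append(
                f"CN '{cn}' is the server's own hostname; reissue the user cert "
                f"with the username (or user@domain) as Common Name"
            )
        if len(addrs) > 1:
            findings.append(
                f"CN '{cn}' is shared by {len(addrs)} connected clients "
                f"({', '.join(addrs)}); common names should be unique per user"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_common_names(parse_client_list(STATUS_LOG), SERVER_FQDN):
        print(finding)
```

With the constructed input the two `vpn.example.com` rows produce both findings and `charlie` produces none, which is the "server / server / server" versus "client1 / client2 / client3" distinction in plain form: a per-user Common Name lets you tell connected clients apart in the list and in the logs, while a shared one does not.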
-
Ah, OK. Yeah the user cert common name should be the username or user FQDN not the server FQDN. That's not a bug.
-
@stephenw10
ah ok... ya then the example they use "eg www.example.com"
is not a very good example. The reason I figured maybe a bug:
TUN connection doesn't use "Common Name", only TAP connection uses "Common Name"
They need a disclaimer underneath: TAP uses this, TUN doesn't use this. As it's probably in the Netgate docs, but if you're setting it up you wouldn't know when to use it and not use it
but it's not something that would get noted... just trial and error lol
like a note under Common Name
TUN not used
TAP use, username, user@dns_addy, user@email.com
-
I mean the cert common name can be anything but it should be unique.
-
@stephenw10 ya
I mean better documentation examples below Common Name
like a note under Common Name
TUN not used
TAP use, username, user@dns_addy, user@email.com
cuz the common name isn't used if you use a Tunnel connection, so that's what threw me off
as I created certs for multi users for Tunnel and for the common name I used my DNS address... but I didn't find this issue till I made a TAP connection, which doesn't follow the same rules
is what I meant... but I'll make sure to recreate all my TAP certs
but I just meant it as a suggestion for a future release basically.
-
The cert common name is used in TUN connections. Just not there it looks like.
Do you have
"Username as Common Name" set in the advanced settings?