Big problems with rules and some with OpenVPN

  • Hi, All!

    I installed pfSense to replace a recently died FreeBSD server that was used for an OpenVPN link with a remote office.
    I spent 2 days getting it to work, and it seems that pfSense has very inadequate behaviour, at least with OpenVPN enabled.
    Maybe I missed something, but I read many manuals and tried to configure everything from scratch a few times.

    The first bug I found was with OpenVPN: routing from the local LAN to the remote one doesn't work at all, only from the pfSense box.
    It connects (as a client), and I can even ping the remote LAN from the pfSense box, but not from the local LAN with allow any->any rules. I even added tun0 as the OPT1 interface and created an "allow any" rule for it. I also tried with the redirect-gateway option.
    I can only reach the VPN interface address from the local LAN. Correct routes were pushed by the server (one for the VPN address scope and one for the remote LAN), and it began to work only after adding outbound NAT for the VPN interface. But I wanted just routing, as it was on the old server.

    The second bug is firewall rules. It is weird: rules don't work as expected! Sometimes they don't work at all until rebooting the pfSense box.
    For example, I disable the "allow all" rule, create a few rules for access to specific IPs and apply the changes.
    I can still access everything. After a reboot the rules begin to work as expected.
    If I disable some rules and apply, nothing changes until reboot.
    But rules to allow access often work right after applying, while rules to block, or just disabling a rule, don't.

    tun0 (as OPT1) rules aren't needed at all to access the remote net (even with "Disable all auto-added VPN rules" enabled).

    And by the way, logging seems to work only for blocking rules, not for passing ones.

    Thanks in advance for any advice.

  • (You use the word "bug" very generously….)

    Since you had an OpenVPN server before: did you compare the config file on the pfSense with your old config file?
    The way you describe it, you've set it up wrong.
    Since you're pushing, you're using a PKI for a site-to-site. Did you also add client-specific options to add local routes pointing to the subnet on the other side?
    Generally I don't recommend using a PKI for site-to-site setups. Shared key setups are a lot easier to manage for routed scenarios.

    Did you always clear the state table after changing the rules?
    The way you describe it, you tested, changed the rule, did the same test again and it worked.
    This is how I would expect it, since you created states with the first test.

    Are you aware that rules only apply inbound on an interface and not outbound?
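    To make the two points in this reply concrete (an existing state short-circuits the ruleset, and rules are evaluated only inbound on the interface a packet arrives on), here is a small Python model of stateful filtering. It is an added illustration, not pfSense or pf code; the interface names, addresses and rules are constructed for the example, and the state key is a simplified one-directional tuple rather than pf's real bidirectional state.

```python
"""Toy model of pf-style stateful filtering (added example, not pfSense code).

Shows why a flow that was allowed once keeps passing after the allow rule is
disabled, until the state table is flushed, and why rules on the VPN interface
never see LAN-originated traffic (rules are matched inbound only).
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet ARRIVES on; that is where rules are checked
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    action: str               # "pass" or "block"
    iface: str                # inbound interface the rule is bound to
    dst: str = "any"
    dport: Optional[int] = None
    enabled: bool = True

    def matches(self, p: Packet) -> bool:
        return (self.enabled
                and self.iface == p.iface
                and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport))


class Firewall:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)
        # Flows already admitted; simplified one-directional key (constructed).
        self.states: Set[Tuple[str, str, str, int]] = set()

    def filter(self, p: Packet) -> str:
        key = (p.iface, p.src, p.dst, p.dport)
        # 1. An existing state is honoured before any rule is consulted.
        if key in self.states:
            return "pass (state)"
        # 2. Otherwise walk the rules bound to the arrival interface, first match
        #    wins (pfSense GUI rules are "quick"), and a pass creates a state.
        for r in self.rules:
            if r.matches(p):
                if r.action == "pass":
                    self.states.add(key)
                return r.action
        return "block"   # default deny when nothing matches

    def flush_states(self) -> None:
        self.states.clear()


def scenario() -> List[str]:
    """Replay the thread's symptom: disabling an allow rule 'does nothing'."""
    lan_host, remote_host = "192.168.1.10", "10.20.0.5"     # constructed addresses
    fw = Firewall([Rule("pass", "lan")])                    # the initial allow-all on LAN
    results = []

    ssh = Packet("lan", lan_host, remote_host, 22)
    results.append(fw.filter(ssh))                          # 'pass': state is created

    fw.rules[0].enabled = False                             # disable allow-all ...
    fw.rules.append(Rule("pass", "lan", remote_host, 80))   # ... allow only port 80 now
    results.append(fw.filter(ssh))                          # 'pass (state)': old state wins

    fw.flush_states()                                       # what a reboot also does
    results.append(fw.filter(ssh))                          # 'block': rules finally apply

    results.append(fw.filter(Packet("lan", lan_host, remote_host, 80)))  # 'pass' right away

    # Traffic arriving on tun0 from the remote side is matched against tun0 rules,
    # and there are none, so it is blocked; LAN->remote traffic never hit tun0 rules.
    results.append(fw.filter(Packet("tun0", remote_host, lan_host, 445)))  # 'block'
    return results


if __name__ == "__main__":
    for step, verdict in enumerate(scenario(), 1):
        print(step, verdict)
```

    In the model, `flush_states()` stands in for what a reboot did in the original post; on a real pfSense box the same effect comes from resetting the state table (Diagnostics > States > Reset States, or `pfctl -F states` from a shell) after saving a block rule or disabling a pass rule. Newly added pass rules appear to "work immediately" simply because a blocked flow never had a state to begin with.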

  • About bugs… I tried to follow the manuals, and it does not work as expected.

    State tables. Hm. Probably this is the root of the evil :)

    Yes, the setup is PKI. I don't have access to the other side's config. Routes are pushed from the other side (the pfSense box is the client):
    openvpn[1211]: /sbin/ifconfig tun0 mtu 1500 netmask up
    openvpn[1211]: /sbin/route add -net
    openvpn[1211]: /sbin/route add -net is the remote network. I can ping it from the pfSense box.
    But from the local network I can only ping (tun0 of the pfSense box), even with redirect-gateway and allow any->any rules on the LAN and OPT (tun0) interfaces.

    local subnet

    Some rules were like outbound:
    LAN:  -> local subnet allow
    otherwise packets were blocked.

  • setup is PKI.
    openvpn[1211]: /sbin/ifconfig tun0 mtu 1500 netmask up

    That is not consistent.
    If you had a PKI you wouldn't see that.
    It should look something like this:

    /sbin/ifconfig tun0 pointopoint mtu 1500
